Trial Guide

For ISA Server 2000 Evaluation Edition

Abstract
Microsoft Internet Security and Acceleration Server 2000 (ISA Server) is an extensible enterprise firewall and Web cache server built on the Windows 2000 operating system's security, management and directory services for policy-based access control, acceleration and management of internetworking. The Internet provides organizations with new opportunities to connect with customers, partners and employees. While this presents great opportunities, it also opens new risks and concerns such as security, performance and manageability. ISA Server is designed to address the needs of today's Internet-enabled businesses. ISA Server provides a multilayered enterprise firewall that helps protect network resources from viruses, hackers and unauthorized access. ISA Server's Web cache enables organizations to save network bandwidth and provide faster Web access for users by serving objects locally rather than over a congested Internet. Whether deployed as dedicated components or as an integrated firewall and caching server, ISA Server provides a unified management console that simplifies security and access management. Built for the Windows 2000 platform, ISA Server provides secure and fast Internet connectivity with powerful, integrated management tools.

© 2000 Microsoft Corp. All rights reserved. This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein. The information contained in this document represents the current view of Microsoft Corp. on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication. This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION IN THIS DOCUMENT. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording or otherwise), or for any purpose, without the express written permission of Microsoft Corp. Microsoft may have patents, patent applications, trademarks, copyrights or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights or other intellectual property. The example companies, organizations, products, people and events depicted herein are fictitious. No association with any real company, organization, product, person or event is intended or should be inferred. Microsoft, Windows, Active Directory, BizTalk, Windows Media, ActiveX, Windows NT and MSN are either registered trademarks or trademarks of Microsoft Corp. in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.

Contents

How to Use This Guide  1
Product Overview  1
Editions Comparison  3
    ISA Server Enterprise Edition  3
    ISA Server Standard Edition  3
    Key Differences  3
Enterprise Customer Requirements  5
    Internet Connectivity With Strong Security  5
    Productive Internet Access  6
    Fast, Scalable E-Commerce  6
    Powerful Management, Transparent Setup to Reduce Total Cost of Ownership  6
ISA Server Usage Scenarios  7
    Internet Firewall  7
    Secure Server Publishing  7
    Forward Web Caching Server  8
    Reverse Web Caching Server  8
    Integrated Firewall and Web Cache Server  8
Features at a Glance  9
Testbed Configuration for ISA Server  11
    Platform Setups  12
ISA Server Installation  15
    Additional Installation  20
ISA Server Management  20
    The Basis of Control, Policies and Rules  20
    The ISA Server Console  23
Configuring for Firewall  25
    Getting Started Wizard  25
    Completing the Array Configuration  32
User Security and Site Access Control  35
    SecureNAT Clients  35
    Firewall Clients  35
    SecureNAT Clients and Firewall Clients  36
    Testing Access Policy Rules With SecureNAT  36
    Installing the Firewall Client  37
    Testing User Authentication Rules With the Firewall Client  38
Secure Web and Server Publishing  42
    Server Publishing  42
    Web Publishing  42
    Publishing a Web Server  44
    Testing the Published Web Server  50
System Hardening  51
Web Cache Server  53
    Configuring ISA Server Caching  54
    Scheduled Cache Content Download Service  55
    Creating a Cache Download Schedule  56
Distributed Caching  57
    Cache Array Routing Protocol: Better Way to Scale  58
    Chained or Hierarchical Caching  59
Alerting  60
Reporting  63
    Predefined Reports  63
Conclusion  69
Frequently Asked Questions  70
    General  70
    Firewall  73
    Caching and Performance Acceleration  74
    Extensibility Features  75
    Management and Operating System Environment  75
For More Information  76

HOW TO USE THIS GUIDE

Microsoft Internet Security and Acceleration Server 2000 (ISA Server) has a rich set of security, caching and management features that will enable organizations to set up and manage secure, fast Internet connectivity. This evaluation guide will highlight the important features and benefits of ISA Server Enterprise Edition. It is not intended to replace the user's guide, but will provide technical evaluators with a sample of the security, caching and management features of this new product. The Product Overview section offers context for how security, performance and management are integral to today's Internet-enabled organizations. It highlights product features and describes how these features can benefit large and small enterprises.

The Walk-Through section provides useful tips to help you install, set up and test ISA Server Enterprise Edition in an integrated firewall and cache configuration. For additional configuration, usage and upgrade information, please refer to the Microsoft ISA Server Release Notes, Installation Guide and Migration documents, all of which are accessible from the main ISA Server setup menu.

PRODUCT OVERVIEW

Microsoft Internet Security and Acceleration Server 2000 offers secure, fast and manageable Internet connectivity. ISA Server integrates an extensible, multilayer enterprise firewall and a scalable high-performance Web cache. It builds on Microsoft Windows 2000 security and directory services for policy-based security, acceleration and management of internetworking. ISA Server is a key member of the Microsoft .NET Enterprise Server family. .NET Enterprise Servers are Microsoft Corp.'s comprehensive family of server applications for building, deploying and managing scalable, integrated, Web-based solutions and services. Enterprise organizations that want secure, fast and manageable Internet connectivity can benefit from ISA Server.

ISA Server comes in two editions: Standard Edition and Enterprise Edition. Both have the same rich feature set, although Standard Edition is a stand-alone server supporting a maximum of four processors. For large-scale deployments, server array support, multilevel policy and computers with more than four processors, you will need ISA Server Enterprise Edition. This guide will focus on the Enterprise Edition only.

Microsoft ISA Server EE

Secure Internet Connectivity

Connecting networks and users to the Internet introduces security and productivity concerns. ISA Server provides your organization with the comprehensive ability to control access and monitor usage. ISA Server protects networks from unauthorized access, inspects traffic and alerts administrators to attacks. ISA Server includes an extensible, multilayer enterprise firewall featuring packet-, circuit- and application-level traffic screening, stateful inspection, broad application support, integrated virtual private networking (VPN), system hardening, integrated intrusion detection, smart application filters, transparency for all clients, advanced authentication, secure server publishing and more. ISA Server enables you to do the following:

- Protect networks from unauthorized access.
- Defend Web and e-mail servers from external attacks.
- Inspect incoming and outgoing network traffic to ensure security.
- Receive alerts of suspicious activity.

Fast Web Access

The Internet offers organizations exciting productivity benefits, but only to the extent that content access is fast and cost-effective. The ISA Server Web cache can minimize performance bottlenecks and save network bandwidth by serving up locally cached Web content. ISA Server enables you to do the following:

- Provide faster Web access for users by serving objects locally rather than over a congested Internet.
- Reduce bandwidth costs by reducing network traffic.
- Distribute the content of Web servers and e-commerce applications to reach customers worldwide efficiently and cost-effectively.
- Serve popular Web content from your cache to free up bandwidth for other content requests.

Unified Management

By combining enterprise firewall and high-performance Web cache functions, ISA Server delivers a common management infrastructure that reduces network complexity and costs. Whether you opt to deploy it as an integrated system or as a separate firewall and cache, you get the benefit of integrated management. ISA Server is tightly integrated with Windows 2000, offering a consistent and powerful way to manage user access, configuration and rules. ISA Server enables you to do the following:

- Apply policy consistently to the firewall and cache.
- Control access by user, group, application, content type and schedule.
- Reduce network complexity and costs.
- Apply policy rules at the enterprise level and the array level.
- Monitor network usage and performance.
- Take advantage of Windows 2000 integration, including security, VPN, bandwidth control with QoS, and the Active Directory service.

Extensible, Open Platform

Security policies and imperatives vary from organization to organization. Traffic volume and content formats also pose unique concerns. No single product fits all security and performance needs, so ISA Server is built to be highly extensible. Available for it are a comprehensive software developer's kit (SDK) for in-house development, a large selection of third-party add-on solutions, and an extensible administration option.

EDITIONS COMPARISON

Microsoft Internet Security and Acceleration Server is available in two editions designed to meet your business and networking needs.

ISA Server Enterprise Edition


ISA Server Enterprise Edition is Microsoft's scalable enterprise firewall and Web cache server. The Enterprise Edition was designed to meet the performance, management and scalability needs of high-volume Internet traffic environments with centralized server management, multiple levels of access policy and fault-tolerant capabilities. ISA Server Enterprise Edition offers secure, scalable, fast Internet connectivity for mission-critical environments.

ISA Server Standard Edition


ISA Server Standard Edition provides enterprise-class firewall security and Web caching capabilities for small businesses, workgroups and departmental environments. The standard edition provides robust security, fast Web access, intuitive management and excellent price/performance for business-critical environments.

Key Differences
The security, caching, management, performance and extensibility capabilities of ISA Server are the same in both editions. The standard edition, however, is limited to a stand-alone server, local policy only, and will support up to four processors. The enterprise edition supports multiserver arrays with centralized management, enterprise-level and array-level policy, and no hardware limits.


Microsoft .NET Enterprise Servers

.NET Enterprise Servers are Microsoft's comprehensive server family for quickly building and managing an integrated, Web-enabled enterprise. Designed with scalable, mission-critical performance in mind, .NET Enterprise Servers deliver reliability and manageability for the global, Web-enabled enterprise while delivering the best performance in their class. .NET Enterprise Servers are built from the ground up for interoperability using today's Web standards. With XML built in, .NET Enterprise Servers attain high levels of integration and interoperability. With production-ready out-of-the-box applications and the world's largest partner base of developers and software vendors, .NET Enterprise Servers deliver fast time to market for the Web-ready enterprise. The core .NET Enterprise Servers include the following:

- SQL Server 2000. The complete database and analysis solution for rapidly delivering scalable Web applications.
- Internet Security and Acceleration Server 2000. Integrated firewall and Web cache server built to make the Web-enabled enterprise safer, faster and more manageable.
- Host Integration Server 2000. Integration components for host systems.
- Exchange Server 2000. Reliable, easy-to-manage messaging and collaboration solution for bringing users and knowledge together.
- Commerce Server 2000. The solution for quickly building an effective online business.
- BizTalk Server 2000. For orchestration of business processes and Web services within and between organizations.
- Application Center 2000. The deployment and management tool for high-availability Web applications built on Windows 2000.

ENTERPRISE CUSTOMER REQUIREMENTS

The Internet has been changing the way people and organizations communicate and conduct business. It presents new opportunities to connect with customers, partners and employees. It also brings new concerns and risks that organizations must address. Microsoft has worked with customers to design a product that addresses the needs of today's Internet-enabled businesses: security, performance and manageability.

Internet Connectivity With Strong Security


Connecting a network to the Internet can expose an organization to new security concerns. Computer viruses, hacker attacks and unauthorized usage of networks and private resources can occur if proper security precautions and technologies are not in place. Although no single security measure will provide foolproof protection, ISA Server's multilayered firewall and intrusion detection will help you stay one step ahead.

Productive Internet Access


Internet access is an essential tool for today's knowledge worker. With the heavy Internet traffic that runs across network gateways, Web access performance can become the bottleneck for productivity. ISA Server's Web caching features provide faster Web access performance by caching static Internet content closer to the user, minimizing repeated requests to the congested Internet. In addition, by using the policy-based access controls, administrators can limit which Web sites are permitted for specific users, time of day, content type and more. With fast caching and access control, ISA Server can help lower the cost of managing Internet connectivity and improve the productivity of Internet users.

Fast, Scalable E-Commerce


Whether the organization is an Internet e-commerce retailer or a large enterprise looking to expand its business reach, the Internet is a key part of its business strategy. Organizations cannot afford to have slow, unresponsive e-commerce Web sites, especially when their competition is a mouse-click away from their customers. ISA Server's Web cache will provide Internet clients with a fast Web experience that scales with growing businesses.

Powerful Management, Transparent Setup to Reduce Total Cost of Ownership


Managing security and caching separately usually requires a separate set of network technologies, infrastructure equipment and skilled administrators, thereby increasing complexity, cost and inconsistency. ISA Server's unified policy-based administration tool helps administrators manage and secure their Internet connectivity from a central location, reducing network complexity and lowering total cost of ownership. Organizations often benefit from consistent firewall and cache policies. The management integration enabled by Windows 2000 provides a single view of these policies, rather than requiring firewall and cache infrastructure to be managed separately. In addition to powerful management capabilities, organizations require products that are easy to deploy. ISA Server requires no configuration beyond that of the firewall and cache server itself, simplifying firewall, server publishing and caching setup. With ISA Server's Secure Network Address Translation (SecureNAT) feature, administrators need not configure additional software on client machines or published servers to use the firewall or cache. ISA Server delivers transparency to clients and servers that can minimize administrative complexity and cost.

ISA SERVER USAGE SCENARIOS

ISA Server can provide value to IT managers, network administrators and information-security professionals in organizations of all sizes who are concerned about the security, performance, manageability or operating costs of their networks. ISA Server can be installed in three different modes: firewall mode, cache mode, and integrated mode with firewall and caching available on the same computer. Organizations can deploy ISA Server in numerous networking scenarios including these:

Internet Firewall
ISA Server can be deployed as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. The ISA Server computer is transparent to the other parties in the communication path. The Internet user should not be able to tell that a firewall server is present, unless the user attempts to access a service or site where the ISA Server computer denies access. By setting the security access policies, administrators can help prevent unauthorized access and malicious content from entering the network as well as restrict outbound traffic by user and group, application, destination, content type and schedule. Key features include these:

- Multilayered traffic screening: packet-, circuit- and application-level filtering
- Smart data-aware application filters
- Built-in intrusion detection
- System hardening for locking down Windows 2000
- Integrated virtual private networking (VPN)

Secure Server Publishing


ISA Server allows organizations to publish services to the Internet without compromising the security of their internal network. They can configure Web publishing and server publishing rules that determine which requests should be sent downstream to a server located behind the ISA Server computer, providing an increased layer of security for their internal servers. For example, a Microsoft Exchange server can be placed behind the ISA Server and server publishing rules can be created that allow the e-mail server to be published to the Internet. Incoming e-mail to the Exchange Server is intercepted by the ISA Server computer, which appears as an e-mail server to clients. ISA Server can filter the traffic and forward it on to the Exchange Server. The Exchange Server is never exposed directly to external users and remains in a secure environment, maintaining access to other internal network services. Key features include these:

- Easy-to-use server publishing wizards
- SecureNAT for transparent client connections and server publishing
- Published services including HTTP, FTP, H.323, SMTP, streaming media and more

Forward Web Caching Server


ISA Server can be deployed as a forward caching server that provides internal clients with access to the Internet. ISA Server maintains a centralized cache of frequently requested Internet objects that can be accessed by any Web browser. Objects served from the disk cache require significantly less processing than objects served from the Internet. This improves client browser performance, decreases user response time, and reduces bandwidth consumption on Internet connections. Key features include these:

- Fast in-memory RAM caching
- Scheduled caching content downloads
- Distributed and hierarchical cache chaining
- Active Caching for proactive downloads of popular content

Reverse Web Caching Server


ISA Server can be deployed in front of an organization's Web server that is hosting a commercial Web business or providing access to business partners. With incoming Web requests, ISA Server can act as a Web server fulfilling client requests for Web content from its cache and forwarding requests to the Web server only when the requests cannot be served from its cache. Key features include these:

- Web publishing wizards
- Fast in-memory RAM caching
- Transparency for all clients
- Distributed caching with Cache Array Routing Protocol (CARP)

Integrated Firewall and Web Cache Server

While organizations can deploy ISA Server as separate firewall and caching components, some administrators will choose to have a single integrated firewall and Web cache server to provide both secure and fast Internet connectivity. However organizations choose to physically deploy ISA Server, they will benefit from the centralized and integrated policy-based management.

In all ISA Server scenarios, administrators will benefit from the following:

- Granular policy-based access rules
- Bandwidth control
- Enterprise and array policies
- Logging and reporting
- Active Directory service integration
- Centralized Microsoft Management Console (MMC)

ISA Server has the technology to provide secure, fast Internet connectivity with unified management to meet the needs of today's Internet-enabled businesses.

FEATURES AT A GLANCE

Microsoft ISA Server Features at a Glance


Enterprise Firewall Security

Multilayered Firewall Security
Organizations can maximize security with packet-, circuit- and application-level traffic filtering:
- Static and dynamic packet filtering determines which packets will be allowed to pass through to the secured network's circuit- and application-layer proxy services. Dynamic filtering opens ports automatically only as needed and then closes the ports when the communication ends.
- Circuit filtering provides application-transparent circuit gateways for multiplatform access to Telnet, RealAudio, Windows Media technologies, IRC and several other Internet services. Unlike other circuit-layer proxies, ISA Server circuit-layer security works with dynamic packet filtering for enhanced security and ease of use.
- Application filtering understands commands within the application protocols (e.g., HTTP, FTP and Gopher) from client PCs. ISA Server acts on behalf of the client PC, hiding the network topology and IP addresses from the outside network.

Stateful Inspection
ISA Server dynamically and intelligently examines traffic crossing the firewall in the context of its protocol and the state of the connection to ensure integrity of communications and to prevent security breaches.

Smart Application Filtering
ISA Server goes beyond basic application filtering by controlling application-specific traffic with data-aware filters. Traffic can be accepted, rejected, redirected and modified based on its contents through intelligent filtering of HTTP, FTP, SMTP e-mail, H.323 conferencing, streaming media and RPC.

Secure Server Publishing
Organizations can protect Web servers, e-mail servers and e-commerce applications from external attacks through secure server publishing. ISA Server can impersonate the published server, adding a layer of security. Web publishing rules protect internal Web servers by allowing organizations to specify which computers can be accessed. Server publishing rules protect internal servers from unwarranted access by external users.

Intrusion Detection
Integrated intrusion detection based on technology from Internet Security Systems (ISS) can generate an alert and execute an action if it detects a network intrusion attempt such as port scanning, WinNuke and Ping of Death.

Integrated Virtual Private Networking
Organizations can provide standards-based secure remote access with the integrated virtual private networking services of Windows 2000. ISA Server supports secure VPN access that can connect branch offices or remote users to corporate networks.

System Hardening
The System Hardening Wizard allows organizations to lock down Windows 2000 by setting the appropriate level of security, depending on how ISA Server functions in their network.

Streaming Media Splitting
Organizations can save bandwidth by splitting live media streams through ISA Server's streaming media filters. ISA Server can obtain information from the Internet once, then make it available locally on a Windows Media Technologies Server for access by other clients.

Firewall Transparency
SecureNAT provides extensible, transparent firewall protection for all IP clients by substituting a globally valid IP address for an internal IP address, with no client software or configuration necessary.

Strong User Authentication
Strong user authentication is supported with integrated Windows authentication (NTLM and Kerberos), client certificates and digest; basic and anonymous Web authentication is also supported.

Dual-Hop SSL
For Web servers that require authenticated and encrypted client access, ISA Server can provide end-to-end security and firewall filtering through dual-hop SSL authentication. ISA Server verifies the client certificate from the user, inspects the data, and then presents its own server certificate to the Web server for the second authentication. Unlike most firewalls, encrypted data can be inspected before reaching the Web server.

Web Caching Server

High-Performance Web Caching
Web performance is accelerated for internal clients accessing the Internet and external Internet users accessing a corporate Web server with ISA Server's fast RAM caching and efficient disk operations.

Smart Caching
The freshest content can be ensured for each user thanks to proactive caching of popular objects. Based on how long an object has been cached or when the object was last retrieved, ISA Server automatically determines which Web sites are used most and how frequently their content should be refreshed. ISA Server can proactively preload that Web content into cache during periods of low network use, without requiring network manager intervention.

Scheduled Caching
Organizations can preload the cache with entire Web sites on a defined schedule. Scheduled downloads ensure the freshest cache content for every user, consistent mirrored servers and offline availability.

Distributed and Hierarchical Caching
With ISA Server, organizations can set up distributed content caching among an array of ISA Server computers. ISA Server further extends distributed caching by allowing them to set up a hierarchy of caches, chaining together arrays of ISA Server-based computers so clients can access the cache nearest them.

Unified Management

Policy Based Access Control
Organizations can control inbound and outbound access by user and group, application, destination, content type and schedule. Policy wizards can specify which sites and content are accessible, whether a particular protocol is accessible for inbound and outbound communication, and allow or block communication between specified IP addresses, using the specified protocols and ports.

Multilevel Management
ISA Server supports multilevel policy management through array-level access policies and enterprise-level policies. This enables administrators at branch and departmental levels to adopt governing enterprise policies and set local access rules based on their specific needs.

Bandwidth Management
Organizations can save bandwidth and manage network usage by prioritizing bandwidth allocation for any specific Internet request in terms of group, application, site or content type. ISA Server leverages the quality of service features of Windows 2000.

Active Directory Integration
All users, rules and configuration information can be centrally stored and managed in the Windows 2000 Server Active Directory service. While not a requirement to deploy ISA Server, Active Directory allows organizations to share schema, implement caching arrays and automatically adopt enterprise settings, access policies, publishing policies and monitoring configurations.

Graphical taskpads and wizards simplify navigation and configuration of common tasks. For example, wizards can publish Exchange-based servers on the network behind the ISA Server computer, configure ISA Server to be a VPN gateway, or create a new site and content rule.

ISA Servers can be managed remotely through MMC or Windows 2000 Terminal Services, which is included in Windows 2000 Server. Using DCOM, administrators can use command-line scripts to manage ISA services.

Detailed security and access logs are provided in standard data formats such as W3C and ODBC. Organizations can run scheduled built-in reports on Web usage, application usage, network traffic patterns and security. Event-driven alerts can e-mail administrators, start and stop services, and take automated action based on alert criteria.

For ISA Firewall Service clients, organizations can restrict access on a per-user basis, not just by IP address, thereby enabling even more granular access control for both inbound and outbound access for all protocols.

ISA Server supports many Internet protocols, including HTTP, FTP, RealAudio and RealVideo, IRC, H.323, Windows Media streaming, and mail and news protocols.

TESTBED CONFIGURATION FOR ISA SERVER
Independent vendors offer products, such as virus detection, management tools, content filtering and reporting, that build on and integrate with ISA Server. For example, organizations can use third-party filters to prevent the latest viruses, Java scripts or ActiveX Controls from being downloaded into their secured networks. ISA Server includes a comprehensive SDK for developing tools that build on ISA Servers firewall, caching and management features. Full API documentation and step-by-step samples are provided to build additional Web filters, application filters, MMC snap-ins, reporting tools, scriptable commands, alert management and more.

Graphical Taskpads and Configuration Wizards Remote Management Logging, Reporting and Alerting

User-Level Management Extensible Platform Broad Application Support Broad Vendor Support

Extensive SDK

This guide can't cover all the ISA Server features, but it will give you a chance to walk through key activities such as these:

- Installing and configuring ISA Server
- Setting up firewall filters
- Creating and modifying access rules
- Configuring and testing user access via SecureNAT and the firewall client
- Publishing an internal Web server
- Scheduling a cache content download
- Configuring an automated alert
- Running built-in reports

The built-in Product Help documentation is also very comprehensive and contains checklists to help you accomplish common tasks. For the purpose of this demonstration, it is assumed your test bed has some form of direct connection to the Internet. To experience the majority of new features in Microsoft ISA Server, you'll need a minimum of four computer systems. The first will be set up with the ISA Server software running on Windows 2000 Server. For testing purposes, this system will also be configured as the Active Directory Domain Controller and DNS server. You'll use the second machine as an internal Web server when working through the Server Publishing section. It too will be running Windows 2000 Server. The third PC will operate as your external public client and will run Windows 2000 Professional. The last system, also running Windows 2000 Professional, will be your internal client and will run the ISA Firewall Client software. While this test bed uses Windows 2000 Professional as the client, ISA Server supports Windows and non-Windows clients. Please refer to the diagram below for details about how to configure the test systems. The idea here is to create an internal private network secured by the ISA Server and an external connection to the Internet.

ISA Server testing configuration diagram

Platform Setups
Follow these steps to configure each machine. (For a complete list of minimum hardware requirements and detailed setup information, please consult the Windows 2000 Server documentation and the ISA Server Release Notes and Installation Guide.) While ISA Server requires Windows 2000 Service Pack 1, it is recommended that you install the latest Windows service pack for all Windows machines.

Server 1 (Windows 2000 Server With Service Pack 1)
This is the primary machine used for examining the features of Microsoft ISA Server.

1. Install two network interface cards (NICs). Connect one NIC to the internal network hub and the other to the external network hub.
2. Be sure to create at least one NTFS5 partition (for Active Directory and the caching repository).
3. For best security practices, ISA Server and a Domain Controller would not normally be configured on the same computer. For purposes of this evaluation, however, configure this machine as a Domain Controller and install DNS. The simplest way to do this is to run the Active Directory Wizard from the Configure Your Server menu.
4. Set the IP address of the internal NIC to a valid address for your internal network and the external NIC to a valid registered Internet address for the host name you defined.
5. Define the default gateway for the external NIC as appropriate for your network. (This is usually the router that connects to the Internet.) Do not set a default gateway address for the internal NIC.
6. Define the DNS Server on your external NIC as appropriate for your network. (This is usually the address of the DNS at your ISP.) The DNS Server for your internal NIC should be defined as that NIC's address.
7. Create several new domain user accounts and groups.
8. Add some members to each of the groups.

ISA Server does not require Internet Information Services (IIS) to be running on the same computer.


Server 2 (Windows 2000 Server)
This will be used as an internal Web server to demonstrate the Web server publishing feature of Microsoft ISA Server.

1. Install one NIC and connect it to the internal hub.
2. Set it up as a standalone server, but add the machine to the Active Directory domain.
3. Install IIS. Set the default gateway and DNS addresses to that of the ISA Server's internal NIC.

Internal Client (Windows 2000 Professional)
This will be used to show how SecureNAT, Web proxy and firewall clients operate transparently from the user's perspective.

1. Install one NIC and connect it to the internal hub.
2. Add this machine to the Active Directory domain.
3. Set the IP address to a valid address for your internal network. Set the default gateway and DNS addresses to that of the ISA Server's internal NIC.

External Client (Windows 2000 Professional)
This plays the part of an Internet client.

1. Install a dial-up or direct connection to the Internet.
2. Ensure that you can contact the ISA Server over the Internet by testing with the ping command.
3. Create a local hosts file in the <default drive:>\WINNT\system32\etc directory. Add an entry with the name of the internal Web server, but assign it the IP address of the ISA Server's external NIC. (This step facilitates Web server publishing testing; it is only necessary if you cannot enter the Web server alias into the DNS's records, as would be the case when using a public DNS.)

Modified hosts file on external test client


ISA SERVER INSTALLATION

Setting up Microsoft Internet Security and Acceleration Server is a very easy and straightforward process.

1. Insert the ISA Server CD into your CD-ROM drive. The main setup menu will appear. Please take the time to look over the release notes and installation guide; they contain valuable information that will make it easier to get up to speed with the product.
2. Choose Run ISA Server Enterprise Initialization. This starts the Active Directory schema update process. When prompted to continue, click on Yes.
3. The next dialog box lets you decide how to apply enterprise-level policies to arrays. Leave Use this enterprise policy: and Force packet filtering on the array selected, check the Allow array-level access policy rules that restrict enterprise policy and Allow publishing rules boxes, and then click on OK.


4. When schema modifications are completed, a dialog box will let you know it is OK to install the ISA Server as a domain array member. Click on OK to dismiss the message and return to the main setup menu.
5. Choose Install ISA Server.
6. At the Welcome screen, click on Continue.
7. For the CD Key: enter the product key number located on the CD sleeve or provided from the Web, click on OK, and then click on OK once more.
8. On the License Agreement screen, click on I Agree. For the installation type, click on Full Installation.
9. Now you'll see a dialog box asking if you want to install the server as an array member. Click on Yes to allow the most flexibility possible during testing. Change the default array name if you'd like and click on OK. The next screen to appear lets you fine-tune how an enterprise policy is applied to this array. For purposes of this walk-through you can just leave the default and click on Continue.


10. To demonstrate both firewall and caching features, leave the default Integrated mode selection and click on Continue.

11. When warned about the stopping of the IIS service, click on OK. (See the note that follows for an explanation of why this must be changed.)

The IIS Web service is stopped because its default port is 80, the HTTP standard. Two different services cannot bind to the same port, so if you intend to use the ISA Server Web publishing feature on this port, you must modify the listening port settings for IIS.

12. The next dialog box lets you configure caching parameters. Click on OK to accept the default settings.

13. The last few steps involve creating the local address table (LAT). The ISA Server uses the LAT to differentiate between the internal and external networks. Begin by clicking on the Construct Table button.


14. Now check the box that corresponds to your internal NIC. You can uncheck the private ranges box unless your test bed requires them. Click on OK.

15. At the resultant Setup Message box, click on OK.

16. Verify the accuracy of the table and click on OK again.

17. The next to last dialog box appears. Check the Start ISA Server Getting Started Wizard box and click on OK.


18. Click on OK on the setup completion screen. The ISA Server Administration screen shown below will appear.


Additional Installation
On the distribution CD is a rollup package consolidating several hot fixes designed to address known operational issues regarding ISA Server. These issues are primarily related to heavily loaded servers, or servers running on multiprocessor systems, and will be fixed in Windows 2000 Service Pack 2. In the meantime, it is best if you install them now.

1. Locate the Support\Hotfixes\Win2000 folder on the ISA Server CD.
2. Double-click on the file Q275286_W2K_SP2_x86_en.EXE.
3. When the update process finishes you'll see a dialog box indicating that Windows 2000 has been updated. Click on OK to reboot the system.

The Internet Security and Acceleration Server installation is complete. A closer look will now be given to the main interface.

ISA SERVER MANAGEMENT

The Basis of Control, Policies and Rules


Microsoft ISA Server was designed to provide great management support to make it easy to own and operate. Creating a central location to control and manage caching and firewall improves security, consistency and ease of management. This design goal applies to a single ISA Server in an elementary school, a chain of servers across several branch offices, or an array in an ISP's point of presence. Outlined here are the major facets with which administrators can safely and securely control inbound and outbound network access.

Policies
Organizations can configure rules that control how their local network communicates with the Internet. Rules can be specified in enterprise-level policies or in an array-level policy and stored centrally in Active Directory.

Array Policy vs. Enterprise Policy
Organizations can create site and content rules, protocol rules, Web publishing rules and IP packet filters at the array level. Together, these rules compose an array policy. The array policy determines how the ISA Server clients communicate with the Internet and what communication is permitted. The array policy applies only to the ISA Server computers in the array. You can also create an enterprise policy. The enterprise policy includes site and content rules and protocol rules. The enterprise policy can be applied to any array and can be augmented by the array's own policy. This enables administrators at branch and departmental levels to adopt governing enterprise policies. Array policies can only limit enterprise policies. That is, the array-level rules can further refine enterprise policies by denying access to additional users, sites, content or protocols.

Introducing ISA Server Rules
Organizations can configure ISA Server to meet their specific security needs by defining and configuring rules that determine whether users, services, ports or domains are granted access to computers in their network and on the Internet. ISA Server allows them to define three types of rules:

- Access policy rules
- Bandwidth rules
- Publishing rules


Access Policy Rules


Organizations can use ISA Server to configure an access policy, which consists of site and content rules, protocol rules and IP packet filters.

- Site and content rules define which Internet sites can be accessed by clients behind the ISA Server computer. Site and content rules are processed at the application level.
- Protocol rules define which protocols users behind the ISA Server computer can access. Protocol rules are processed at the application level.
- IP packet filters allow or block communication between specified IP addresses, using the specified protocols and ports. IP packet filters are processed at the packet level.

Bandwidth Rules
ISA Server bandwidth rules build on the Windows 2000 QoS features to determine how much bandwidth should be allocated for any specific Internet request. Bandwidth rules are processed at the application level.

Publishing Rules
Server publishing rules filter all incoming and outgoing requests. They map incoming requests to the appropriate servers behind the ISA Server computer. For example, Exchange Server 2000 can be published transparently through ISA Server. Web publishing rules map incoming requests to the appropriate Web servers behind the ISA Server computer.

Policy Elements
Policy Elements are the building blocks for the rules and policies you create. They provide a fine-grained level of control, not only over locations and users but also over things such as bandwidth allocation, specific protocols and types of content. Like much of ISA Server, Policy Elements can be extended by third-party vendors or developers to meet customized needs. For example, organizations can purchase lists of restricted URL sites from third-party Site Blocking vendors, which then plug into the ISA Server Policy Elements. The individual elements are these:

- Schedules determine when clients are allowed or denied access.
- Bandwidth priorities ascribe a weighting to inbound or outbound traffic to better utilize available network bandwidth.
- Destination sets define remote sites by IP address or URL.
- Client address sets define internal clients by IP address or by Windows NT and Windows 2000 operating system domain users and groups.
- Protocol definitions refine rules based on protocol.
- Content groups are logical groupings of the most common file types (e.g., video, audio and images).


The ISA Server Console


All ISA Server configuration, management, monitoring and reporting tools are accessed from the Administration application. This program uses the standard Microsoft Management Console. On the left side, or Scope Pane, you'll find all the items used to manage or monitor operations of the Internet Security and Acceleration Server. The right-hand side, the Results Pane, is where you'll find the taskpads. As you select different tree items, the Results Pane changes to reveal the appropriate taskpad for that item. MMC provides two viewing modes: Taskpad and Advanced. The screen below is displaying the Taskpad view.

Internet Security and Acceleration Server Management Console (Scope Pane on the left, Results Pane on the right)


A Closer Look at the Scope Pane
Here the left side tree, or Scope Pane, will be examined and the use of some of the main elements will be clarified. The callouts from the diagram describe the main tree items:

- Used to manage enterprisewide policy settings
- Used to manage array-specific policy settings
- Used for monitoring alerts, user sessions and viewing reports
- Allows access restriction based on location, IP address, domain membership, protocol and time
- Used to form the basis of Rules and Policies
- Used to safely expose internal servers to external clients
- Used to control alert methods and report scheduling
- Used to control firewall and Web proxy routing and configure VPN
- Used to set up Intrusion Detection and packet filtering
- Used to manage bandwidth usage
- Used to adjust caching parameters and scheduling of content downloads
- Application and third-party or user-developed plug-in filters


Windows 2000 Integration and Management


ISA Server is built to take advantage of the management features of Windows 2000 Server and its Active Directory service. Though Active Directory integration is optional, it enables administrators to centrally manage policies, configurations and users. This enables a single user logon experience for all network services and applications, including Internet access via ISA Server. This saves time deploying the new capabilities to users. It also enables network managers to exploit the user account information to allow or deny access to a wide range of Internet or intranet services via Microsoft ISA Server. Integration with the operating system pays off in other ways, too. For example, the Windows 2000 Server Performance Monitor supports several Microsoft ISA Server real-time measurements. The Windows 2000 Event Log is also used to help track and troubleshoot Microsoft ISA Server. Remote administration is supported through remote MMC and the built-in Terminal Services. These tools provide essential information to enable network managers to stay on top of their ISA Server network. ISA Server provides a flexible and highly configurable management console. The COM object model gives administrators programmatic access to the rules engine and all administrative options. ISA Server's extensibility enables third-party products to seamlessly integrate into the ISA administration console to deliver a single management interface. With a unified administration tool, ISA Server can eliminate the complexity and cost of managing multiple separate systems for firewall, caching and bandwidth management.

CONFIGURING FOR FIREWALL

Getting Started Wizard


The best way to get acquainted with ISA Server is through the Getting Started Wizard. Not all items in the list will be covered, but a few will be touched upon to get you started on building a policy. At the enterprise level you will create a Client Address Set and a Protocol Rule that permits all internal clients to browse the Internet. You'll also create an array-level Site and Content rule that will restrict access to a specific site by using a Destination Set for the Client Address Set.


1. Beneath the Configure Enterprise Policy section, click on Configure Client Sets and then click on the Create a Client Set icon.

Internet Security and Acceleration Server Getting Started Tutorial

2. Fill in a name and description for your internal client and then click on Add. Enter this node's IP address in both the From and To boxes. Click on OK to finish adding the Client Set.

A Client Set normally would incorporate multiple machines grouped by their role or users, but in this test bed there is only one client.


3. Click on the Next button at the bottom of the screen, or just click on Configure Protocol Rules, then click on the Create a Protocol Rule for Internet Access icon.

If you find yourself needing some assistance, please check the context-sensitive online help. It is very comprehensive.

4. Give the rule a name and click on Next >. Review the protocols and click on Next >.

Uncheck the Show only selected protocols box to see the full list of protocols ISA Server can apply rules to.


5. For the Schedule options, choose Work Hours and click on Next >. (If testing takes place during off-hours, choose Always or you won't be able to connect.)

6. Leave the default of Any request on the Client Type page and then click on Next >.

7. On the rule completion page click on Finish.


8. All internal clients can now utilize standard Web protocols during work hours. However, before user requests will be allowed to pass through the ISA Server, a Site and Content rule is also required. That's coming up in step 12.

As a security best practice, ISA Server denies all inbound or outbound traffic by default until the administrator changes the settings.

9. Click on Next at the bottom of the screen again to move to the Configure Destination Sets, then click on the Create a Destination Set icon.

10. Name the Destination Set MSNBC, give it a description, and then click on Add.

11. In the Destination: box, enter www.msnbc.com, click on OK, and then click on OK once more. You'll use the new Destination Set a bit later in a rule to block the internal client from accessing this particular Web site.

12. Click on Next at the bottom of the screen again to move to Configure Site and Content Rules, then click on the Create a Site and Content Rule icon.


13. Give the rule a name and click on Next >.

14. For the Rule Action, choose Allow and click on Next >.

15. Leave All destinations and click on Next >.

16. Leave the schedule as Always and click on Next >.

17. For Client Type choice, leave Any request and click on Next >.


18. Review the completion page to be sure the items are correct and then click on Finish.

19. Let's look at one more entity before leaving the wizard. Move down a few items and click on Configure Firewall Protection and then click on the Configure Packet Filtering and Intrusion Detection icon.

20. As you can see on the General tab, the enterprise policy has already enforced packet filtering security. By checking the Enable Intrusion detection box and then clicking on the Intrusion Detection tab, you can view the attack types ISA Server can watch for. Click on OK.

21. Click on Finish in the lower right-hand corner of the Results Pane to exit. This will take you to the main ISA Server taskpads page.


If you want to continue using the Taskpad views to perform the next set of operations, you can. It is assumed you are comfortable with that interface, so the following section's tasks will be carried out using the Advanced view.

Completing the Array Configuration


Before you can test your client's connection through the ISA Server, you will need to construct a few more policy elements as described here.

1. From the main MMC menu, choose View > Advanced.

2. Scroll down to your array's Access Policy (expand the list if necessary by clicking on the [+] symbol), right-click on Site and Content Rules and choose New > Rule. Give the rule a name and click on Next >.

3. For the Rule Action, Deny is your only choice because array-level policies can only further restrict an enterprise policy, never overrule it. Click on Next >.

4. For Rule Configuration, choose Custom and click on Next > once more.

5. For the Destination Sets, use the drop-down box to select Specified destination set, then choose MSNBC and click on Next >.

6. For Schedule, leave it set at Always and click on Next >.


7. When given the Client Type choices, pick Specific computers (client address sets) and click on Next >.

8. At the Client Set dialog box, click on Add, highlight your internal client, click on Add >, click on OK and then click on Next >.


9. At the Content Groups screen you can further constrain which information types can be accessed from a site (e.g., you could block audio and video formats to conserve bandwidth). After reviewing the types, return the setting to its Any content type default and click on Next >.

10. Review the completion page to be sure the items are correct and then click on Finish.

11. You should now have two Site and Content rules: the enterprise rule allowing all users access, and your more restrictive array rule blocking access to the MSNBC site for a particular Client Set only.

Viewing newly added Site and Content rules

As can be seen here, when enterprise rules are in effect and an array is configured to use both enterprise and array-level policies, both appear in the array's rules list. The Scope column lets you easily determine the source of any policy rule. You have learned how to configure ISA Server and have created enterprise and array policy elements and access rules. You are now ready to test the connection from your internal client to see how rules are applied to users.
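To make the rule semantics concrete, the following is an added example, not code from ISA Server or from this guide, that models how the enterprise allow rules and the array-level MSNBC deny rule built above are evaluated for a request; it also goes one step beyond the walk-through by showing why a user-based rule can only ever match a firewall client and never a SecureNAT client. The client IP addresses, the user name and the exact Work Hours definition are assumptions.

```python
# Added example, not ISA Server code: a small model of how the rules built in this
# walk-through are evaluated. Addresses, user names and Work Hours are assumptions.
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address
from typing import Callable, Optional

Schedule = Callable[[datetime], bool]

def always(_: datetime) -> bool:
    return True

def work_hours(when: datetime) -> bool:
    # Assumed definition of the built-in Work Hours schedule: Monday to Friday, 9 to 5.
    return when.weekday() < 5 and 9 <= when.hour < 17

@dataclass(frozen=True)
class Request:
    client_ip: str
    protocol: str
    host: str
    when: datetime
    user: Optional[str] = None  # SecureNAT clients carry no user identity

@dataclass(frozen=True)
class ClientAddressSet:
    name: str
    ranges: tuple  # (From, To) address pairs, as entered in the Client Set wizard

    def contains(self, ip: str) -> bool:
        addr = ip_address(ip)
        return any(ip_address(lo) <= addr <= ip_address(hi) for lo, hi in self.ranges)

@dataclass(frozen=True)
class Rule:
    name: str
    kind: str      # "protocol" or "site" (site and content rule)
    scope: str     # "enterprise" or "array"
    action: str    # "allow" or "deny"
    schedule: Schedule = always
    protocols: Optional[frozenset] = None       # None: any protocol
    destinations: Optional[frozenset] = None    # None: all destinations
    clients: Optional[ClientAddressSet] = None  # None: any request
    users: Optional[frozenset] = None           # user names; firewall clients only

    def __post_init__(self) -> None:
        # An array-level policy can only further restrict the enterprise policy.
        if self.scope == "array" and self.action != "deny":
            raise ValueError(f"array-level rule {self.name!r} cannot allow")

    def matches(self, r: Request) -> bool:
        if not self.schedule(r.when):
            return False
        if self.protocols is not None and r.protocol not in self.protocols:
            return False
        if self.destinations is not None and r.host.lower() not in self.destinations:
            return False
        if self.clients is not None and not self.clients.contains(r.client_ip):
            return False
        # A user-based rule can never match a SecureNAT request (no user identity).
        if self.users is not None and (r.user is None or r.user not in self.users):
            return False
        return True

def evaluate(rules, r: Request):
    """Return (decision, reason). A request passes only if a protocol rule AND a site
    and content rule allow it, and no matching rule of either kind denies it."""
    for kind in ("protocol", "site"):
        matched = [rule for rule in rules if rule.kind == kind and rule.matches(r)]
        denies = [rule for rule in matched if rule.action == "deny"]
        if denies:
            return "denied", f"{kind} rule {denies[0].name!r} ({denies[0].scope})"
        if not any(rule.action == "allow" for rule in matched):
            return "denied", f"no {kind} rule allows this request"
    return "allowed", "enterprise policy"

# The policy from the walk-through, with a constructed internal client address.
INTERNAL_CLIENT = ClientAddressSet("Internal client", (("10.0.0.10", "10.0.0.10"),))
POLICY = [
    Rule("Internet access", "protocol", "enterprise", "allow", schedule=work_hours,
         protocols=frozenset({"HTTP", "HTTPS", "FTP"})),
    Rule("Allow all sites", "site", "enterprise", "allow"),
    Rule("Block MSNBC", "site", "array", "deny",
         destinations=frozenset({"www.msnbc.com"}), clients=INTERNAL_CLIENT),
]

def check(host, client_ip="10.0.0.10", hour=10, protocol="HTTP", user=None, rules=POLICY):
    when = datetime(2001, 3, 5, hour)  # a Monday, so Work Hours depends only on the hour
    return evaluate(rules, Request(client_ip, protocol, host, when, user))
```

check("www.msnbc.com") reproduces the denial the internal client sees, while check("www.msnbc.com", client_ip="10.0.0.11") is allowed because the array rule applies only to the Client Set.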


USER SECURITY AND SITE ACCESS CONTROL

In this section, you will configure the client computers to use ISA Server and test the access control policies created. Administrators can choose to use the transparent SecureNAT technology or deploy the ISA Firewall Client software depending on networking and application needs. This demonstration will walk you through both scenarios.

SecureNAT Clients
Client computers that do not have the firewall client software installed are referred to as SecureNAT clients. SecureNAT clients can benefit from many of the features of ISA Server, including most access control features, with the exception of high-level protocol support and user-level authentication. SecureNAT eliminates the need to configure client computers, making deployment and management transparent to end users and less complex for administrators. Although SecureNAT clients do not require special software, you must configure the default gateway on them so all traffic destined to the Internet is sent via the ISA Server. While ISA Server can be the default gateway, it is not a requirement.

SecureNAT and Windows 2000 NAT
ISA Server extends the Windows 2000 network address translation (Windows 2000 NAT) functionality by enforcing ISA Server policy for SecureNAT clients. In other words, SecureNAT provides better security and control because content goes through the application filters, the policy engine and bandwidth control. All ISA Server rules regarding protocol usage, destination and content type can now be applied to SecureNAT clients, despite the fact that Windows 2000 NAT does not have an inherent authentication mechanism. Since requests from SecureNAT clients are essentially handled by the firewall service, SecureNAT clients benefit from the following security features:

- Application filters can modify the protocol stream to allow handling of complex protocols. In Windows 2000 NAT, this mechanism is accomplished through the use of NAT editors, which are written as kernel-mode NAT editor drivers in Windows NT.
- The firewall service passes all HTTP requests to the Web proxy service, which handles caching and ensures that site and content rules are applied appropriately.

Firewall Clients
With the firewall client installed, access policies can be applied to authenticated users, not just to IP addresses of client computers. For example, administrators can apply access and bandwidth rules to specific Windows NT or Active Directory domain users and groups that are authenticated through NTLM or Kerberos tickets. The firewall client also supports WinSock applications. Setting up a firewall client does not configure individual WinSock applications. Instead, it uses the same WinSock dynamic link library file (DLL) that the other applications use. The firewall client then intercepts the application calls and decides whether to route the request to the ISA Server computer. The firewall service supports WinSock version 1.1 and 2.0 applications. Before a WinSock application can gain access to the Internet through ISA Server, the server must also be configured to permit user access for the required protocol on the required service ports. You can install firewall client software on client computers that run Windows 95, Windows 98, Windows NT 4.0 or Windows 2000.

SecureNAT Clients and Firewall Clients


ISA Server ensures that communication with all firewall and SecureNAT clients on the network is secured. Furthermore, all clients benefit from the ISA Server cache. Both SecureNAT and firewall clients can be protected by application filters, which can offer content scanning and other security measures. Both can use the kernel-mode data pump for improved performance and latency, if IP forwarding is available.

Testing Access Policy Rules With SecureNAT


If you followed the initial test bed setup procedures, your internal client has nothing more than its default gateway and DNS configured, with both pointing to the ISA Server. This is the ideal place to start experiencing what Internet Security and Acceleration Server can do.

1. At your internal client, open Microsoft Internet Explorer. By default it should open the MSN Web site. (If you've changed or removed the default home page setting, open any Web site now.)

2. Return to the ISA Server console, expand the Monitoring section and click on the Sessions folder. You should see one Web Session and one Firewall Session connection, showing the IP address of your internal client.

[Figure: Real-time session monitor showing the client's IP address]

3. Now try to access the URL http://www.msnbc.com/ from the client. This time the connection won't go through. Instead, you'll see the denial message below. This is the Site and Content rule you built previously being enforced.

[Figure: Access denied to SecureNAT client based on IP address]

SecureNAT makes it possible to fully manage and protect traffic flows, regardless of the client's operating system.

Congratulations, you've successfully implemented and tested your first ISA Server policy.

Installing the Firewall Client


Now that you've seen how client access can be managed by IP address, it is time to install the firewall client software on your client and test some user-based authentication.

1. From the client computer, use My Network Places to browse your ISA Server for the mspclnt share, open the folder, and then double-click on SETUP.

2. Click on Next > on the Welcome screen and on Next > again on the Destination Folder page. Finally, click on the Install button. When the installation process is complete, click on Finish.

3. The firewall client setup process will also have modified your browser settings to use the proxy server. To verify this, open Internet Explorer and choose Tools > Internet Options. Click on the Connections tab, then on the LAN Settings button. Your ISA Server name should appear in the Address: box as below.

Testing User Authentication Rules With the Firewall Client


To test user authentication you'll make some minor revisions to the Protocol and Site and Content Rules used in the SecureNAT example.

1. Go to the Enterprise-level Site and Content Rules and double-click on your MSNBC exclusion rule. Choose the Applies To tab again, but this time set it to Users and groups specified below. Click on the top Add button, and in the resulting Select Users or Groups dialog box, double-click on Domain Users, and then click on OK.

2. Repeat the process for the Exceptions: list, adding the trusted user group you created. You should wind up with a dialog box like the one below. Click on OK.

3. Your two types of rules should look like these:

[Figure: Existing Protocol Rule]

[Figure: Revised Site and Content Rules]

ISA Server processes deny rules before allow rules, so the most restrictive rule wins; a request is allowed only when a protocol rule and a site and content rule both allow it and no deny rule matches. Examining these final rule settings reveals the following:
- A Protocol rule allowing Web traffic to anyone during Work Hours
- The enterprise-level Site and Content Allow rule granting everyone rights to visit any destination
- Your modified array-level Deny rule prohibiting access to the MSNBC site for all Domain Users except members of the Trusted Users group

The net result is that everyone in the domain can go anywhere on the Web except the MSNBC Web site, which only Trusted Users can access.
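The following is an added example, written for this guide rather than taken from ISA Server, that models the evaluation order just described: deny rules are checked first, and a request passes only when a protocol rule and a site and content rule both allow it. The three rules, the group names and the MSNBC destination mirror the walkthrough; the rule and request field names, the 09:00 to 17:59 definition of Work Hours, and the decision to refuse an anonymous (SecureNAT) request that hits a user-scoped rule until it authenticates are this example's own assumptions.

```python
# Added example: a model of ISA Server 2000 outbound policy evaluation.
# Not ISA Server code; field names and the Work Hours range are assumptions.
from dataclasses import dataclass, field
from typing import Optional

WORK_HOURS = range(9, 18)  # assumption: 09:00-17:59 is the "Work Hours" schedule


@dataclass
class Rule:
    name: str
    kind: str                           # "protocol" or "site"
    action: str                         # "allow" or "deny"
    protocols: Optional[set] = None     # None = any protocol
    destinations: Optional[set] = None  # None = any destination
    schedule: Optional[range] = None    # None = always
    applies_to: Optional[set] = None    # None = any request, including anonymous
    exceptions: set = field(default_factory=set)


@dataclass
class Request:
    user: Optional[str]  # None for a SecureNAT client (no user identity)
    groups: set
    protocol: str
    host: str
    hour: int


def rule_matches(rule: Rule, req: Request):
    """True/False if the rule can be decided for req; None if the rule is
    user-scoped but req carries no user identity (assumption: ISA must
    authenticate the user before it can apply such a rule)."""
    if rule.protocols is not None and req.protocol not in rule.protocols:
        return False
    if rule.destinations is not None and req.host not in rule.destinations:
        return False
    if rule.schedule is not None and req.hour not in rule.schedule:
        return False
    if rule.applies_to is None:
        return True
    if req.user is None:
        return None
    if not (req.groups & rule.applies_to) or (req.groups & rule.exceptions):
        return False
    return True


def evaluate(rules, req: Request) -> str:
    """Deny rules win over allow rules; a request is allowed only when a
    protocol rule AND a site and content rule both allow it."""
    matched = {"allow": [], "deny": []}
    for rule in rules:
        verdict = rule_matches(rule, req)
        if verdict is None:
            return "deny (authentication required)"
        if verdict:
            matched[rule.action].append(rule)
    if matched["deny"]:
        return "deny (%s)" % matched["deny"][0].name
    kinds = {rule.kind for rule in matched["allow"]}
    if {"protocol", "site"} <= kinds:
        return "allow"
    return "deny (no matching allow rule)"


# The three rules from the walkthrough (constructed to mirror the guide's settings).
WALKTHROUGH_RULES = [
    Rule("Web traffic during Work Hours", "protocol", "allow",
         protocols={"HTTP", "HTTPS"}, schedule=WORK_HOURS),
    Rule("Enterprise allow all destinations", "site", "allow"),
    Rule("Deny MSNBC", "site", "deny", destinations={"www.msnbc.com"},
         applies_to={"Domain Users"}, exceptions={"Trusted Users"}),
]


def walkthrough(user, groups, host, hour=10, protocol="HTTP") -> str:
    """Evaluate one request against the walkthrough rules."""
    return evaluate(WALKTHROUGH_RULES,
                    Request(user, set(groups), protocol, host, hour))


if __name__ == "__main__":
    print(walkthrough("alice", ["Domain Users"], "www.msnbc.com"))
    print(walkthrough("bob", ["Domain Users", "Trusted Users"], "www.msnbc.com"))
```

The model makes the two points a practitioner should check when writing rules of this kind: an allow rule on its own is never sufficient (the protocol rule still has to cover the request, which is why the same user is refused outside Work Hours or over FTP), and a user-scoped rule is only meaningful for clients that can be authenticated, which is what the firewall client adds over SecureNAT.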


You need to make one more change to the ISA Server configuration before you're ready to test these new settings.

4. Highlight your array in the tree, right-click the mouse, and choose Properties.

5. Click on the Outgoing Web Requests tab and check the Ask unauthenticated users for identification box. Click on OK.

6. Now choose Save the changes and restart the service(s) and click on OK.

7. Watch for the services restarting using the Services folder under Monitoring. (You can quickly tell the service has stopped when a red X appears on the server icon.)

8. Back at your internal client, log on as anyone not in the Trusted Users group. Next, you'll need to configure this user's browser to use the ISA Server proxy service. Most likely it won't already be set, because the changes made to the browser during the firewall client setup only affect the user who was logged on at the time.

9. Open Internet Explorer and choose Tools > Internet Options. Click on the Connections tab, then on the LAN Settings button. Check the Use a proxy server box, enter the ISA Server's name or IP address in the Address: box and 8080 in the Port: box. OK your way back through the dialog boxes to save these settings.

10. Now enter the MSNBC URL (http://www.msnbc.com/) in the browser. The system will prompt you for a user name, password and domain name. Enter the credentials of someone not in the Trusted Users group.

11. You should encounter the access denied message shown here.

[Figure: Access denied to firewall client based on user name and/or group]

You can also configure your Web browser to send its requests directly to the ISA Server, known as a Web proxy client configuration. User-level authentication for Web protocols is supported in that configuration. The firewall client must be installed to authenticate users for non-Web protocols or for FTP connections that are not initiated by the browser.

12. Check the Sessions list now, and you'll see the user's name listed, in contrast to the SecureNAT testing earlier, where the user was listed as anonymous.

[Figure: Real-time session monitor showing the client's user name and IP address]

13. Log that user off, and log on as one of the members of your Trusted Users group. Repeat steps 8 through 10 above, and now you'll be allowed to open the MSNBC site.

Using these straightforward, wizard-driven rules, it is easy to manage your users' access to anywhere on an intranet or the Internet.

SECURE WEB AND SERVER PUBLISHING

ISA Server allows you to publish to the Internet without compromising the security of your internal network. You can configure Web publishing and server publishing rules that determine which requests should be sent downstream to a server located behind the ISA Server computer. By impersonating the published server to the external world, ISA Server offers an additional layer of security and improved performance for cached Web content. No additional software is required on the internal published server because ISA Server uses SecureNAT technology for transparent communication.

Server Publishing
For example, an internal Microsoft Exchange Server might send and receive SMTP mail on the Internet. Because SMTP requires port 25 for incoming and outgoing communication, a server publishing rule binds port 25 on the ISA Server computer's external address to the Exchange Server. This way, Exchange Server can listen for incoming sessions even though it sits behind ISA Server. To enable this type of publishing, you create one or more server publishing rules specifying which internal servers are permitted to publish to the Internet. ISA Server listens for requests on behalf of one or more servers and redirects the requests to the appropriate server.

Web Publishing
You can place your Web server behind the ISA Server computer and create Web publishing rules that allow the Web server to be published to the Internet. Incoming requests for the Web server are intercepted by the ISA Server computer, which appears to clients to be the Web server itself. ISA Server fulfills client requests for Web content from its cache and forwards requests to the Web server only when they cannot be served from its cache. Meanwhile, your Web server is in a secure environment and maintains access to other internal network services. The ISA Server computer impersonates the Web site because its IP address is the one associated with the site's DNS name. A Web publishing rule forwards requests for the Web site to the actual Web server on the internal network. In this arrangement ISA Server offloads some Web content processing, offers an additional security layer, provides a central place for SSL key management and allows multiple internal servers to be published behind a single site.


Publishing a Web Server


The following instructions will guide you through the process of publishing a Web server and then accessing it from your external client. Organizations with e-commerce or Web applications can benefit from the performance improvements of this reverse-caching scenario.

1. To use a Web publishing rule, you must first create a new Destination Set. Right-click on the Destination Sets folder at either the array or enterprise level and choose New > Set. Fill in a name and description, and then click on the Add button.

2. In the Add/Edit Destination dialog box, you can manually enter your internal Web server's name or, if you registered this system in the domain, click on Browse to locate it.

3. Click on OK twice to complete this operation.

4. Beneath the Publishing branch of your array in the Scope Pane, click on Web Publishing Rules, then right-click and choose New > Rule.

5. Give the rule a name, and click on Next >.

6. For Destination Sets, choose the newly created Web server's set name from the drop-down list and click on Next >.

7. At the Client Type dialog box leave the default and click on Next >.

8. For Rule Action, choose Redirect the request to this internal Web server (name or IP address):, enter the complete address of your internal Web server and click on Next >. (If you registered the server in the domain, you can click the Browse button to select it as before.)

9. Verify that the settings are correct on the Publishing Wizard completion page, and click on Finish.

10. You should now see two entries under Web Publishing Rules. The one named Last is installed by default; its purpose is to deny any access not explicitly granted by the administrator.

[Figure: Viewing Web publishing rules]


11. Next, you'll modify how ISA Server handles incoming Web requests. In the MMC Scope Pane, right-click on your array and choose Properties. Click on the Incoming Web Requests tab. To provide user authentication, highlight your server in the Identification section of the Incoming Web Requests page, and click on the Edit button.

12. Under the Authentication section, check the Basic with this domain: box. When the unencrypted passwords warning appears, click on Yes. (Basic authentication sends the password in clear text; that is acceptable in this test bed, but on an Internet-facing listener use it only over SSL.) Next, click on the Select domain button, and enter your full domain name (e.g., mydomain.com; you can also use the Browse button to select it). Click on OK twice.

13. To enforce user authentication against the chosen domain, you must check the Ask unauthenticated users for identification box under Connections, and then click on OK.

14. A warning box will appear. Choose Save the changes and restart the service(s), and then click on OK.

15. Monitor the services as you did earlier and wait for the Web proxy service to stop and restart before continuing. (You can quickly tell the service has stopped when a red X appears on the server icon.)


Testing the Published Web Server


1. Go to your external client and enter the test Web server's name for the URL.

2. Because authentication is turned on, you'll be prompted for a user name and password. Enter a name and password from your test domain, and the default IIS page will appear.

3. You might want to create or modify a default.htm file in the IIS root folder. This makes it easy to confirm that your page is coming from the redirected server.

4. Back on the Internet Security and Acceleration Server console you'll see this new session, listing both the user's name and IP address.

[Figure: Session monitor showing authenticated external client connection to the published Web server]


With the Web Publishing feature, ISA Server complements existing Web sites by offering faster Web access performance as well as an additional layer of security for Web servers.

SYSTEM HARDENING

Administrators who need to further secure the ISA Server computer itself can do so using the built-in System Hardening Wizard. This wizard locks down the underlying Windows 2000 operating system by disabling services unrelated to ISA Server.

1. To invoke the System Hardening Wizard, highlight Computers in the Scope Pane, then right-click on your server in the Results Pane and choose Secure. At the Welcome screen, click on Next >.

2. On the Select Security Level page, pick Limited Services and click on Next >.

3. At the Congratulations page, click on Finish. After a brief period of activity, the new security settings will be activated.

4. The System Hardening Wizard uses Windows 2000 security features to apply one of the standard predefined security templates. If you'd like to examine the templates, choose Start > Run, enter mmc /a and press Return.

5. From the MMC Console menu, choose Add/Remove Snap-in.

6. On the next dialog box, click on Add, and then double-click on Security Templates from the available list. Click on Close and then on OK.

7. By comparing some of the security objects in a standard template like basicdc to those in hisecdc (the high-security domain controller policy template), you'll see numerous differences, such as enforcement of password policies.
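To make the comparison in step 7 concrete, here is an added example that is not part of the guide or of Windows: it parses two template fragments in the INF layout the Security Templates snap-in reads and lists every setting the high-security template defines differently or defines at all. The two fragments are constructed to resemble basicdc and hisecdc, not copied from them, and their values are illustrative; the audit-value decoding (0 none, 1 success, 2 failure, 3 both) follows the snap-in's flag convention.

```python
# Added example: diffing two security-template fragments.
# The fragments are constructed to resemble basicdc/hisecdc, not copies of them.
import configparser

BASIC_FRAGMENT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
MaximumPasswordAge = 42
[Event Audit]
AuditLogonEvents = 0
AuditPolicyChange = 0
"""

HISEC_FRAGMENT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 42
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 3
AuditAccountManage = 3
"""

AUDIT_FLAGS = {0: "No auditing", 1: "Success", 2: "Failure", 3: "Success, Failure"}


def parse_template(text: str) -> dict:
    """Return {(section, setting): value} for an INF-style template."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the CamelCase setting names as written
    cp.read_string(text)
    return {(section, key): value.strip()
            for section in cp.sections()
            for key, value in cp.items(section)}


def diff_templates(basic_text: str, hisec_text: str) -> dict:
    """Settings that differ: {(section, key): (basic_value, hisec_value)};
    a None side means that template leaves the setting undefined."""
    basic, hisec = parse_template(basic_text), parse_template(hisec_text)
    result = {}
    for key in sorted(set(basic) | set(hisec)):
        if basic.get(key) != hisec.get(key):
            result[key] = (basic.get(key), hisec.get(key))
    return result


def describe(key, values) -> str:
    """Render one difference, decoding audit flags into words."""
    section, name = key
    before, after = values
    if section == "Event Audit":
        before = AUDIT_FLAGS.get(int(before), before) if before else None
        after = AUDIT_FLAGS.get(int(after), after) if after else None
    return "%s\\%s: %s -> %s" % (section, name,
                                 before or "undefined", after or "undefined")


def hardening_report() -> list:
    return [describe(k, v)
            for k, v in diff_templates(BASIC_FRAGMENT, HISEC_FRAGMENT).items()]


if __name__ == "__main__":
    for line in hardening_report():
        print(line)
```

The "undefined" entries are the point of the exercise: a setting the basic template never mentions is left at whatever the machine currently has, while the high-security template pins it, which is why the wizard's stricter levels change behaviour that the basic level leaves alone.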

[Figures: Basic Domain Controller Audit Policy; High Security Domain Controller Audit Policy; Basic Domain Controller Password Policy; High Security Domain Controller Password Policy]

You'll quickly find that, whereas the standard templates leave many object properties undefined, the higher security templates invoke stricter controls over elements such as logon restrictions, audit policies and file security.

WEB CACHE SERVER

Most Web browsers feature local caching of objects, in which requested Web pages are stored in a computer's local cache. ISA Server takes this concept one step further and maintains a centralized cache of frequently requested Internet objects that can be accessed by all ISA Server clients. HTTP and FTP objects served from ISA Server's RAM or disk cache require significantly less processing than objects served from the Internet. Whether deployed as a reverse or forward cache, ISA Server improves client browser performance, decreases user response time and reduces bandwidth consumption on Internet connections.

Configuring ISA Server Caching


The standard caching settings will work for most installations. But here is how you can examine or change them.

1. Right-click on Cache Configuration and choose Properties. The General tab shows the current size of the cache. Click on the HTTP tab. Here you can enable and disable HTTP caching, adjust how often the cache checks for revised content on the source pages, and set the minimum and maximum age, or percentage of the content's age, required before refreshing the items.

2. Click on the Advanced tab. This page lets you manage the size and types of Web pages cached, as well as determine what happens when an object in the cache has expired. When you are finished reviewing the settings options, click on Cancel.
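The HTTP tab's "percent of content age, no less than, no more than" settings amount to a small piece of arithmetic, shown here as an added example that is not ISA Server code. An object carrying a modification date is kept for a percentage of its age, clamped between the minimum and maximum; an explicit expiration from the origin server is honoured as given unless the administrator chooses to apply the same bounds to it. The defaults used (20 percent, 15 minutes, 1 day), the precedence of Cache-Control: max-age over Expires over Last-Modified, and the response headers are this example's own assumptions and constructed data.

```python
# Added example: cache TTL arithmetic behind the HTTP tab settings.
# Not ISA Server code; defaults and header precedence are assumptions.
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

FIFTEEN_MIN = timedelta(minutes=15)
ONE_DAY = timedelta(days=1)
ZERO = timedelta(0)


def clamp(value, lo, hi):
    return max(lo, min(value, hi))


def explicit_expiry(headers, now):
    """TTL the origin server asked for, or None if it gave no expiration."""
    for directive in headers.get("Cache-Control", "").split(","):
        name, _, value = directive.strip().partition("=")
        if name.lower() == "max-age" and value.isdigit():
            return timedelta(seconds=int(value))
    expires = headers.get("Expires")
    if expires:
        return parsedate_to_datetime(expires) - now
    return None


def cache_ttl(headers, now, pct=20, min_ttl=FIFTEEN_MIN, max_ttl=ONE_DAY,
              bound_explicit=False):
    """How long the cache may serve the object before revalidating it."""
    explicit = explicit_expiry(headers, now)
    if explicit is not None:
        # bound_explicit models "Also apply these TTL boundaries to sources
        # specifying expiration"; note it stretches an already-expired
        # object to min_ttl, i.e. stale content can be served for that long.
        if bound_explicit:
            return clamp(explicit, min_ttl, max_ttl)
        return max(explicit, ZERO)
    last_modified = headers.get("Last-Modified")
    if last_modified is None:
        return min_ttl  # assumption: nothing to base an age on, keep it briefly
    age = now - parsedate_to_datetime(last_modified)
    return clamp(age * (pct / 100), min_ttl, max_ttl)


def ttl_minutes(headers, now, **settings) -> int:
    return int(cache_ttl(headers, now, **settings).total_seconds() // 60)


# Constructed sample: the cache's clock and a set of origin responses.
NOW = datetime(2001, 3, 5, 12, 0, tzinfo=timezone.utc)
SAMPLES = {
    "ten_days_old": {"Last-Modified": "Fri, 23 Feb 2001 12:00:00 GMT"},
    "one_hour_old": {"Last-Modified": "Mon, 05 Mar 2001 11:00:00 GMT"},
    "five_hours_old": {"Last-Modified": "Mon, 05 Mar 2001 07:00:00 GMT"},
    "expires_in_2h": {"Expires": "Mon, 05 Mar 2001 14:00:00 GMT",
                      "Last-Modified": "Fri, 23 Feb 2001 12:00:00 GMT"},
    "already_expired": {"Expires": "Mon, 05 Mar 2001 10:00:00 GMT"},
    "max_age_3d": {"Cache-Control": "public, max-age=259200"},
    "no_dates": {"Content-Type": "text/html"},
}


if __name__ == "__main__":
    for name, headers in SAMPLES.items():
        print(name, ttl_minutes(headers, NOW), "min")
```

The case to watch is "already_expired" with the boundaries applied to explicit expirations: the origin said the object is stale, yet the minimum TTL keeps it for another 15 minutes. That setting trades freshness for bandwidth, and for content such as login pages or price lists it is the wrong trade.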

Scheduled Cache Content Download Service


The scheduled cache content download service of ISA Server enables scheduled content downloads from the Internet directly to the ISA Server cache. A background process downloads the content according to a predefined schedule, ideally at times when the ISA Server computer is not busy handling requests from Web proxy clients. Scheduled downloads update the ISA Server cache with HTTP content that Web proxy clients are likely to request soon. When used wisely, scheduled content downloading saves valuable network bandwidth and improves overall cache performance without affecting throughput. The scheduled cache content download service is a Windows 2000 service; it can be stopped, started or paused like any other Windows 2000 service.


Creating a Cache Download Schedule


By setting up Internet Security and Acceleration Server to prefetch Web pages of heavily accessed sites, administrators can significantly speed up end-user response times while reducing WAN bandwidth usage during peak activity periods. The following steps will take you through the setup process so you can see how easy it is.

1. Right-click on Scheduled Content Download Jobs and choose New > Job. Give the job a name and click on Next >.

2. The start time should normally be set to an off-peak time like the early morning hours to avoid sapping bandwidth. Click on Next >.

3. For the Frequency setting, choose Daily or Weekly on: and pick one or more days. Click on Next >.

4. On the Content page, enter the URL of the site to download. For this example, we'll use the MSNBC U.S. news site. The two check boxes under Download: let you return pages only from the base URL, or follow off-site links and retrieve text objects only. Click on Next >.

5. The Links and Downloaded Objects page, the last set of options, controls how many levels deep you want to follow links from the main URL and the total number of links to be followed; it also lets you override an object's time to live (TTL). Click on Next >.

6. Review the wizard's rule settings and then click on Finish.

7. Your new download schedule appears in the console.

[Figure: Scheduled content download job]

DISTRIBUTED CACHING

One of the most powerful features in ISA Server is its support for distributed caching. The set of support capabilities in ISA Server makes it the ideal way to meet the rigorous demands of large enterprises and ISPs. Distributing the load of cached objects enhances caching performance through load balancing and provides fault tolerance if a host is unavailable. Distributed caching can be implemented with arrays, chains or a combination of both. Distributed caching is significant because it enables caching to take place closer to users. For example, within an enterprise, cache chaining can move beyond a single, central location at the edge of an organization's network and toward the branch office and work-group levels. Within an ISP, caching can move toward a regional ISP point of presence as opposed to one central ISP point of presence. Moving the caching closer to the user reduces network traffic, improves performance and reduces cost. These factors become even more important as organizations and ISPs deploy support for content distribution technologies. ISA Server allows multiple computers running ISA Server to be grouped into an array that shares a cache using the Cache Array Routing Protocol (CARP). This enhances active and passive caching by distributing the load of cached objects.

Cache Array Routing Protocol: a Better Way to Scale


Microsoft developed CARP to be an innovative way for computers running ISA Server in an array or chain to communicate with one another to enable efficient, scalable caching. CARP fixes classic inefficiencies in the caching process to make the ISA Server cache perform efficiently. Unlike competing caching technologies, CARP uses a method of hash-based routing instead of queries to resolve requests for cached Internet objects. Compared with other data access methods this ensures quick access, low maintenance and efficient use of space. Each Internet object is kept in only one computer running ISA Server in an array, so the array acts as a single logical cache. Finally, CARP ensures scalability: As more computers running ISA Server are added to the array, performance improves.


[Figure: Cache array. Client PCs on the secure network, three Microsoft ISA Server computers forming the array, and the Internet.]

A cache array is a group of ISA Server computers behaving like a single, logical entity.
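The hash-based routing the previous section attributes to CARP can be demonstrated in a few lines. The block below is an added example, not ISA Server code: each URL is scored against every array member's name, the member with the highest combined score owns that object, so the array holds one copy per object and no member has to ask the others where it lives. The rotate-and-multiply hash follows the design of the public CARP v1 draft with equal load factors; whether ISA Server's implementation uses exactly these constants is not stated in this guide, and the member names and URL list are constructed for the demonstration.

```python
# Added example: CARP-style hash routing across an array.
# Not ISA Server code; constants follow the CARP v1 draft design (assumption).
MASK = 0xFFFFFFFF


def rotl(x: int, n: int) -> int:
    """32-bit left rotate."""
    return ((x << n) | (x >> (32 - n))) & MASK


def carp_hash(s: str) -> int:
    """Hash a URL or a member name into a 32-bit value."""
    h = 0
    for c in s.encode("utf-8"):
        h = (h + rotl(h, 19) + c) & MASK
    h = (h + h * 0x62531965) & MASK  # final mixing step
    return rotl(h, 21)


def combined_hash(url_hash: int, member_hash: int) -> int:
    """Score one (URL, member) pair; the highest score wins the object."""
    h = (url_hash ^ member_hash) & MASK
    h = (h + h * 0x62531965) & MASK
    return rotl(h, 21)


def route(url: str, members) -> str:
    """Return the array member responsible for caching `url`."""
    uh = carp_hash(url)
    # tie-break on the member name so the choice is deterministic
    return max(members, key=lambda m: (combined_hash(uh, carp_hash(m)), m))


def assign(urls, members) -> dict:
    return {u: route(u, members) for u in urls}


def churn(urls, old_members, new_members):
    """What happens when the array changes: only objects whose winning
    member changed move; every other object stays where it was."""
    before, after = assign(urls, old_members), assign(urls, new_members)
    moved = [u for u in urls if before[u] != after[u]]
    return before, after, moved


# Constructed workload: 1000 distinct URLs on one site, three-member array.
SAMPLE_URLS = ["http://www.example.com/news/%d.html" % i for i in range(1000)]
ARRAY = ["isa1", "isa2", "isa3"]


def demo() -> dict:
    """Add a fourth member and measure how much of the cache is disturbed."""
    before, after, moved = churn(SAMPLE_URLS, ARRAY, ARRAY + ["isa4"])
    return {
        "members_used": len(set(before.values())),
        "moved": len(moved),
        "moved_only_to_new_member": all(after[u] == "isa4" for u in moved),
    }


if __name__ == "__main__":
    print(demo())
```

This is where the scalability claim comes from: because the decision is a pure function of the URL and the membership list, every member (and every downstream client or chained server that knows the list) computes the same answer without a lookup, and adding a server invalidates only the objects that now hash to it rather than reshuffling the whole cache.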

Chained or Hierarchical Caching


Chaining is a hierarchical connection of computers running ISA Server. Requests from clients are sent upstream through the chain until the requested object is found. For example, a client request in a branch office would go to the branch office ISA Server, then on to the regional or corporate headquarters server, before the request is sent to the Internet.

[Figure: Chain-based (or hierarchical) caching. Client PCs in branch offices, each with a Microsoft ISA Server, chained to the corporate HQ Microsoft ISA Server and from there to the Internet.]

Computers running ISA Server can be chained as either individual computers or as arrays. Chaining is also an effective means of distributing server load and providing fault tolerance. Secure sockets layer (SSL) chaining is also supported.

[Figure: Branch office Microsoft ISA Servers and their client PCs chained to a cache array of Microsoft ISA Servers at HQ, which connects to the Internet.]

Chain-based caching working with a cache array

Through distributed caching and hierarchical chaining, ISA Server can scale out to meet the caching needs of the largest enterprises. CARP delivers an efficient array technology to support fast performance, fault tolerance and scalable growth.

ALERTING

The customizable and flexible alerting service of ISA Server helps administrators monitor network attacks and system events and take corrective action. The alert service can trigger a series of actions, such as automatically e-mailing administrators, starting or stopping services, and executing customized scripts and programs. The alert service acts as a dispatcher and as an event filter: it is responsible for catching events, checking whether certain conditions are met and executing the corresponding actions.


1.

1. You can view the full list of events ISA Server tracks by clicking on the Alerts folder under Monitoring Configuration.

2. Double-click on the IP packet dropped alert. You probably noticed that the alert's icon had a red dot on it, indicating it is disabled.

3. On the General page, check the Enable box.

4. Click on the Events tab. To make it easier to see the alert in action, change Number of occurrences before the alert is issued: to one.

5. Click on the Actions tab. Once triggered, an alert can send out e-mail notification, execute any program (such as a paging application), or start and stop a service. Leave the default Report to Windows 2000 event log selected, and click on OK.

6. To test the alert, go to the command line on your external client and issue the command NET USE \\<ISAservername>\<administrativeshare>. (The administrative share is normally C$, C being the installation drive, so the command for our test machine would be NET USE \\ISAEE\C$.) The packet filter on the external interface drops the inbound file-sharing packets, which is the event the alert watches for.

7. Return to the ISA Server and, using the Windows 2000 Event Viewer located under Administrative Tools, look at the Application Log. You will find one or more warnings. Double-click on one, and it should look similar to the event displayed here.
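What the alert service does with those dropped-packet events (count them, compare against the occurrence threshold, run the actions, then hold off on repeats) is shown below as an added example written for this guide, not ISA Server code. The log line layout (date, time, source, destination, protocol, source port, destination port, DROPPED) is a simplified stand-in for the packet filter log and the lines are constructed to reproduce the NET USE test; the sliding window and the re-arm interval between action runs are this example's own parameters.

```python
# Added example: an alert dispatcher over constructed packet-filter log lines.
# Not ISA Server code; the log layout and the window/re-arm settings are assumptions.
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (\S+) (\S+) (\d+) (\d+) DROPPED$")


@dataclass
class Event:
    name: str
    when: datetime
    source: str
    destination: str
    protocol: str
    dest_port: int


@dataclass
class Alert:
    name: str
    event: str
    threshold: int      # "Number of occurrences before the alert is issued"
    window: timedelta   # the occurrences must fall within this span
    rearm: timedelta    # minimum time between two runs of the actions
    actions: list
    enabled: bool = True


def parse_line(line: str):
    """Turn one dropped-packet log line into an Event; None for other lines."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return Event("IP packet dropped", when, m.group(2), m.group(3),
                 m.group(4), int(m.group(6)))


class AlertService:
    """Event filter and dispatcher: counts, thresholds, then runs actions."""

    def __init__(self, alerts):
        self.alerts = alerts
        self.history = defaultdict(list)  # alert name -> recent event times
        self.last_fired = {}
        self.event_log = []               # stands in for the Application Log
        self.outbox = []                  # stands in for e-mail notifications

    def dispatch(self, ev: Event) -> list:
        fired = []
        for alert in self.alerts:
            if not alert.enabled or alert.event != ev.name:
                continue
            recent = self.history[alert.name]
            recent.append(ev.when)
            recent[:] = [t for t in recent if ev.when - t <= alert.window]
            if len(recent) < alert.threshold:
                continue
            last = self.last_fired.get(alert.name)
            if last is not None and ev.when - last < alert.rearm:
                continue                  # condition met, but still re-arming
            self.last_fired[alert.name] = ev.when
            recent.clear()
            for action in alert.actions:
                action(self, alert, ev)
            fired.append(alert.name)
        return fired


def report_to_event_log(svc, alert, ev):
    svc.event_log.append("%s Warning: %s (source %s, port %d)" % (
        ev.when.isoformat(), alert.name, ev.source, ev.dest_port))


def send_mail(svc, alert, ev):
    svc.outbox.append(("isa-admins@example.com", "ISA alert: " + alert.name))


def process(lines, svc: AlertService) -> list:
    """Feed log lines through the service; return the alerts fired, in order."""
    fired = []
    for line in lines:
        ev = parse_line(line)
        if ev is not None:
            fired.extend(svc.dispatch(ev))
    return fired


# Constructed log: the external client's NET USE (SMB on 139/445) dropped three
# times, an unrelated line in another format, then a single later drop.
SAMPLE_LOG = [
    "2001-03-05 12:00:01 192.168.99.7 10.0.0.1 TCP 1032 139 DROPPED",
    "2001-03-05 12:00:01 192.168.99.7 10.0.0.1 TCP 1033 445 DROPPED",
    "2001-03-05 12:00:02 192.168.99.7 10.0.0.1 TCP 1034 139 DROPPED",
    "2001-03-05 12:00:05 10.0.0.55 10.0.0.1 TCP 1100 80 ALLOWED",
    "2001-03-05 12:07:30 192.168.99.7 10.0.0.1 TCP 1035 139 DROPPED",
]


def make_service(threshold: int) -> AlertService:
    return AlertService([Alert("IP packet dropped", "IP packet dropped", threshold,
                               window=timedelta(seconds=10),
                               rearm=timedelta(minutes=5),
                               actions=[report_to_event_log, send_mail])])


if __name__ == "__main__":
    svc = make_service(1)
    print(process(SAMPLE_LOG, svc), svc.event_log)
```

With the threshold set to one, as in step 4, the first dropped packet fires the alert and the next two are absorbed by the re-arm interval; with a threshold of three the alert waits for the third drop inside the window and the isolated drop seven minutes later never reaches it. That re-arm behaviour is what keeps a port scan from generating one e-mail per packet, and the threshold is what keeps a single stray packet from paging anyone.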

With event-driven alerts and customizable responses, ISA Server provides a flexible administration tool that helps organizations maintain a secure firewall and network. Knowing when a firewall is under attack and being able to respond quickly is a key requirement for enterprise security.

REPORTING

ISA Server includes a set of predefined reports to assist administrators in analyzing their security and Internet usage patterns. ISA Server offers basic reports, but because it also includes extensive reporting APIs, third-party reporting vendors can offer value-added tools to complement and extend ISA Server's reporting features.

The reporting mechanism collates the logs from each of the computers running ISA Server in the array into a summary database on each ISA Server. When a report is created, all the summary databases are combined into a single database for the specified report period. That database resides on a specific computer running ISA Server, and the reports can be viewed only on that computer. Report data is saved in daily or monthly summaries, as specified. For example, daily summary data can be saved for 20 days, and reports based on those summaries can be generated daily.

Predefined Reports
ISA Server includes the following predefined reports:


- Summary reports illustrate network traffic usage, sorted by application. The summary reports combine data from the Web proxy service and firewall service logs.
- Web usage reports display top Web users, common responses and browsers. The reports are based on the Web proxy service logs, and show how the Web is being used in a company.
- Application usage reports illustrate Internet application usage in a company, including incoming and outgoing traffic, top users, client applications and destinations. Application usage reports are based on the firewall service logs.
- Traffic and utilization reports illustrate total Internet usage by application, protocol and direction; average traffic and peak simultaneous connections; cache hit ratio; errors; and other statistics. Traffic and utilization reports combine data from the Web proxy and firewall service logs.
- Security reports list attempts to breach network security. The reports are based on the Web proxy service, firewall service and packet filter logs. Security reports can help identify attacks or security violations after they have occurred.


1.

1. The first step in creating your reports is to schedule a job. Under Monitoring Configuration, right-click on Report Jobs and choose New > Report Job.

2. On the General tab, give the report a name and description and then click on the Period tab. All varieties, including customized periods, can be selected. These settings determine how long a time frame each report will contain. Leave it set for Daily and click on the Schedule tab.

3. The Scheduling options let you set how often the report itself is generated. Change the Recurrence pattern to Generate every day and then click on OK.

4. Click on the Credentials tab and enter a valid user ID, password and domain. These are required when running reports against an array, and must reflect a user with appropriate permissions on the servers within the array. Fill in the fields with your administrative account information and then click on OK.

5. To further customize ISA Server's reporting, right-click on Report Jobs, choose Properties and click on the Log Summaries tab. Based on your particular installation and traffic patterns, you might want to adjust the number of retained daily and monthly summaries. For now leave the defaults and click on Cancel.

6. To view the ISA Server reports, go to Monitoring and expand the Reports folder. Although the Start Report Generation option has been set for Immediately, reports do not appear instantly in the subfolders. This is because the database generation process can be resource-intensive and is scheduled to run once a day in the early morning during off-peak hours. For testing purposes, create heavy traffic one day and then check the reports the following day.

7. Once you have some reports to view, double-click on one in the Summary folder and it should look similar to the one illustrated here.

The Summary Report shows the top 25 Web sites your users visited and the most active users, as well as protocol usage, cache hit ratio statistics and more. These reports are most relevant to the network administrator or the person managing or planning a company's Internet connectivity.

8. Now view the Traffic Utilization report. These reports can help you plan and monitor network capacity and determine bandwidth policies.

ISA Server offers the basic reports that allow administrators to understand their security and network usage. With this analysis of extensive log data, administrators can then design and customize their access rules to better meet their organization's requirements.

CONCLUSION

The Internet has changed the way people and organizations communicate and conduct commerce. Organizations of all sizes are transforming their businesses by connecting their networks to the Internet. While this presents great opportunities, it also brings new concerns and risks that organizations must address. ISA Server was designed to meet the needs of Internet-enabled business by providing enterprise-class security, fast Web caching performance and powerful unified management tools built for Windows 2000. ISA Server provides a multilayered firewall with built-in intrusion detection to keep internal networks safe. The Web caching feature provides organizations with fast Internet access for their internal employees as well as high-performance e-commerce through reverse caching. The powerful, policy-based management features integrate with Windows 2000 Server, making security and Web caching easier to manage.

ISA Server provides businesses with secure, fast Internet connectivity built on the powerful management features of Windows 2000. Organizations that want to Internet-enable their networks should consider ISA Server a critical component of their communications infrastructure.

FREQUENTLY ASKED QUESTIONS

General

What is the difference between ISA Server Standard Edition and ISA Server Enterprise Edition?
ISA Server Standard Edition and ISA Server Enterprise Edition have the same feature set, the same firewall capabilities and the same Web cache functionality. ISA Server Standard Edition, however, is a stand-alone server supporting a maximum of four processors. For large-scale deployments, server array support, multilevel policy or computers with more than four processors, you will need ISA Server Enterprise Edition. For more information, please see the Editions Comparison section of this guide.

Is ISA Server 2000 a firewall or a cache server?
ISA Server 2000 can be configured as an integrated firewall and caching solution, or can be deployed as a locked-down firewall or a dedicated cache. Organizations looking for a robust firewall solution can secure their networks with ISA Server dynamic packet filtering, intrusion detection, system hardening and "smart" application filters. Organizations looking for a dedicated cache solution can use ISA Server to enhance a network with advanced caching. For more information about these and other features, see the Features at a Glance section of this guide.

What are the advantages of having a firewall combined with a caching solution?
While organizations can opt to implement the firewall and caching functions separately, ISA Server provides consistent, single-point-of-access policy and management for both outbound and inbound traffic. Thus system and network administrators have a shorter learning curve and fewer products to manage and maintain.


Does implementing the cache functionality compromise the security of ISA Server as a firewall?
No. The cache is basically a smart storage engine that allows the administrator to improve network access performance by storing frequently retrieved objects. The Web cache is built on top of the Web proxy engine, which provides Hypertext Transfer Protocol (HTTP) connectivity, filtering capabilities and security-related tasks such as content screening and Uniform Resource Locator (URL) blocking.

Can I deploy only the firewall functionality?
Yes, you can deploy the firewall as a locked-down security solution. As part of the setup process, you select the ISA Server mode: firewall, cache or integrated. In firewall mode, you can secure network communication by configuring rules that control communication between your corporate network and the Internet. You also can publish internal servers in this mode, securely sharing data on your internal servers with Internet users. In cache mode, you can improve network performance and save bandwidth by storing commonly accessed objects closer to the user. You also can publish internal Web servers in this mode. Integrated mode combines the features of both firewall and cache, ensuring security and enhancing performance. In all modes, you can benefit from ISA Server enterprise policy management, real-time monitoring and reporting features.

How does caching impact bandwidth requirements and information availability?
Caching reduces bandwidth requirements by moving Web content closer to the user. By caching frequently requested content, bandwidth usage can be decreased by as much as 40 percent. Caching can also provide content to users even when the source for the content is offline or unavailable.

When will ISA Server be available?
ISA Server was released to manufacturing in December 2000.

Can I migrate from Proxy Server 2.0 to ISA Server?
Yes, there is an upgrade path for customers running Microsoft Proxy Server version 2.0. The ISA Server robust firewall and caching features support the scenarios that used Proxy Server 2.0. However, ISA Server is a new product based on the security and reliability features of the Microsoft Windows 2000 operating system and has a new architecture designed for enterprise security and caching.

What is reverse caching and does ISA Server support it?
Reverse caching means placing a cache in front of a Web server or e-commerce application. It is called "reverse" because the decision to cache or distribute content from the servers, or to offload processing, is made by the administrators of the Web servers rather than by the clients. ISA Server supports reverse caching, allowing Web managers to cache and distribute content, thereby improving user response time.

Does ISA Server support stateful inspection?
Yes. ISA Server supports three layers of filtering for comprehensive security: packet-level filtering, circuit-level filtering and application-level filtering. Circuit-level filtering, commonly referred to as "stateful inspection," is the process of inspecting packets as they reach the firewall, keeping state information, and allowing or disallowing them to pass based on the access policy. ISA Server adds application filters that enable filtering at a higher communication layer, based on smart inspection of specific application commands. This allows, for example, blocking specific Simple Mail Transfer Protocol (SMTP) commands or filtering remote procedure call (RPC) access based on the requested interfaces.
Firewall

How do I use Routing and Remote Access Service (RRAS) with ISA Server 2000?
In scenarios where specific routing has to be established for ISA Server use, a wizard is included to help configure connectivity between local area networks (LANs) with Point-to-Point Tunneling Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP). For all purely routing-related functions, there is no collision between ISA Server and RRAS features. However, it is preferred and recommended that secure network address translation (SecureNAT) and dynamic packet filtering functionality be configured only through ISA Server and not through RRAS.

What is the difference between RRAS and ISA Server 2000 packet filtering?
ISA Server allows for dynamic packet filtering, where the required ports are opened and closed based on client requests. This makes for a more secure firewall because no more ports are left permanently open than absolutely necessary, based on the services in use on the network.

What protocols does ISA Server support?
ISA Server can pass all protocols based on Transmission Control Protocol (TCP) and User Datagram Protocol (UDP). It includes a long list of predefined protocols (e.g., HTTP, SMTP and POP) and allows users to extend the list easily. More complex protocols, such as those with secondary connections, require either the firewall client software or an application filter. ISA Server includes several built-in application filters for the most important protocols, enabling additional functionality such as splitting live media streams or filtering SMTP e-mail.

Does ISA Server support VPNs?
Yes, ISA Server helps you set up and secure a virtual private network (VPN). Using wizards, ISA Server can configure the built-in VPN services of Windows 2000 Server, helping organizations achieve cost-effective links for remote sites and mobile users. ISA Server supports VPNs in two ways. One is allowing VPN connections to and from the ISA Server computer itself. This is done by enabling the PPTP call and receive filters, which statically open the required ports for outgoing calls (PPTP call) and incoming PPTP requests (PPTP receive) directly to and from the ISA Server. The other way VPN is supported is by allowing VPN calls to be initiated from clients behind the ISA Server to hosts on the Internet or the external network.
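The three filtering layers from the stateful-inspection answer above, together with the dynamic opening and closing of ports described under packet filtering, modelled as a small Python example. This is an added illustration and not ISA Server code: the 10.0.0.x internal range, the permanently published port 25 and the SMTP command allowlist are assumptions made for the example.

```python
"""Toy model of the three filtering layers described in the guide: static
packet-level rules, circuit-level (stateful) inspection with a dynamic state
table, and application-level inspection of SMTP commands.

Constructed illustration; this is not ISA Server code, and the addresses,
port numbers and command allowlist are assumptions made for the example."""
from dataclasses import dataclass

INTERNAL_PREFIX = "10.0.0."  # assumed internal network for the example


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes = b""


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class LayeredFirewall:
    # Application layer: SMTP verbs a published mail server is allowed to receive.
    # VRFY/EXPN and unknown verbs are dropped before they reach the server.
    SMTP_ALLOWED = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}

    def __init__(self, static_inbound_ports=()):
        # Packet layer: ports opened permanently (like the PPTP receive filter
        # or a published server). Everything else inbound needs matching state.
        self.static_inbound_ports = set(static_inbound_ports)
        # Circuit layer: (client, client_port, server, server_port) tuples opened
        # dynamically by outbound traffic and removed again when the flow ends.
        self.state = set()

    def _smtp_verb(self, pkt: Packet) -> str:
        return pkt.payload.split(b" ", 1)[0].strip().upper().decode("ascii", "replace")

    def process(self, pkt: Packet) -> str:
        """Return 'PASS:<reason>' or 'DROP:<reason>' for one packet."""
        if is_internal(pkt.src):
            # Outbound request: open the return path for exactly this 4-tuple.
            self.state.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            stage = "outbound"
        elif (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.state:
            stage = "established"   # reply to something an internal client asked for
        elif pkt.dport in self.static_inbound_ports:
            stage = "static-rule"   # permanently published port
        else:
            return "DROP:no-state-no-rule"
        # Application layer runs only for traffic that passed the lower layers.
        if pkt.dport == 25 and pkt.payload and self._smtp_verb(pkt) not in self.SMTP_ALLOWED:
            return "DROP:smtp-command"
        return "PASS:" + stage

    def close(self, pkt: Packet) -> None:
        """Remove state when a connection ends so the port is not left open."""
        self.state.discard((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        self.state.discard((pkt.dst, pkt.dport, pkt.src, pkt.sport))
```

The return path is keyed on the full 4-tuple, so a reply from the server the client actually contacted passes, while an unsolicited packet aimed at the same client port from another host is dropped; `close` removes the entry so the dynamically opened port does not stay open after the flow ends. The SMTP check shows what "smart inspection of specific application commands" means in practice: the published server only ever sees the verbs on the allowlist.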
Does ISA Server support SOCKS?
ISA Server supports Windows Sockets (SOCKS) 4.3. The software development kit (SDK) includes samples for version 4.3 and 5.0 SOCKS authentication.

What is SecureNAT Client Support?
When an ISA server is present on the packet route path of any client on any platform, ISA Server transparently intercepts the traffic and applies policy to it. SecureNAT applies outbound firewall policies without the need for installing client software or configuring browser settings.

How does ISA Server support encrypted requests?
ISA Server supports encrypted content at several levels. ISA Server can help you set up a secure, encrypted VPN channel to remote networks. The channel then can transport any data in a secure manner. ISA Server can enforce the use of encrypted Web access (i.e., SSL) on incoming Web requests and can serve as an end point of an encrypted SSL session.

Caching and Performance Acceleration

How does ISA Server impact network performance?


The Web Proxy service of ISA Server offers a cache of Web objects that fulfills client requests from the cache. If the request cannot be fulfilled from the cache, a new request is initiated on behalf of the client. Once the remote Web server responds to the ISA Server computer, the ISA Server computer caches the response to the original client request. Then the client receives the response. Fast RAM caching in ISA Server keeps the most frequently accessed items in RAM and optimizes response time by retrieving those items from memory rather than from disk. ISA Server also provides an optimized disk cache store that minimizes disk access on both read and write operations. Together, these techniques optimize response time and overall system performance.

How does ISA Server handle streaming media?
ISA Server includes an application filter to pass and control media streaming. It specifically supports Microsoft Windows Media-based streaming, RealAudio and Apple QuickTime. ISA Server also automatically splits live media streams that use Windows Media Technologies: if multiple users within the same network request the same stream, ISA Server detects this, saving bandwidth and increasing performance.

What is CARP?
In ISA Server Enterprise Edition, the Cache Array Routing Protocol (CARP) is used by ISA Server Web proxy clients and Web caching servers to service requests efficiently: the CARP algorithm sends each request to the server in the array that is most likely to have the cached content. CARP uses a deterministic approach based on smart URL hashing to direct the client request to the array member that contains the Web objects being requested. CARP allows dynamic load balancing and efficient scaling of multiserver arrays, distributing content and increasing the effective cache size without duplicating content, and maximizing cache hits and bandwidth savings.

Does ISA Server utilize Windows 2000 Network Load Balancing services?
Yes, ISA Server takes advantage of Network Load Balancing (NLB) in Windows 2000 Advanced Server for increased scalability, performance and availability.

Does ISA Server support advanced caching techniques like automated content download?
Yes. ISA Server uses Active Caching to proactively refresh popular content even before it has expired. It also includes scheduled content download to preload the cache with entire Web sites on a predefined schedule.
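The Web Proxy cache flow described above (serve from cache, otherwise fetch on the client's behalf and store; a RAM tier in front of the disk store), together with two behaviours mentioned elsewhere in this FAQ (serving content while the origin is offline, and Active Caching refreshing popular objects before they expire), as an added Python example. This is a constructed illustration, not ISA Server code; the origin fetch callable, the tier sizes, the TTL and the injectable clock are assumptions made so the example runs offline.

```python
"""Toy forward Web cache modelling what the guide describes: requests are
answered from cache when possible, otherwise fetched from the origin on the
client's behalf and stored; a small RAM tier keeps the most recently used objects
in front of a larger disk tier; objects expire after a TTL; a stale copy is
served when the origin is unavailable; and popular objects are refreshed
before they expire (the idea behind Active Caching).

Constructed illustration, not ISA Server code. The origin fetch callable,
tier sizes, TTL and clock are assumptions made for the example."""
from collections import OrderedDict
import time
from typing import Callable, Dict, List, Optional, Tuple

Entry = Tuple[bytes, float]  # (body, absolute expiry time)


class OriginDown(Exception):
    """Raised by the fetch callable when the origin server cannot be reached."""


class WebCache:
    def __init__(self, fetch: Callable[[str], bytes], ram_slots: int = 2,
                 ttl: float = 60.0, clock: Callable[[], float] = time.monotonic):
        self.fetch = fetch
        self.ram: "OrderedDict[str, Entry]" = OrderedDict()  # LRU, bounded
        self.disk: Dict[str, Entry] = {}                      # larger tier
        self.hits: Dict[str, int] = {}                        # request counts (popularity)
        self.ram_slots, self.ttl, self.clock = ram_slots, ttl, clock
        self.stats = {"ram_hit": 0, "disk_hit": 0, "miss": 0, "stale": 0}

    def _put_ram(self, url: str, entry: Entry) -> None:
        self.ram[url] = entry
        self.ram.move_to_end(url)
        while len(self.ram) > self.ram_slots:
            self.ram.popitem(last=False)  # evict LRU from RAM; the copy stays on disk

    def _store(self, url: str, body: bytes) -> Entry:
        entry = (body, self.clock() + self.ttl)
        self.disk[url] = entry
        self._put_ram(url, entry)
        return entry

    def _lookup(self, url: str) -> Tuple[Optional[Entry], str]:
        if url in self.ram:
            self.ram.move_to_end(url)
            return self.ram[url], "ram_hit"
        if url in self.disk:
            self._put_ram(url, self.disk[url])  # promote to RAM
            return self.disk[url], "disk_hit"
        return None, "miss"

    def get(self, url: str) -> Tuple[bytes, str]:
        """Return (body, how_served) for a client request."""
        self.hits[url] = self.hits.get(url, 0) + 1
        entry, where = self._lookup(url)
        if entry is not None and entry[1] > self.clock():
            self.stats[where] += 1
            return entry[0], where
        try:
            body = self.fetch(url)  # miss or expired: ask the origin on the client's behalf
        except OriginDown:
            if entry is not None:   # origin offline: a stale copy is better than an error
                self.stats["stale"] += 1
                return entry[0], "stale"
            raise
        self._store(url, body)
        self.stats["miss"] += 1
        return body, "miss"

    def active_refresh(self, min_hits: int = 3, window: float = 10.0) -> List[str]:
        """Re-fetch popular objects whose TTL ends within `window` seconds so the
        next client request is a hit instead of a miss."""
        now = self.clock()
        refreshed = []
        for url, (_, expires) in list(self.disk.items()):
            if self.hits.get(url, 0) >= min_hits and expires - now <= window:
                try:
                    self._store(url, self.fetch(url))
                    refreshed.append(url)
                except OriginDown:
                    pass  # keep the old copy; it can still be served stale
        return refreshed
```

The injectable clock is what makes expiry and refresh testable without waiting; in a real deployment the same two decisions (whether a stale object may be served, and how long before expiry a popular object is refreshed) are the policy knobs that trade freshness against bandwidth.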
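The deterministic URL hashing that the CARP answer above describes, as an added Python example. It uses rendezvous (highest-weight) hashing, which gives the properties the text claims for CARP: every client and array member computes the same answer for a URL, each URL lives on one member, load factors control each member's share, and adding a member remaps only about 1/n of the URLs instead of reshuffling nearly all of them as hash-modulo would. This is an illustration of the technique, not ISA Server's implementation or the CARP specification's exact hash function; the member names, load factors and sample URLs are constructed for the example.

```python
"""Deterministic URL hashing in the spirit of CARP: every Web proxy client and
array member computes the same score for (member, URL) and sends the request to
the top-scoring member, so a URL is cached on one member only and adding a
member remaps only a fraction of URLs.

Constructed illustration using rendezvous (highest-weight) hashing with SHA-256;
not ISA Server's implementation nor the CARP specification's exact hash. Member
names, load factors and URLs are assumptions made for the example."""
import hashlib
import math
from typing import Callable, Dict, Iterable, List


def _unit_hash(member: str, url: str) -> float:
    """Deterministically map (member, URL) to a float strictly inside (0, 1)."""
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    h = int.from_bytes(digest, "big")
    return (h + 1) / (2 ** 256 + 2)


def carp_pick(url: str, members: Dict[str, float]) -> str:
    """members maps array member name -> load factor (relative capacity).
    Returns the member that should serve this URL: the highest weighted score.
    A member's expected share of URLs is proportional to its load factor."""
    best_name, best_score = "", -1.0
    for name, load_factor in members.items():
        score = load_factor / -math.log(_unit_hash(name, url))
        if score > best_score:
            best_name, best_score = name, score
    return best_name


def modulo_pick(url: str, names: List[str]) -> str:
    """Naive alternative for comparison: hash(URL) mod number of members."""
    h = int.from_bytes(hashlib.sha256(url.encode()).digest(), "big")
    return names[h % len(names)]


def fraction_moved(urls: Iterable[str], before: Callable[[str], str],
                   after: Callable[[str], str]) -> float:
    """Fraction of URLs whose home member changes between two array layouts."""
    urls = list(urls)
    moved = sum(1 for u in urls if before(u) != after(u))
    return moved / len(urls)


def share(urls: Iterable[str], members: Dict[str, float]) -> Dict[str, float]:
    """Fraction of URLs each member is chosen for under carp_pick."""
    urls = list(urls)
    counts = {name: 0 for name in members}
    for u in urls:
        counts[carp_pick(u, members)] += 1
    return {name: n / len(urls) for name, n in counts.items()}


# Constructed sample workload for the demonstration.
SAMPLE_URLS = [f"http://www.example.test/docs/page{i}.html" for i in range(2000)]


def demo() -> Dict[str, float]:
    """Add a fourth member to a three-member array and measure how many URLs
    change their home member under CARP-style hashing versus modulo hashing."""
    three = {"isa1": 1.0, "isa2": 1.0, "isa3": 1.0}
    four = dict(three, isa4=1.0)
    return {
        "carp_moved": fraction_moved(SAMPLE_URLS,
                                     lambda u: carp_pick(u, three),
                                     lambda u: carp_pick(u, four)),
        "modulo_moved": fraction_moved(SAMPLE_URLS,
                                       lambda u: modulo_pick(u, list(three)),
                                       lambda u: modulo_pick(u, list(four))),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows roughly a quarter of URLs moving when the fourth member joins under the rendezvous scheme, against roughly three quarters under modulo hashing; that difference is why a deterministic URL hash lets an array grow without discarding most of its cached content.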

Extensibility Features

How can I take advantage of extensibility features of ISA Server?


Security and performance needs vary widely among organizations. To provide you with the fullest range of options, Microsoft works with leaders in network security and management. Third-party vendors offer compatible and complementary products including solutions for site categorization, virus detection, monitoring and remote administration, and content analysis. Visit the Partner Overview section of this guide to get information on third-party solutions. Customers and developers also have the ability to create their own extensions to ISA Server. ISA Server includes a comprehensive software development kit (SDK) for developing tools that build on ISA Server firewall, caching and management features.

Management and Operating System Environment

What client platforms does ISA Server support?


ISA Server supports all client platforms through its SecureNAT transparency feature. The ISA Server firewall client is an optional software component for 32-bit Windows-based clients (Windows 9x, Microsoft Windows NT, and Windows 2000) that adds user-level authentication and support for additional protocols without requiring application filters. The HTTP client is supported with any CERN-compatible browser (such as Microsoft Internet Explorer) and, with the HTTP application filter, any client application that uses HTTP to access the Internet.

Can ISA Server be installed on Windows NT Server version 4.0?
No. ISA Server makes extensive use of the security, reliability and availability features found in Windows 2000.

Is Active Directory required for ISA Server?

The Windows 2000 Server Active Directory service is not a requirement to achieve the security and acceleration advantages of ISA Server Standard Edition. However, customers seeking to create and deploy access policy across the enterprise in a tiered manner, or to create an array for load balancing and fault tolerance, will need to use Active Directory and ISA Server Enterprise Edition. Active Directory offers a single point of administration across the array and the enterprise. It is possible to implement an array with Active Directory and establish trust relations to the existing domains so that change is minimal. In this case, a complete migration to Active Directory would not be required.

FOR MORE INFORMATION

The Microsoft Internet Security and Acceleration Server Web site features the latest news and information about ISA Server, including product information, case studies, white papers, information about related technologies and more. ISA Server is now available for download at http://www.microsoft.com/isaserver/. The support Web site provides developers and customers with technical support. It is located at http://www.microsoft.com/isaserver/support/.asp/. The Microsoft Security Web site delivers the latest news and information from Microsoft about security. It can be found at http://www.microsoft.com/security/. The Windows Networking and Communications Web site features the latest information about the communications support provided by the Windows platform. It is located at http://www.microsoft.com/communications/.