ISA Server Introduction & Installation

Introduction

History Of ISA Server

The history of ISA Server goes back to a product named Proxy Server 1.0. At the time, the m fast and secure Internet access market saw one more player – the Microsoft Corporation. Proxy Server 1.0, however, was merely a means for the effective conduct of initial market research. The market responded favourably to this product being integrated within the existing Windows NT 4.0 enterprise networking systems. The first edition of MS Proxy Server had many limitations. It supported only a few basic Internet protocols and its implemented security tool functions were rather obsolete.

Microsoft’s second try at a Proxy Server 2.0 was a natural evolution with many useful and expected functions. One great application of this tool is to use Windows NT account databases. Therefore, user management within the enterprise has been considerably simplified. Many more protocols are supported, as well as caching services, packet filtering capability and considerably enhanced security performance have also been incorporated. Although it was an improved version, Proxy Server 2.0 still suffered from a limited range of functions compared to third-party products. This is surely not Microsoft’s last word. In the time of Windows NT 4.0 successors, i.e. Windows 2000 and the newest Microsoft Windows Operating System, Windows XP, new possibilities have emerged in the sphere of implementation of the technologies they incorporate. The most common scenario for implementing Microsoft’s method is where ISA server functions as the application gateway to a Web server. ISA Server checks each request at the application level before re-requesting from the protected Web server. Following this method, all authentication and encryption with the Internet client terminates at the ISA Server. This approach is important because ISA Server relieves the Web server from being the point man. ISA Server can fully apply security checks to the request instead of waiting until the request hits the Web server where a malicious request might succeed in harming or exploiting the data and transactions that the Web server exposes. When the application uses an authentication type supported by ISA Server, the client on the Internet must authenticate to the ISA Server before a request ever hits the protected server. This scenario lets you place the actual server out of the DMZ and back into the warm and cozy environs of the internal network where it can more easily interface with other servers to complete transactions. In place of the protected server, ISA Server becomes the sacrificial lamb in the DMZ . If the ISA Server is compromised by an application-level attack, the protected server is still untouched.

ISA Server Architecture For large enterprises, Internet Security and Acceleration (ISA) Server is a complementary technology to classic network firewalls. You can integrate ISA Server into your existing perimeter security infrastructure to address your application gateway filtering needs without the massive "rip and repair" costs associated with changing firewalls. For small to medium organizations, ISA Server can fulfill the total network and application gateway requirement. ISA Server provides features found in classic network firewalls such as packet filtering, stateful inspection, port mapping, and network address translation (NAT) as well as Web content caching. But the product’s focus is on application gateway filtering for publishing servers on the internal network to the Internet and controlling internal user access to the Internet. In fact, Microsoft’s prescriptive guides for enterprise and Internet data centers employs partner products as network firewalls and utilizes ISA Server just for its application gateway capability.

Microsoft built ISA Server to provide secure access to certain "published" resources on the internal network while blocking access to everything else. Microsoft’s philosophy for publishing a resource (a Web server, for example) securely is to put an application gateway between the Internet and the server that, serving as a reverse-proxy, poses as the published server, accepts the request and inspects it, and then makes an equivalent request to the protected server. Packets from the outside never touch the protected server.

New Concepts Created By ISA Server ISA Server carries new terms that need to be understood before attempting product deployment on the network.

· Array – a group of ISA computers that are located close together, for example a department, office, and region. There are two types of arrays:

v Domain Arrays – that use Active Directory. A domain array can encompass computers located within a single domain.

v Independent Arrays – allow storage of information not in the Active Directory, but in a local configuration database. This array is mainly used in NT 4.0 based networks.

· Rule – with rules, the system administrator can set up a series of protocols to govern sites, contents, protocols, and IP packet filters.

· Array policy – a set of rules that define the array policy. Such a policy can be applied to any specific (and single) array.

· Enterprise policy – enterprise-level policies contain similar rules to those established in array policies but they are applied to multiple arrays.

With ISA Server, array policies can be used to modify enterprise policies making them more restrictive. However, it is not possible for an array policy to ease restrictions imposed by the enterprise policy.

ISA Server Components ISA Server supports many more functions than its predecessor. The following options are available with this new product:

· Firewall – the Firewall client is an extension to the ISA Server that features an enhanced set of functions allowing it to compete with other similar products available on the IT market. With Firewall client, Active Directory can be supported from Windows 2000 (or the SAM databases from NT). These are used to provide specific security functions at user or group level. This feature is not supported by a majority of third-party products that use either separate user databases or IP addressing. Firewall functions are enhanced to support so called stateful packet inspection, i.e. a solution for improved security where data packets passing through the firewall are intercepted and analyzed at either a protocol or connectivity level.

· Policy-based administration – ISA Server lets the administrators manage using predefined policy rules. Policies can include a set of consistent rules regarding users, groups of users, protocols etc. A specific policy may apply to a single array or globally, to the whole enterprise. For businesses that use networks with Active Directory enhancements, multi-tiered enterprise policies are those that match their needs to have a comprehensive IT system, to facilitate management of the entire enterprise and its infrastructure.

· Virtual Private Network Support – ISA Server provides an easy solution to create VPN – based networks. The wizards supplied with ISA Server help to configure VPN tunneling and may activate the RRAS service if not already initialized.

· Dynamic IP filtering – depending on the security policy used, an enterprise can dynamically open firewall ports for authorized Internet users on a session-by-session basis. This considerably simplifies the administrator’s duties in situations where there are applications that frequently change ports though they communicate with each other.

· IDS (Intrusion Detection System) – Microsoft has equipped the ISA Server with an Intrusion Detection System. This module had been purchased from Internet Security Systems, the leading developer in these IT solutions. Thus, ISA offers out-of-box support for preventing several types of attacks including WinNuke, Ping of Death, Land, UDP bombs, POP Buffer Overflow, Scan Attack. Once an attack has been detected and identified, ISA may decide either to disable the attack or notify administrators about the event.

· Web Cache – ISA Server provides fast Web caching performance. Administrators are allowed to automatically refresh frequently requested www pages on reverse and scheduled caching basis.

· Reports – the major point of contrast between ISA and its predecessor i.e. Proxy Server 2.0 is that ISA features numerous report generating possibilities. By scheduling report generation connected. for example, with the users’ actions or security related events, managing ISA Server based networks is a simple task.

· Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls or H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). The DNS SRV record must be registered in order to have gatekeeper enabled.

· Client Deployment – with SecureNAT (Network Address Translation) feature, ISA Server delivers to clients and servers a transparent and secure access to the Internet with no need to configure extra software on client machines. SecureNAT allows monitoring of all traffic in ISA Server.

Therefore, instead of being a simple product improvement, Microsoft Internet Security and Acceleration Server fills a gap in the range of this type of products available at the Redmond colossus and is trying to jump aggressively into the mass market sector associated with Web security and fast Web access. The new potential implemented in ISA Server is expected to allow Microsoft to compete effectively in this business area.

It should be noted that Microsoft’s engineers carefully integrate all products together to bring the Company’s vision of a .NET platform to businesses.

Capacity planning for forward caching server applications If you want to use ISA Server in Integrated Mode (see Installation), these values will be further augmented. Therefore, the performance of any computer intended to operate as an ISA server will be completely utilized.

Installation

Before we get started on the actual installation of ISA Server, there are some things you should do beforehand though:

1. Ensure that Windows 2000 Server is installed on your ISA Server machine, including the most recent Service Pack. Service Pack 1 is required to be installed, at a minimum, before installing ISA Server.

2. Configure the server that will be hosting the ISA Server installation. You should start with Jim Harrison’s wonderful article Configuring ISA Server Interface Settings, which will walk you through the setup of your ISA Server machine’s network adapters.

3. Figure out what your internal network will encompass, both presently and in the future in regards to IP address. Write these down if it’s a complicated picture—you will need this information again later.

4. If your internal network contains more than one range of IP addresses (say 192.168.x.y and 10.x.y.z, for example), then you need to create the routing table on the server that is to be the ISA Server via the command shell route command. If you only have one address range, Windows will do this for you. Be sure to view the routing table before installing ISA Server to make sure it’s correct…this can prevent problems later.

1. Main Setup Screen.

clip_image003

2. Before the system attempts to update the schema you will be warned that

this action is not reversible.

clip_image005

3. When modifying the schema, it is necessary to determine what the intended

extent of modifications to the existing policies integrated in AD would be.

In case of problems with the modification of Active Directory, one should

consult the Ldif.log file.

clip_image007

4. ISA Server installation options

clip_image009

5. After this step, the set-up wizard checks whether Active Directory has

already been installed or not and if any settings have been modified.

Next, you will be prompted to determine if the server should be a part of a

domain or be used as a standalone unit. In the next step, select the mode

of operation from the following three options:

· Firewall – with this option, ISA Server will function as a very powerful firewall,

· Web Cache – will establish the ISA Server as a cache server and give access to

‘Net resources’

· Integrated Mode – when in integrated mode, all ISA Server implemented

initialize features.

6. Selecting the functional mode.

clip_image011

7. Specifying the NTFS partition.

clip_image013

8. These are tables that define all internal IP address ranges.

clip_image015

9. Setup completed successfully.

clip_image017

Microsoft ISA Server Administrator utility and Getting Started Wizard

clip_image019

Getting started Wizard

Because ISA Server is completely different from Proxy Server 2.0, Microsoft

recommends that even experienced administrators become acquainted

with the Wizard that will help in the initial steps of product configuration

and customization.

The Wizard is split into two sections.

· Configuring policies,

· Configuring arrays.

  1. View Of ISA server management

clip_image021

2. Creating Protocol Rules

Administering an ISA Server means creation of suitable arrays, rules and policies.

Arrays and policies have already been explained so let us examine the term “rules”.

ISA Server uses two types of rules:

· Site and content rule – determines if and when content from specific Internet

destinations can be accessed by users,

· Protocol rule – determines which packets may or may not access the ISA server.

clip_image023

Apart from the rules, the following rules can also be defined for ISA server:

clip_image025

· Bandwidth (Capacity) rule – this will prioritise different types of services using ISA server. This allows administrators to verify which specific www traffic or business-related traffic will be allocated to the available bandwidth.

· Web publishing rules– to “publish” incoming HTTP, HTTPS, FTP requests and map them as services on the ISA Server.

· Server publishing – with this feature, clients from the public Internet are directed to the ISA Server instead of to the web server. Moreover, the ISA Server may act as the proxy for inbound and outbound traffic between the public Internet clients and the internal web server.

Protocol Configurations

1. Specify how you want protocol to respond to client’s request.

clip_image027

2. Select the protocol to which the rule applies.

clip_image029

3. Now select the schedule for applying this rule.

clip_image031

4. Now you can specify the client type by username, group name or IP addresses.

clip_image033

5. Now completing the new protocol wizard

clip_image035

6. Now specifying the bandwidth.

clip_image037

7. Setting priority for the new bandwidth.

clip_image039

8. Now showing the bandwidth description.

clip_image041

9. Create client address sets.

clip_image043

10. Client Set.

clip_image045

11. Showing the sessions of the users.

clip_image047

Be Sociable, Share!

Leave a Reply