Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2
Microsoft® Internet Security and Acceleration (ISA) Server is an integrated firewall and
Internet caching server. Deploying ISA Server saves network bandwidth by providing
faster Web access for users. ISA Server secures your network, allowing you to implement
your business security policy by configuring a broad set of rules that specify which sites,
protocols, and content can be passed through the firewall.
In This Chapter
Overview of ISA Server
Related Information
• For more information about creating a virtual private network (VPN), see
"Deploying Dial-up and VPN Remote Access Servers" in this book.
Overview of ISA Server
ISA Server offers a complete Internet connectivity deployment solution as a firewall and
a Web caching server.
Important
• ISA Server (the successor to Proxy Server 2.0) is a separate product from the
Microsoft® Windows® Server 2003 operating system. You must install ISA
Server Service Pack (SP1) for ISA Server immediately after installing ISA Server
for it to be interoperable with Windows Server 2003.
ISA Server monitors requests and responses between the Internet and internal client
computers; ISA Server also controls which computers on the Internet the internal clients
can access.
• ISA is a complete firewall product that provides packet filtering, stateful packet
inspection, and application-level awareness for many common protocols, such as
Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS). You
can create access policies based on user-level information, IP addresses, or Web
content.
• Secure publishing.
You can use ISA Server as a reverse cache server to define a secure publishing
policy. This protects internal publishing servers and makes them safely accessible
to Internet clients.
• ISA Server can cache Web content, potentially reducing your external
bandwidth requirements.
You can configure the cache to contain content that your organization uses
frequently or that your Internet clients access.
• You can program the COM interface in ISA Server using high-level programming
languages or scripting languages. Developers can implement application and Web
filters to extend the core firewall functionality. You can use the ISA Server
management interface to develop additional administration tools and management
scripts.
ISA Server can act as a firewall, a Web caching server, or both in your network.
Figure 5.2 shows the process for determining the role of your ISA server.
• In cache mode, you can improve network performance and save bandwidth by
storing frequently accessed content closer to the user. You can also route requests
from internal users to the appropriate Web server and publish Web servers in
cache mode.
• In integrated mode, all cache and firewall features are available. You can
configure a policy to meet both cache performance and security requirements.
Use Table 5.1 to determine which mode of ISA Server installation is most appropriate in
your network.
Goal | Mode
Secure your connection to the Internet, connect remote offices, or implement secure extranets. | Firewall
Increase performance of your Internet connection. | Cache
Secure your connection to the Internet and increase the performance of your Internet connection. | Integrated
Before you can make ISA Server interoperable with other network services and
computers, you need to evaluate possible implementation and integration issues within
your configuration, as shown in Figure 5.6.
Before deploying ISA Server, estimate your Internet connectivity requirements. Use the
following sections as guidelines for planning the size and type of your servers, and
whether to deploy them as an array. Figure 5.8 shows the process for designing for high
availability.
ISA Server secures your connection to the Internet or to remote sites and extranets.
Security decisions for implementing ISA Server are discussed in the following sections.
Figure 5.11 shows the process for securing the design.
After determining the roles you want for ISA Server and completing your ISA Server
design, you will implement your ISA Server solution. Figure 5.15 shows when to
implement your ISA Server solution.
1. Ensure that you are running either Windows 2000 Server or the Windows
Server 2003 family. If necessary, upgrade the operating system before continuing
with the deployment.
2. Ensure that the latest service pack is installed. If necessary, install the service
pack before proceeding with the deployment.
3. Ensure that the network adapters are installed and working correctly; make sure
you have a valid connection to the Internet.
o You can choose to connect your network to the Internet through either a
persistent connection (T1, T3, xDSL, or cable modem) or a dial-up
connection. If you choose a direct connection, you need to set up a
network adapter that connects the ISA Server–based computer to the
Internet.
o When you set TCP/IP properties for the external network adapter, consult
with your ISP for the correct settings. Specifically, you need the IP
address, subnet mask, default gateway, and IP addresses for the DNS
servers to use in DNS name searches. In some cases, your ISP might be
using Dynamic Host Configuration Protocol (DHCP) or bootstrap protocol
(BOOTP) for dynamic assignment of client addresses.
o Typically, ISA Server has only one IP default gateway. You should
configure the IP address of the default gateway on the external — not
internal — network adapter. Leave the Default Gateway setting for the
internal network adapter blank.
o When setting TCP/IP properties for any internal network adapter, you
should enter a permanently reserved IP address for the ISA Server–based
computer and an appropriate subnet mask for your internal network.
Addressing that is assigned by DHCP should not be used for the internal
network adapter, because DHCP might reset the default gateway you
selected for the ISA Server–based computer. The external network adapter
can be DHCP-enabled, including the default gateway and DNS settings, or
these settings can be statically defined.
4. If you are installing ISA Server Enterprise Edition, you need to initialize the
enterprise. You can run the Enterprise Initialization Tool in ISA Server startup.
o If this is the first time you are installing ISA Server as an array member,
you should run the ISA Server Enterprise Initialization Tool.
Important
o In order to install the ISA Server schema to Active Directory, you must be
a member of both the Enterprise Administrators and Schema
Administrators groups.
o Installation options.
o Array selection.
If you previously initialized the enterprise, you can select which array to
join. If you did not initialize the enterprise, then ISA Server is installed as
a stand-alone server.
o Mode.
You can install ISA Server in firewall mode, integrated mode, or cache
mode.
o Cache configuration.
o LAT configuration.
6. Before building your LAT, ensure that you enter all subnets correctly.
o A LAT that is configured correctly ensures that ISA Server can determine
which network adapter to use, in order to access different portions of your
internal network. If the LAT is not configured correctly, a client request
for an internal IP address might be incorrectly routed to the Internet or
redirected through the firewall service.
7. After installation, ISA Server effectively blocks all communication between your
internal network and the Internet. No communication can occur until you
configure an access policy with the protocol, site, and content rules specifically
allowing access. Similarly, you must configure publishing rules if you want to
allow Internet clients access to computers on your internal network.
If you installed ISA Server as an array member, then an enterprise policy might
be applied to the array. In this case, ISA Server might allow communication if the
enterprise policy is configured appropriately.
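The LAT check from step 6, as an added example that is not part of the original guide or of ISA Server itself: it compares the LAT with the list of internal subnets you intended to enter and reports subnets that are missing or only partly covered, plus LAT entries that fall outside every documented subnet. It assumes the LAT has been written down as (start, end) address pairs; the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# Constructed sample data (not from the guide): documented internal subnets and
# a LAT recorded as (start, end) address pairs, with two entry mistakes.
INTERNAL_SUBNETS = ["192.168.10.0/24", "192.168.20.0/24", "10.1.0.0/16"]
LAT_RANGES = [
    ("192.168.10.0", "192.168.10.255"),
    ("192.168.2.0", "192.168.2.255"),   # typo: meant 192.168.20.x
    ("10.1.0.0", "10.1.127.255"),       # covers only half of 10.1.0.0/16
]

def lat_networks(ranges):
    """Convert LAT (start, end) ranges into a sorted, collapsed list of CIDR networks."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)))
    return list(ipaddress.collapse_addresses(nets))

def audit_lat(ranges, internal_subnets):
    """Compare the LAT with the documented subnets; return (kind, network) findings."""
    lat = lat_networks(ranges)
    internal = [ipaddress.ip_network(s) for s in internal_subnets]
    findings = []
    for net in internal:
        # Covered only if the whole subnet sits inside one collapsed LAT network.
        if any(net.subnet_of(entry) for entry in lat):
            continue
        partial = any(net.overlaps(entry) for entry in lat)
        findings.append(("PARTIAL" if partial else "MISSING", str(net)))
    merged = list(ipaddress.collapse_addresses(internal))
    for entry in lat:
        # A LAT entry outside every documented subnet is a typo or an over-broad range.
        if not any(entry.subnet_of(net) for net in merged):
            findings.append(("EXTRA", str(entry)))
    return findings

if __name__ == "__main__":
    for kind, net in audit_lat(LAT_RANGES, INTERNAL_SUBNETS):
        print(f"{kind:8} {net}")
```

MISSING and PARTIAL findings correspond to the misrouting case described in step 6; EXTRA findings are addresses the LAT treats as internal although they are not in your documented subnet list.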
These resources contain additional information and tools related to this chapter.
Related Information
• "Deploying Dial-up and VPN Remote Access Servers" in this book for more
information about creating a virtual private network (VPN).
• The Migrating from Proxy Server 2.0 link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about migrating from Proxy Server 2.0 to ISA Server.
• The Internet Engineering Task Force link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about RFC documents and Internet Engineering Task Force (IETF) Internet-
Drafts.
• The Hardware Compatibility List (HCL) link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about hardware compatibility.