
Deploying ISA Server

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

Microsoft® Internet Security and Acceleration (ISA) Server is an integrated firewall and
Internet caching server. Deploying ISA Server saves network bandwidth by providing
faster Web access for users. ISA Server secures your network, allowing you to implement
your business security policy by configuring a broad set of rules that specify which sites,
protocols, and content can be passed through the firewall.

In This Chapter
Overview of ISA Server

Determining the Role of ISA Server

Evaluating Interoperability Issues

Designing for High Availability

Securing the Design

Implementing Your ISA Server Solution

Additional Resources for Deploying ISA Server

Related Information
• For more information about creating a virtual private network (VPN), see
"Deploying Dial-up and VPN Remote Access Servers" in this book.

Overview of ISA Server

ISA Server offers a complete Internet connectivity deployment solution as a firewall and
a Web caching server.

Important

• ISA Server (the successor to Proxy Server 2.0) is a separate product from the
Microsoft® Windows® Server 2003 operating system. You must install ISA
Server Service Pack (SP1) for ISA Server immediately after installing ISA Server
for it to be interoperable with Windows Server 2003.

ISA Server monitors requests and responses between the Internet and internal client
computers; ISA Server also controls which computers on the Internet the internal clients
can access.

ISA Server offers many security and caching options, including:

• Enhanced security with multilayer firewall and integrated intrusion
detection.

ISA is a complete firewall product that provides packet filtering, stateful packet
inspection and application-level awareness for many common protocols, such as
Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS). You
can create access policies based on user-level information, IP addresses, or Web
content.

• Secure publishing.

You can use ISA Server as a reverse cache server to define a secure publishing
policy. This protects internal publishing servers and makes them safely accessible
to Internet clients.

• ISA Server can cache Web content, potentially reducing your external
bandwidth requirements.

You can configure the cache to contain content that your organization uses
frequently or that your Internet clients access.

• ISA Server is extensible.

You can program the COM interface in ISA Server using high-level programming
languages or scripting languages. Developers can implement application and web
filters to extend the core firewall functionality. You can use the ISA Server
management interface to develop additional administration tools and management
scripts.

Determining the Role of ISA Server

ISA Server can act as a firewall, a Web caching server, or both in your network.
Figure 5.2 shows the process for determining the role of your ISA server.

Figure 5.2 Determining the Role of ISA Server

You can install ISA Server in firewall, cache, or integrated mode.


• In firewall mode, you can secure network communication by configuring rules
and access policies that control communication between your internal network
and the Internet. You can also publish internal servers.

• In cache mode, you can improve network performance and save bandwidth by
storing frequently accessed content closer to the user. You can also route requests
from internal users to the appropriate Web server and publish Web servers in
cache mode.

• In integrated mode, all cache and firewall features are available. You can
configure a policy to meet both cache performance and security requirements.

Use Table 5.1 to determine which mode of ISA Server installation is most appropriate in
your network.

Table 5.1 Determining the ISA Server Installation Mode

Goal                                                          Mode
Secure your connection to the Internet, connect remote
offices, or implement secure extranets.                       Firewall
Increase performance of your Internet connection.             Cache
Secure your connection to the Internet and increase the
performance of your Internet connection.                      Integrated

Evaluating Interoperability Issues

Before you can make ISA Server interoperable with other network services and
computers, you need to evaluate possible implementation and integration issues within
your configuration, as shown in Figure 5.6.

Figure 5.6 Evaluating Interoperability Issues


Designing for High Availability

Before deploying ISA Server, estimate your Internet connectivity requirements. Use the
following sections as guidelines for planning the size and type of your servers, and
whether to deploy them as an array. Figure 5.8 shows the process for designing for high
availability.

Figure 5.8 Designing for High Availability


Securing the Design

ISA Server secures your connection to the Internet or to remote sites and extranets.
Security decisions for implementing ISA Server are discussed in the following sections.
Figure 5.11 shows the process for securing the design.

Figure 5.11 Securing the Design


Implementing Your ISA Server Solution

After determining the roles you want for ISA Server and completing your ISA Server
design, you will implement your ISA Server solution. Figure 5.15 shows when to
implement your ISA Server solution.

Figure 5.15 Implementing Your ISA Server Solution


Figure 5.16 shows the process for implementing the ISA Server solution in your network.

Figure 5.16 Details of Implementing Your ISA Server Solution


Use the following steps to deploy ISA Server in your network:

1. Ensure that you are running either Windows 2000 Server or the Windows
Server 2003 family. If necessary, upgrade the operating system before continuing
with the deployment.

2. Ensure that the latest service pack is installed. If necessary, install the service
pack before proceeding with the deployment.

3. Ensure that the network adapters are installed and working correctly; make sure
you have a valid connection to the Internet.

o You can choose to connect your network to the Internet through either a
persistent connection (T1, T3, xDSL, or cable modem) or a dial-up
connection. If you choose a direct connection, you need to set up a
network adapter that connects the ISA Server–based computer to the
Internet.

o When you set TCP/IP properties for the external network adapter, consult
with your ISP for the correct settings. Specifically, you need the IP
address, subnet mask, default gateway, and IP addresses for the DNS
servers to use in DNS name searches. In some cases, your ISP might be
using Dynamic Host Configuration Protocol (DHCP) or bootstrap protocol
(BOOTP) for dynamic assignment of client addresses.

o Typically, ISA Server has only one IP default gateway. You should
configure the IP address of the default gateway on the external — not
internal — network adapter. Leave the Default Gateway setting for the
internal network adapter blank.

o When setting TCP/IP properties for any internal network adapter, you
should enter a permanently reserved IP address for the ISA Server–based
computer and an appropriate subnet mask for your internal network.
Addressing that is assigned by DHCP should not be used for the internal
network adapter, because DHCP might reset the default gateway you
selected for the ISA Server–based computer. The external network adapter
can be DHCP-enabled, including the default gateway and DNS settings, or
these settings can be statically defined.

4. If you are installing ISA Server Enterprise Edition, you need to initialize the
enterprise. You can run the Enterprise Initialization Tool in ISA Server startup.

o If this is the first time you are installing ISA Server as an array member,
you should run the ISA Server Enterprise Initialization Tool.

o If you are installing a stand-alone server, or if you have previously
installed ISA Server in your enterprise as an array member, you do not
need to run the Enterprise Initialization Tool, and you can select Install
ISA Server.

Important

o In order to install the ISA Server schema to Active Directory, you must be
a member of both the Enterprise Administrators and Schema
Administrators groups.

5. Install ISA Server. Setup asks for the following information:

o Installation options.

You can select a Typical installation, Full installation, or Custom
installation.

o Array selection.

If you previously initialized the enterprise, you can select which array to
join. If you did not initialize the enterprise, then ISA Server is installed as
a stand-alone server.

o Mode.

You can install ISA Server in firewall mode, integrated mode, or cache
mode.

o Cache configuration.

If you install ISA Server in integrated or cache mode, you need to
configure which cache drives to use and the size of the cache.

o LAT configuration.

If you install ISA Server in integrated or firewall mode, you need to
configure the address ranges to include in the LAT.

6. Before building your LAT, ensure that you enter all subnets correctly.

o The LAT is automatically constructed from the Windows Server 2003
routing table. If the computer is connected to a routed internal network
and you are unsure of the routing topology of your network or how to add
static routes, you can manually construct the LAT to contain the range(s)
of IP addresses that your internal clients use.

o Because a default gateway cannot be set on the internal interface of the
ISA Server–based computer, you need to create static routes for your
internal network at a later time to achieve full connectivity. You can do
this using the route command from the command prompt.

o A LAT that is configured correctly ensures that ISA Server can determine
which network adapter to use, in order to access different portions of your
internal network. If the LAT is not configured correctly, a client request
for an internal IP address might be incorrectly routed to the Internet or
redirected through the firewall service.

7. After installation, ISA Server effectively blocks all communication between your
internal network and the Internet. No communication can occur until you
configure an access policy with the protocol, site, and content rules specifically
allowing access. Similarly, you must configure publishing rules if you want to
allow Internet clients access to computers on your internal network.

If you installed ISA Server as an array member, then an enterprise policy might
be applied to the array. In this case, ISA Server might allow communication if the
enterprise policy is configured appropriately.

8. Install the latest service pack for ISA Server.
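
The LAT check in step 6 can be done on paper before Setup asks for the address ranges. The following is an added example, not part of the original chapter and not an ISA Server tool or API: it compares a planned LAT with the internal subnets and the external adapter's subnet and reports the mistakes that step 6 warns about. The function names and all addresses are constructed for illustration, and it assumes LAT entries are written as first/last address pairs.

```python
import ipaddress

def lat_networks(lat_ranges):
    """Convert LAT (first, last) address pairs into collapsed CIDR networks."""
    nets = []
    for first, last in lat_ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))

def audit_lat(lat_ranges, internal_subnets, external_subnet):
    """Return (kind, network) findings; an empty list means the LAT matches the plan."""
    lat = lat_networks(lat_ranges)
    planned = [ipaddress.ip_network(s) for s in internal_subnets]
    merged = list(ipaddress.collapse_addresses(planned))
    external = ipaddress.ip_network(external_subnet)
    findings = []
    # An internal subnet that the LAT does not fully cover is treated as
    # external, so requests for its hosts can be sent toward the Internet.
    for subnet in planned:
        if not any(subnet.subnet_of(n) for n in lat):
            findings.append(("missing-from-lat", str(subnet)))
    for net in lat:
        if net.overlaps(external):
            # The external adapter's subnet must never be listed as internal.
            findings.append(("overlaps-external", str(net)))
        elif not any(net.subnet_of(s) for s in merged):
            # A LAT range that is not part of the planned internal network.
            findings.append(("not-internal", str(net)))
    return findings

# Constructed sample plan: two routed internal subnets and one external subnet
# (203.0.113.0/29 is from a documentation-only address block).
PLANNED_INTERNAL = ["10.1.0.0/16", "10.2.0.0/16"]
EXTERNAL_SUBNET = "203.0.113.0/29"
# Constructed faulty LAT: the routed subnet 10.2.0.0/16 was forgotten and the
# external adapter's range was added by mistake.
FAULTY_LAT = [("10.1.0.0", "10.1.255.255"), ("203.0.113.0", "203.0.113.7")]

if __name__ == "__main__":
    for kind, net in audit_lat(FAULTY_LAT, PLANNED_INTERNAL, EXTERNAL_SUBNET):
        print(kind, net)
```

Each "missing-from-lat" subnet on a routed internal network also needs the static route described in step 6, because the internal adapter has no default gateway.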


Additional Resources for Deploying ISA Server

These resources contain additional information and tools related to this chapter.

Related Information
• "Deploying Dial-up and VPN Remote Access Servers" in this book for more
information about creating a virtual private network (VPN).

• The Migrating from Proxy Server 2.0 link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about migrating from Proxy Server 2.0 to ISA Server.

• The Internet Engineering Task Force link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about RFC documents and Internet Engineering Task Force (IETF) Internet-
Drafts.

• The ISA Server link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about extending ISA Server.

• The Hardware Compatibility List (HCL) link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information
about hardware compatibility.
