ISA Server

Introduction &
Installation
Introduction
History Of ISA Server The history of ISA Server goes back to a product named Proxy
Server 1.0. At the time, the m fast and secure Internet access market saw one more player -
the Microsoft Corporation. Proxy Server 1.0, however, was merely a means for the effective
conduct of initial market research. The market responded favourably to this product being
integrated within the existing Windows NT 4.0 enterprise networking systems. The first edition
of MS Proxy Server had many limitations. It supported only a few basic Internet protocols and
its implemented security tool functions were rather obsolete.

Microsoft’s second try at a Proxy Server 2.0 was a natural evolution with many useful and
expected functions. One great application of this tool is to use Windows NT account databases.
Therefore, user management within the enterprise has been considerably simplified. Many
more protocols are supported, as well as caching services, packet filtering capability and
considerably enhanced security performance have also been incorporated. Although it was an
improved version, Proxy Server 2.0 still suffered from a limited range of functions compared
to third-party products. This is surely not Microsoft’s last word. In the time of Windows NT 4.0
successors, i.e. Windows 2000 and the newest Microsoft Windows Operating System, Windows
XP, new possibilities have emerged in the sphere of implementation of the technologies they
incorporate. The most common scenario for implementing Microsoft's method is where ISA
server functions as the application gateway to a Web server. ISA Server checks each request
at the application level before re-requesting from the protected Web server. Following this
method, all authentication and encryption with the Internet client terminates at the ISA
Server. This approach is important because ISA Server relieves the Web server from being the
point man. ISA Server can fully apply security checks to the request instead of waiting until
the request hits the Web server where a malicious request might succeed in harming or
exploiting the data and transactions that the Web server exposes. When the application uses
an authentication type supported by ISA Server, the client on the Internet must authenticate
to the ISA Server before a request ever hits the protected server. This scenario lets you place
the actual server out of the DMZ and back into the warm and cozy environs of the internal
network where it can more easily interface with other servers to complete transactions. In
place of the protected server, ISA Server becomes the sacrificial lamb in the DMZ . If the ISA
Server is compromised by an application-level attack, the protected server is still untouched.

ISA Server Architecture For large enterprises, Internet Security and Acceleration (ISA)
Server is a complementary technology to classic network firewalls. You can integrate ISA
Server into your existing perimeter security infrastructure to address your application gateway
filtering needs without the massive "rip and repair" costs associated with changing firewalls.
For small to medium organizations, ISA Server can fulfill the total network and application
gateway requirement. ISA Server provides features found in classic network firewalls such as
packet filtering, stateful inspection, port mapping, and network address translation (NAT) as
well as Web content caching. But the product's focus is on application gateway filtering for
publishing servers on the internal network to the Internet and controlling internal user access
to the Internet. In fact, Microsoft's prescriptive guides for enterprise and Internet data centers
employs partner products as network firewalls and utilizes ISA Server just for its application
gateway capability.

Microsoft built ISA Server to provide secure access to certain "published" resources on the
internal network while blocking access to everything else. Microsoft's philosophy for publishing
a resource (a Web server, for example) securely is to put an application gateway between the
Internet and the server that, serving as a reverse-proxy, poses as the published server,
accepts the request and inspects it, and then makes an equivalent request to the protected
server. Packets from the outside never touch the protected server.
New Concepts Created By ISA Server ISA Server carries new terms that need to be
understood before attempting product deployment on the network.

 Array – a group of ISA computers that are located close together, for example a
department, office, and region. There are two types of arrays:

 Domain Arrays – that use Active Directory. A domain array can encompass
computers located within a single domain.
 Independent Arrays – allow storage of information not in the Active
Directory, but in a local configuration database. This array is mainly used in
NT 4.0 based networks.

 Rule – with rules, the system administrator can set up a series of protocols to govern
sites, contents, protocols, and IP packet filters.

 Array policy – a set of rules that define the array policy. Such a policy can be applied
to any specific (and single) array.
 Enterprise policy – enterprise-level policies contain similar rules to those established
in array policies but they are applied to multiple arrays.

With ISA Server, array policies can be used to modify enterprise policies making them more
restrictive. However, it is not possible for an array policy to ease restrictions imposed by the
enterprise policy.

ISA Server Components ISA Server supports many more functions than its predecessor.
The following options are available with this new product:
 Firewall – the Firewall client is an extension to the ISA Server that features an
enhanced set of functions allowing it to compete with other similar products available
on the IT market. With Firewall client, Active Directory can be supported from
Windows 2000 (or the SAM databases from NT). These are used to provide specific
security functions at user or group level. This feature is not supported by a majority of
third-party products that use either separate user databases or IP addressing. Firewall
functions are enhanced to support so called stateful packet inspection, i.e. a solution
for improved security where data packets passing through the firewall are intercepted
and analyzed at either a protocol or connectivity level.
 Policy-based administration – ISA Server lets the administrators manage using
predefined policy rules. Policies can include a set of consistent rules regarding users,
groups of users, protocols etc. A specific policy may apply to a single array or globally,
to the whole enterprise. For businesses that use networks with Active Directory
enhancements, multi-tiered enterprise policies are those that match their needs to
have a comprehensive IT system, to facilitate management of the entire enterprise
and its infrastructure.
 Virtual Private Network Support – ISA Server provides an easy solution to create
VPN – based networks. The wizards supplied with ISA Server help to configure VPN
tunneling and may activate the RRAS service if not already initialized.
 Dynamic IP filtering – depending on the security policy used, an enterprise can
dynamically open firewall ports for authorized Internet users on a session-by-session
basis. This considerably simplifies the administrator’s duties in situations where there
are applications that frequently change ports though they communicate with each
other.
 IDS (Intrusion Detection System) – Microsoft has equipped the ISA Server with an
Intrusion Detection System. This module had been purchased from Internet Security
Systems, the leading developer in these IT solutions. Thus, ISA offers out-of-box
support for preventing several types of attacks including WinNuke, Ping of Death,
Land, UDP bombs, POP Buffer Overflow, Scan Attack. Once an attack has been
 detected and identified, ISA may decide either to disable the attack or notify
administrators about the event.
 Web Cache – ISA Server provides fast Web caching performance. Administrators are
allowed to automatically refresh frequently requested www pages on reverse and
scheduled caching basis.
 Reports – the major point of contrast between ISA and its predecessor i.e. Proxy
Server 2.0 is that ISA features numerous report generating possibilities. By scheduling
report generation connected. for example, with the users’ actions or security related
events, managing ISA Server based networks is a simple task.
 Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls
or H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). The DNS
SRV record must be registered in order to have gatekeeper enabled.
 Client Deployment – with SecureNAT (Network Address Translation) feature, ISA
Server delivers to clients and servers a transparent and secure access to the Internet
with no need to configure extra software on client machines. SecureNAT allows
monitoring of all traffic in ISA Server.

Therefore, instead of being a simple product improvement, Microsoft Internet Security

and Acceleration Server fills a gap in the range of this type of products available at the
Redmond colossus and is trying to jump aggressively into the mass market sector
associated with Web security and fast Web access. The new potential implemented in
ISA Server is expected to allow Microsoft to compete effectively in this business area.

It should be noted that Microsoft’s engineers carefully integrate all products together
to bring the Company’s vision of a .NET platform to businesses.

Software And Hardware Requirements The minimum hardware requirements

recommended by Microsoft for this product are:

 300MHz or higher Pentium II compatible CPU,

 256 MB of RAM,
 2 GB hard-disk space on NTFS formatted partition,
 200 MB of available hard-disk space for installation.

ISA Server requires a computer running Windows 2000 upgraded to Service Pack 1 or greater.

Problems with insufficient server capacity may occur with this type of configuration. Thus, for
various ISA Server usage scenarios, the hardware should be adequately strengthened.

If ISA Server is to be used as a firewall, one will need to consider how powerful the CPU
should be in terms of throughput requirements.

Throughput requirements Recommended CPU

Less than 25 Byte/s Pentium II 300 MHz – 500 MHz
From 25 Byte/s to 50 Byte/s Pentium III 550 MHz or better
More than 50 Byte/s Pentium III 550 MHz or better for each 50Mb

CPU capacity requirements vs. throughput Obviously these values can only be used
as a reference when planning the ISA Server’s hardware to meet the expected load. This may
vary in function or various usage scenarios (such as the type of transmitted data).

In case ISA Server is to be deployed as a Forward Cache, in addition to an adequate CPU

capacity consider also requirements for RAM and high free disk space available for caching
purposes.
Number of Minimal RAM Recommended disk space
Recommended processor
users capacity (Mb) allocated for caching
Up to 250 Pentium II 300 MHz 256 4 GB
250 – 2000 Pentium III 550 MHZ 256 10 GB
More than Pentium III 550 MHz for 256 for every
10 GB for every 2,000 users
2000 every 2,000 users 2000 users

Capacity planning for forward caching server applications If you want to use ISA Server
in Integrated Mode (see Installation), these values will be further augmented. Therefore, the
performance of any computer intended to operate as an ISA server will be completely utilized.

Installation
Before we get started on the actual installation of ISA Server, there are some things you
should do beforehand though:

1. Ensure that Windows 2000 Server is installed on your ISA Server machine, including
the most recent Service Pack. Service Pack 1 is required to be installed, at a
minimum, before installing ISA Server.
2. Configure the server that will be hosting the ISA Server installation. You should start
with Jim Harrison’s wonderful article Configuring ISA Server Interface Settings, which
will walk you through the setup of your ISA Server machine’s network adapters.
3. Figure out what your internal network will encompass, both presently and in the future
in regards to IP address. Write these down if it’s a complicated picture—you will need
this information again later.
4. If your internal network contains more than one range of IP addresses (say
192.168.x.y and 10.x.y.z, for example), then you need to create the routing table on
the server that is to be the ISA Server via the command shell route command. If you
only have one address range, Windows will do this for you. Be sure to view the routing
table before installing ISA Server to make sure it’s correct…this can prevent problems
later.
1. Main Setup Screen.

2. Before the system attempts to update the schema you will be warned that this
action is not reversible.

3. When modifying the schema, it is necessary to determine what the intended

extent of modifications to the existing policies integrated in AD would be. In
case of problems with the modification of Active Directory, one should consult
the Ldif.log file.
 4. ISA Server installation options

5. After this step, the set-up wizard checks whether Active Directory has already
been installed or not and if any settings have been modified. Next, you will be
prompted to determine if the server should be a part of a domain or be used as a
standalone unit. In the next step, select the mode of operation from the following
three options:

 Firewall – with this option, ISA Server will function as a very powerful
firewall,
 Web Cache – will establish the ISA Server as a cache server and give
access to ‘Net resources’
 Integrated Mode – when in integrated mode, all ISA Server implemented
initialize features.

6. Selecting the functional mode.

7. Specifying the NTFS partition.

8. These are tables that define all internal IP address ranges.

9. Setup completed successfully.
 Microsoft ISA Server Administrator utility and Getting Started
Wizard

Getting started Wizard

Because ISA Server is completely different from Proxy Server 2.0, Microsoft
recommends that even experienced administrators become acquainted with the
Wizard that will help in the initial steps of product configuration and customization.

The Wizard is split into two sections.

 Configuring policies,
 Configuring arrays.
1. View Of ISA server management

2. Creating Protocol Rules

Administering an ISA Server means creation of suitable arrays, rules and policies.
Arrays and policies have already been explained so let us examine the term “rules”.

ISA Server uses two types of rules:

 Site and content rule – determines if and when content from specific Internet
destinations can be accessed by users,
 Protocol rule – determines which packets may or may not access the ISA server.
Apart from the rules, the following rules can also be defined for ISA server:

 Bandwidth (Capacity) rule – this will prioritise different types of services using
ISA server. This allows administrators to verify which specific www traffic or
business-related traffic will be allocated to the available bandwidth.
 Web publishing rules– to “publish” incoming HTTP, HTTPS, FTP requests and
map them as services on the ISA Server.
 Server publishing – with this feature, clients from the public Internet are
directed to the ISA Server instead of to the web server. Moreover, the ISA Server
may act as the proxy for inbound and outbound traffic between the public Internet
clients and the internal web server.
Protocol Configurations

1. Specify how you want protocol to respond to client’s request.

2. Select the protocol to which the rule applies.

3. Now select the schedule for applying this rule.

4. Now you can specify the client type by username, group name or IP addresses.

5. Now completing the new protocol wizard

6. Now specifying the bandwidth.

7. Setting priority for the new bandwidth.

8. Now showing the bandwidth description.

9. Create client address sets.

10. Client Set.

11. Showing the sessions of the users.