Understanding Microsoft Internet Security and Acceleration Server (ISA) Planning and Optimization

    February 2, 2004

Planning decisions are critical for a successful firewall implementation. Missing some of the most important points when designing a firewall implementation can jeopardize our information integrity and the overall network security.

A number of issues have to be addressed when we are responsible for designing and implementing or overseeing the installation of a firewall. Vendors offer different products for specific environments. Firewalls vary in their manageability, level of protection and features. And costs have to be adapted to the corporate financial situation.

On the other hand, from the technical point of view several evaluations have to be made. The amount of traffic that our network is exposed to might increase in a short-term period. If one server becomes unavailable, other servers must perform the firewall protection functions or our network will be exposed. Fault-tolerance, scalability and ease of administration are very important technical considerations. Finally, it is important to evaluate firewalls not only in terms of what they cost now, but the continuing costs such as technical support and version upgrades.

Microsoft ISA Server Firewall Design

Microsoft ISA Server can implement server “arrays”. An array is a computer running Microsoft ISA Server, that shares a collection of most recent web pages and requests made by internet clients (the cache). The ISA Server cache can be distributed and shared by multiple computers in arrays or chain of arrays. This helps internet clients obtain content from the ISA Server cache closest to them, and retrieve web pages faster.

Caching and hits requirements are very important technical considerations. ISA Server can be deployed as a caching server, which keeps a cache of frequently requested objects and pages accessed by clients. In this scenario, it is very important to consider the amount of internal web clients the server is going to support.

When planning for hits requirements, for example you might want to place an ISA Server computer between the corporate network and a Human Resources intranet application. The more hits that web application has, the more powerful hardware will be needed.

Memory is dependent of the size of the content you are caching. All content should fit in memory with additional 256 MB of room for server operations. For every additional 150 hits add an additional server according to the content being published.

Microsoft Internet Secuirity and Acceleration Server Features

ISA Server offers several security and firewall features. Access policies based on user information or IP addresses can be applied throughout the network. Unauthorized access or malicious content and web sites can be deployed centrally to prevent branch administrators to change the corporation firewall rules or information security policies. ISA Server includes several security options:

IP Packet Filters and Publishing Rules. Site and content publishing rules can be defined to control how and which internal clients access internet. Protocol rules and filters can be applied to manage inbound and outbound communication.

Application Specific Filters. Session information can be accessed to analyze specific application rules and filters. Application level protocols and packets can be examined to provide an extra layer of security. Virus checking filters are commonly used.

Intrusion Detection. This feature helps identify when and who is trying to attack your network. Alerts and actions can be configured to inform a security office in case of an attack.

VPN Support. ISA Server can be used to encapsulate private data over a public network. A VPN Server is often used to provide internal applications access over the internet, or to securely communicate with branch offices (Bank Scenario).

Sorry But…Extend The Schema

ISA Server modifies the Windows 2000 schema, if we want to set up an array chain. An extension to Active Directory must be installed in the ISA Server domain. Before performing this action, it is recommended to analyze how this might impact your network and directory services replication. You can also install ISA Server as a stand-alone server where all the configuration is saved to the registry.

In order to expand the schema of Active Directory, you must be an Administrator in the local computer. You must also be a member of the Enterprise Admins and Schema Admins group. This process copies the ISA Server schema information to Active Directory. And it is irreversible.

To import Microsoft ISA Server schema into Active Directory:

1. Click Start, and then Click Run. The Run… dialog box appears.

2. In the Run… dialog box, type driveISAi386msisaent. Where drive is the Microsoft ISA Server CD Drive.

3. You can run msisaent -q to expand the schema without having to click or answer any prompts.

Warning: This process is irreversible because Active Directory does not support deletion deletion of classes.

Using an array chain has several advantages. You can use “array policies” to create security rules to apply to a specific group of servers. “Enterprise Policies” go to higher level rules that can be applied to any array chain. In a bank scenario, this allows Security Officers to define corporate wide security policies and branch administrators to further restrict access (by not changing the corporate restrictions).

Selecting the Features

During the setup process, you can select between different modes: firewall, cache and integrated. Depending on the mode selected different features are available.

Selecting between different installation modes:

1. Click Start, and then Click Run. The Run… dialog box appears.

2. In the Run… dialog box, type driveISASetup.exe. Where drive is the Microsoft ISA Server CD Drive.

3. Follow the on-screen instructions and select the installation Mode.

ISA Server Services are always installed to perform firewall functions. You can also install different components including ISA Server Management and ISA Server Extensions. If you are going to use remote administration, you can install ISA Management tools to manage one or more arrays of servers. Terminal server can also be used to manage a remote stand alone server. ISA Server Extensions are default application filters provided by Microsoft. A Message Screener is provided to filter and secure e-mail communications and a H.323 Gatekeeper service protocol filter to manage audio-visual applications and allow conferencing applications.

Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist. His experience includes engaging, managing and implementing large consulting projects for government agencies and companies like Microsoft, Nissan as well as other Fortune 500’s. Leonard can be reached at Leonardo.loro@enresource.com.