Microsoft ISA Server, Part I – introduction, installation, configuration, Web caching and Internet access

by Sebastian Serwin [Published on 18 July 2002 / Last Updated on 18 July 2002]

Microsoft is trying to present itself as not only the worldwide leading manufacturer of operating systems but also as a top provider of comprehensive IT solutions for business. With its Microsoft Internet Security & Acceleration Server, the Redmond software giant is approaching this goal. This is Part I of a series of articles on ISA Server: its origin, complexity, benefits and shortcomings.

What happened before ISA Server?

The history of ISA Server goes back to a product named Proxy Server 1.0. At the time, the fast and secure Internet access market saw one more player: the Microsoft Corporation. Proxy Server 1.0, however, was merely a means for the effective conduct of initial market research. The market responded favourably to this product being integrated within the existing Windows NT 4.0 enterprise networking systems. The first edition of MS Proxy Server had many limitations. It supported only a few basic Internet protocols and its implemented security tool functions were rather obsolete.

Microsoft’s second try, Proxy Server 2.0, was a natural evolution with many useful and expected functions. One great application of this tool is its use of Windows NT account databases, which considerably simplifies user management within the enterprise. Many more protocols are supported, and caching services, packet filtering capability and considerably enhanced security performance have also been incorporated. Although it was an improved version, Proxy Server 2.0 still suffered from a limited range of functions compared to third-party products.

This is surely not Microsoft’s last word. In the time of Windows NT 4.0 successors, i.e. Windows 2000 and the newest Microsoft Windows Operating System, Windows XP, new possibilities have emerged in the sphere of implementation of the technologies they incorporate.
 

New concepts created by ISA Server

ISA Server carries new terms that need to be understood before attempting product deployment on the network.

  • Array – a group of ISA computers that are located close together, for example in a department, office or region. There are two types of arrays:

      Domain Arrays – use Active Directory. A domain array can encompass computers located within a single domain.
      Independent Arrays – allow storage of information not in the Active Directory, but in a local configuration database. This array is mainly used in NT 4.0 based networks.

  • Rule – with rules, the system administrator can govern access to sites, content, protocols and IP packet filters.

  • Array policy – a set of rules that define the array policy. Such a policy can be applied to any specific (and single) array.

  • Enterprise policy – enterprise-level policies contain similar rules to those established in array policies but they are applied to multiple arrays.

With ISA Server, array policies can be used to modify enterprise policies making them more restrictive. However, it is not possible for an array policy to ease restrictions imposed by the enterprise policy.
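The restriction-only relationship between the two tiers can be shown with a simplified model. This is an added example, not ISA Server's own rule engine or API; the `Rule` fields, the function names and the sample policies are all assumptions made for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    action: str    # "allow" or "deny"
    protocol: str  # protocol name, or "*" for any
    group: str     # user group, or "*" for any

    def matches(self, protocol, group):
        return self.protocol in ("*", protocol) and self.group in ("*", group)


def permits(rules, protocol, group):
    """Single-policy decision: a matching deny wins, no matching allow means refuse."""
    matched = [r for r in rules if r.matches(protocol, group)]
    if any(r.action == "deny" for r in matched):
        return False
    return any(r.action == "allow" for r in matched)


def effective(enterprise, array, protocol, group):
    """Two-tier decision: the array policy can remove access, never add it."""
    if not permits(enterprise, protocol, group):
        return False
    return not any(r.action == "deny" and r.matches(protocol, group) for r in array)


def easing_rules(enterprise, array, requests):
    """Array 'allow' rules that match a request the enterprise policy refuses."""
    return [r for r in array if r.action == "allow" and any(
        r.matches(p, g) and not permits(enterprise, p, g) for p, g in requests)]


# Constructed sample policies and request universe (hypothetical names).
ENTERPRISE = [Rule("allow", "HTTP", "*"), Rule("allow", "FTP", "admins"),
              Rule("deny", "*", "guests")]
ARRAY = [Rule("deny", "FTP", "*"), Rule("allow", "SMTP", "staff")]
REQUESTS = [(p, g) for p in ("HTTP", "FTP", "SMTP")
            for g in ("admins", "staff", "guests")]

if __name__ == "__main__":
    for p, g in REQUESTS:
        print(p, g, permits(ENTERPRISE, p, g), effective(ENTERPRISE, ARRAY, p, g))
    print("array rules that cannot take effect:",
          easing_rules(ENTERPRISE, ARRAY, REQUESTS))
```

Because `effective` only ever narrows what `permits` grants at enterprise level, every request the combined policy allows is also allowed by the enterprise policy alone.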
 

ISA Server Components

ISA Server supports many more functions than its predecessor. The following options are available with this new product:

  • Firewall – the Firewall client is an extension to the ISA Server that features an enhanced set of functions allowing it to compete with other similar products available on the IT market. With the Firewall client, ISA Server can use Active Directory from Windows 2000 (or the SAM databases from NT) to provide specific security functions at user or group level. This feature is not supported by a majority of third-party products, which use either separate user databases or IP addressing. Firewall functions are enhanced to support so-called stateful packet inspection, i.e. a solution for improved security where data packets passing through the firewall are intercepted and analyzed at either a protocol or connectivity level.
  • Policy-based administration – ISA Server lets administrators manage the server using predefined policy rules. Policies can include a set of consistent rules regarding users, groups of users, protocols etc. A specific policy may apply to a single array or globally, to the whole enterprise. For businesses that use networks with Active Directory enhancements, multi-tiered enterprise policies match the need for a comprehensive IT system and facilitate management of the entire enterprise and its infrastructure.
  • Virtual Private Network Support – ISA Server provides an easy solution to create VPN-based networks. The wizards supplied with ISA Server help to configure VPN tunneling and may activate the RRAS service if not already initialized.
  • Dynamic IP filtering – depending on the security policy used, an enterprise can dynamically open firewall ports for authorized Internet users on a session-by-session basis. This considerably simplifies the administrator’s duties in situations where there are applications that frequently change ports though they communicate with each other.
  • IDS (Intrusion Detection System) – Microsoft has equipped the ISA Server with an Intrusion Detection System. This module had been purchased from Internet Security Systems, the leading developer in these IT solutions. Thus, ISA offers out-of-box support for preventing several types of attacks including WinNuke, Ping of Death, Land, UDP bombs, POP Buffer Overflow, Scan Attack. Once an attack has been detected and identified, ISA may decide either to disable the attack or notify administrators about the event.
  • Web Cache – ISA Server provides fast Web caching performance. Administrators are allowed to automatically refresh frequently requested www pages on reverse and scheduled caching basis.
  • Reports – the major point of contrast between ISA and its predecessor, i.e. Proxy Server 2.0, is that ISA features numerous report generating possibilities. Scheduled report generation connected, for example, with users’ actions or security-related events makes managing ISA Server based networks a simple task.
  • Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls or H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). The DNS SRV record must be registered in order to have gatekeeper enabled.
  • Client Deployment – with SecureNAT (Network Address Translation) feature, ISA Server delivers to clients and servers a transparent and secure access to the Internet with no need to configure extra software on client machines. SecureNAT allows monitoring of all traffic in ISA Server.

Therefore, instead of being a simple product improvement, Microsoft Internet Security and Acceleration Server fills a gap in the range of this type of products available at the Redmond colossus and is trying to jump aggressively into the mass market sector associated with Web security and fast Web access. The new potential implemented in ISA Server is expected to allow Microsoft to compete effectively in this business area.

It should be noted that Microsoft’s engineers carefully integrate all products together to bring the Company’s vision of a .NET platform to businesses.
 

Software and hardware requirements

The minimum hardware requirements recommended by Microsoft for this product are:

  • 300MHz or higher Pentium II compatible CPU,
  • 256 MB of RAM,
  • 2 GB hard-disk space on NTFS formatted partition,
  • 200 MB of available hard-disk space for installation.

ISA Server requires a computer running Windows 2000 upgraded to Service Pack 1 or greater.

Problems with insufficient server capacity may occur with this type of configuration. Thus, for various ISA Server usage scenarios, the hardware should be adequately strengthened.

If ISA Server is to be used as a firewall, one will need to consider how powerful the CPU should be in terms of throughput requirements.

| Throughput requirements | Recommended CPU |
|---|---|
| Less than 25 Mbyte/s | Pentium II 300 MHz – 500 MHz |
| From 25 Mbyte/s to 50 Mbyte/s | Pentium III 550 MHz or better |
| More than 50 Mbyte/s | Pentium III 550 MHz or better for each 50Mb |

Table 1 CPU capacity requirements vs. throughput

Obviously these values can only be used as a reference when planning the ISA Server’s hardware to meet the expected load. They may vary depending on the usage scenario (such as the type of transmitted data).

If ISA Server is to be deployed as a Forward Cache, then in addition to adequate CPU capacity also consider the requirements for RAM and for free disk space available for caching purposes.

| Number of users | Recommended processor | Minimal RAM capacity (Mb) | Recommended disk space allocated for caching |
|---|---|---|---|
| Up to 250 | Pentium II 300 MHz | 256 | 4 GB |
| 250 – 2000 | Pentium III 550 MHz | 256 | 10 GB |
| More than 2000 | Pentium III 550 MHz for every 2,000 users | 256 for every 2000 users | 10 GB for every 2,000 users |

Table 2 – Capacity planning for forward caching server applications

If you want to use ISA Server in Integrated Mode (see Installation), these values will be further augmented. Therefore, the performance of any computer intended to operate as an ISA server will be completely utilised.
 

Installing ISA Server

A Windows 2000 Server with a full implementation of Active Directory is the minimum on which it is possible to install Microsoft ISA Server. Before installing ISA Server, one must configure Active Directory (adding required classes and selecting object properties).


Fig. 1: ISA Server setup screen with selected AD schema modification option

Before the system attempts to update the schema you will be warned that this action is not reversible.


Fig. 2: Active Directory’s modification-related warning

When modifying the schema, it is necessary to determine what the intended extent of modifications to the existing policies integrated in AD would be. In case of problems with the modification of Active Directory, one should consult the Ldif.log file.

 
Fig. 3: Modifying Active Directory

Once the Active Directory has been updated, you can attempt to install ISA Server. In the first step, you will be requested to supply the information about the installation mode (Typical, Full, Custom).

 
Fig. 4: ISA Server installation options

After this step, the set-up wizard checks whether Active Directory has already been installed or not and if any settings have been modified. Next, you will be prompted to determine if the server should be a part of a domain or be used as a standalone unit. In the next step, select the mode of operation from the following three options:

  • Firewall – with this option, ISA Server will function as a very powerful firewall,

  • Web Cache – will establish the ISA Server as a cache server and give access to ‘Net resources’,

  • Integrated Mode – when in integrated mode, all ISA Server implemented and initialized features will be available.


Fig. 5: Selecting the functional mode

Once the required mode has been selected, the next dialog box stops the Internet Information Services (if any are already installed) and prompts you to either uninstall IIS or reconfigure it not to listen on ports 80 and 8080, which are required for ISA Server. Although the two can operate on the same machine, Microsoft recommends relocating the IIS Server to another machine.

In the next step, you will be prompted to specify the cache size for the Web Cache service.


Fig. 6: Configuring the cache size for WWW caching

If it is a multiple-disk server, one may benefit by distributing caches onto a few disks. This would accelerate the process of accessing cacheable information.

Having configured appropriate cache sizes for WWW Web services one may attempt to configure LAT (Local Address Table).


Fig. 7:  LAT setup utility

LAT (Local Address Table) – these are tables that define all internal IP address ranges. If one selects this Table (Fig. 7), either the private IP address ranges as defined in RFC 1918 (10.X.X.X, 172.16.X.X, 192.168.X.X) or the external Windows 2000 routing tables will be used.


Fig. 8:  A default LAT

Once this step is successful, you will get a screen with the end of LAT configuration. Remember to ensure that all network cards are connected to the Internet while installing ISA Server. Should any network card be inactive, LAT tables will probably not be created.
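Because the LAT decides which addresses ISA Server treats as internal, it is worth reviewing any entry that falls outside private address space. The following added example (not part of ISA Server or of the original article) expands LAT ranges into networks and flags entries outside the RFC 1918 blocks 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16. The first/last pair representation, the function names and the sample table are assumptions.

```python
import ipaddress

# RFC 1918 private address space in CIDR form.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lat(ranges):
    """Convert (first, last) address pairs into a list of CIDR networks."""
    nets = []
    for first, last in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return nets


def is_internal(addr, lat):
    """True if the address falls inside any LAT entry (treated as internal)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in lat)


def audit_lat(lat):
    """Return LAT networks that are not wholly inside RFC 1918 space."""
    return [str(net) for net in lat
            if not any(net.subnet_of(private) for private in RFC1918)]


# Constructed sample: two private ranges plus the subnet of an external
# interface (203.0.113.0/24 is a documentation range) picked up by mistake,
# for instance from a routing table entry.
SAMPLE_LAT = parse_lat([
    ("10.0.0.0", "10.255.255.255"),
    ("192.168.1.0", "192.168.1.255"),
    ("203.0.113.0", "203.0.113.255"),
])

if __name__ == "__main__":
    print("LAT entries to review:", audit_lat(SAMPLE_LAT))
    for host in ("10.1.2.3", "203.0.113.10", "198.51.100.7"):
        state = "internal" if is_internal(host, SAMPLE_LAT) else "external"
        print(host, state)
```

With the sample table, the host 203.0.113.10 is classified as internal even though it sits on a public subnet, which is the condition the audit reports.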


Fig. 9: Completing the LAT setup procedures

After completing the setup procedures, you can attempt to replicate the content of all files to the ISA Server directory. After installation, the ISA Server Administration utility will start.


Fig. 10: Microsoft ISA Server Administrator utility and Getting Started Wizard

To manage this utility, use the Microsoft Management Console (MMC) feature. The left dialog box contains all options that are necessary for setup whilst the right box provides the settings available for such options.
 

Getting Started Wizard

Because ISA Server is completely different from Proxy Server 2.0, Microsoft recommends that even experienced administrators become acquainted with the Wizard that will help in the initial steps of product configuration and customization.

The Getting Started Wizard works with a set of options that will aid users through the process of customizing the product and will also clarify the effects of specific modifications when introduced to the ISA Server.

The Wizard is split into two sections (see Fig. 10):

  • Configuring policies,
  • Configuring arrays.

After you have finished the initial configuration of ISA Server with help from the Getting Started Wizard, you can fully adapt the product to the working environment by finally re-adjusting certain settings.
 

Creating protocol rules

Administering an ISA Server means creation of suitable arrays, rules and policies. Arrays and policies have already been explained so let us examine the term “rules”.

ISA Server uses two types of rules:

  • Site and content rule – determines if and when content from specific Internet destinations can be accessed by users,
  • Protocol rule – determines which packets may or may not access the ISA server.

Apart from the above rules, the following rules can also be defined for ISA server:

  • Bandwidth (Capacity) rule – this will prioritise different types of services using ISA server. This allows administrators to verify which specific www traffic or business-related traffic will be allocated to the available bandwidth.
  • Web publishing rules – to “publish” incoming HTTP, HTTPS, FTP requests and map them as services on the ISA Server.
  • Server publishing – with this feature, clients from the public Internet are directed to the ISA Server instead of to the web server.  Moreover, the ISA Server may act as the proxy for inbound and outbound traffic between the public Internet clients and the internal web server.

Web Cache functions

ISA Server features high-performance Web Cache functions. The Cache Configuration tab guides the user through configuring the Web caching service. In addition to a variety of settings, it is possible to set the size of the cache per hard disk and to configure the schedule of caching tasks (TTL utility).


Fig. 11: Configuring caching services

When ISA Server is set up as a Web caching server, two situations are possible:

  • Forward Web Caching Server – this is the most popular use of the Web caching server. Its function is as follows:

 
Fig. 12: Forward Web Caching Server 

  1. User No. 1 (Client 1) forwards a request to the Web server for an object;
  2. The ISA Server approves the request and checks if the object already exists in the local cache.   If the content does not already exist in the cache, the ISA Server contacts the Web server to fetch the requested object (on behalf of the user);
  3. The Web server returns the object in question to the ISA Server;
  4. ISA Server returns the Web object to the original client No. 1, and saves this object to cache it locally.
  5. User No. 2 forwards the request for the same Web object;
  6. ISA Server will send the object cached locally to user No. 2.

  • Reverse Web Caching Server – Reverse Proxy by an ISA Server offers security for one or more Web servers located on the internal network.  This ensures secure Web publishing, which is of particular concern if sensitive data is to be sent from the servers.


Fig. 13: Reverse Web Caching Server
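The forward caching steps 1 to 6 above can be traced with a small model in which the request is approved before the shared cache is consulted, so a client that the rules refuse is never served an object that another client caused to be cached. This is an added example, not ISA Server code; the class, the callables standing in for the Web server and the access rules, and the sample clients are assumptions.

```python
import time


class ForwardCache:
    """Model of the forward caching flow: approve, look up, fetch, store."""

    def __init__(self, fetch_origin, is_allowed, ttl=300, clock=time.monotonic):
        self.fetch_origin = fetch_origin  # url -> body; stands in for the Web server
        self.is_allowed = is_allowed      # (user, url) -> bool; stands in for access rules
        self.ttl = ttl                    # seconds a cached object stays fresh
        self.clock = clock
        self.store = {}                   # url -> (body, expiry time)
        self.log = []                     # (user, url, outcome) per request

    def request(self, user, url):
        # Step 2, first half: the request must be approved before anything else.
        if not self.is_allowed(user, url):
            self.log.append((user, url, "DENIED"))
            return None
        now = self.clock()
        cached = self.store.get(url)
        # Steps 5-6: a fresh cached object is served without contacting the origin.
        if cached is not None and cached[1] > now:
            self.log.append((user, url, "HIT"))
            return cached[0]
        # Steps 2-4: fetch on behalf of the user, store, then return.
        body = self.fetch_origin(url)
        self.store[url] = (body, now + self.ttl)
        self.log.append((user, url, "MISS"))
        return body


def run_demo():
    """Constructed scenario: two allowed clients, one refused client, one expiry."""
    origin_calls = []
    now = [0.0]                           # fake clock so the TTL can be stepped

    def origin(url):
        origin_calls.append(url)
        return "<html>%s</html>" % url

    def allowed(user, url):
        return user != "guest"            # hypothetical rule: refuse the guest account

    cache = ForwardCache(origin, allowed, ttl=60, clock=lambda: now[0])
    url = "http://www.example.com/"
    cache.request("client1", url)         # fetched from the origin
    cache.request("client2", url)         # served from cache
    cache.request("guest", url)           # refused despite the cached copy
    now[0] = 61.0                         # cached object has expired
    cache.request("client1", url)         # fetched again
    return [entry[2] for entry in cache.log], len(origin_calls)


if __name__ == "__main__":
    print(run_demo())
```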

In addition to the security offered by both forward and reverse caching, ISA Server could be configured to give administrators the possibility to manage various Web caching solutions such as:

  • Scheduled Content Download – ISA Server can be configured to provide tools for downloading/refreshing web pages at appropriate intervals. In this way, the most popular web objects may be refreshed at night instead of during the day without risking overloaded connections.
  • Active caching – when active caching is used, ISA Server itself will evaluate and rank the cache and refresh it as necessary. This is a particularly useful option in situations where employees must fetch necessary information several times during the day from sites that are frequently updated, and especially if it is risky to fetch non-updated versions.
  • On Demand – the most popular configuration of a caching server: upon an initial request for on-demand content, the server acquires requested Web files and stores them locally in its cache.
     

Secure Internet Access through ISA Server

Secure Internet Access is one of the fundamental features provided by ISA Server. It is increasingly necessary to improve security tools and check users that access the network from outside, especially in a situation where the Global Web is vulnerable to outside interference from viruses, trojan horses or hacker attacks.  One may also wish to improve security to monitor network users and protect the network from potential Internet threats. To face this challenge and provide solutions for a broad landscape of users, Microsoft has implemented three types of clients in ISA Server:

  • Firewall clients – all computers that have Firewall Client software installed and active,
  • SecureNat clients – all computers that do not have Firewall Client software installed,
  • Web Proxy clients – all Web browser clients that are configured to use ISA Server.
     

| Feature | SecureNat Client | Firewall Client | Web Proxy Client |
|---|---|---|---|
| Installation required? | No, but some network configuration changes required | Yes | No, requires Web browser configuration |
| Operating System support | Any OS that supports TCP/IP | Only Windows platforms | All platforms |
| Protocol support | Requires application filters for multi-connection protocols | All Winsock applications | HTTP, SHTTP, FTP, Gopher |
| User-level authentication | No | Yes | Yes |
| Server applications | No installation or configuration required | Requires configuration file | N/A |

Table 3   Comparison of ISA Server Clients

Both Firewall and SecureNat clients include WebProxy client service, since all Web client requests are passed to WebProxy. All other requests sent by either Firewall or SecureNAT clients are redirected to other modules within ISA server.

Before selecting the client type to be used in a specific enterprise, it is necessary to recognize what particular applications and protocols are to be used in the network. A proper evaluation will help to have trouble-free use of Web services without continuous changes to the configuration. Choosing reliable clients is also the foundation for all network security since a more liberal access policy to Internet facilities may threaten not only e-privacy but also e-access. It is enough to realise that a few users who are downloading MP3 or AVI files from the Net and have a few Internet sessions open will be sufficient to occupy an enterprise connection at nearly 100 percent utilisation.

| Network need | Recommended client type | Reason |
|---|---|---|
| To avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration on client machines. |
| To use ISA Server only for forward Web caching. | SecureNAT | If one uses ISA Server as a Web caching server, one will not have to deploy any special software. |
| One wants to create user-based access rules to control non-Web Internet access. | Firewall Client | If one uses Firewall clients, one may configure access rules for non-Web sessions. However, these rules will be effective only if one configures ISA Server to require authentication information with each session. |
| The network supports many roaming users and computers. | Firewall Client | SecureNat clients do not support automatic discovery of ISA server. When one configures automatic discovery, roaming users or computers cannot connect to the Internet server as appropriate. |
| The clients need access (outside of Web browsers) to protocols with secondary connections to the Internet via FTP. | Firewall Client | SecureNat clients do not support protocols with secondary connections. |
| To support dial-on-demand for non-Web sessions from the clients. | Firewall Client | Though SecureNat supports dial-out, only Firewall clients support dial-on-demand for non-Web sessions. |

Table 4 Choosing an ISA Server Client Type

Table 4 represents the choice that may be useful to benefit from a proper selection of clients accessing the network in a specific enterprise. For more detailed specification of the particular types of clients see the files attached to the program.
 

Extras

Because many extras are included with ISA Server, additional information may be required. It can be found on the Internet at the following sites:

  • http://www.microsoft.com/isaserver/
  • http://www.isaserver.org/
  • http://www.faq.net.pl/

Newsgroups:

  • ms-news.pl.isa-server
  • microsoft.public.isa

Microsoft Press Publishing:
MCSE Training Kit: Microsoft Internet Security and Acceleration Server 2000

Legend for Fig. 12
Uzytkownik = user

Legend for Fig. 13
Lokalizacja 2 = Location 2
Centrala = Headquarters
