Ready for the Big Time
The Enterprise Edition of ISA 2004 provides centralized management and unmatched scalability.
One size rarely fits all. Microsoft has clearly realized this with its software-based
firewall called Internet Security and Acceleration Server. ISA Server 2004 comes
in two editions: Standard and Enterprise. The Standard Edition is suitable for
smaller companies that only need one firewall. The Enterprise Edition is aimed
at larger organizations that need fault-tolerant firewalls and the ability to
centrally manage multiple firewalls.
ISA Server 2004 Enterprise Edition (ISA) fills three needs: firewall protection,
Web caching and VPN services. ISA’s firewall service provides application-layer
filtering, which lets ISA make intelligent decisions based on a packet’s contents
instead of just looking at the IP address and port number.
Most firewalls, especially traditional hardware firewalls, inspect packets only
at layer three (IP) and layer four (TCP and UDP). That leaves them blind to the
HTTP request itself, so they pass application-layer attacks like Code Red and
Nimda straight through. Because ISA also inspects traffic at the application
layer, you can configure it to block those types
By default, ISA doesn't cache Web pages. If you choose to enable caching (and
I suggest that you do), you must have at least one NTFS-formatted drive in your
system. More RAM also helps, because ISA caches to both RAM and disk: by default
10 percent of RAM is set aside for the in-memory cache, and everything beyond
that amount is cached to disk. Caching reduces the bandwidth needed to serve your
clients if your users regularly visit the same Web sites.
ISA really shines as a VPN gateway. You can configure ISA as the end point in a
site-to-site VPN and as a VPN server for remote clients. ISA treats VPN connections
as a separate network, which lets you apply unique firewall rules to each connection.
ISA will then apply stateful filtering to all incoming connections based on
To Serve and Protect
ISA offers a choice of five general network templates for initial configuration
that correspond to common network topologies. You can define your server as an
edge firewall, three-leg perimeter firewall, front-end firewall, back-end firewall
or single network adapter firewall. These are defined as follows:
- Edge firewall: Sits between your network and the Internet -- aka a bastion
- Three-leg perimeter firewall: Protects your network from attacks like an
edge firewall, but uses an additional network to securely publish services
to the Internet.
- Front-end firewall: Used when you have two firewalls separating your network
from the Internet (known as a back-to-back firewall topology). This firewall
has a connection to the Internet and a connection to your DMZ (the shared
area between your two firewalls).
- Back-end firewall: Also used when you have two firewalls, this firewall
would have a connection to your DMZ and a connection to your internal LAN.
- Single network adapter firewall: Used as a caching proxy server to cache
content from the Internet for use by clients on the local network.
Apply the template that best matches your topology and ISA automatically configures
itself. Depending on your chosen template, ISA also gives you anywhere from
five to eight choices of firewall policies to apply, like “block” or “allow
all Internet access.”
The ISA installation and configuration process uses wizards to accomplish most
tasks like creating access rules, networks and protocol definitions. This makes
ISA very intuitive to those new to firewall management.
ISA’s reporting features are helpful for analyzing and summarizing traffic patterns.
You can run a variety of built-in reports, such as which sites are accessed
the most and who is accessing them. You can also determine which protocols and
applications your users are using most. You can even report on the percentage
of Web pages being retrieved from the ISA Web cache as opposed to live from
You can run traffic reports manually or schedule them as recurring jobs. To
schedule a job, simply specify the length of time the report will cover and
how often the report will be generated. You can run reports on a daily, weekly,
monthly or yearly basis, and get an e-mail copy of the complete report.
Figure 1. A live monitor lets you see incoming network traffic, the action ISA Server 2004 is taking and the rule governing that action.
My favorite ISA 2004 feature is the monitoring. ISA includes a live monitor
of the traffic your server is processing (see Figure 1). You can see in real time
which traffic is being allowed or rejected and which rule is responsible for
the decision. This makes troubleshooting much easier: Just watch the traffic
and go straight to the rule causing the problem.
- ISA 2004 Enterprise Edition is an improvement in a number of ways over its
predecessor, ISA 2000.
- ISA 2004 puts all firewall rules in one place and processes sequentially
from top to bottom. This refinement makes it much easier to troubleshoot problems.
- ISA 2004 lets you create any number of networks. You can then define the
routing relationship between the networks choosing to either route the traffic
as is or route it using Network Address Translation (NAT).
- In ISA 2004, you can back up your configuration and restore it to an alternate
server. This makes it very easy to recover from hardware failure or to migrate
to a new ISA server.
- You can now use ISA as the endpoint for an IPSec site-to-site VPN with a
third-party VPN product.
- ISA 2004 supports creating groups on the firewall. You can either use Active
Directory groups or create your own. You can then populate your ISA groups
with Active Directory user accounts.
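The two points above, that the rule base is processed top to bottom and that the live monitor tells you which rule decided a connection, are easiest to appreciate with a small model. The following is an added example written for this review, not ISA Server code; the rule names, networks and sample connections are constructed, and the matching logic is a generic first-match evaluator with an implicit default deny rather than ISA's own engine. It shows the classic ordering mistake: a specific deny placed below a broader allow never fires.

```python
"""Ordered, first-match policy evaluation with an implicit default deny.

Added example (not ISA Server code): a small model of a rule base that is
processed top to bottom, returning both the verdict and the rule that
produced it, which is what a live monitor reports for each connection.
Rule names, networks and sample connections are constructed for this
example and are not ISA configuration or ISA log data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


def _in_net(ip: str, net: str) -> bool:
    """True if `ip` falls inside CIDR `net`; "any" matches every address."""
    return net == "any" or ip_address(ip) in ip_network(net, strict=False)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR network or "any"
    dst: str               # CIDR network or "any"
    protocol: str          # "tcp", "udp" or "any"
    dport: Optional[int]   # destination port, None = any port

    def matches(self, src_ip: str, dst_ip: str, protocol: str, dport: int) -> bool:
        return (
            _in_net(src_ip, self.src)
            and _in_net(dst_ip, self.dst)
            and self.protocol in ("any", protocol)
            and self.dport in (None, dport)
        )


# Implicit last rule: anything no explicit rule matched is denied.
DEFAULT = Rule("Default rule", "deny", "any", "any", "any", None)


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             protocol: str, dport: int) -> Tuple[str, str]:
    """Walk the rule base top to bottom; the first matching rule decides.

    Returns (action, rule_name) so the caller can see which rule fired,
    which is the information that makes troubleshooting a policy easy.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, protocol, dport):
            return rule.action, rule.name
    return DEFAULT.action, DEFAULT.name


# Constructed sample policy. In SHADOWED_POLICY the deny sits below a broader
# allow, so it is unreachable and marketing hosts still get out on port 80.
INTERNAL = "10.0.0.0/8"
MARKETING = "10.5.0.0/16"
ALLOW_WEB = Rule("Allow internal Web", "allow", INTERNAL, "any", "tcp", 80)
BLOCK_MKT = Rule("Block marketing Web", "deny", MARKETING, "any", "tcp", 80)

SHADOWED_POLICY = [ALLOW_WEB, BLOCK_MKT]   # deny never fires
CORRECT_POLICY = [BLOCK_MKT, ALLOW_WEB]    # specific deny above general allow


def shadowed_rules(rules: List[Rule], samples) -> List[str]:
    """Names of rules that never decide any of the sample connections.

    A rule that representative traffic never reaches is a candidate for
    being shadowed by an earlier rule and deserves a second look.
    """
    fired = {evaluate(rules, *s)[1] for s in samples}
    return [r.name for r in rules if r.name not in fired]


if __name__ == "__main__":
    # Constructed connections: (src, dst, protocol, dport)
    SAMPLES = [
        ("10.5.1.20", "203.0.113.10", "tcp", 80),   # marketing host, HTTP
        ("10.1.1.5", "203.0.113.10", "tcp", 80),    # other internal host, HTTP
        ("10.1.1.5", "203.0.113.10", "udp", 53),    # DNS, no rule -> default deny
    ]
    for label, policy in (("shadowed", SHADOWED_POLICY), ("correct", CORRECT_POLICY)):
        print(label)
        for s in SAMPLES:
            print("  ", s, "->", evaluate(policy, *s))
        print("   never fired:", shadowed_rules(policy, SAMPLES))
```

Running the script prints the verdict and deciding rule for each sample under both orderings; with the shadowed policy the marketing host is allowed by "Allow internal Web" and "Block marketing Web" is reported as never firing, which is exactly the symptom you would chase down in the live monitor.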
There are two ways to beef up your ISA server deployment. You can scale up by
adding more hardware to your firewall, or you can scale out by adding more firewalls.
While the Standard Edition of ISA 2004 is limited to four processors and 2GB
RAM, the Enterprise Edition doesn’t have a cap on supported hardware, so you
can scale up as needed.
The ISA Array lets you centrally manage all your ISA servers. Installing your
ISA servers in the same array will let you do centralized logging and reporting.
It also lets you enforce enterprise-wide firewall policies with all members
of the array, making it much easier to change rules on multiple firewalls at
the same time.
You can scale out with ISA by having all members of the array support Network
Load Balancing (NLB). Using NLB lets online ISA servers take over for failed
ISA servers without disrupting client access. This lets you dynamically expand
or reduce the number of firewalls you’re using and do so completely behind the
ISA also supports the Cache Array Routing Protocol (CARP), which improves Web
performance by providing load balancing and failover for Web proxy browser connections.
CARP provides shared caching across the servers in the array, letting your system
cache more information and improving overall performance.
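What makes CARP a shared cache rather than three separate ones is that every member of the array computes the same owner for a given URL. The following is an added example written for this review, not ISA's implementation of CARP: it models the highest-random-weight idea CARP is built on (hash the URL together with each member's identity, pick the member with the highest score) using SHA-256 and equal member weights. The real CARP specification defines its own 32-bit hash functions and a load-factor weighting, which are not reproduced here; member names and URLs are constructed.

```python
"""Deterministic URL-to-cache routing in the style of CARP.

Added example, not ISA Server code. CARP assigns each URL to exactly one
member of the array by combining a hash of the URL with a hash of each
member's identity and choosing the member with the highest resulting score
("highest random weight"). Every proxy in the array computes the same
answer, so an object is cached once rather than once per server, and when a
member fails only the URLs it owned are re-homed. This model uses SHA-256
and equal member weights; the real CARP specification defines its own
32-bit hash functions and a load-factor weighting, which are not reproduced
here. Member names and URLs are constructed for the example.
"""
import hashlib
from typing import Dict, Iterable, List, Set


def score(member: str, url: str) -> int:
    """Reproducible pseudo-random weight of `member` for `url`."""
    digest = hashlib.sha256(f"{member}\x00{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def route(members: List[str], url: str) -> str:
    """The array member that owns `url`: the one with the highest score."""
    if not members:
        raise ValueError("no cache members available")
    return max(members, key=lambda m: score(m, url))


def route_table(members: List[str], urls: Iterable[str]) -> Dict[str, str]:
    """Owner of every URL, as each proxy in the array would compute it."""
    return {u: route(members, u) for u in urls}


def rehomed_on_failure(members: List[str], failed: str,
                       urls: Iterable[str]) -> Set[str]:
    """URLs whose owner changes when `failed` drops out of the array.

    With highest-random-weight routing the survivors' scores are unchanged,
    so only the URLs the failed member owned move; nothing else is re-hashed.
    """
    urls = list(urls)
    before = route_table(members, urls)
    survivors = [m for m in members if m != failed]
    after = route_table(survivors, urls)
    return {u for u in urls if before[u] != after[u]}


def distribution(members: List[str], urls: Iterable[str]) -> Dict[str, int]:
    """How many of the URLs each member owns (should be roughly even)."""
    counts = {m: 0 for m in members}
    for owner in route_table(members, urls).values():
        counts[owner] += 1
    return counts


if __name__ == "__main__":
    # Constructed array members and URL set.
    MEMBERS = ["isa1", "isa2", "isa3"]
    URLS = [f"http://www.example.com/docs/page{i}.html" for i in range(300)]
    print("ownership:", distribution(MEMBERS, URLS))
    moved = rehomed_on_failure(MEMBERS, "isa2", URLS)
    print("URLs re-homed when isa2 fails:", len(moved))
    print("any proxy agrees on", URLS[0], "->", route(MEMBERS, URLS[0]))
```

The point to take from running it is the failure case: losing one member re-homes only that member's share of the URLs, so the other members' caches stay warm, which is the failover behaviour the paragraph above describes.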
ISA 2004 Enterprise Edition provides all the security and functionality of
the Standard Edition, plus some features and flexibility that make it suitable
for larger organizations. Its centralized management and logging is great for
companies with geographically dispersed firewalls. The built-in NLB and CARP
support provide fault tolerance and improved performance that will scale as
much as needed to handle most companies’ Internet connections.
Once you’re familiar with ISA Server’s user interface, live monitoring, reporting,
centralized management and scalability, you may find it difficult to use any
Chad Todd, MCSE, MCT, CNE, is the author of Hack Proofing Windows 2000 Server by Syngress Publishing. He is the co-owner of Training Concepts, which specializes in Windows 2000 and Cisco training.