ISA Server 2004 UNLEASHED [Electronic resources] نسخه متنی

Outlining Client Access with ISA Server 2004

It is somewhat of a misnomer to describe ISA clients as "clients" in the traditional software sense. In reality, a single ISA Client can appear to be all three types of ISA clients to the server itself. In a sense, each client is really defined more by how it uses the ISA Server rather than what is on the client machine itself. To understand this concept, it is important to understand what constitutes each one of the types of clients and how ISA views client traffic.

Defining the ISA Firewall Client

ISA Server 2004 comes with a full-blown ISA Client software component that can be installed on all workstations. The full ISA Software Client provides for the following capabilities:

Per-User Rules Configuration and Logging
One of the biggest advantages to the Firewall client is its capability to authenticate the client traffic and have the ISA Server determine not only from what IP address the client is coming, but also from what Active Directory user account it originated. This allows for the creation of per-user or per-group Firewall policy rules, enabling administrators to restrict access to specific applications, networks, and other resources on a per-user basis. This information is also logged in ISA, so that per-user reports on such things as per-user website usage and security audits can be performed.

Winsock Application Support
The Firewall client works directly with the Windows Sockets (Winsock) drivers to provide for rich support for application written to take advantage of WinSock functionality.

Complex Protocol Support
The Firewall client is capable of handling complex protocol definitions in ISA Server, including those that make use of secondary protocols as part of their definition.

TIP

As with any piece of software, the Firewall client requires occasional updates on all the systems. For example, ISA Server 2004 Standard version Service Pack 1 introduced a new version of the Firewall client. For security and functionality reasons, it is therefore important to keep the software up to date, using software such as Systems Management Server (SMS) 2003 or other software management software.

Defining the SecureNAT Client

The second defined client type in ISA Server 2004 is the SecureNAT client, which is essentially any IP client that can be physically routed to the ISA Server in one manner or another. This includes any type of client with a TCP/IP stack that is forced to send its traffic through the ISA Server.

For example, a simple network with a single internal subnet that has the ISA Server's internal IP address listed as the default gateway for that subnet would see all client requests from that network as SecureNAT client traffic, as shown in Figure 11.1.

The SecureNAT client scenario could also apply to more complicated networks with multiple subnets and routers, provided that the routes defined in the network topology route traffic through the ISA Server, as shown in Figure 11.2.

SecureNAT clients are the easiest to work with: They do not require any special configuration or client software. On the flip side, it is not possible to authenticate SecureNAT clients automatically or to determine individual user accounts that may be sending traffic through the ISA Server. SecureNAT clients can be controlled only through the creation of rules that limit traffic by IP address or subnet information.

NOTE

SecureNAT client support requires an ISA Server to have more than one network interface because the traffic must flow through the server from one network to the next. This disallows a unihomed (single NIC) ISA Server from handling SecureNAT or Firewall clients. A unihomed server can handle Web Proxy clients only (for forward- or reverse-proxy support).

Defining the Web Proxy Client

A Web Proxy client is a client connection that comes from a CERN-compatible browser client such as Internet Explorer or FireFox. Web Proxy clients interact directly with the proxy server capabilities of ISA Server 2004, and relay their requests off the ISA Server, which operates as a content caching solution to the clients. This enables commonly downloaded content to be stored on the ISA Proxy server and served up to clients more quickly. For more information on this concept, see Chapter 8, "Deploying ISA Server 2004 as a Content Caching Server."

NOTE

It is very common to have Web Proxy clients also displayed as SecureNAT or Firewall clients in the ISA Server monitoring tools. This is because, fundamentally, the description of a Web Proxy client simply refers to the web browserbased application traffic that comes from a SecureNAT or Firewall client.

Outlining the VPN Client

Technically speaking, ISA Server recognizes a fourth type of client: Virtual Private Network (VPN) clients. A VPN client is a client system that remotely establishes an encrypted tunnel to an ISA Server. For more information on VPN clients and for deployment scenarios involving them, see Chapter 9, "Enabling Client Remote Access with ISA Server 2004 Virtual Private Networks (VPNs)."