Multi-networking with ISA Server 2004
ISA Server 2004 introduced "multi-networking" support. In practice, this means a single ISA server can be deployed across multiple physical network segments, as illustrated in Figure 5.1. The goal is to filter, control, and monitor the traffic that passes between those networks. In essence, ISA then becomes a true firewall for the traffic between multiple network segments.
Figure 5.1. Examining ISA multi-networking support.
Setting Up a Perimeter Network with ISA
Multi-networking capabilities in ISA Server 2004 allow for the creation of a traditional perimeter (DMZ) network. This network model, shown in Figure 5.2, isolates Internet-facing services into a dedicated network that has little access to resources in the internal network. The idea behind this model is that if one of the servers in the DMZ were to be compromised, the attacker would have access to only DMZ resources, and would not be able to directly hit any of the clients or servers on the internal network.
Figure 5.2. Viewing a perimeter network model.
Deploying Additional Networks
ISA is not limited to three defined networks; the only limit is the number of network cards installed in the server itself. Theoretically, additional networks can be established for wireless access points, server-only networks, client networks, and any other type of network. Defining a network is as straightforward as configuring the appropriate network definition and network rules in the ISA Console.
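The two building blocks just described, network definitions (which address ranges belong to which network) and network rules (whether a pair of networks is related by route, by NAT, or not at all), are what make the perimeter model in Figure 5.2 hold. The following Python script is an added example, not code from the book or from ISA Server itself: it models those two constructs for an Internal/Perimeter/External layout and audits whether the rule set still isolates the internal network from the DMZ. All address ranges and rule names are constructed for illustration; the Local Host and VPN Clients networks that ISA also defines are omitted.

```python
"""Added example (not from the book or from ISA Server): a small model of
ISA 2004 multi-networking semantics. Networks are sets of IP ranges; network
rules relate pairs of networks. A pair with no rule has no connectivity at
all, a "route" relationship is two-way, and a "nat" relationship only lets
the source network initiate connections (the reverse path needs publishing).
All values below are constructed for illustration."""
from ipaddress import ip_address, ip_network

# Network definitions: name -> address ranges (constructed values).
# ISA's External network is implicit: every address not defined elsewhere.
NETWORKS = {
    "Internal":  [ip_network("10.0.0.0/8")],
    "Perimeter": [ip_network("192.168.100.0/24")],
}

# Weak rule set: the DMZ is routed to Internal, so DMZ hosts may initiate
# connections inward as soon as any access rule permits it.
ROUTE_RULES = [
    ("Internal",  "Perimeter", "route"),
    ("Internal",  "External",  "nat"),
    ("Perimeter", "External",  "nat"),
]

# Hardened rule set: Internal reaches the DMZ through NAT, so DMZ hosts can
# only reach Internal through explicit server publishing rules.
NAT_RULES = [
    ("Internal",  "Perimeter", "nat"),
    ("Internal",  "External",  "nat"),
    ("Perimeter", "External",  "nat"),
]


def classify(ip):
    """Map an address to the ISA network whose ranges contain it."""
    addr = ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(addr in r for r in ranges):
            return name
    return "External"


def relationship(src_ip, dst_ip, rules):
    """Return the relationship ISA would apply to a packet between these
    addresses, or None when no network rule connects the two networks
    (such traffic is dropped before any firewall policy is consulted)."""
    src, dst = classify(src_ip), classify(dst_ip)
    if src == dst:
        return "same-network"   # never traverses ISA's network rules
    for s, d, rel in rules:
        if (s, d) == (src, dst):
            return rel
        if rel == "route" and (d, s) == (src, dst):
            return rel          # route relationships are bidirectional
    return None


def audit_dmz_isolation(rules):
    """List every rule that would let the perimeter reach Internal."""
    findings = []
    for s, d, rel in rules:
        if {s, d} != {"Perimeter", "Internal"}:
            continue
        if rel == "route":
            findings.append(f"{s} <-> {d} is routed: DMZ hosts can initiate "
                            "connections to Internal once an access rule allows it")
        elif s == "Perimeter":
            findings.append(f"{s} -> {d} NAT lets DMZ hosts initiate "
                            "connections into Internal")
    return findings


if __name__ == "__main__":
    for label, rules in (("route", ROUTE_RULES), ("nat", NAT_RULES)):
        print(label, "DMZ -> Internal:",
              relationship("192.168.100.10", "10.1.2.3", rules))
        print(label, "audit:", audit_dmz_isolation(rules) or "clean")
```

Running the script shows the difference between the two rule sets: with the routed relationship a DMZ host can reach an internal address as soon as an access rule permits it, whereas with the NAT relationship the DMZ-to-Internal lookup returns None and the audit comes back clean. The same classification-then-rule-lookup pattern extends to any additional networks you define, so the audit can be rerun each time a network or rule is added in the console.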