Unlike most Microsoft products, the Standard and Enterprise versions of ISA Server were released separately, approximately a half year apart from each other. This caused some confusion over what the Enterprise Edition was, and what distinguished it from the Standard version and the previous Standard and Enterprise versions of ISA 2000. To more fully understand the Enterprise version, it is important first to note the differences between Standard and Enterprise.
Exploring the Differences between the Standard and Enterprise Versions of ISA Server 2004
The Enterprise version of ISA Server 2004 contains all the features and functionality of the Standard version, in addition to the following features:
Network Load Balancing (NLB) Support
Only the Enterprise version of ISA Server 2004 supports Network Load Balancing (NLB) clusters, allowing for automatic failover and load balancing of services across array members.
Cache Array Routing Protocol (CARP) Support
The Enterprise version supports the Cache Array Routing Protocol (CARP) to properly balance web proxy requests across an array.
Configuration Storage Server (CSS)
One of the biggest differences between Standard and Enterprise is that the Enterprise Edition uses a Configuration Storage Server (CSS) to store ISA rules and configuration. A CSS is an Active Directory in Application Mode (ADAM) implementation (essentially a "light" version of an Active Directory forest) and can be installed on non-ISA servers. This also allows for centralized management of ISA Servers.
Enterprise and Array Policy Support
As opposed to the Standard version, which allows only a single set of rules to be applied, ISA Enterprise allows global Enterprise policy rules and individual array rules to be used in combination with one another.
Designing an ISA Server 2004 Enterprise Edition Environment
The Enterprise version of ISA Server 2004 is designed differently from the Standard version. For instance, the CSS component itself changes the entire design equation. The concept of arrays also makes the Enterprise version unique. It is therefore important to understand what design factors must be taken into account when dealing with the Enterprise Edition.
The first design decision that must be made with the Enterprise Edition is where to store the CSS. The CSS is a critical server in an ISA topology, and can be installed on any Windows 2000/2003 server in an environment. In certain cases, it is installed on the ISA Servers themselves, and in other cases it is installed on a dedicated machine or on a domain controller.
In smaller environments, the CSS would be installed directly on the ISA server. In larger and more secure environments, however, the CSS would be installed on systems within the network, such as in the ISA environment displayed in Figure 6.1.
Figure 6.1. Examining a complex ISA Enterprise deployment.
Because the Configuration Storage Server is essentially an LDAP-compliant, scaled-down version of an Active Directory forest, it can easily be replicated to multiple areas in an organization. It is ideal to configure at least one replica of the CSS server to maintain redundancy of ISA management.
NOTE
Although the ISA Servers get their configuration information from a CSS server, they do not shut down or fail if the CSS is down. Instead, they continue to process rules based on the last configuration given to them from the CSS server.
The example illustrated in this chapter uses a single CSS server installed on an internal domain controller, as shown in Figure 6.2. In addition, the chapter outlines step-by-step deployment guides for setting up two ISA Server 2004 Enterprise servers running as edge firewalls in a network load balanced array of ISA Servers.
Figure 6.2. Conceptualizing the CSS deployment model illustrated in this chapter.
Although ISA Server Enterprise allows for a myriad of deployment models, this deployment scenario illustrates one of the more common ones, and one that takes full advantage of ISA functionality. Other common deployment models, such as ISA deployment in a workgroup and uni-homed ISA reverse-proxy systems, are similar in many ways, with slight variations in implementation.