Creating and Configuring Arrays
ISA 2000 Enterprise Edition introduced the concept of an array, and ISA Server 2004 Enterprise improved upon it. Essentially, an array is a grouping of ISA Servers that have the same NIC configuration and are connected to the same networks. They are meant to act as redundant, load-balanced members of a network team, either with integrated Windows Load Balancing or through the use of a third-party load balancer.
For example, an organization may have an array of ISA Servers acting as edge firewalls. If one of the array members were to go down, the other one would shoulder the load. There also may be other arrays within the organization that protect other critical network segments from internal intrusion. Essentially, arrays provide a critical measure of load balancing and redundancy to a security environment.
Arrays can be defined in CSS before the ISA Servers have been installed. In this example, a single edge-firewall array is created via the following procedure:
1. From the ISA Enterprise Admin Console, click on the Arrays Node in the Console tree.
2. In the Tasks tab, click the Create New Array link.
3. Enter a name for the array, such as Edge-Array.
4. Under the Array DNS Name dialog box, shown in Figure 6.13, enter the Fully Qualified Domain Name (FQDN) of the array, such as
Figure 6.13. Creating an array.
5. In the Assign Enterprise Policy dialog box, select the customized policy previously created from the drop-down box, such as CompanyABC Policy, and click Next to continue.
6. Under the types of array firewall policy rules that can be created, leave all checked, as displayed in Figure 6.14, and click Next to continue.
Figure 6.14. Defining array policy rule types.
7. Click Finish, OK, Apply, and OK to save the settings.
Configuring Array Settings
Creating an array opens up an entirely new set of nodes in the ISA Enterprise Admin Console, as shown in Figure 6.15. In fact, the array nodes may look familiar to an Administrator familiar with the Standard version because they are nearly identical to that version.
Figure 6.15. Examining the newly created array console settings.
Name and description of the array.
Policy Settings
Which Enterprise policy to apply to the array and which policy rule types can be applied.
Configuration Storage
The FQDN of the main CSS server and an alternate server (if necessary), in addition to the definition of how often the CSS is checked for updates.
Intra-Array Credentials
Defines what type of credentials (domain or workgroup) are used for intra-array communications.
Assign Roles
Allows for delegation of administration at the array level.
Figure 6.16. Examining the array properties tabs.
Creating the NLB Array Network
If Windows Network Load Balancing will be used for the ISA Servers, then an additional NIC needs to be added and an isolated network created between those two servers, as shown in Figure 6.2. This network is solely devoted to NLB traffic, which is required because the NLB operates only in unicast mode.
As well as being physically set up to provide for NLB, the network needs to be defined within the array. To define this network, do the following:
1. In the ISA Enterprise Admin Console, click on Arrays, Edge-Array (Array Name), Configuration, Networks node in the Console tree.
2. In the Tasks tab of the Tasks pane, click the link for Create a New Network.
3. In the Network Name field, enter Edge-Array-NLB and click Next.
4. In the Network Type dialog box, shown in Figure 6.17, select Perimeter Network and click Next.
Figure 6.17. Creating the NLB Array Network.
5. Under Network Addresses, click Add Range.
6. Enter a start address and end address, such as 172.16.1.0 and 172.16.1.255, and click OK.
7. After the address is entered, click Next to continue.
8. Click Finish, Apply, and OK.
Defining Array Policies
After the array has been configured, standard firewall policies can be defined for the array. These policies follow the same concepts as in the Standard version, and specific chapters in this book can be used to configure these policies. For example, a mail publishing rule can be used to secure an OWA site through the array, or a SQL Server can be published. The options are nearly endless.
As previously mentioned, the specific array policies are applied after the initial enterprise policies and before the final enterprise policies.
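The ordering described above can be modeled to show its practical effect: an initial enterprise rule can silently override a rule an array administrator adds. This is an added example, not code from the book or from ISA Server; it assumes rules are evaluated top-down with the first match winning and a built-in default deny at the end, and all rule names, protocols, and destinations are constructed.

```python
from dataclasses import dataclass

# Evaluation order stated in the text: initial enterprise rules, array rules, final enterprise rules.
TIER_ORDER = ("enterprise-initial", "array", "enterprise-final")

@dataclass(frozen=True)
class Rule:
    tier: str         # one of TIER_ORDER
    name: str
    action: str       # "allow" or "deny"
    protocol: str     # protocol name, or "*" for any
    destination: str  # destination network name, or "*" for any

    def matches(self, protocol, destination):
        return self.protocol in ("*", protocol) and self.destination in ("*", destination)

def effective_order(rules):
    # sorted() is stable, so the order of rules inside each tier is preserved.
    return sorted(rules, key=lambda r: TIER_ORDER.index(r.tier))

def evaluate(rules, protocol, destination):
    """Return the first rule that matches (assumption: first match wins)."""
    for rule in effective_order(rules):
        if rule.matches(protocol, destination):
            return rule
    # Assumption: a built-in default rule denies anything left unmatched.
    return Rule("enterprise-final", "Default rule", "deny", "*", "*")

def shadowed(rules):
    """List (rule, earlier rule) pairs where the earlier rule covers every
    request the later rule could match, so the later rule never fires."""
    ordered = effective_order(rules)
    found = []
    for i, rule in enumerate(ordered):
        for earlier in ordered[:i]:
            if (earlier.protocol in ("*", rule.protocol)
                    and earlier.destination in ("*", rule.destination)):
                found.append((rule.name, earlier.name))
                break
    return found

# Constructed sample policy, deliberately listed out of tier order.
POLICY = [
    Rule("array", "Publish OWA", "allow", "HTTPS", "Mail"),
    Rule("array", "Publish SQL Server", "allow", "MS-SQL", "Database"),
    Rule("enterprise-initial", "Block SQL enterprise-wide", "deny", "MS-SQL", "*"),
    Rule("enterprise-final", "Deny everything else", "deny", "*", "*"),
]

if __name__ == "__main__":
    for proto, dest in [("HTTPS", "Mail"), ("MS-SQL", "Database"), ("SMTP", "Mail")]:
        hit = evaluate(POLICY, proto, dest)
        print(f"{proto} -> {dest}: {hit.action} by '{hit.name}' ({hit.tier})")
    print("Shadowed rules:", shadowed(POLICY))
```

Running a check like `shadowed()` against an exported rule list before delegating array administration shows which array-level rules the enterprise policy will prevent from ever taking effect.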