ISA Server 2004 as a Security Appliance
An ISA Server with a single connected NIC interface is still a very powerful tool. Although not a full firewall while deployed like this, the ISA server becomes a security appliance, similar to many of the other security products that are available. This deployment scenario is exceedingly common, so it is important to understand what ISA can do when deployed as a unihomed server, and what limitations it has as well.
Understanding How Reverse Proxies Work
To understand what a reverse proxy is, it helps to first define what a proxy server does. ISA Server 2004 began life as Proxy Server 1.x/2.x (the 2004 release is version 4.x of the product). The product was designed to retrieve web and FTP content from the Internet on behalf of clients, with all client requests routed through the server. This forward proxy role is covered in Chapter 8, "Deploying ISA Server 2004 as a Content Caching Server."

A reverse proxy works in a similar way, except that the clients are on the Internet and the server being accessed sits inside the organization's environment. This flip of the client/server relationship, compared to a standard "forward" proxy, is what gave rise to the term "reverse" proxy. Figure 7.1 illustrates how a reverse proxy protects internal servers by acting as a bastion host for the traffic.
Figure 7.1. Understanding how reverse proxy servers work.
Deploying a Unihomed ISA Server as a Security Appliance
It is important to note that ISA Server 2004 does an extremely good job of providing reverse proxy capabilities, in addition to the other functionality it possesses. It was specifically designed to understand the types of communication that are supposed to occur over commonly used services such as Outlook Web Access and standard web page access. These factors have positioned ISA as one of the more attractive options for securing those particular services.

That said, many organizations are not willing to simply throw away existing security infrastructure such as packet-filter firewalls, VPN solutions, and intrusion detection equipment. The real advantage in ISA's case is that nothing currently in place needs to be replaced. Deploying ISA as a dedicated reverse-proxy security appliance simply adds a layer of security to an environment, and the only configuration required on existing firewalls is a rule allowing the published traffic (such as HTTP or HTTPS) to reach the ISA server.

One of the key points of this deployment scenario is that it removes the "religious" debates about Microsoft products from the conversation. It is no longer necessary to convince skeptical security personnel that the keys to the entire organization should be held by a Microsoft product. Instead, ISA is deployed and governed by the rules set forth by the existing security infrastructure. This also keeps Exchange front-end servers and other application servers, with their need for "swiss-cheese" firewall rules, out of the DMZ.

NOTE

This chapter does not imply that ISA Server 2004 is incapable of filling other roles within an organization, such as edge firewall, VPN server, or caching solution. It simply points out that ISA can be, and often is, deployed in other scenarios such as this one, and can be a welcome improvement to an organization's security without any modifications to existing infrastructure.
Understanding the Capabilities of ISA Server 2004 Reverse Proxy
Unihomed ISA Servers do not have the full range of capabilities that multi-homed ISA servers do, such as the edge firewall and network-filtering roles those deployment scenarios offer. That said, the reverse proxy capabilities that ISA does offer are quite powerful, and may be all that is necessary for ISA Server to be considered a success in an organization. For example, securing Exchange Outlook Web Access (OWA) with publishing rules, which is easily accomplished on a unihomed server, is quite likely the single most common deployment scenario for ISA today. In addition, ISA possesses the capability to publish and secure other web servers, Microsoft SharePoint sites, and certain other applications as well.
Defining Web Server Publishing Rules for Reverse Proxy
ISA Server 2004 Reverse Proxy makes it possible to secure web and other services through a logical construct known as a web server publishing rule. A web server publishing rule is a firewall policy rule that uses specific filters to monitor web traffic and force that traffic to conform to specific conventions. For example, a web server publishing rule can be set up to allow Internet access to a web server, but to restrict that access to particular subdirectories on the server and to require that only specific HTTP commands are used. Web publishing rules and HTTP filtering are covered in detail in Chapter 14, "Securing Web (HTTP) Traffic."
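The following is an added example, not ISA Server code and not part of the original chapter, that models the decision a web publishing rule like the one just described makes on each incoming request: does the Host header match one of the rule's public names, is the HTTP verb on the allowed list, and does the (normalized) path fall under a published subdirectory. The rule structure, the helper names (PublishingRule, check_request, normalize_path), the host names and the allowed verb set are assumptions made for illustration; the sample requests are constructed. The normalization step is the part worth studying: a rule that compares the raw request path would let `/exchange/%2e%2e/admin/` through as an `/exchange/` request, so the check is applied to the path the published server would actually see.

```python
"""Model of the request checks a reverse-proxy web publishing rule performs.

Added illustration, not ISA Server code. PublishingRule, check_request and
the sample hosts/paths below are assumptions, not ISA identifiers.
"""
from dataclasses import dataclass
from posixpath import normpath
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class PublishingRule:
    """One web publishing rule: the public host names it answers for, the
    internal server it forwards to, and what it lets through."""
    name: str
    public_names: frozenset      # Host header values the rule answers for
    internal_server: str         # where an allowed request is forwarded
    allowed_paths: tuple         # published path prefixes (end with "/")
    allowed_methods: frozenset   # HTTP verbs accepted by this rule


def normalize_path(raw_target: str) -> str:
    """Decode percent-encoding and collapse '.'/'..' segments so the rule
    judges the path the server would actually see, not the one the client
    chose to encode it as. Decoded twice to catch double-encoded traversal."""
    path = unquote(unquote(urlsplit(raw_target).path))
    path = "/" + path.replace("\\", "/").lstrip("/")
    collapsed = normpath(path)           # "/exchange/../admin/" -> "/admin"
    # normpath drops a trailing slash; keep directory requests distinct
    if path.endswith("/") and not collapsed.endswith("/"):
        collapsed += "/"
    return collapsed


def parse_request(request: str):
    """Split a raw HTTP request into (method, target, headers)."""
    head = request.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    parts = lines[0].split()
    method, target = parts[0].upper(), parts[1]
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return method, target, headers


def check_request(rules, request: str):
    """Return ("forward", internal_server) for a request a rule publishes,
    or ("deny", reason). Anything no rule answers for is denied by default."""
    method, target, headers = parse_request(request)
    host = headers.get("host", "").split(":")[0].lower()
    path = normalize_path(target)
    for rule in rules:
        if host not in rule.public_names:
            continue                     # rule only answers for its names
        if method not in rule.allowed_methods:
            return "deny", f"{rule.name}: method {method} not allowed"
        published = any(path == p or path.startswith(p.rstrip("/") + "/")
                        for p in rule.allowed_paths)
        if not published:
            return "deny", f"{rule.name}: path {path} not published"
        return "forward", rule.internal_server
    return "deny", f"no publishing rule answers for host {host!r}"


# Constructed rule: publish OWA, exposing only its virtual directories.
# The verb list is an illustrative assumption, not the full OWA verb set.
OWA_RULE = PublishingRule(
    name="Publish OWA",
    public_names=frozenset({"mail.example.com"}),
    internal_server="owa-fe.corp.internal",
    allowed_paths=("/exchange/", "/exchweb/", "/public/"),
    allowed_methods=frozenset({"GET", "POST"}),
)
RULES = [OWA_RULE]

# Constructed sample requests (not captured traffic)
GOOD = "GET /exchange/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
TRAVERSAL = "GET /exchange/%2e%2e/admin/ HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
BAD_VERB = "DELETE /exchange/inbox HTTP/1.1\r\nHost: mail.example.com\r\n\r\n"
WRONG_HOST = "GET /exchange/ HTTP/1.1\r\nHost: intranet.example.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in [("good", GOOD), ("traversal", TRAVERSAL),
                       ("bad verb", BAD_VERB), ("wrong host", WRONG_HOST)]:
        print(f"{label:10s} -> {check_request(RULES, req)}")
```

The default-deny at the end is the property that makes a reverse proxy a useful bastion: a request for a host name or path that no rule publishes never reaches the internal network, regardless of what the internal web server would have done with it.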
Using a Unihomed ISA Server for SMTP Filtering
Another common use for a unihomed ISA Server is securing SMTP traffic through the SMTP Screener component. This component enables the ISA server to look and feel like a real SMTP server, so that mail is sent through it just as it would be through a regular mail server. In this model the ISA server is deployed as an SMTP smarthost, whose main job is to process and scan mail for content and/or viruses before it is passed into the mail environment.
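As an added example, not ISA Server code and not part of the original chapter, the block below models the kind of content screening a smarthost performs on a message before relaying it to the internal mail server: a size limit, keyword screening of the subject and text body, and attachment screening by both declared file name and file content (a renamed executable still starts with the `MZ` header). The policy values, the function names (screen_message, build_sample) and the sample messages are constructed assumptions for illustration.

```python
"""Model of the content checks an SMTP screener applies before relaying mail.

Added illustration, not ISA Server code. Policy values and function names
are assumptions; the sample messages are constructed, not real traffic.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Assumed site policy (illustrative values)
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".vbs", ".bat", ".cmd"}
BLOCKED_KEYWORDS = {"make money fast", "free prize"}
MAX_SIZE_BYTES = 10 * 1024 * 1024


def screen_message(raw: bytes):
    """Return ("relay", None) if the raw RFC 5322 message may be passed on
    to the internal mail server, or ("reject", reason) if it is stopped."""
    if len(raw) > MAX_SIZE_BYTES:
        return "reject", "message exceeds size limit"
    msg = email.message_from_bytes(raw, policy=policy.default)

    # Keyword screening of subject and plain-text body (case-insensitive)
    subject = (msg["Subject"] or "").lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    for keyword in BLOCKED_KEYWORDS:
        if keyword in subject or keyword in body:
            return "reject", f"blocked keyword {keyword!r}"

    # Attachment screening: the declared name first, then the actual bytes,
    # because a sender can rename payload.exe to notes.txt
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if os.path.splitext(name)[1] in BLOCKED_EXTENSIONS:
            return "reject", f"attachment {name!r} has a blocked extension"
        data = part.get_payload(decode=True) or b""
        if data[:2] == b"MZ":
            return "reject", f"attachment {name!r} is a Windows executable"
    return "relay", None


def build_sample(subject: str, body: str, attachment=None) -> bytes:
    """Construct a sample message for the demonstration (test input only).
    attachment is an optional (filename, bytes) pair."""
    msg = EmailMessage()
    msg["From"] = "sender@example.org"
    msg["To"] = "user@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment is not None:
        filename, data = attachment
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


# Constructed samples
CLEAN = build_sample("Project meeting", "Agenda attached next week.")
SPAM = build_sample("FREE PRIZE inside", "Claim it now.")
EXE_BY_NAME = build_sample("Report", "See attached.",
                           ("report.exe", b"MZ\x90\x00" + b"\x00" * 16))
EXE_RENAMED = build_sample("Report", "See attached.",
                           ("notes.txt", b"MZ\x90\x00" + b"\x00" * 16))

if __name__ == "__main__":
    for label, raw in [("clean", CLEAN), ("spam", SPAM),
                       ("exe by name", EXE_BY_NAME), ("exe renamed", EXE_RENAMED)]:
        print(f"{label:12s} -> {screen_message(raw)}")
```

A real virus scanner does far more than a two-byte header check, but the structure is the same: the screener accepts the message on behalf of the internal server, inspects it while it is fully in hand, and only then decides whether to relay it.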