Lesson 1 Planning for an ISA Server Installation
When you install ISA Server, you will be asked to provide information that you should have gathered in advance. You prepare for the installation by assessing your network needs and then designing a suitable network topology if one doesn't already exist.
After this lesson, you will be able to
Determine whether installing ISA Server as a standalone server or as an array best suits your network needs
Determine whether installing ISA Server in Firewall mode, Cache mode, or Integrated mode best suits your network needs
Determine what hardware you need for your ISA Server configuration
Design a network topology suitable for your ISA Server configuration
Estimated lesson time: 60 minutes
Planning your ISA Server installation requires you to weigh your network needs against the practical limitations of cost and maintenance. Specifically, you will need to decide:
Whether you will install ISA Server as a standalone server or an array
Whether you will use the ISA Server as a firewall, cache server, or both
How you will connect to the Internet
Whether you intend to include publishing servers behind your ISA Server installation
How you will configure or modify your network topology in order to incorporate ISA Server
How many computers you will need to set up your chosen configuration
Capacity Planning
You should plan the ISA Server's hardware configuration and Internet connectivity to meet the expected network load. The following sections describe recommended system configurations for various usage scenarios.
Minimal Requirements
ISA Server requires a computer running one of the editions of Microsoft Windows 2000 Server. In addition to the network adapter that Windows 2000 uses to communicate on your internal network, ISA Server needs an external network adapter, modem, or Integrated Services Digital Network (ISDN) adapter to connect to the Internet.
To meet the minimum requirements for ISA Server, you need the following hardware:
A computer with a 300 MHz or faster Pentium II–compatible CPU, running Windows 2000 Server or Microsoft Windows 2000 Advanced Server with Service Pack 1 or later, or Microsoft Windows 2000 Datacenter Server
256 MB of RAM
20 MB of available hard disk space
Windows 2000–compatible network adapter for communicating with the internal network
Windows 2000–compatible external network adapter, modem, or ISDN adapter for communicating with the Internet
One local hard disk partition formatted with the NT file system (NTFS)
To implement array and enterprise policies, you also need Windows 2000 Active Directory directory services on your network.
Remote Administration Requirements
For remote ISA Server administration, you need install only ISA Management, which runs on Windows 2000 Professional or any edition of Windows 2000 Server. The client computer running ISA Management must be a member of a Windows 2000 domain in order to connect to an ISA Server computer.
Alternatively, you can run Microsoft Terminal Server on the ISA Server computer and use Terminal Client to connect remotely to ISA Server.
Firewall Requirements
ISA Server can be installed as a dedicated firewall that acts as the secure gateway to the Internet for internal clients. In this case, you will need to consider how much throughput is required for your internal clients when they access the Internet.
Table 2.1 lists hardware configurations and network connections for expected throughput for firewall clients and SecureNAT clients accessing objects on the Internet.
Table 2.1 CPU and Internet Connection Requirements
Throughput Requirements | ISA Server running on... | Internet Connection |
---|---|---|
1 to 25 MBits/second | Pentium II, 300 MHz | T1, cable modem, or xDSL |
25 to 50 MBits/second | Pentium III, 550 MHz | T3 or better |
More than 50 MBits/second | 1 Pentium III, 550 MHz, for each 50 MBits/second required | T3 or better |
Forward Caching Requirements
ISA Server can be installed as a forward Web and File Transfer Protocol (FTP) caching server that maintains a centralized cache of frequently requested Internet objects. These objects can be accessed by any Web browser client behind the firewall. In this case, you should consider how many Web browser clients will be accessing the Internet. Table 2.2 lists hardware configurations for projected numbers of internal clients accessing objects on the Internet.
Table 2.2 Memory and Disk Requirements
# Users | ISA Server Computer | RAM (MB) | Disk Space Allocated for Caching |
---|---|---|---|
Up to 250 | Single ISA server with Pentium II, 300 MHz | 256 | 2 to 4 GB |
Up to 2,000 | Single ISA server with Pentium III, 550 MHz | 256 | 10 GB |
More than 2,000 | 1 ISA server with Pentium III, 550 MHz, for each 2,000 users. If necessary, you can use Performance Monitor to identify bottlenecks and determine whether to add servers to the array. | 256 per 2,000 users | 10 GB per 2,000 users |
If you want to use the ISA Server caching feature, you must install ISA Server on a computer that has at least one partition formatted as an NTFS volume. If your current server disk volume uses file allocation table (FAT) partitions, you can convert these partitions to NTFS by using convert.exe, which is included with Windows 2000 Server. Convert does not overwrite the data on the disk. For more information on using Convert, type convert /? at a command prompt.
Publishing and Reverse Caching Requirements
ISA Server can be deployed in front of an organization's Web server that is hosting a commercial Web business or providing access to business partners. In this case, you need to consider how often external clients will request objects on the publishing servers.
Table 2.3 lists hardware configurations for projected numbers of requests from Internet (external) users in a reverse caching scenario.
Table 2.3 Hardware Requirements for Various Hit Rates
Hits/Second | ISA Server | RAM (MB) |
---|---|---|
Less than 500 | Single ISA server with Pentium II, 300 MHz | 256 |
500 to 900 | Single ISA server with Pentium III, 550 MHz | 256 |
More than 900 | 1 ISA server with Pentium III, 550 MHz, for each 800 hits/second increment. You can also use Performance Monitor to identify bottlenecks and determine whether to add more servers. | 256 per server |
Array Considerations
If you determine that you will need multiple computers to handle your network load, consider setting up an array of ISA Server computers. Arrays allow a group of ISA Server computers to be treated and managed as a single, logical entity.
All the servers in an array share a common configuration. This saves on management overhead, since the array is configured once and the configuration is applied to all the servers in the array. Furthermore, with ISA Server Enterprise Edition, you can apply an enterprise policy to an array. This allows you to centralize management for all the arrays in your enterprise.
A unique array policy can be applied to each array in the enterprise. This can provide you with a method of dividing your organization into departments. For example, you might want to allow clients protected by one array unlimited access to the Internet and place more restrictions on clients in another array.
An array installation also means improved performance with less hardware. Arrays allow client requests to be distributed among several ISA Server computers, which improves response time for clients. Because load is distributed across all the servers in the array, you can achieve good performance even with moderate hardware.
In order to install ISA Server as an array member, the computer on which you are installing ISA Server must be a member of a Windows 2000 domain. Furthermore, the ISA Server enterprise must be initialized before you can install ISA Server as an array member. (Initializing the enterprise refers to the process of installing the ISA Server schema updates into Active Directory schema.)
If you choose not to install ISA Server as an array member, you can install ISA Server as a standalone server. If you perform a standalone server installation, the computer does not have to belong to a Windows 2000 domain.
Array Requirements
All array members must be in the same domain and in the same site. A site is a set of computers in a well-connected (reliable and fast) Transmission Control Protocol/Internet Protocol (TCP/IP) network. A domain is a collection of computers, defined by the administrator, that share a common directory (Active Directory) store. For more information, see the Windows 2000 Help.
Although it is not a requirement, using Windows 2000 Advanced Server or Windows 2000 Datacenter Server for array installations is recommended, because those editions include Network Load Balancing for distributing traffic among array members.
Standalone Servers and Single-Server Arrays
Even if you are installing just one ISA Server computer, you should consider installing it as an array member. When ISA Server Enterprise Edition is installed as an array member, enterprise policy can be applied to the array. Furthermore, an array installation means that future expansion is easier—an additional server can be added to the array with ease.
Table 2.4 compares the features of an ISA Server array to those of a standalone server.
Table 2.4 Features Comparison of an Array and Standalone Server
Feature | Array | Standalone server |
---|---|---|
Scalability | Can have one or more array members. | Limited to one member only. |
Active Directory required? | Yes. Can be installed only in Windows 2000 domains with Active Directory directory services installed. The local network can still be a Windows NT 4.0 domain. | No. Can be installed in Windows NT 4.0 domains. Configuration information is stored in the registry. |
Enterprise policy | Yes. A single policy can be applied to all arrays in the enterprise. | No. |
If you configure arrays, you may choose to set them up at each branch in your organization. Because each branch then has its own array, each branch can define unique usage policies that will be common to all the servers in the array.
ISA Server Mode
As part of the setup process, you select which ISA Server mode to use: Firewall mode, Cache mode, or Integrated mode.
When you use Firewall or Integrated modes, you can secure network communications by configuring rules that control communications between your corporate network and the Internet. In Firewall and Integrated modes, you can also publish internal servers, thereby sharing data on your internal servers with Internet users.
If you use Cache or Integrated modes, you can improve network performance and save bandwidth by storing commonly accessed Internet objects closer to the user. You can also route requests from Internet users to an appropriate internal Web server.
Depending on which mode you select, different features are available. Table 2.5 lists which features are available when you use Firewall and Cache modes. All the features are available in Integrated mode.
Table 2.5 Features Comparison of Firewall and Cache Modes
Feature | Firewall | Cache |
---|---|---|
Access policy | Yes | Yes, but only for the HTTP protocol |
Alerts | Yes | Yes |
Application filters | Yes | No |
Cache configuration | No | Yes |
Enterprise policy | Yes | Yes |
Packet filtering | Yes | No |
Real-time monitoring | Yes | Yes |
Reports | Yes | Yes |
Server publishing | Yes | No |
Web publishing | Yes | Yes |
Internet Connectivity Considerations
The first step to providing Internet access is finding an appropriate Internet Service Provider (ISP). The business of providing connectivity to the Internet is quite competitive, and many access methods are now available, including Digital Subscriber Line (DSL), cable modems, satellite, bundled phone lines, and T-1 service. When deciding which of these options is best for you, consider price, data throughput, and reliability.
You can connect ISA Server to the Internet with either a direct link or a dial-up link. If you connect using a direct link or using DSL or cable modem, you must set up an external network adapter. If you connect using a dial-up link, you must use a modem or an ISDN adapter with your server.
If you are using ISA Server to publish Web servers and other servers, and plan to make these readily available to Internet clients, you must reserve static IP addresses with your ISP and register at least one domain name through a registrar accredited by the Internet Corporation for Assigned Names and Numbers (ICANN). (You can find a list of ICANN-accredited registrars at http://www.icann.org/registrars/accredited-listl.) Internet users are likely to access your internal servers by using a fully qualified domain name (FQDN), which consists of the computer (host) name, such as "www," plus the domain name that you have registered, such as "microsoft.com."
If you have already registered an Internet domain name, you may decide to have your ISP handle the details of how to administer the listing of your domain name in a Domain Name System (DNS) server for use by others on the Internet.
Publishing and Connectivity
When you publish internal servers, you must obtain IP addresses with which to associate the domain or server name. When external clients access your Web site or domain, the ISP's DNS server will find the IP address associated with the requested Web site name—usually an IP address on your ISA Server computer or on a perimeter network (DMZ). Alternatively, you can use an internal DNS server to resolve requests from external clients.
ISA Server in the Network
ISA Server secures and connects an existing network of services, which may be centralized on a single server or dispersed across many servers. The following sections describe network issues to consider when installing ISA Server.
Windows NT 4.0 Domain
ISA Server can be installed as a standalone server in a Windows NT 4.0 domain. In this case, no special configuration is required.
Arrays can also be used to connect and secure Windows NT 4.0 domain users and clients to the Internet. However, the array of ISA Server computers must be set up on a separate Windows 2000 domain. A trust relationship must then be established between the Windows NT 4.0 domain and the domain to which the ISA Server computer belongs.
ISA Server Configuration Data
If you install ISA Server as a standalone server, all configuration information is saved to the registry.
If you install ISA Server in an array configuration, all its configuration information is saved to the Active Directory store. In other words, ISA Server arrays require that Active Directory be installed in the Windows 2000 domain of which the ISA Server computer is a member.
Internet Connection Sharing
Before ISA Server was available, you may have used Internet Connection Sharing (ICS) to access the Internet. ISA Server replaces ICS and provides greater functionality in your organization. ISA Server provides the connectivity enabled by ICS as well as sophisticated security and caching features.
Do not install or enable ICS on a computer running ISA Server. If you previously installed and enabled ICS, remove it before installing ISA Server.
Remote Access Server
Before ISA Server was available, you may have used Windows 2000 Server's remote access server to make network services and computers available to remote clients. ISA Server provides the remote connectivity and improved remote access server features with more extensive and flexible security. ISA Server packet filtering replaces the remote access server's packet filtering. ISA Server also uses the dial-up entries configured for the remote access server and extends their functionality.
ISA Server Network Topology Scenarios
ISA Server can be deployed in various network topologies. This section describes some typical network configurations. While your actual network configuration may differ from those described here, the basic concepts and configuration logic will help you plan your network topology.
Small Office Scenario
In the small office network configuration, the ISA Server computer is placed between the corporate local area network (LAN)/wide area network (WAN) and the Internet. A small office network might have fewer than 250 clients on a single LAN segment, use IP as its network protocol, and connect to an ISP over a demand-dial link. A single ISA Server computer can provide Internet connectivity and security for the entire network, as shown in Figure 2.1.

Figure 2.1 Small office scenario
The scenario depicted in Figure 2.1 is that of a small organization whose array contains just one ISA Server computer. To allow for future expansion, the server is set up as an array member.
In a slightly larger organization, you may configure an array of ISA Server computers. Assuming that most of the clients are in a single site and a single domain, one ISA Server array can be set up to serve the entire organization. This array can contain one or more ISA Server computers, depending on bandwidth and cache requirements.
Enterprise Scenario
The scenario depicted in Figure 2.2 is that of a large corporation that has its headquarters in the United States and two branch offices, one in Canada and one in the United Kingdom. Each of the three locations has an array of one or more ISA Server computers installed. At the central office, an enterprise policy is created that defines one access policy for all clients. The network administrator at Headquarters is responsible for implementing a corporate policy and ensuring that all branch offices follow the guidelines stipulated in that policy. The Headquarters network administrator allows branch administrators to create more restrictive rules.
Enterprise Network Configuration
The branch office in Canada is connected via a router to Headquarters. The branch office in the United Kingdom is connected via a virtual private network (VPN) to Headquarters.
Figure 2.2 illustrates the network configuration for the large corporation described.

Figure 2.2 Enterprise network configuration
Each ISA Server computer that is a member of the array at Headquarters is configured with two network interfaces: one network adapter to connect to the internal network and one to connect to the Internet. This scenario assumes direct connectivity to the ISP through a router and a T1/E1 line, with a backup dial-up line as a fallback.
The ISA Server in the Canada office is installed in Cache mode and is chained (hierarchically connected) to the ISA Server at Headquarters. The Canada server has two network adapters, one connected to a local router and the other connected to a router at Headquarters.
The ISA Server array in the United Kingdom is set up in Integrated mode and serves as the branch's firewall and cache server. In addition, the ISA Server computers are configured so that requests for domestic Internet computers can be routed directly to the Internet.
Web Publishing Topologies
The Web publishing functions of ISA Server benefit organizations that want to publish Web content securely from within their protected intranet. For organizations that receive incoming Web requests, ISA Server can protect the Web server that is hosting a commercial Web business or providing access to business partners. The ISA Server impersonates a Web server to the outside world, while the Web server maintains access to internal network services.
The Web server that you are publishing can be located either on the same computer as the ISA Server or on a different computer.
Co-Located Web Server
Figure 2.3 illustrates a common Web publishing scenario, in which the Web server is located on the same computer as the ISA Server computer.

Figure 2.3 Co-located Web server
In this scenario, the ISA Server computer is configured to listen for incoming requests on port 80 of the external network adapter.
However, by default, the Web server also listens on port 80 for incoming requests, on all of the computer's addresses. To avoid the two servers conflicting, configure the Web server so that it listens on a port other than 80, and then modify the ISA Server Web publishing rule so that ISA Server forwards requests to that port on the Web server.
Alternatively, you can configure the Internet Information Services (IIS) server to listen on a different IP address. You might set the IIS server to listen on 127.0.0.1, so that it accepts requests only from processes on the ISA Server computer itself, including ISA Server's Web publishing listener.
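The following Python script is an added example, not part of the lesson or of ISA Server. It shows the check a practitioner would run on a co-located computer: parse a Windows "netstat -an" listing, report every listener on the published port that competes with ISA Server's external listener, and confirm that the address and port the Web publishing rule forwards to is actually listening. The two listings and the 192.0.2.10 (external) and 10.0.0.1 (internal) addresses are constructed; the first shows the default IIS binding, the second the corrected state.

```python
# Added example: audit "netstat -an" output for a co-located IIS server that
# would collide with ISA Server's Web publishing listener on the external adapter.
# The listings and addresses below are constructed, not captured from a real host.
import re

# Constructed: default IIS binding (all addresses, port 80) before any change.
NETSTAT_BEFORE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  TCP    10.0.0.1:1029          10.0.0.55:445          ESTABLISHED
"""

# Constructed: IIS moved to 127.0.0.1:8080, ISA Server owns 192.0.2.10:80.
NETSTAT_AFTER = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    127.0.0.1:8080         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
"""

# One IPv4 TCP listener line: "  TCP    addr:port    foreign    LISTENING".
LISTEN_RE = re.compile(r"^\s*TCP\s+(\d{1,3}(?:\.\d{1,3}){3}):(\d+)\s+\S+\s+LISTENING\s*$")


def tcp_listeners(netstat_text):
    """Return (address, port) for every IPv4 TCP listener in a netstat -an listing."""
    return [(m.group(1), int(m.group(2)))
            for m in map(LISTEN_RE.match, netstat_text.splitlines()) if m]


def audit_published_port(netstat_text, external_ip, internal_ip, port=80):
    """Classify every listener on the port ISA Server publishes on the external adapter.

    Returns (address, port, code) where code is one of:
      CONFLICT  wildcard bind: covers the external adapter and collides with ISA Server
      CHECK     bound to the external address: acceptable only if it is ISA Server itself
                (netstat -an does not show the owning process, so confirm by hand)
      OK        loopback only: reachable just from the ISA Server computer
      NOTE      bound to the internal adapter: no clash, but the LAN reaches IIS directly
    """
    codes = {"0.0.0.0": "CONFLICT", external_ip: "CHECK", "127.0.0.1": "OK", internal_ip: "NOTE"}
    return [(addr, p, codes.get(addr, "CHECK"))
            for addr, p in tcp_listeners(netstat_text) if p == port]


def target_is_listening(netstat_text, target_ip, target_port):
    """Confirm the address:port a Web publishing rule forwards to really has a listener."""
    return (target_ip, target_port) in set(tcp_listeners(netstat_text))


def colocation_ok(netstat_text, external_ip, internal_ip, forward_to, port=80):
    """True when nothing collides with ISA Server's listener and the rule's target is up."""
    findings = audit_published_port(netstat_text, external_ip, internal_ip, port)
    no_conflict = all(code != "CONFLICT" for _, _, code in findings)
    return no_conflict and target_is_listening(netstat_text, *forward_to)


if __name__ == "__main__":
    for label, listing in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        print(label, audit_published_port(listing, "192.0.2.10", "10.0.0.1"),
              "ok" if colocation_ok(listing, "192.0.2.10", "10.0.0.1", ("127.0.0.1", 8080)) else "NOT ok")
```

Paste the real output of netstat -an in place of the constructed listings. A wildcard listener on the published port is always a conflict, whichever service owns it; the loopback-plus-alternate-port arrangement is the one that both removes the clash and keeps IIS unreachable from any network.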
Web Server on Local Network
Figure 2.4 illustrates a Web publishing scenario in which the Web servers are located behind the ISA Server computer.

Figure 2.4 Web servers located behind ISA Server
Two Web servers are located on the internal network, which is protected by ISA Server. When an Internet user requests an object on example.microsoft.com/Marketing or example.microsoft.com/Development, the request is sent to the ISA Server computer, which then routes the request to the appropriate Web server.
Notice that external clients never connect to the Web servers themselves. They connect to the ISA Server computer, which accepts the request and forwards it to the internal Web server on their behalf, so external users have no direct network path into the internal network. Furthermore, the IP addresses of the Web servers are never exposed: Internet clients retrieve Web server content from the IP address of the ISA Server computer.
Exchange Server Publishing Topologies
A common ISA Server scenario involves securing the Simple Mail Transfer Protocol (SMTP) communication of mail servers. For example, ISA Server can protect a Microsoft Exchange Server. The Exchange Server that you are publishing can be co-located on the ISA Server computer or it can be located on the local network or on a perimeter network (DMZ).
Co-Located Exchange Server
Figure 2.5 illustrates a scenario in which ISA Server and Exchange Server are on the same computer.

Figure 2.5 Co-located Exchange Server
Exchange Server on Local Network
Figure 2.6 illustrates a scenario in which the Microsoft Exchange Server computer is on the local network and is protected by the ISA Server computer.

Figure 2.6 Exchange Server on LAN protected by ISA Server
Perimeter Network (DMZ) Scenarios
A perimeter network, also known as a DMZ, is a small network that is set up separately from an organization's private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network while preventing access to the internal corporate network. An organization may also allow very limited access from computers in the perimeter networks to computers in the internal network.
A perimeter network, also known as a screened subnet, is commonly used for deploying the e-mail and Web servers for the company. The perimeter network can be set up in one of the following configurations:
Back-to-back perimeter network configuration, with two ISA Server computers on either side of the perimeter network (Figure 2.7)
Three-homed ISA Server, with the perimeter network and the local network protected by the same ISA Server (Figure 2.8)
The perimeter network may include the company's Web server, so that Web content can be served to the Internet. However, the perimeter network does not allow access to any other company data that may be available on computers in the local network. Even if an external user breaches the perimeter network, only the perimeter network servers are compromised, provided the rules that govern traffic from the perimeter network into the internal network remain as restrictive as described above.
Back-to-Back Perimeter Network Configuration
In a back-to-back perimeter network configuration, two ISA Server computers are located on either side of the perimeter network. Figure 2.7 illustrates a back-to-back perimeter network configuration.

Figure 2.7 Back-to-back perimeter network
In this configuration, two ISA Server computers are connected in series: one to the Internet and the other to the local network, with the perimeter network between them. Both ISA Server computers run in Integrated mode or Firewall mode, which reduces the risk of compromise because an attacker would need to break into both systems to reach the internal network.
Three-Homed Perimeter Network (DMZ) Configuration
In a three-homed perimeter network, a single ISA Server computer (or an array of ISA Server computers) is set up with three network adapters: one connected to the Internet, one to the perimeter network, and one to the local network. Figure 2.8 illustrates this perimeter network scenario.

Figure 2.8 Three-homed perimeter network
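The Python model below is an added example, not part of the lesson or of ISA Server, and it serves both the back-to-back configuration (Figure 2.7) and the three-homed configuration (Figure 2.8). It treats each ISA Server computer as a default-deny policy point between zones and computes the "blast radius" of an attacker in a given zone: which (zone, port) pairs the attacker can reach. The zone names, the sample access policy, the listening services per zone, and the assumption that a compromised firewall forwards anything are all this example's own. It shows the difference the lesson describes in words: in the three-homed layout, compromising the one ISA Server exposes the internal network, while in the back-to-back layout, compromising the outer ISA Server leaves the inner one still enforcing the policy.

```python
# Added example: zone-policy model of the back-to-back and three-homed perimeter
# networks. Zones, rules, service ports and the "compromised firewall passes
# everything" assumption are constructed for the example, not ISA Server behaviour.
from __future__ import annotations
from collections import deque
from dataclasses import dataclass

INTERNET, DMZ, INTERNAL = "internet", "dmz", "internal"
ANY = None  # wildcard port in a rule


@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    port: int | None = ANY

    def matches(self, src: str, dst: str, port: int) -> bool:
        return self.src == src and self.dst == dst and self.port in (ANY, port)


@dataclass
class Firewall:
    """One ISA Server computer (or array): the zone pairs it sits between and its
    allow rules. Anything not matched by a rule is denied."""
    name: str
    links: frozenset  # frozenset of frozenset({zone_a, zone_b})
    rules: tuple
    compromised: bool = False

    def permits(self, src: str, dst: str, port: int) -> bool:
        if self.compromised:  # assumption: an attacker-controlled firewall forwards anything
            return True
        return any(r.matches(src, dst, port) for r in self.rules)


def path(firewalls: list[Firewall], src: str, dst: str):
    """Breadth-first search over zones: the firewalls a packet from src to dst must cross."""
    queue, seen = deque([(src, ())]), {src}
    while queue:
        zone, crossed = queue.popleft()
        if zone == dst:
            return crossed
        for fw in firewalls:
            for link in fw.links:
                if zone in link:
                    (nxt,) = link - {zone}
                    if nxt not in seen:
                        seen.add(nxt)
                        queue.append((nxt, crossed + (fw,)))
    return None


def allowed(firewalls, src, dst, port) -> bool:
    """A flow gets through only if every firewall on its path permits it."""
    crossed = path(firewalls, src, dst)
    return crossed is not None and all(fw.permits(src, dst, port) for fw in crossed)


# Assumed listening services per zone; the DMZ holds the published Web and SMTP servers.
SERVICES = {INTERNET: {25, 80, 443}, DMZ: {25, 80, 443}, INTERNAL: {25, 80, 445}}


def exposed(firewalls, attacker_zone):
    """Blast radius: the (zone, port) pairs an attacker in attacker_zone can reach."""
    return {(zone, port) for zone, ports in SERVICES.items() if zone != attacker_zone
            for port in ports if allowed(firewalls, attacker_zone, zone, port)}


# Assumed policy: publish Web and SMTP from the DMZ, let the DMZ relay mail to the
# internal mail server and out to the Internet, let internal clients out. Nothing else.
POLICY = (
    Rule(INTERNET, DMZ, 80), Rule(INTERNET, DMZ, 443), Rule(INTERNET, DMZ, 25),
    Rule(DMZ, INTERNAL, 25), Rule(DMZ, INTERNET, 25),
    Rule(INTERNAL, INTERNET), Rule(INTERNAL, DMZ),
)


def three_homed(compromised=False):
    """Figure 2.8: one ISA Server with three adapters mediates every zone pair."""
    links = frozenset({frozenset({INTERNET, DMZ}), frozenset({INTERNET, INTERNAL}),
                       frozenset({DMZ, INTERNAL})})
    return [Firewall("isa", links, POLICY, compromised)]


def back_to_back(outer_compromised=False):
    """Figure 2.7: the outer ISA Server fronts the DMZ, the inner one fronts the LAN."""
    return [Firewall("isa-outer", frozenset({frozenset({INTERNET, DMZ})}), POLICY, outer_compromised),
            Firewall("isa-inner", frozenset({frozenset({DMZ, INTERNAL})}), POLICY)]


if __name__ == "__main__":
    for label, fws in (("three-homed", three_homed()), ("three-homed, ISA compromised", three_homed(True)),
                       ("back-to-back", back_to_back()), ("back-to-back, outer ISA compromised", back_to_back(True))):
        print(f"{label}: reachable from the Internet -> {sorted(exposed(fws, INTERNET))}")
    print(f"from a compromised DMZ host (three-homed) -> {sorted(exposed(three_homed(), DMZ))}")
```

Both layouts give the same answer while the firewalls hold: the Internet reaches only the published DMZ ports, and a compromised DMZ host reaches the internal network only on the one SMTP port the policy opened. The layouts diverge once a firewall falls. Swap in your own rule set for POLICY to see what your perimeter network would actually expose.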
Lesson Summary
You should prepare for an ISA Server installation by assessing your network needs and then designing a network topology suitable to those needs. When determining your ISA Server installation's hardware requirements, you should plan to meet or exceed the expected network load. For a firewall, you will need to consider how much throughput is required for your internal clients when they access the Internet. For caching, consider how many Web browser clients will be accessing the Internet. For publishing and reverse caching, you need to consider how often external clients will request objects on the publishing servers. After assessing your needs, you should decide whether to install ISA Server in Firewall mode, Cache mode, or Integrated mode. If you determine that you will need multiple computers to handle your network load, you should set up an array of ISA Server computers instead of one standalone server.
ISA Server can be installed in various network topologies. In the small office network configuration, a single ISA Server computer can be placed between the corporate LAN and the Internet. For a larger, distributed enterprise, separate locations may each have an array of one or more ISA Server computers installed.
For secure server publishing behind a firewall, your publishing mail or Web servers can be located either on the same computer as the ISA Server or on a different computer. If you need even higher security, you may decide to place your publishing servers within a perimeter network.