Tuesday, March 21, 2017

ISA Server

ISA Server


What happened before ISA Server?

The history of ISA Server goes back to a product named Proxy Server 1.0. At the time, the m fast and secure Internet access market saw one more player - the Microsoft Corporation. Proxy Server 1.0, however, was merely a means for the effective conduct of initial market research. The market responded favourably to this product being integrated within the existing Windows NT 4.0 enterprise networking systems. The first edition of MS Proxy Server had many limitations. It supported only a few basic Internet protocols and its implemented security tool functions were rather obsolete.
Microsoft’s second try at a Proxy Server 2.0 was a natural evolution with many useful and expected functions. One great application of this tool is to use Windows NT account databases. Therefore, user management within the enterprise has been considerably simplified. Many more protocols are supported, as well as caching services, packet filtering capability and considerably enhanced security performance have also been incorporated. Although it was an improved version, Proxy Server 2.0 still suffered from a limited range of functions compared to third-party products.
This is surely not Microsoft’s last word. In the time of Windows NT 4.0 successors, i.e. Windows 2000 and the newest Microsoft Windows Operating System, Windows XP, new possibilities have emerged in the sphere of implementation of the technologies they incorporate.
 

New concepts created by ISA Server

ISA Server carries new terms that need to be understood before attempting product deployment on the network.
  • Array a group of ISA computers that are located close together, for example a department, office, and region. There are two types of arrays:
Domain Arraysthat use Active Directory. A domain array can encompass computers located within a single domain.Independent Arrays – allow storage of information not in the Active Directory, but in a local configuration database. This array is mainly used in NT 4.0 based networks.
  • Rulewith rules, the system administrator can set up a series of protocols to govern sites, contents, protocols, and IP packet filters.
  • Array policya set of rules that define the array policy. Such a policy can be applied to any specific (and single) array.
  • Enterprise policy – enterprise-level policies contain similar rules to those established in array policies but they are applied to multiple arrays.
With ISA Server, array policies can be used to modify enterprise policies making them more restrictive. However, it is not possible for an array policy to ease restrictions imposed by the enterprise policy.
 

ISA Server Components

ISA Server supports many more functions than its predecessor. The following options are available with this new product:
  • Firewall – the Firewall client is an extension to the ISA Server that features an enhanced set of functions allowing it to compete with other similar products available on the IT market. With Firewall client, Active Directory can be supported from Windows 2000 (or the SAM databases from NT). These are used to provide specific security functions at user or group level. This feature is not supported by a majority of third-party products that use either separate user databases or IP addressing. Firewall functions are enhanced to support so called stateful packet inspection, i.e. a solution for improved security where data packets passing through the firewall are intercepted and analyzed at either a protocol or connectivity level.
  • Policy-based administration – ISA Server lets the administrators manage using predefined policy rules. Policies can include a set of consistent rules regarding users, groups of users, protocols etc. A specific policy may apply to a single array or globally, to the whole enterprise. For businesses that use networks with Active Directory enhancements, multi-tiered enterprise policies are those that match their needs to have a comprehensive IT system, to facilitate management of the entire enterprise and its infrastructure.
  • Virtual Private Network Support – ISA Server provides an easy solution to create VPN – based networks. The wizards supplied with ISA Server help to configure VPN tunneling and may activate the RRAS service if not already initialized.
  • Dynamic IP filtering – depending on the security policy used, an enterprise can dynamically open firewall ports for authorized Internet users on a session-by-session basis. This considerably simplifies the administrator’s duties in situations where there are applications that frequently change ports though they communicate with each other.
  • IDS (Intrusion Detection System) – Microsoft has equipped the ISA Server with an Intrusion Detection System. This module had been purchased from Internet Security Systems, the leading developer in these IT solutions. Thus, ISA offers out-of-box support for preventing several types of attacks including WinNuke, Ping of Death, Land, UDP bombs, POP Buffer Overflow, Scan Attack. Once an attack has been detected and identified, ISA may decide either to disable the attack or notify administrators about the event.
  • Web Cache – ISA Server provides fast Web caching performance. Administrators are allowed to automatically refresh frequently requested www pages on reverse and scheduled caching basis.
  • Reports  the major point of contrast between ISA and its predecessor i.e. Proxy Server 2.0 is that ISA features numerous report generating possibilities. By scheduling report generation connected. for example, with the users’ actions or security related events, managing ISA Server based networks is a simple task.
  • Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls or H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). The DNS SRV record must be registered in order to have gatekeeper enabled.
  • Client Deployment – with SecureNAT (Network Address Translation) feature, ISA Server delivers to clients and servers a transparent and secure access to the Internet with no need to configure extra software on client machines. SecureNAT allows monitoring of all traffic in ISA Server.
Therefore, instead of being a simple product improvement, Microsoft Internet Security and Acceleration Server fills a gap in the range of this type of products available at the Redmond colossus and is trying to jump aggressively into the mass market sector associated with Web security and fast Web access. The new potential implemented in ISA Server is expected to allow Microsoft to compete effectively in this business area.
It should be noted that Microsoft’s engineers carefully integrate all products together to bring the Company’s vision of a .NET platform to businesses.
 

Software and hardware requirements

The minimum hardware requirements recommended by Microsoft for this product are:
  • 300MHz or higher Pentium II compatible CPU,
  • 256 MB of RAM,
  • 2 GB hard-disk space on NTFS formatted partition,
  • 200 MB of available hard-disk space for installation.
ISA Server requires a computer running Windows 2000 upgraded to Service Pack 1 or greater.
Problems with insufficient server capacity may occur with this type of configuration. Thus, for various ISA Server usage scenarios, the hardware should be adequately strengthened.
If ISA Server is to be used as a firewall, one will need to consider how powerful the CPU should be in terms of throughput requirements.
Throughput requirements
Recommended CPU
Less than 25 Mbyte/s
Pentium II 300 MHz – 500 MHz
From 25 Mbyte/s to 50 Mbyte/s
Pentium III 550 MHz or better
More than 50 Mbyte/s
Pentium III 550 MHz or better for each 50Mb
Table 1 CPU capacity requirements vs. throughput
Obviously these values can only be used as a reference when planning the ISA Server’s hardware to meet the expected load. This may vary in function or various usage scenarios (such as the type of transmitted data).
In case ISA Server is to be deployed as a Forward Cache, in addition to an adequate CPU capacity consider also requirements for RAM and high free disk space available for caching purposes.
Number of users
Recommended processor
Minimal RAM capacity (Mb)
Recommended disk space allocated for caching
Up to 250
Pentium II 300 MHz
256
4 GB
250 – 2000
Pentium III 550 MHZ
256
10 GB
More than 2000
Pentium III 550 MHz for every 2,000 users
256 for every 2000 users
10 GB for every 2,000 users
Table 2 – Capacity planning for forward caching server applications
If you want to use ISA Server in Integrated Mode (see Installation), these values will be further augmented. Therefore, the performance of any computer intended to operate as an ISA server will be completely utilised.
 

Installing ISA Server

A Windows 2000 Server with a full implementation of Active Directory is the minimum on which it is possible to install Microsoft ISA Server. Before installing ISA Server, one must configure Active Directory (adding required classes and selecting object properties).
Fig. 1: ISA Server setup screen with selected AD schema modification option
Before the system attempts to update the schema you will be warned that this action is not reversible.
Fig. 2: Active Directory’s modification-related warning
When modifying the schema, it is necessary to determine what the intended extent of modifications to the existing policies integrated in AD would be. In case of problems with the modification of Active Directory, one should consult the Ldif.log file.

No comments:

Post a Comment