Module 11: Implementing ISA Server 2004 Enterprise Edition

Overview
Overview of ISA Server 2004 Enterprise Edition
Planning an ISA Server 2004 Enterprise Edition Deployment
Implementing ISA Server 2004 Enterprise Edition

Lesson: Overview of ISA Server 2004 Enterprise Edition
Animation: Comparing ISA Server 2004 Enterprise Edition and Standard Edition
Why Deploy ISA Server Enterprise Edition?
What Is Active Directory Application Mode?
What Is a Configuration Storage Server?
What Are Enterprise Policies?
What Are Enterprise Networks?
What Are Arrays and Array Policies?
What Are Effective Policies?
How Enterprise Edition Integrates with Network Load Balancing
How Enterprise Edition Enables Virtual Private Networking
How Enterprise Edition Enables Distributed Caching Using CARP

Animation: Comparing ISA Server 2004 Enterprise Edition and Standard Edition

Why Deploy ISA Server Enterprise Edition?
ISA Server 2004 Enterprise Edition enables:
  Easier management of multiple-server deployments
  More scalable Web proxy caching
  More scalable and fault-tolerant deployments
ISA Server 2004 Enterprise Edition deployment scenarios:
  Deploying multiple ISA Server computers with the same configuration
  Deploying ISA Server computers in a distributed administration scenario
  Deploying ISA Server computers without Active Directory

What Is Active Directory Application Mode?
Active Directory Application Mode:
  Is a special mode of the Active Directory directory service
  Is an LDAP-compatible directory that does not require DNS or domains
  Enables multiple-master replication between ADAM servers
ADAM is installed when you install Configuration Storage server
You use ISA Server Management to manage the directory information stored in ADAM

What Is a Configuration Storage Server?
[Diagram: Configuration Storage Server, ISA Server Management. Connection labels: MS Firewall Control, port 3847; MS Firewall Storage Replication, port 2173; MS Firewall Storage, port 2172/2121]

What Are Enterprise Policies?
Definition
  An ordered set of access rules and policy elements defined at the enterprise level
Options
  Unless you configure enterprise policies, only array policies apply
  You can configure enterprise policies to be applied before or after the array policy
  Configure policy elements that can be used when configuring enterprise or array rules

What Are Enterprise Networks?
Definition
  A range of enterprise-level IP addresses that do not cross a security boundary
To use enterprise networks, you can:
  Use the predefined enterprise networks, which are associated with array networks of the same name
  Define enterprise rules using enterprise networks
  Use enterprise networks to enable communication between arrays
  Manage the IP address space in the organization

What Are Arrays and Array Policies?
Array definition
  A group of ISA Server 2004 computers that share the same configuration
  Includes a Configuration Storage server and ISA Server Management computers
  Requires that ISA Server computers have a similar server configuration
Array policy definition
  A set of access rules and publishing rules applied to all array members
  An array policy definition includes:
    Policy elements that can define array rules
    Array networks that define network configuration options

What Are Effective Policies?
Definition
  The resultant policy applied to an array member after the system policy, enterprise policy and the array policy rules are evaluated based on rule order
Example:
  Enterprise policy rules applied before array firewall policy
    Allow HTTP and HTTPS access to the Internet for all users.
  Branch office array firewall policy rules
    Allow all protocol access from the Internal network to the Internet for all authenticated users
    Allow DNS protocol traffic from branch-office DNS servers
  Enterprise policy rules applied after array firewall policy
    Enable DNS protocol traffic from main-office DNS servers

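The rule ordering in the example above, worked through as an added example (not part of the original module and not ISA Server code). It is a simplified model: system policy rules are left out, the source names Internal, BranchDNS and MainDNS are stand-in labels, and it assumes that the first matching rule decides and that unmatched traffic is denied.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: frozenset         # empty set means all protocols
    source: str                  # "*" means any source
    auth_required: bool = False  # True for "all authenticated users"

# The slide's example rules. Source labels are simplified stand-ins
# (assumption), and every rule's destination is taken to be the Internet.
ENTERPRISE_BEFORE = [
    Rule("Enterprise: HTTP/HTTPS, all users", "allow", frozenset({"HTTP", "HTTPS"}), "*"),
]
ARRAY_RULES = [
    Rule("Array: all protocols, authenticated users", "allow", frozenset(), "Internal", True),
    Rule("Array: DNS from branch-office DNS servers", "allow", frozenset({"DNS"}), "BranchDNS"),
]
ENTERPRISE_AFTER = [
    Rule("Enterprise: DNS from main-office DNS servers", "allow", frozenset({"DNS"}), "MainDNS"),
]

def effective_policy(before, array, after):
    """Enterprise 'before' rules, then array rules, then enterprise 'after' rules."""
    return [*before, *array, *after]

def evaluate(policy, protocol, source, authenticated=False):
    """Return (action, rule name) for the first rule that matches, in order."""
    for rule in policy:
        if rule.protocols and protocol not in rule.protocols:
            continue
        if rule.source not in ("*", source):
            continue
        if rule.auth_required and not authenticated:
            # Model assumption: an anonymous request that otherwise matches
            # stops here instead of falling through to later rules.
            return "deny", rule.name
        return rule.action, rule.name
    return "deny", "Default rule"   # nothing matched

POLICY = effective_policy(ENTERPRISE_BEFORE, ARRAY_RULES, ENTERPRISE_AFTER)

if __name__ == "__main__":
    for req in [("HTTP", "Internal"), ("FTP", "Internal"), ("DNS", "MainDNS")]:
        print(req, evaluate(POLICY, *req))
```

Because the enterprise "before" rules come first, a deny rule added at the array level cannot take HTTP away from users; only the enterprise administrator can change that outcome.
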
How Enterprise Edition Integrates with Network Load Balancing
Enterprise Edition integrates with network load balancing (NLB) by:
  NLB configuration is performed using ISA Server Management
  ISA Server provides NLB health monitoring
  Each network in an array can be configured for NLB
  ISA Server enables single affinity so clients always connect to the same ISA Server computer
  ISA Server supports bi-directional affinity for front-end/back-end firewall scenarios

How Enterprise Edition Enables Virtual Private Networking
Network load balancing can be integrated with virtual private networking to enable:
  Network load balancing for remote access VPNs
    The VPN clients must connect to the shared IP address
  Network load balancing for site-to-site VPNs
    The remote-site VPN server must connect to the shared IP address
    Client requests are automatically directed to the VPN tunnel owner
    Tunnel failover is automatically enabled
Deploying a Site-to-Site VPN without NLB will disable automatic failover

How Enterprise Edition Enables Distributed Caching Using CARP
CARP enables distributed caching:
  Without duplication of cache content
  Without network traffic between ISA Server computers
  That can adjust to the addition or removal of array members
  That evenly distributes the cache or distributes the cache based on load factors
CARP works by:
  Using a script on the Web client that selects the ISA Server computer that will cache the Web content
  Using a script on the ISA Server computer to redirect client requests to the ISA Server computer that will cache the Web content
CARP does not use the shared IP address assigned to an NLB cluster

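An added illustration (not part of the original module) of how a client-side script can pick exactly one cache owner per URL without any traffic between array members. It goes beyond the slide by using weighted rendezvous hashing with SHA-256 as a stand-in for CARP's own hash function; the member names, URLs and load factors are constructed.

```python
import hashlib
import math

def score(member, url, load_factor=1.0):
    """Weighted rendezvous score for one (member, URL) pair."""
    digest = hashlib.sha256(f"{member}|{url}".encode()).digest()
    bits = int.from_bytes(digest[:8], "big") >> 12   # 52 uniform bits
    h = (bits + 0.5) / 2**52                         # strictly inside (0, 1)
    return -load_factor / math.log(h)

def owner(url, members):
    """Return the one member that caches this URL (members: name -> load factor)."""
    return max(members, key=lambda m: score(m, url, members[m]))

def distribution(urls, members):
    """Count how many URLs each member owns."""
    counts = dict.fromkeys(members, 0)
    for url in urls:
        counts[owner(url, members)] += 1
    return counts

def remapped(urls, before, after):
    """URLs whose owner changes when array membership changes."""
    return [u for u in urls if owner(u, before) != owner(u, after)]

# Constructed sample data: hypothetical array members and URLs.
URLS = [f"http://www.example.com/page/{i}" for i in range(2000)]
MEMBERS = {"isa-1": 1.0, "isa-2": 1.0, "isa-3": 1.0}

if __name__ == "__main__":
    print("even load factors:", distribution(URLS, MEMBERS))
    two = {m: w for m, w in MEMBERS.items() if m != "isa-3"}
    moved = remapped(URLS, MEMBERS, two)
    print("URLs moved after removing isa-3:", len(moved))
    print("3:1 load factors:", distribution(URLS, {"isa-1": 3.0, "isa-2": 1.0}))
```

Every client computes the same owner from the member list alone, and removing a member moves only the URLs that member owned, so the rest of the cache stays valid.
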
Lesson: Planning an ISA Server 2004 Enterprise Edition Deployment
ISA Server Enterprise Edition Deployment Scenarios
Planning the Configuration Storage Server Deployment
Planning Enterprise and Array Policy Configuration
Planning for Centralized Monitoring and Management
Migrating from ISA Server 2000 Enterprise Edition Overview

ISA Server Enterprise Edition Deployment Scenarios
Deploy multiple ISA Server computers in identical roles to:
  Use centralized management using arrays
  Implement Network Load Balancing
  Implement CARP
  Use centralized monitoring
Deploy ISA Server computers in a workgroup to:
  Isolate the ISA Server computers from the domain
  Implement flexible ISA Server computer configurations
Deploy ISA Server computers in a branch office to:
  Use multiple ISA Server computers for each role
  Deploy a Configuration Storage server in each office

Planning the Configuration Storage Server Deployment
Guidelines for deploying Configuration Storage servers:
1. Deploy multiple Configuration Storage servers
2. Install the Configuration Storage server on a dedicated computer
3. Install the Configuration Storage server in a domain
4. Consider network speed when deploying Configuration Storage servers
5. Test and verify communication between Configuration Storage servers

Planning Enterprise and Array Policy Configuration
Guidelines for planning enterprise and array policies:
1. Create an enterprise policy for each unique type of array that you deploy
2. Configure only the enterprise policies you need
3. Use the default enterprise policy if you only want to configure array level rules
4. Plan the policy rules and policy rule order for each enterprise policy
5. When you create an array, choose what types of rules can be created at the array level
6. Configure the array policy to meet the access-rule and publishing-rule requirements for the array

Planning for Centralized Monitoring and Management
Guidelines for centralizing monitoring and management:
1. Choose a remote administration option: either Remote Desktop or ISA Server Management
2. Assign administrators to enterprise administrative roles
3. Assign administrators to array administrative roles
4. Implement MOM for centralized monitoring

Migrating from ISA Server 2000 Enterprise Edition Overview
Steps to migrate the ISA Server 2000 configuration to ISA Server 2004:
  Use the ISA Server Migration Wizard to export the ISA Server 2000 configuration to an .xml file
  Install Configuration Storage server
  Import the .xml configuration file into the Configuration Storage server
You can also upgrade individual ISA Server 2000 computers to ISA Server 2004 after you deploy the Configuration Storage server

Lesson: Implementing ISA Server 2004 Enterprise Edition
Requirements for Installing Enterprise Edition
ISA Server Enterprise Edition Implementation Overview
How to Install Configuration Storage Server
How to Configure Enterprise Policies and Networks
How to Configure Arrays and Array Policies
How to Install ISA Server 2004 Enterprise Edition
How to Configure an ISA Server Management Computer

Requirements for Installing Enterprise Edition
Hardware requirements:
  A network adapter for each connected network
  A network adapter for intra-array communication is recommended if you implement NLB
  150 MB of disk space plus space for caching and logging
[Table: columns are Server component or service, and Capable of running on: Windows Server 2003, Windows 2000 Server, Windows XP. Rows: Configuration Storage Server, ISA Server services, Message Screener, Firewall Client Share, ISA Server Management]

ISA Server Enterprise Edition Implementation Overview
To implement ISA Server Enterprise Edition:
1. Install a Configuration Storage server
2. Define the enterprise policies, policy rules, and enterprise networks, as well as the required arrays and array policies
3. Install additional Configuration Storage servers
4. Install ISA Server services on one or more computers
5. Install ISA Server Management on a management workstation

How to Install Configuration Storage Server
Practice: Installing Configuration Storage Server
Configure the required user and group accounts
Install the Configuration Storage Server
[Diagram: Host1, Host2, Den-DC-01, Demo-CSS-01]