Contents
Overview 1
Introducing ISA Server 2
Using Caching 8
Using Firewalls 11
Deployment Scenarios for ISA Server 18
Review 23
Module 1: Overview of Microsoft ISA Server
BETA MATERIALS FOR MICROSOFT CERTIFIED TRAINER PREPARATION PURPOSES ONLY
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2000 Microsoft Corporation. All rights reserved.
Microsoft, BackOffice, MS-DOS, Windows, and Windows NT are either registered trademarks or
trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Overview
• Introducing ISA Server
• Using Caching
• Using Firewalls
• Deployment Scenarios for ISA Server
The Internet enables organizations to connect with customers, partners, and
employees. While this presents new business opportunities, it can also cause
concerns about security, performance, and manageability.
Microsoft® Internet Security and Acceleration (ISA) Server 2000 is designed to
address the needs of today’s Internet-enabled businesses. ISA Server includes
caching features that enable an organization to save network bandwidth and
provide faster Web access for users. ISA Server includes a firewall service that
helps protect network resources from unauthorized access from outside the
organization’s network, while enabling efficient authorized access. Finally, ISA
Server includes management and administration features that enable an
organization to centrally control and manage Internet use and access.
After completing this module, you will be able to:
• Explain the use of ISA Server.
• Describe the concept of caching.
• Describe the concept of firewalls.
• Identify the deployment scenarios for ISA Server.
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about the use of ISA Server as a cache server and an
enterprise firewall.
Introducing ISA Server
• ISA Server Editions
• Benefits of ISA Server
• Installation Modes
ISA Server is an enterprise firewall and cache server built on the Microsoft
Windows® 2000 operating system that provides policy-based access control,
acceleration, and management of internetworking. ISA Server is available in
two editions that are designed to meet the business and networking needs of
your organization. Whether deployed as dedicated components or as an
integrated firewall and caching server, ISA Server provides organizations with a
unified management console that is designed to simplify security and access
management.
Topic Objective: To introduce ISA Server.
Lead-in: ISA Server provides benefits and deployment options to help an organization manage
Internet security and access.
ISA Server Editions
• ISA Server Enterprise Edition
• ISA Server Standard Edition
ISA Server is available in two editions that are designed to meet the business
and networking needs of your organization.
ISA Server Enterprise Edition
The enterprise edition is designed to meet the performance, management, and
scalability needs of high-volume Internet traffic environments with centralized
server management, multiple levels of access policy, and fault-tolerant
capabilities. The enterprise edition provides secure, scalable, fast Internet
connectivity for mission-critical environments.
ISA Server Standard Edition
The standard edition provides enterprise-class firewall security and Web
caching capabilities for small businesses, workgroups, and departmental
environments. The standard edition provides robust security, fast Web access,
intuitive management, and excellent price/performance for business-critical
environments.
Topic Objective: To identify the ISA Server editions.
Lead-in: ISA Server is available in two editions that are designed to meet the business and
networking needs of your organization.
Benefits of ISA Server
Slide: Caching (Fast Access with a High-Performance Web Cache); Security (Enterprise Security
Through a Multilayered Firewall); Management (Powerful Management with Integrated
Administration); Extensibility (Extensible and Customizable Platform).
ISA Server is a key member of the .NET Enterprise Server family. The
products in .NET Enterprise Servers are Microsoft’s comprehensive family of
server applications for building, deploying and managing scalable, integrated,
Web-based solutions and services. ISA Server offers several benefits to
organizations that want fast, secure, and manageable Internet connectivity.
Fast Access with a High-Performance Web Cache
ISA Server provides the following Web performance benefits:
• Provides faster Web access for users by retrieving objects locally rather than
over a slower connection to the potentially congested Internet.
• Reduces bandwidth costs by reducing network traffic.
• Distributes the content of Web servers and e-commerce applications
efficiently and cost-effectively to reach customers worldwide.
Note: The capability for distributing Web content is only available in ISA
Server Enterprise Edition.
Enterprise Security Through a Multilayered Firewall
ISA Server provides the following security benefits:
• Protects networks from unauthorized access.
• Protects Web, e-mail, and other application servers from external attacks by
using Web publishing and server publishing to securely process incoming
requests to internal servers.
• Filters incoming and outgoing network traffic to ensure security.
• Enables secure access for authorized users from the Internet to the internal
network by using virtual private networks (VPNs).
Topic Objective: To describe the benefits offered by ISA Server.
Lead-in: ISA Server offers an organization several benefits for Internet connectivity.
Delivery Tip: The slide for this topic includes animation. Click or press the SPACEBAR to
advance the animation.
Delivery Tip: To present more information about the .NET Enterprise Server family, play the
.NET Enterprise Servers animation. The animation is included on the Trainer Materials Compact
Disc.
Powerful Management with Integrated Administration
ISA Server provides the following management benefits:
• Controls access centrally to ensure and enforce corporate policies.
• Improves productivity by limiting Internet use to approved applications and
destinations.
• Allocates bandwidth to match business priorities.
• Provides monitoring tools and produces reports that show how Internet
connectivity is used.
Extensible and Customizable Platform
ISA Server provides the following extensibility and customization benefits:
• Addresses security and performance needs that are specific to an
organization by using the ISA Server Software Development Kit (SDK) for
in-house development of add-on components.
• Extends security and management functionality with third-party solutions.
• Automates administrative tasks with scriptable Component Object Model
(COM) objects.
Installation Modes
• Cache Mode
• Firewall Mode
• Integrated Mode
• Features Available with Each Mode
You can install ISA Server in three different modes: cache mode, firewall
mode, and integrated mode.
Cache Mode
In cache mode, you can improve network performance and save bandwidth by
storing frequently accessed Web objects closer to the user. You can then route
requests from clients to a cache server that holds cached objects.
Firewall Mode
In firewall mode, you can secure network traffic by configuring rules that
control communication between an internal network and the Internet. You can
also publish internal servers, which enables an organization to share data on its
network with partners or customers.
Integrated Mode
In integrated mode, you can combine the firewall and cache services on a single
host computer. While organizations can deploy ISA Server as a separate
firewall or caching service, you can have a single integrated enterprise firewall
and cache server by choosing this mode.
Topic Objective: To identify the installation modes and associated features of ISA Server.
Lead-in: There are three modes for installing ISA Server.
Features Available with Each Mode
Depending on which mode you select, different features are available. The table
below lists the features that are available for the firewall and cache modes. In
integrated mode, all of the features are available.
Feature | Description | Firewall Mode | Cache Mode
Access policy | Defines which protocols and Internet content clients located behind an ISA Server computer can access. | Yes | HTTP only
Web publishing | Allows internal Web servers to be made available to external clients. | Yes | Yes
Server publishing | Allows internal Web servers to be made available to external clients. | Yes | No
Virtual Private Networks | Extend a private network using links across shared or public networks like the Internet. | Yes | No
Cache service | Stores frequently retrieved objects and URLs in the cache drive of an ISA Server computer. | No | Yes
Packet filtering | Controls the flow of IP packets to and from the ISA Server computer. | Yes | No
Application filters | Perform protocol-specific or system-specific tasks, such as authentication, to provide an extra layer of security for the Firewall service. | Yes | No
Real-time monitoring | Enables you to centrally monitor ISA Server computer activity, including alerts, sessions, and services. | Yes | Yes
Alerts | Notify you when specific events occur and execute corresponding actions. | Yes | Yes
Reports | Summarize and analyze the activity occurring on one or more ISA Server computers. | Yes | Yes
Explain that the tasks associated with each of these features will be presented during the course.
Using Caching
• The Caching Process
• Types of Caching
Caching improves network performance by maintaining a cache of frequently
accessed Web objects. You can deploy ISA Server as a forward caching server
to improve the speed at which users on your internal network can gain access to
Internet resources. You can also deploy ISA Server as a reverse caching server
to improve the speed at which external users can gain access to selected Web
resources that you make available on the Internet. Additionally, you can
distribute the cache across multiple ISA Server computers. By distributing the
cache, a client can gain access to content from the ISA Server computer that is
closest to them. Distributed caching also provides load balancing and fault
tolerance in a network that has multiple ISA Servers.
Topic Objective: To introduce the topics related to the use of caching.
Lead-in: The cache service in ISA Server improves network performance by maintaining a cache of
frequently accessed Web objects.
The Caching Process
Slide: Client 1 and Client 2 each send GET www.nwtraders.msft through the ISA Server cache
(steps 1 to 5); the object is sent from the Internet for the first request and from the cache for
the second.
The process that ISA Server uses to cache content is similar to the process a
Web browser uses to save temporary Internet files. Most Web browsers cache
objects locally, storing requested Web pages in a folder on a computer’s hard
disk so that you can access subsequent objects locally. ISA Server takes this
concept one step further and maintains a centralized cache of frequently
requested Web objects.
The following steps describe the caching process that ISA Server uses to
retrieve Web objects for clients:
1. Client 1 requests a Web object.
2. If the object is not already in the ISA Server cache, ISA Server retrieves the
object from the server on the Internet.
3. The server on the Internet returns the object to the ISA Server computer.
The ISA Server computer retains a copy of the object in its cache and
returns the object to Client 1. The time that it takes the client to receive the
object and the resulting Internet traffic are approximately the same as if the
client had gained access to the object directly.
4. Client 2 requests the same Web object.
5. The ISA Server computer returns the object from its cache rather than
obtaining it from the server on the Internet. The client receives the object
much quicker and the request requires no Internet traffic.
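The five steps above, played out in code. This is an added example written for this page, not ISA Server code: the origin server, the URL and the object are constructed, and the cache is a shared dictionary with no freshness or expiry logic (a real cache also checks whether a retained copy is still valid before serving it).

```python
"""Walkthrough of the five-step caching process: Client 1 misses, Client 2 hits.

Added example, not ISA Server code. The origin server, URL and object are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class OriginServer:
    """Stand-in for the Web server on the Internet; counts requests that reach it."""
    objects: dict
    fetches: int = 0

    def get(self, url: str) -> bytes:
        self.fetches += 1
        return self.objects[url]


@dataclass
class ForwardCache:
    """Simplified shared cache in front of the origin, keyed by URL."""
    origin: OriginServer
    store: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (client, url, served_from)

    def get(self, client: str, url: str) -> bytes:
        if url in self.store:
            # Step 5: a later client gets the retained copy; no Internet traffic.
            self.log.append((client, url, "cache"))
            return self.store[url]
        # Steps 2-3: miss, so fetch from the Internet and retain a copy.
        obj = self.origin.get(url)
        self.store[url] = obj
        self.log.append((client, url, "internet"))
        return obj


def run_walkthrough():
    """Steps 1-5 from the module; returns the request log and the origin fetch count."""
    url = "http://www.nwtraders.msft/index.html"            # constructed
    origin = OriginServer({url: b"<html>Northwind Traders</html>"})
    cache = ForwardCache(origin)
    first = cache.get("Client 1", url)    # step 1: miss, goes to the Internet
    second = cache.get("Client 2", url)   # step 4: same object, served from cache
    assert first == second
    return cache.log, origin.fetches


if __name__ == "__main__":
    log, fetches = run_walkthrough()
    for entry in log:
        print(entry)
    print("origin fetches:", fetches)
```

Two clients ask for the same object, but the origin sees only one request; the log shows where each client's copy came from.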
Topic Objective: To illustrate the process that ISA Server uses to cache content.
Lead-in: The process that ISA Server uses to cache content is similar to the process a Web
browser uses to save temporary Internet files.
Delivery Tip: The slide for this topic includes animation. Click or press the SPACEBAR to
advance the animation.
Types of Caching
Slide: Forward Caching (Internal Network, Cache, Internet); Reverse Caching (Internet, Cache,
Web Server); Distributed Caching (Internal Network, several Caches, Internet).
The caching service accelerates Web performance for both internal and external
clients. ISA Server supports both forward caching for outgoing requests and
reverse caching for incoming requests. Additionally, the cache can be
distributed across multiple ISA Server computers.
Forward Caching
You can use forward caching to provide internal clients with access to Web
objects from the Internet. The ISA Server computer maintains a centralized cache
of frequently requested Web objects that can be accessed by any Web browser.
Objects served from the cache require significantly less processing than objects
served from the Internet.
Reverse Caching
You can use reverse caching to provide external clients with access to Web
objects from an internal Web server. The ISA Server computer, which is
located in front of the Web server, only forwards requests to the Web server when
it cannot retrieve a requested object from its cache. The ISA Server computer
keeps external traffic away from the internal network.
Distributed Caching
You set up an array of ISA Server computers to use distributed caching. An
array is a group of ISA Server computers that can be treated and managed as a
single, logical entity. Distributing cached objects enhances caching
performance through load balancing and provides fault tolerance if an ISA
Server computer is unavailable. Both forward and reverse caching can be
distributed.
Note: Distributed caching is only available in ISA Server Enterprise Edition.
Topic Objective: To describe the types of caching available for ISA Server.
Lead-in: ISA Server supports caching in three configurations.
Using Firewalls
• Firewall Overview
• Bastion Host
• Perimeter Network with Three-Homed Firewall
• Perimeter Network with Back-to-Back Firewalls
• Using Filters to Control Network Access
A firewall is a system, consisting of hardware, software, or a combination of
both, designed to protect private networks from unauthorized access. There are
several types of firewall designs including bastion hosts and perimeter networks
with a three-homed firewall or back-to-back firewalls. In addition, firewalls can
use packet filtering and other types of filtering to control network access.
Topic Objective: To identify the topics related to the use of firewalls.
Lead-in: A firewall is a system designed to protect private networks from unauthorized access.
Firewall Overview
Slide: Internal Network, Firewall, Internet.
In a building, you construct a firewall to keep a fire in one area of the building
from spreading to another area of a building. A firewall on a network provides a
similar purpose—it prevents the potential dangers of the Internet from
spreading to your internal network. A firewall is typically installed at the point
where an internal network connects to the Internet.
A firewall serves two primary functions:
• It is a controlled point of access for all traffic that enters the internal
network. A firewall prevents unauthorized users from gaining access to your
network data and resources.
• It is a controlled point of access for all traffic that leaves the internal
network. A firewall ensures that interactions between the Internet and your
internal network conform to the security rules and policies of your organization.
Topic Objective: To illustrate the network configuration of a firewall.
Lead-in: A firewall serves three primary functions.
Key Points: A firewall is typically installed at the point where an internal network connects to
the Internet.
Bastion Host
Slide: Internet, Bastion Host, Internal Network.
A bastion host is a computer that is the main point of contact for clients of
internal networks to gain access to the Internet. As a firewall, the bastion host is
designed to defend against attacks aimed at the internal network. A bastion host
is typically used for smaller networks to protect the internal network from
intruders.
Configuration of a Bastion Host
A bastion host has two network adapters, one connected to the internal network
and one connected to the Internet. This configuration physically isolates the
internal network from potential intruders on the Internet. Because a bastion host
configuration is a single point of defense, it is important to make sure that the
computer is well secured.
Advantages of a Bastion Host
The advantage of using a bastion host is that it minimizes cost and the amount
of administration that is required for a firewall. At the same time, a bastion host
is not a good solution when you must provide limited access to internal
resources. This design/configuration allows users on the Internet to directly
gain access to your internal network.
Topic Objective: To illustrate the design of a bastion host.
Lead-in: A bastion host is the main point of contact for clients of internal networks to gain
access to the Internet.
Explain that a bastion host derives its name from the highly fortified projections of the outer
walls of medieval castles.
Perimeter Network with Three-Homed Firewall
Slide: Internet, Firewall, Perimeter Network, Internal Network.
A perimeter network is a computer or small network that is set up as a neutral
zone between an internal network and the Internet. A perimeter network allows
external clients to gain access to specific servers located within the perimeter
network, while completely preventing access to the internal network. You
typically use a perimeter network to deploy e-mail and Web servers. A
perimeter network can be set up in one of two configurations: three-homed
firewall or back-to-back firewall.
In a perimeter network configuration with a three-homed firewall, the firewall
is set up with three network adapters. One adapter is connected to each of the
following:
• The Internet
• Internal network servers located in the perimeter network
• Internal network clients
Although the servers in the perimeter network each have Internet protocol (IP)
addresses that can be accessed by external clients, the firewall computer does
not allow direct access to resources that are located on the internal network.
Note: An organization’s security policy may also allow limited and very
controlled network traffic between computers in the perimeter network and
selected computers on the internal network.
A three-homed firewall provides more security than a bastion host and it allows
for secure access to some network resources from the Internet. A bastion host
depends on a single firewall to secure the entire network. If an Internet user
compromises the firewall, that Internet user can gain access to the
organization’s internal network.
Topic Objective: To illustrate the design of a perimeter network with a three-homed firewall.
Lead-in: In a perimeter network configuration with a three-homed firewall, a single ISA Server
computer (or an array of ISA Server computers) is set up with three network adapters.
Key Points: A perimeter network allows external clients to gain access to specific servers
located within the perimeter network, while preventing access to the internal network.
Perimeter Network with Back-to-Back Firewalls
Slide: Internet, Firewall, Perimeter Network, Firewall, Internal Network.
In addition to a perimeter network with a three-homed firewall, you can also
configure a perimeter network with back-to-back firewalls.
Configuration of Back-to-Back Firewalls
In a perimeter network with back-to-back firewalls, two firewalls are located on
either side of the perimeter network. Both firewalls are connected to the
perimeter network; one is also connected to the Internet and the other is also
connected to the internal network. In this configuration, there is no single
point of access. In order to reach the internal network, a user would need
to get past both firewalls.
Advantages of Back-to-Back Firewalls
You can configure more restrictive security rules on a back-to-back firewall
than on a three-homed firewall, which helps you to protect your internal
network more reliably.
It is also easier to configure rules for a back-to-back firewall design if an
organization’s access policy allows limited and very controlled network traffic
between computers in the perimeter network and selected computers on the
internal network.
Important: The back-to-back firewall configuration is the safest and most
commonly used firewall design. Some organizations use variations of this
design to achieve even higher levels of security. For more information about
firewall design, see course 2150A, Designing a Secure Microsoft Windows
2000 Network.
Topic Objective: To illustrate the design of a perimeter network with back-to-back firewalls.
Lead-in: A perimeter network is a computer or small network set up as a neutral zone between an
internal network and the Internet.
Key Points: In a perimeter network with back-to-back firewalls, there is no single point of
access. This design is the most secure of the firewall designs presented in this module.
Using Filters to Control Network Access
Slide: ISA Server between the Internet and the internal network, running the Streaming Media
Filter, SMTP Filter, DNS Intrusion Detection Filter, and POP Intrusion Detection Filter.
Packet filtering is the process of controlling network access based on the
characteristics of the network packets. IP packet filters work by parsing the
headers of a packet and then applying rules to determine whether to route or
drop the packet based on the header information. Most firewalls incorporate
packet filters to allow or deny users the ability to enter or leave the internal
network.
In addition to packet filtering, you can implement other filtering methods to
control network access. For example, you can configure application filters to
accept or deny data from specific applications or data with specific content.
You can also set intrusion detection filters to generate an alert when a security
event occurs.
IP Packet Filters
ISA Server allows you to set rules for allowing or denying network packets
based on characteristics of an IP packet, including:
• Source address or destination address
• Network protocol, such as Internet Control Message Protocol (ICMP)
• Source port or destination port
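The packet characteristics just listed, applied to the three-homed perimeter design from earlier in this section. This is an added example written for this page, not ISA Server's rule engine: the network addresses, the published Web server, the single internal database server and the rule order are all constructed, and the evaluation model (first matching rule wins, anything unmatched is denied) is the example's own assumption.

```python
"""First-match packet filter for a three-homed firewall (Internet, perimeter, internal).

Added example; not ISA Server's rule engine. Addresses and rules are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str               # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    src_net: str
    dst_net: str
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


# Constructed topology (assumed addresses): one firewall adapter per network.
ANY = "0.0.0.0/0"
PERIMETER = "192.0.2.0/24"       # servers that external clients may reach
INTERNAL = "10.0.0.0/8"          # internal clients, never reachable directly
PERIMETER_WEB = "192.0.2.10/32"
INTERNAL_DB = "10.0.5.20/32"

RULES = [
    # External clients may reach the published Web server, and nothing else.
    Rule("allow", ANY, PERIMETER_WEB, "tcp", 80),
    Rule("allow", ANY, PERIMETER_WEB, "tcp", 443),
    # Limited, controlled traffic from the perimeter to one internal server.
    Rule("allow", PERIMETER, INTERNAL_DB, "tcp", 1433),
    # Internal clients may initiate outbound connections.
    Rule("allow", INTERNAL, ANY),
    # Everything else aimed at the internal network is dropped.
    Rule("deny", ANY, INTERNAL),
]


def decide(packet: Packet, rules=RULES) -> str:
    """Return the action of the first matching rule; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(packet):
            return rule.action
    return "deny"


def demo():
    """Decisions for constructed sample packets, keyed by a short description."""
    samples = {
        "internet -> perimeter web :80": Packet("203.0.113.5", "192.0.2.10", "tcp", 80),
        "internet -> internal db :445": Packet("203.0.113.5", "10.0.5.20", "tcp", 445),
        "perimeter web -> internal db :1433": Packet("192.0.2.10", "10.0.5.20", "tcp", 1433),
        "perimeter web -> other internal :1433": Packet("192.0.2.10", "10.0.5.21", "tcp", 1433),
        "internal client -> internet :443": Packet("10.0.1.7", "203.0.113.5", "tcp", 443),
        "internet -> perimeter web icmp": Packet("203.0.113.5", "192.0.2.10", "icmp"),
    }
    return {label: decide(p) for label, p in samples.items()}


if __name__ == "__main__":
    for label, verdict in demo().items():
        print(f"{verdict:5}  {label}")
```

The order matters: the outbound allow for internal clients sits above the catch-all deny, and the perimeter-to-internal allow is narrowed to one host and one port, so a compromised perimeter server cannot reach anything else inside.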
Topic Objective: To describe filtering and related functionality that is available with the
firewall service.
Lead-in: You can use packet, application, and intrusion detection filters to control network
access.
Application Filters
Application filters provide an extra layer of security for the firewall service.
Application filters examine network traffic that spans more than one IP packet,
such as an entire e-mail message. ISA Server includes several application filters
that are automatically installed with ISA Server including:
• Streaming media filter. Allows you to control client access to data that uses
streaming media protocols to gain access to media streaming servers, such
as Microsoft Windows Media Technology (WMT) Server.
• SMTP filter. Filters incoming e-mail based on source, user, or domain and
generates the corresponding alert. The filter maintains a list of rejected users
and domains from which e-mail messages are not accepted.
Intrusion Detection Filters
Intrusion detection filters analyze all incoming traffic for specific intrusions.
ISA Server includes several intrusion detection filters including:
• DNS intrusion detection filter. Intercepts and analyzes Domain Name
System (DNS) traffic destined for the internal network. This filter checks
for several known attacks, including DNS host name overflow. A DNS host
name overflow occurs when a DNS response for a host name exceeds a
certain fixed length. Applications that do not check the length of the host
names may overflow internal buffers when copying this host name. This
reaction can allow a remote attacker to execute arbitrary commands on a
targeted computer.
• POP intrusion detection filter. Intercepts and analyzes Post Office Protocol
(POP) traffic destined for the internal network. Specifically, the filter checks
for POP buffer overflow attacks. A POP buffer overflow attack occurs when
a remote attacker attempts to gain access to the root of a POP server by
overflowing an internal buffer on the server.
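A length check of the kind the DNS intrusion detection filter performs, as an added example written for this page rather than the filter's own code. The module does not state the filter's threshold, so this check uses the RFC 1035 maximums (63 bytes per label, 255 bytes per name) and also rejects reserved label-length bytes and broken compression pointers; both sample responses are constructed.

```python
"""Length check for DNS responses, in the spirit of the DNS intrusion detection filter.

Added example, not ISA Server's filter. The limits are the RFC 1035 maximums
(63 bytes per label, 255 bytes per name); the course does not state the filter's
own threshold. Both sample responses are constructed.
"""
import struct

MAX_LABEL = 63
MAX_NAME = 255
NAME_RDATA_TYPES = {2: "NS", 5: "CNAME", 12: "PTR"}   # rdata that carries another name


def encode_name(hostname: str) -> bytes:
    """Wire-format a dotted host name (used here only to build the samples)."""
    labels = hostname.rstrip(".").split(".")
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def read_name(msg: bytes, offset: int, depth: int = 0):
    """Decode one name; return (labels, offset after it). Raise ValueError if overlong or malformed."""
    labels = []
    while True:
        if offset >= len(msg):
            raise ValueError("truncated name")
        length = msg[offset]
        if length == 0:
            offset += 1
            break
        if length >= 0xC0:                     # compression pointer to an earlier name
            if depth > 8 or offset + 1 >= len(msg):
                raise ValueError("bad compression pointer")
            ptr = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            labels.extend(read_name(msg, ptr, depth + 1)[0])
            offset += 2
            break
        if length > MAX_LABEL:                 # 0x40-0xBF are reserved, never valid
            raise ValueError("label length byte 0x%02x exceeds %d" % (length, MAX_LABEL))
        if offset + 1 + length > len(msg):
            raise ValueError("truncated label")
        labels.append(msg[offset + 1:offset + 1 + length])
        offset += 1 + length
    wire_len = sum(len(label) + 1 for label in labels) + 1
    if wire_len > MAX_NAME:
        raise ValueError("host name of %d bytes exceeds %d" % (wire_len, MAX_NAME))
    return labels, offset


def check_response(msg: bytes):
    """Walk question and answer names; return ("ok", names) or ("alert", reason)."""
    if len(msg) < 12:
        return ("alert", "truncated header")
    qdcount, ancount = struct.unpack("!HH", msg[4:8])
    names, offset = [], 12
    try:
        for _ in range(qdcount):
            labels, offset = read_name(msg, offset)
            offset += 4                                   # QTYPE, QCLASS
            names.append(b".".join(labels).decode("ascii", "replace"))
        for _ in range(ancount):
            labels, offset = read_name(msg, offset)
            rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            if rtype in NAME_RDATA_TYPES:                 # the host name lives in rdata
                read_name(msg, offset)
            offset += rdlen
            names.append(b".".join(labels).decode("ascii", "replace"))
    except (ValueError, struct.error) as err:
        return ("alert", str(err))
    return ("ok", "; ".join(names))


# Constructed samples: a normal A answer, and a CNAME whose target name is 321 bytes.
_HEADER = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
_QUESTION = encode_name("www.nwtraders.msft") + b"\x00\x01\x00\x01"
BENIGN = _HEADER + _QUESTION + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + b"\xc0\x00\x02\x0a"
_LONG = encode_name(".".join(["a" * 63] * 5))
OVERLONG = _HEADER + _QUESTION + b"\xc0\x0c" + struct.pack("!HHIH", 5, 1, 300, len(_LONG)) + _LONG

if __name__ == "__main__":
    print(check_response(BENIGN))
    print(check_response(OVERLONG))
```

The benign response decodes cleanly; the CNAME response is individually well-formed at the label level (every label is 63 bytes) but its total name length exceeds 255, which is exactly the case an application that copies the name into a fixed buffer without checking would mishandle, so the filter raises an alert instead of passing it inward.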
Explain to students that more specific information about intrusions and intrusion detection will
be presented later in the course.
Deployment Scenarios for ISA Server
• Department/Branch Office Cache
• Department/Branch Office Firewall
• Enterprise Cache
• Enterprise Firewall
ISA Server can be configured in a number of deployment scenarios. While organizations of
all sizes can benefit from a combination of caching and firewall services, the
specific configurations that an organization uses can vary depending on scale,
resources, budget, and an organization’s approach to security and management.
Note: This module only covers some of many possible deployment scenarios.
For more information on deployment scenarios for ISA Server, see Deployment
scenarios in ISA Server online Help.
Topic Objective: To identify scenarios in which you can deploy ISA Server.
Lead-in: There are a number of different deployment scenarios for ISA Server that can benefit
organizations.
Department/Branch Office Cache
Slide: Branch Office ISA Server (Cache), Main Office, Internet.
In this scenario, you set up ISA Server as a cache server to reduce network
traffic between a branch office and main office. Because you use less network
bandwidth accessing Web content, more bandwidth remains available for other
applications.
By caching the Web content, you can also reduce long-distance phone charges
that may occur because of demand dialing between a branch office and the main
office. The Web cache server at the branch office stores local copies of the most
frequently accessed Web objects from the main office in dedicated disk drives.
If the branch office is connected to the Internet via the main office, the ISA
Server computer at the branch office can also cache Web objects from the
Internet.
The following steps describe the process for requesting Web objects:
1. A client at a branch office requests a Web object from the main office. This
request may be an object that is located on a Web server at the main office
or on the Internet.
2. The request is sent to the ISA Server at the branch office. If the Web object
is not in the cache, the request is forwarded to the main office.
3. The server at the main office sends the Web object to the ISA Server
computer at the branch office.
4. At the branch office, the ISA Server computer caches the object, and then
sends it to the client. The ISA Server computer fulfills subsequent requests
for the same Web object from its local cache.
Topic Objective: To illustrate the network configuration of ISA Server deployed as a Web cache
server in a department/branch office scenario.
Lead-in: ISA Server set up as a Web cache server at a branch office can reduce network traffic to
the main office.
Department/Branch Office Firewall
Slide: Branch Office ISA Server, Internet Service Provider, Internet; the actual connection runs
through the ISA Server computer, while clients perceive a direct connection.
In this scenario, you set up an ISA Server computer as a dedicated firewall that
acts as the secure gateway to the Internet for internal clients. The ISA Server
computer is placed between the internal network and the Internet. In a small
network with up to 250 clients, a single ISA Server computer can provide
Internet connectivity and security for the entire network.
The ISA Server computer is transparent to the other parties in the
communication path. The branch office users are not able to tell that a firewall
is there, unless a user attempts to gain access to a service or a site in which you
configure an access policy to specifically deny access.
The ISA Server computer blocks all attempted access to the internal network
from the Internet and hides the internal network from the users on the Internet.
Topic Objective: To illustrate the network configuration of an ISA Server computer deployed as a
firewall in a department/branch office scenario.
Lead-in: A single ISA Server computer can provide Internet connectivity and security for the
entire network in a department or branch office.
Enterprise Cache
Slide: ISA Server Array (Cache, Cache, Cache), Corporate Network, Internet.
In this scenario, caching is distributed among an array of ISA Server computers
in an enterprise environment. By distributing the load of cached objects, ISA
Server enhances caching performance and provides fault tolerance in case an
ISA Server computer becomes unavailable.
ISA Server also supports chained, or hierarchical, caching. Chained caching is
a hierarchical connection between individual ISA Server computers or arrays of
ISA Server computers. Requests from clients are sent upstream through the
chain until the requested object is found. If the object is not cached, the ISA
Server retrieves the object from the Internet. ISA Server computers can be
chained as either individual computers or as arrays. Chaining is also an
effective means of distributing server load and providing fault tolerance.
Note: Chaining can be useful in a scenario where an ISA Server computer at a
main office caches all Web objects that are retrieved from the Internet. The ISA
Server computer at the branch office retrieves Web objects from the ISA Server
computer at the main office, and then caches them locally at the branch office.
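The chained, or hierarchical, caching just described, as an added example written for this page rather than ISA Server code. It models two tiers (a branch office cache whose upstream is the main office cache, which in turn fetches from the Internet); the tier names, URLs and objects are constructed, and the way a tier routes around an unavailable upstream is an assumption of this model, not a description of how ISA Server arrays fail over.

```python
"""Chained (hierarchical) caching: branch office -> main office -> Internet.

Added example modelling the scenario in the text; it is not ISA Server code.
The tier names, URLs, objects and the fall-through behaviour for an unavailable
upstream are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class CacheTier:
    name: str
    upstream: Optional["CacheTier"] = None   # None: this tier talks to the Internet
    available: bool = True
    store: dict = field(default_factory=dict)


def fetch(tier, url, origin, trace):
    """Resolve url upstream through the chain; trace records how each hop was served."""
    if tier is None:
        trace.append(("internet", "fetch"))
        origin["fetches"] += 1
        return origin["objects"][url]
    if not tier.available:
        # Assumed fault tolerance: route around an unavailable tier to its upstream.
        trace.append((tier.name, "unavailable"))
        return fetch(tier.upstream, url, origin, trace)
    if url in tier.store:
        trace.append((tier.name, "hit"))
        return tier.store[url]
    trace.append((tier.name, "miss"))
    obj = fetch(tier.upstream, url, origin, trace)
    tier.store[url] = obj     # each tier retains a copy on the way back down
    return obj


def run_chain():
    """Branch and main-office requests through the chain; returns (trace, origin fetches)."""
    home, news = "http://www.nwtraders.msft/", "http://www.nwtraders.msft/news"   # constructed
    origin = {"objects": {home: b"home", news: b"news"}, "fetches": 0}
    main = CacheTier("main-office")
    branch = CacheTier("branch", upstream=main)
    trace = []
    fetch(branch, home, origin, trace)    # branch miss -> main miss -> Internet
    fetch(branch, home, origin, trace)    # branch hit: no traffic to the main office
    fetch(main, home, origin, trace)      # main-office client: served from the main cache
    main.available = False
    fetch(branch, news, origin, trace)    # branch miss -> main unavailable -> Internet
    return trace, origin["fetches"]


if __name__ == "__main__":
    trace, fetches = run_chain()
    for hop in trace:
        print(hop)
    print("origin fetches:", fetches)
```

The first branch request walks the whole chain and leaves a copy at every tier, so the second branch request and the later main-office request are both served locally; the origin sees only two requests in total, one of them because the main-office tier was marked unavailable.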
Topic Objective: To illustrate the network configuration of an array of ISA Servers deployed to
distribute caching in an enterprise scenario.
Lead-in: An array of ISA Servers can enhance caching performance and provide fault tolerance in
an enterprise environment.