Preparing to deploy Microsoft Internet Security and Acceleration Server 2000

Do you want to connect your Windows 2000 network to the Internet but miss the features that Proxy Server 2.0 offered for Windows NT? John Sheesley shows you how to get ready to use ISA Server to connect your Windows 2000 network to the Internet.

You probably know that you can connect your Windows 2000 server to the Internet and use it as a gateway to allow Internet access for your clients. We pointed out several ways to do so in the Daily Drill Downs “Using NAT to connect Windows 2000 to the Internet” and “Using Windows 2000 Server as a router on your network.” Even though you can connect your network to the Internet using Windows 2000 by itself, you may not want to.

Native Windows 2000 routing works well but might not be the best choice for all circumstances. Fortunately, Microsoft recently released the Internet Security and Acceleration (ISA) Server 2000 to help address needs that may not be completely fulfilled by Windows 2000’s built-in capabilities. In this Daily Drill Down, I’ll take a look at ISA Server 2000, show you what it does, and show you how to prepare for it.

Do I really need ISA Server?
With Windows 2000’s built-in ability to route packets across networks, you may wonder what benefit you’d find by deploying ISA Server 2000. The main reasons to use it are in the name—Internet security and acceleration.

On the security side, ISA Server can provide firewall capability for your network. By itself, Windows 2000 Server can connect you to the Internet, but it leaves you relatively unprotected. ISA Server’s firewall capabilities are much stronger than Proxy Server’s. ISA Server can block hackers from seeing services available on your network and block unauthorized access. It also allows you to filter traffic at the packet, circuit, and application levels.

ISA also adds security when it comes to allowing access to Internet resources. You can block users, control the amount of bandwidth they get, or track what they’re doing. You can also restrict the types of services they can use. For example, if you want to clamp down on streaming media, you can block it from coming across your network.

On the acceleration side, ISA doesn’t actually increase the speed of the connection your network has to the Internet. Instead, it employs caching technology to store frequently accessed Web pages and information on your ISA server. That way, when clients request the pages, they receive the information over the high-speed LAN, not over your slower Internet pipe. This can be especially useful in keeping users from clogging your Internet connection. By itself, Windows 2000 can’t do this for you.

If you’ve used Proxy Server on your Windows NT network, you’ll want to upgrade to ISA Server. ISA Server is much more integrated with Windows 2000 than Proxy Server ever was with Windows NT. This integration not only makes ISA Server easier to administer but also makes ISA Server faster and more stable than Proxy Server was on NT.

Although your mileage will vary, Microsoft claims that ISA Server can process transactions about 10 times faster than Proxy Server 2.0 on similar hardware. And by applying policies to users or groups that control what they can do, you have much finer control over your users as they pass through ISA Server as opposed to Proxy Server.

A tale of two ISAs
Microsoft provides two versions of ISA Server—ISA Server Enterprise Edition and ISA Server Standard Edition. The two versions of ISA Server share essentially the same features. The main differences come into play when you start thinking about scalability. ISA Standard only supports a maximum of four processors in your host server. Additionally, it only supports local policies and runs as a standalone server.

When you deploy ISA Enterprise, the hardware limitations go away. You also get the ability to cluster your ISA servers into arrays to help share duties for large deployments. Policies you create can apply to servers throughout your array. Finally, you also gain centralized management to allow you to manage all of your servers at once, rather than having to administer individual servers, as you’re forced to do with ISA Standard.

For the purposes of this Daily Drill Down, we’ll focus on ISA Enterprise Edition. If you’re running ISA Standard Edition, most of the things we’ll cover are the same. As mentioned above, there are several limitations inherent in ISA Standard Edition, but they aren’t relevant for our discussion.

What’s it going to cost me?
To some extent, Microsoft made licensing for ISA Server simpler than that of Proxy Server, which ISA Server replaces. You don’t need to worry about licensing ISA Server on a client-access license basis. Instead, Microsoft licenses ISA Server on a per-CPU basis. For example, if you want to buy ISA Standard and run it on a dual-CPU server, you’ll need to buy two licenses for your server.

At the time of this writing, prices for ISA Server start at $1,499 per CPU for ISA Standard Edition. If you want to run ISA Enterprise Edition, it will cost you $5,999 per CPU. You can also upgrade from Proxy Server or from some of ISA’s competitors for a price of $749 for ISA Standard or $2,999 for ISA Enterprise. Qualifying upgrades include:
  • Axent Raptor
  • CacheFlow
  • Check Point FireWall-1
  • Cisco Cache Engine
  • Cobalt Cache
  • Cobalt Qube
  • IBM SecureWay Firewall
  • IBM WebSphere Cache
  • Inktomi Traffic Server
  • Microsoft Proxy Server
  • Netscape Proxy Server
  • Network Appliance NetCache
  • Novell BorderManager

If you first purchase ISA Standard and decide you want to upgrade to ISA Enterprise, it will cost you $4,499. For current prices, you can check Microsoft’s ISA Server Pricing and Licensing site.

Getting ready to install ISA Server
As you can probably guess, there’s more to installing ISA Server than just putting the CD-ROM in your server and running Setup. You must do some advance planning before reaching for that CD. Areas of planning involve:
  • Hardware considerations
  • Software considerations
  • Efficiency and fault tolerance
  • Client considerations

Hardware considerations
The first thing you should do is figure out exactly how many users are going to be going through your ISA server. You should also make sure you pad your current usage by 50 percent or more to ensure room for growth. You’ll need to determine the number of users because that will determine the amount of hardware you’ll need.

Microsoft claims that ISA Server’s minimum configuration is a 300-Mhz Pentium II with 256 MB of RAM and 20 MB of available hard drive space. Of course, you know how minimum requirements are. I was able to install ISA Server on a test laptop that had a 266-Mhz Pentium II with 192 MB of RAM. Naturally, you wouldn’t want to deploy a server that only meets the minimum. You might be able to deploy the server, but your users won’t enjoy the experience.

According to Microsoft, the minimum recommended hardware will serve to cache objects for up to 500 users if you reserve 2 to 4 GB of additional hard drive space for caching. If you want to use ISA Server’s cache-to-cache objects for remote users, the minimum configuration is only supposed to support 100 hits per second.

As you can see, you’re going to have to beef up your server a bit if you want it to work efficiently. One thing you’ll definitely need to add to your server is an additional network card. For ISA Server to work properly, it requires at least two network cards in your server. The first network card connects to your LAN. The second card connects to your WAN or whatever device you use to connect to the Internet.

Software considerations
Hardware isn’t your only consideration. You must also make sure you’re running the latest service pack for Windows 2000. At the time of this writing, the current service pack is Service Pack 1. ISA Server also comes with a post-Service Pack 1/pre-Service Pack 2 set of hot fixes that you should apply after you complete the installation.

Your other software consideration comes in the form of Active Directory. If you install ISA Standard as a standalone server, you don’t have to worry about Active Directory implications. When configured as a standalone server, ISA Server stores all of its configurations to the local machine’s registry. That means you can even install ISA Server on a Windows 2000 server that’s part of a Windows NT domain.

If you want to employ an ISA Server array, however, you’ll need to have Active Directory running properly on your network. ISA Server’s installation program makes extensive modifications to the Active Directory schema, so if you don’t have things running smoothly from the start, you’ll be in deep trouble. And of course, by implication, if you’re going to have Active Directory running properly, you’ll need to make sure that you have Windows 2000 DNS servers properly configured and running on your network as well.

Efficiency and fault tolerance
When you’re planning your ISA deployment, you may want to consider deploying an array of ISA servers rather than just deploying one large ISA server. There are several reasons for this. First of all, most servers don’t encounter processor bottlenecks. More often than not, they experience I/O contention as they service and pass data packets.

As you can probably guess, this can definitely be a point of contention for a server doing the type of work that it will have to do when running ISA Server. By deploying multiple ISA servers in an array, you can avoid this problem. ISA Server can employ load balancing to spread requests out across all of the servers in your array.

Another consideration when preparing to deploy ISA Server is that of fault tolerance. If Internet access is critical to your organization, you may not want to rely on only one server to provide this access. This is another place where an ISA array can come in handy. Should one ISA server fail in an array, the other servers will pick up the downed server’s workload.

Client considerations
Finally, before deploying ISA Server, take a look at your network clients. You’ll need to make sure that your clients will be able to use ISA Server before you deploy it. When you know what access your clients need, you can determine whether ISA can do the job or if you need to make changes to your workstations before deploying ISA Server. ISA Server can support three different types of clients: Web Proxy clients, SecureNAT clients, and firewall clients.

Web Proxy clients are those clients that are only going to be using ISA Server as a gateway for Web access on the Internet. They can’t do FTP, streaming media, or anything else. All the clients can do is access the Web using a Web browser such as Internet Explorer or Netscape Navigator. The client’s Web browser, not the client’s operating system, determines whether a client can be a Web Proxy client. Web Proxy clients can run any operating system, including Linux or OS/2.

SecureNAT clients can run any operating system, as well. All you have to do is configure the default gateway on the client to point to the ISA Server. SecureNAT clients use traditional network address translation (NAT) in concert with ISA Server’s security features to access the Internet.

Firewall clients run special firewall client software that allows them to pass data through ISA Server’s firewall. Currently, Microsoft only ships firewall client software for Windows 9x, Windows Me, Windows NT 4.0, and Windows 2000. If you have any Macintoshes or Linux workstations, you’re out of luck.

By itself, Windows 2000 is very powerful. It can even serve as a router on your network. It can’t necessarily serve all your needs when connecting your network to the Internet, however. With a little preparatory work, you can configure Windows 2000 with ISA Server to make your Internet connections faster and more secure.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.

Editor's Picks