To get the most out of your Microsoft ISA Server 2004
deployment, you must first spend some time planning and preparing for it. This
entails several tasks:

  • Determining
    the ISA Server’s mode on your network
  • Deciding
    on the placement of your ISA Server machine(s)
  • Determining
    what (if any) additional roles and tasks you want the ISA Server
    machine(s) to perform
  • Ensuring
    that the computer on which you want to install ISA Server 2004 meets the
    hardware and software requirements for your deployment
  • Installing
    and hardening the Windows 2000 or Server 2003 operating system on which
    you’re installing ISA Server 2004

In this article, we’ll look at how to complete each of these
steps as you prepare to deploy your ISA Server computer.

Determining the ISA Server’s mode of operation

Microsoft’s ISA Server 2004 can be deployed on your network
as a firewall, a Web caching server, or both. One of your first planning tasks
is to decide in which mode(s) ISA Server will perform. This decision will also
affect placement and hardware requirements. For example, if your ISA Server
will be a Web caching server only, it requires only a single network interface
card (NIC), whereas an ISA firewall must be multihomed (with at least two
NICs). On the other hand, an ISA Server that functions only as a firewall won’t
require as much disk space as an ISA Server that performs Web caching.

In ISA Server 2000, you were given the options during
installation to install the product in firewall only, caching only, or firewall
and caching mode. With ISA 2004, there are no such choices during installation.
Caching is disabled by default, and you must explicitly enable it after
installation.

Here are some considerations regarding each of the three ISA
Server roles.

Firewall only

This is the default role of ISA Server 2004 when installed
on a machine with multiple NICs. Caching is turned off by default, and the ISA
Server functions as a dedicated multilayered firewall. Because processing
cycles and memory are not being used for caching, performance is faster and
less disk space is needed since cached objects are not being stored on the hard
disk.

Caching only

This is the default role of ISA Server 2004 when installed
on a single-NIC machine (however, you still need to enable caching after
installation). The machine can still act as a Web proxy, but you lose the
firewall client capabilities, and you can’t create server publishing rules (you
can still create Web publishing rules). You can’t create access rules to
support protocols other than HTTP/HTTPS and Web proxy tunneled FTP.

Firewall and caching

When you enable caching on a multihomed ISA Server, you get
two products for the price of one: a multilayered firewall and a forward and
reverse Web caching server. Enabling caching doesn’t affect the security of the
ISA firewall, but you’ll need more memory and additional disk space for best
performance.

There is a fourth scenario that might be of use in special
circumstances: If you install ISA Server 2004 on a single-NIC machine and do not enable caching, the ISA Server can
function as a Web proxy only. This would be something of a waste of ISA’s
capabilities, but it’s another mode in which ISA can serve.

You can use an ISA Server that has multiple NICs as a
unihomed machine by disabling all of the NICs except one and running the Single
Network Adapter template that is included with ISA Server 2004.

Determining placement and role

Where the ISA Server computer is to be placed on the network
and the role it will play are important considerations in planning your
deployment. Here are some common scenarios.

Internet edge firewall

The firewall placement that most of us think of first is at
the Internet edge (also called a “front-end” firewall). The ISA Server sits
between the public network and the local area network. All communications that
are coming into or going out of the local network are subject to the firewall
policies you’ve set, and you can granularly control both inbound and outbound
access based on user or group accounts.

ISA Server’s built-in intrusion detection system (IDS) and
intrusion prevention system (IPS) can protect the local network from common
attacks, and the ISA can also act as a VPN gateway and SMTP filtering relay.
The ISA Server filters traffic at the packet level (layer 3), circuit level
(layer 4), and application level (layer 7).

Back-to-back ISA Servers in a DMZ

You can use two ISA Servers to create a perimeter network
(DMZ) that provides a screened subnet between the public network and the
internal network. Servers that need to be accessible by Internet users, such as
public Web servers, FTP servers, and NNTP servers, are placed in this perimeter
network.

One ISA Server acts as the front-end firewall at the
Internet edge, and the second acts as a back-end firewall to protect the
internal network from users who access the servers in the DMZ. Only limited
access is allowed between the internal network and the perimeter network
segment.

Back-end firewall

A common scenario for companies that already use a
traditional packet-filtering firewall at the Internet edge is to put ISA Servers
on the “back end” of a perimeter network. The ISA firewall then protects the
internal computers from the users who access the servers in the DMZ. This
allows organizations to keep utilizing their existing third-party firewalls and
avoid a major redesign of the network. It also allows organizations to increase
security through ISA’s deep application layer filtering, which protects the
internal network from application-level exploits.

Internetwork access control

With its new support for multinetworking, the ISA Server can
be used to control multiple security zones within the internal network.
Firewall policy can be applied to all of the ISA Server’s network interfaces,
and you can set up routed or NAT relationships between networks or zones.
Intelligent application layer filters will do stateful inspection of the
traffic that passes between the network segments.

Application-layer filtering Web proxy

If the organization already has a perimeter network that
uses third-party firewalls at the front and back ends, there’s still a place
for ISA Server as an application-layer filtering Web proxy server. In this
scenario, the ISA Server is placed within the perimeter network between the
front- and back-end firewalls or on the internal network. You can take advantage
of the high speed of the packet-filtering firewalls while the ISA Server
performs resource-intensive, application-layer filtering.

Another choice is the reverse Web proxy scenario, in which
the ISA Server 2004 application-layer filtering proxy forwards user credentials
across the back-end firewall to pre-authenticate remote users.

Web caching server

You can use the ISA Server to speed up your internal users’
access to Internet Web objects by enabling caching and setting the ISA Server
up as a forward Web caching server. You can use the ISA Server to speed up
external Internet users’ access to the content on your company’s Web servers by
enabling caching and setting the ISA Server up as a reverse Web caching server.
The ISA Server can perform both forward and reverse caching, and caching can be
done in conjunction with firewall functionality.

Determining the ISA Server’s additional roles and tasks

Once you’ve determined the placement and roles of your ISA Server
on the network, you’ll need to consider whether the ISA Server will also host
other Windows services, such as remote access services, terminal services, and
so forth.

Common additional roles for the ISA Server machine include:

  • Remote access VPN server/site-to-site
    VPN gateway:
    The Windows 2000 or Server 2003 machine on which the ISA
    Server is installed can also function as a remote access VPN server or site-to-site
    VPN gateway. The ISA Server is commonly used as your VPN server when you’re
    using site-to-site VPN to link two LANs.
  • Terminal server: The Windows 2000
    machine on which the ISA Server is installed can also function as a
    terminal server for remote administration (you should not use the ISA Server as an application server).
  • Spam-filtering SMTP relay: Third-party
    spam filtering software can be installed on the ISA Server 2004 machine.
  • Caching-only DNS server: The ISA Server
    can act as a forwarder for the internal DNS servers to protect them from
    DNS cache poisoning and other DNS attacks.

You don’t need to set up a Windows Server 2003 computer as a
terminal server in order to remotely manage its desktop. You only have to
enable Remote Desktop in the System applet in Control Panel.

Meeting hardware and software requirements

The next step, before installing the ISA Server 2004
software, is to ensure that the machine meets the hardware requirements both
for the underlying operating system (Windows 2000 or Server 2003) and for ISA
Server 2004 operating in the modes and roles that you’ve planned for it.

Microsoft’s recommended minimums are a 550 MHz PIII
processor; 256 MB of RAM; 150 MB of free disk space on an NTFS partition; and one
NIC for each network to which the ISA Server will be connected.

These should be considered bare minimums. For best
performance, we recommend that you double the processor and memory
recommendations. If you plan to deploy ISA Server as a Web caching server, you’ll
need additional hard disk space and memory. We’ve found a good rule of thumb to
be 100 MB of additional disk space, plus 1 to 5 MB per user for the average
network, and a minimum of 1 GB of memory. You should analyze the actual usage
load to determine requirements for your network.

ISA Server 2004 can be installed on Windows 2000 Server,
Advanced Server, or Datacenter Server with Service Pack 4 or above and Internet
Explorer 6 or above; or on Windows Server 2003 Standard, Enterprise, or
Datacenter Edition (ISA Server 2004 won’t install on Web Edition).

Hardening the underlying Windows operating system

A common criticism of ISA Server from advocates of
appliance-based firewalls is that the underlying Windows operating system is
not secure by default. If you’re installing ISA Server 2004 on Windows Server
2003, Microsoft recommends that you apply the Microsoft Baseline Security
Policy template as described in the Windows
Server 2003 Security Guide
. You should not
apply the IPSec filters or server role policies. If you’re installing ISA
Server 2004 on Windows 2000 Server, see the Windows
2000 Security Hardening Guide
.

A key aspect of hardening the operating system is disabling
unneeded services. However, you don’t want to disable services that are used by
the ISA Server to perform necessary tasks. Services that need to be enabled
depend on the ISA Server’s role and functions. You can find a list of the core
services that ISA Server 2004 needs enabled at Microsoft’s
Web site
.

The ISA Server may also need services enabled to allow it to
function as a client to other servers (for example, the DHCP and DNS clients,
the automatic update service, and so forth).

When you’ve determined which services are needed on your ISA
Servers, you can create a security template to make it easy to configure a
security policy and apply it to all of your ISA Server machines. The template
is created with the Security Templates MMC snap-in and is applied using the
Security Configuration and Analysis snap-in.

Plan, plan, plan

Prior to installing the ISA Server 2004 software, you should
plan your deployment and prepare the computer(s) on which the ISA software will
be installed. In this article, I’ve discussed planning considerations for
common scenarios and explained how to ensure that your machine is ready to host
ISA Server 2004 for firewall functionality, Web caching, or both.