SolutionBase: Preparing to deploy ISA Server 2004

Connecting Windows Server 2003 to the Internet can be both dangerous and difficult. To help make things easier, Microsoft created ISA Server 2004, which can act as both a router and a firewall. Here's what you need to know before running Setup.

To get the most out of your Microsoft ISA Server 2004 deployment, you must first spend some time planning and preparing for it. This entails several tasks:

  • Determining the ISA Server's mode on your network
  • Deciding on the placement of your ISA Server machine(s)
  • Determining what (if any) additional roles and tasks you want the ISA Server machine(s) to perform
  • Ensuring that the computer on which you want to install ISA Server 2004 meets the hardware and software requirements for your deployment
  • Installing and hardening the Windows 2000 or Server 2003 operating system on which you're installing ISA Server 2004

In this article, we'll look at how to complete each of these steps as you prepare to deploy your ISA Server computer.

Determining the ISA Server's mode of operation

Microsoft's ISA Server 2004 can be deployed on your network as a firewall, a Web caching server, or both. One of your first planning tasks is to decide in which mode(s) ISA Server will perform. This decision will also affect placement and hardware requirements. For example, if your ISA Server will be a Web caching server only, it requires only a single network interface card (NIC), whereas an ISA firewall must be multihomed (with at least two NICs). On the other hand, an ISA Server that functions only as a firewall won't require as much disk space as an ISA Server that performs Web caching.

In ISA Server 2000, you were given the options during installation to install the product in firewall only, caching only, or firewall and caching mode. With ISA 2004, there are no such choices during installation. Caching is disabled by default, and you must explicitly enable it after installation.

Here are some considerations regarding each of the three ISA Server roles.

Firewall only

This is the default role of ISA Server 2004 when installed on a machine with multiple NICs. Caching is turned off by default, and the ISA Server functions as a dedicated multilayered firewall. Because processing cycles and memory are not being used for caching, performance is faster and less disk space is needed since cached objects are not being stored on the hard disk.

Caching only

This is the default role of ISA Server 2004 when installed on a single-NIC machine (however, you still need to enable caching after installation). The machine can still act as a Web proxy, but you lose the firewall client capabilities, and you can't create server publishing rules (you can still create Web publishing rules). You can't create access rules to support protocols other than HTTP/HTTPS and Web proxy tunneled FTP.

Firewall and caching

When you enable caching on a multihomed ISA Server, you get two products for the price of one: a multilayered firewall and a forward and reverse Web caching server. Enabling caching doesn't affect the security of the ISA firewall, but you'll need more memory and additional disk space for best performance.

There is a fourth scenario that might be of use in special circumstances: If you install ISA Server 2004 on a single-NIC machine and do not enable caching, the ISA Server can function as a Web proxy only. This would be something of a waste of ISA's capabilities, but it's another mode in which ISA can serve.

You can use an ISA Server that has multiple NICs as a unihomed machine by disabling all of the NICs except one and running the Single Network Adapter template that is included with ISA Server 2004.

Determining placement and role

Where the ISA Server computer is to be placed on the network and the role it will play are important considerations in planning your deployment. Here are some common scenarios.

Internet edge firewall

The firewall placement that most of us think of first is at the Internet edge (also called a "front-end" firewall). The ISA Server sits between the public network and the local area network. All communications that are coming into or going out of the local network are subject to the firewall policies you've set, and you can granularly control both inbound and outbound access based on user or group accounts.

ISA Server's built-in intrusion detection system (IDS) and intrusion prevention system (IPS) can protect the local network from common attacks, and the ISA can also act as a VPN gateway and SMTP filtering relay. The ISA Server filters traffic at the packet level (layer 3), circuit level (layer 4), and application level (layer 7).

Back-to-back ISA Servers in a DMZ

You can use two ISA Servers to create a perimeter network (DMZ) that provides a screened subnet between the public network and the internal network. Servers that need to be accessible by Internet users, such as public Web servers, FTP servers, and NNTP servers, are placed in this perimeter network.

One ISA Server acts as the front-end firewall at the Internet edge, and the second acts as a back-end firewall to protect the internal network from users who access the servers in the DMZ. Only limited access is allowed between the internal network and the perimeter network segment.

Back-end firewall

A common scenario for companies that already use a traditional packet-filtering firewall at the Internet edge is to put ISA Servers on the "back end" of a perimeter network. The ISA firewall then protects the internal computers from the users who access the servers in the DMZ. This allows organizations to keep utilizing their existing third-party firewalls and avoid a major redesign of the network. It also allows organizations to increase security through ISA's deep application layer filtering, which protects the internal network from application-level exploits.

Internetwork access control

With its new support for multinetworking, the ISA Server can be used to control multiple security zones within the internal network. Firewall policy can be applied to all of the ISA Server's network interfaces, and you can set up routed or NAT relationships between networks or zones. Intelligent application layer filters will do stateful inspection of the traffic that passes between the network segments.

Application-layer filtering Web proxy

If the organization already has a perimeter network that uses third-party firewalls at the front and back ends, there's still a place for ISA Server as an application-layer filtering Web proxy server. In this scenario, the ISA Server is placed within the perimeter network between the front- and back-end firewalls or on the internal network. You can take advantage of the high speed of the packet-filtering firewalls while the ISA Server performs resource-intensive, application-layer filtering.

Another choice is the reverse Web proxy scenario, in which the ISA Server 2004 application-layer filtering proxy forwards user credentials across the back-end firewall to pre-authenticate remote users.

Web caching server

You can use the ISA Server to speed up your internal users' access to Internet Web objects by enabling caching and setting the ISA Server up as a forward Web caching server. You can use the ISA Server to speed up external Internet users' access to the content on your company's Web servers by enabling caching and setting the ISA Server up as a reverse Web caching server. The ISA Server can perform both forward and reverse caching, and caching can be done in conjunction with firewall functionality.

Determining the ISA Server's additional roles and tasks

Once you've determined the placement and roles of your ISA Server on the network, you'll need to consider whether the ISA Server will also host other Windows services, such as remote access services, terminal services, and so forth.

Common additional roles for the ISA Server machine include:

  • Remote access VPN server/site-to-site VPN gateway: The Windows 2000 or Server 2003 machine on which the ISA Server is installed can also function as a remote access VPN server or site-to-site VPN gateway. The ISA Server is commonly used as your VPN server when you're using site-to-site VPN to link two LANs.
  • Terminal server: The Windows 2000 machine on which the ISA Server is installed can also function as a terminal server for remote administration (you should not use the ISA Server as an application server).
  • Spam-filtering SMTP relay: Third-party spam filtering software can be installed on the ISA Server 2004 machine.
  • Caching-only DNS server: The ISA Server can act as a forwarder for the internal DNS servers to protect them from DNS cache poisoning and other DNS attacks.

You don't need to set up a Windows Server 2003 computer as a terminal server in order to remotely manage its desktop. You only have to enable Remote Desktop in the System applet in Control Panel.

Meeting hardware and software requirements

The next step, before installing the ISA Server 2004 software, is to ensure that the machine meets the hardware requirements both for the underlying operating system (Windows 2000 or Server 2003) and for ISA Server 2004 operating in the modes and roles that you've planned for it.

Microsoft's recommended minimums are a 550 MHz PIII processor; 256 MB of RAM; 150 MB of free disk space on an NTFS partition; and one NIC for each network to which the ISA Server will be connected.

These should be considered bare minimums. For best performance, we recommend that you double the processor and memory recommendations. If you plan to deploy ISA Server as a Web caching server, you'll need additional hard disk space and memory. We've found a good rule of thumb to be 100 MB of additional disk space, plus 1 to 5 MB per user for the average network, and a minimum of 1 GB of memory. You should analyze the actual usage load to determine requirements for your network.

ISA Server 2004 can be installed on Windows 2000 Server, Advanced Server, or Datacenter Server with Service Pack 4 or above and Internet Explorer 6 or above; or on Windows Server 2003 Standard, Enterprise, or Datacenter Edition (ISA Server 2004 won't install on Web Edition).

Hardening the underlying Windows operating system

A common criticism of ISA Server from advocates of appliance-based firewalls is that the underlying Windows operating system is not secure by default. If you're installing ISA Server 2004 on Windows Server 2003, Microsoft recommends that you apply the Microsoft Baseline Security Policy template as described in the Windows Server 2003 Security Guide. You should not apply the IPSec filters or server role policies. If you're installing ISA Server 2004 on Windows 2000 Server, see the Windows 2000 Security Hardening Guide.

A key aspect of hardening the operating system is disabling unneeded services. However, you don't want to disable services that are used by the ISA Server to perform necessary tasks. Services that need to be enabled depend on the ISA Server's role and functions. You can find a list of the core services that ISA Server 2004 needs enabled at Microsoft's Web site.

The ISA Server may also need services enabled to allow it to function as a client to other servers (for example, the DHCP and DNS clients, the automatic update service, and so forth).

When you've determined which services are needed on your ISA Servers, you can create a security template to make it easy to configure a security policy and apply it to all of your ISA Server machines. The template is created with the Security Templates MMC snap-in and is applied using the Security Configuration and Analysis snap-in.

Plan, plan, plan

Prior to installing the ISA Server 2004 software, you should plan your deployment and prepare the computer(s) on which the ISA software will be installed. In this article, I've discussed planning considerations for common scenarios and explained how to ensure that your machine is ready to host ISA Server 2004 for firewall functionality, Web caching, or both.