
| Pentium III 550 MHz for every 2,000 users | 256 for every 2,000 users | 10 GB for every 2,000 users |

Table 2 – Capacity planning for forward caching server applications


If you want to use ISA Server in Integrated Mode (see Installation), these values will increase
further. Any computer intended to operate as an ISA server will therefore be fully utilised.

Installing ISA Server


A Windows 2000 Server with a full implementation of Active Directory is the minimum on which it is
possible to install Microsoft ISA Server. Before installing ISA Server, one must configure Active
Directory (adding required classes and selecting object properties).

Fig. 1 ISA Server setup screen with selected AD schema modification option

Before the system attempts to update the schema you will be warned that this action is not reversible.

Fig. 2 Active Directory’s modification-related warning

When modifying the schema, it is necessary to decide how far the existing policies integrated in AD
are to be modified. If problems occur while modifying Active Directory, consult the Ldif.log file.

Fig. 3 Modifying Active Directory


Once the Active Directory has been updated, you can attempt to install ISA Server. In the first step, you
will be requested to supply the information about the installation mode (Typical, Full, Custom).

Fig. 4 ISA Server installation options

After this step, the set-up wizard checks whether Active Directory has already been installed and
whether any settings have been modified. Next, you will be prompted to determine if the server should be
part of a domain or be used as a standalone unit. In the next step, select the mode of operation from the
following three options:
· Firewall – with this option, ISA Server will function as a very powerful firewall,
· Web Cache – will establish the ISA Server as a cache server and give access to ‘Net resources’,
· Integrated Mode – when in integrated mode, all ISA Server implemented and initialized features will
be available.

Fig. 5 Selecting the functional mode

Once the required mode has been selected, the next dialog box stops the Internet Information Services
(if any are already installed) and prompts you either to uninstall IIS or to reconfigure it so that it does
not listen on ports 80 and 8080, which are required for ISA Server. Although the two can operate on the
same machine, Microsoft recommends relocating the IIS Server to another machine.
In the next step, you will be prompted to specify the cache size for the Web Cache service.

Fig. 6 Configuring the cache size for WWW caching

If it is a multiple-disk server, one may benefit by distributing caches onto a few disks. This would
accelerate the process of accessing cacheable information.
Having configured appropriate cache sizes for WWW Web services one may attempt to configure LAT
(Local Address Table).

Fig. 7 LAT setup utility


The LAT (Local Address Table) defines all internal IP address ranges. When this table is built
(Fig. 7), either the private IP address ranges as defined in RFC 1918 (10.X.X.X, 172.16.X.X,
192.168.X.X) or the external Windows 2000 routing tables will be used.

Fig. 8 A default LAT

Once this step is successful, a screen confirms the end of LAT configuration. Remember to
ensure that all network cards are connected to the Internet while installing ISA Server. Should any
network card be inactive, LAT tables will probably not be created.
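
Because the LAT decides which addresses ISA Server treats as internal, it is worth checking the finished table against the RFC 1918 blocks and against the server's internal adapters. The following is an added example, not part of the original article or of ISA Server itself; the function name, the (first, last) range format and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# RFC 1918 private blocks; note that the 172.16 block runs up to 172.31.255.255.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_lat(lat_ranges, internal_nics):
    """Audit LAT entries given as (first_ip, last_ip) string pairs.

    Returns (non_private, uncovered):
      non_private - LAT ranges that reach outside the RFC 1918 blocks
      uncovered   - internal adapter addresses that no LAT range contains
    """
    non_private, covered = [], []
    for first, last in lat_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            raise ValueError(f"LAT range {first}-{last} is reversed")
        # Break the range into CIDR blocks so each can be tested for containment.
        blocks = list(ipaddress.summarize_address_range(lo, hi))
        covered.extend(blocks)
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            non_private.append((first, last))
    uncovered = [nic for nic in internal_nics
                 if not any(ipaddress.ip_address(nic) in b for b in covered)]
    return non_private, uncovered

# Constructed sample data (hypothetical, not taken from the page).
SAMPLE_LAT = [("10.0.0.0", "10.255.255.255"),
              ("192.168.0.0", "192.169.255.255")]  # upper bound overshoots 192.168/16
SAMPLE_NICS = ["10.20.0.1", "172.16.5.1"]           # second adapter has no LAT entry

if __name__ == "__main__":
    bad, missing = audit_lat(SAMPLE_LAT, SAMPLE_NICS)
    print("LAT ranges containing public addresses:", bad)
    print("Internal adapters missing from the LAT:", missing)
```

A range reported as non-private is not necessarily wrong (an internal network may use routable addresses), but each one should be a deliberate choice rather than a typing error.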

Fig. 9 Completing the LAT setup procedures


After completing the setup procedures, you can attempt to replicate the content of all files to the ISA
Server directory. After installation, the ISA Server Administration utility will start.

Fig. 10 Microsoft ISA Server Administrator utility and Getting Started Wizard

To manage this utility, use the Microsoft Management Console (MMC) feature. The left pane
contains all options that are necessary for setup whilst the right pane provides the settings available for
such options.

Getting Started Wizard


Because ISA Server is completely different from Proxy Server 2.0, Microsoft recommends that even
experienced administrators become acquainted with the Wizard that will help in the initial steps of
product configuration and customization.
The Getting Started Wizard works with a set of options that guide
users through the process of customizing the product and also clarify the effects of specific
modifications when introduced to the ISA Server.
The Wizard is split into two sections (see Fig. 10):
· Configuring policies,
· Configuring arrays.
After you have finished the initial configuration of ISA Server with help from the Getting Started
Wizard, you can fully adapt the product to the working environment by finally re-adjusting certain
settings.

Creating protocol rules


Administering an ISA Server means creating suitable arrays, rules and policies. Arrays and policies
have already been explained, so let us examine the term “rules”.
ISA Server uses two types of rules:
· Site and content rule – determines if and when content from specific Internet destinations can
be accessed by users,
· Protocol rule – determines which packets may or may not access the ISA server.
Apart from the above rules, the following rules can also be defined for ISA server:
· Bandwidth (Capacity) rule – this will prioritise different types of services using ISA server.
This allows administrators to determine which specific WWW traffic or business-related traffic will
be allocated the available bandwidth.
· Web publishing rules – to “publish” incoming HTTP, HTTPS, FTP requests and map them as
services on the ISA Server.
· Server publishing – with this feature, clients from the public Internet are directed to the ISA
Server instead of to the web server. Moreover, the ISA Server may act as the proxy for inbound
and outbound traffic between the public Internet clients and the internal web server.

Web Cache functions


ISA Server features high-performance Web Cache functions. The Cache Configuration tab guides the
user through configuring the Web service. In addition to a variety of other settings, it is possible to set
the size of the cache per hard disk and to configure the schedule of caching tasks (TTL
utility).

Fig. 11 Configuring caching services


When ISA Server is set up as a Web caching server, two situations are possible:
· Forward Web Caching Server – this is the most popular use of the Web caching server. Its
function is as follows:

Fig. 12 Forward Web Caching Server

1. User No. 1 (Client 1) forwards a request to the Web server for an object;
2. The ISA Server approves the request and checks if the object already exists in the local cache. If the
content does not already exist in the cache, the ISA Server contacts the Web server to fetch the
requested object (on behalf of the user);
3. The Web server returns the object in question to the ISA Server;
4. ISA Server returns the Web object to the original client No. 1, and saves this object to cache it
locally;
5. User No. 2 forwards the request for the same Web object;
6. ISA Server will send the object cached locally to user No. 2.

· Reverse Web Caching Server – Reverse Proxy by an ISA Server offers security for one or
more Web servers located on the internal network. This ensures secure Web publishing, which is
of particular concern if sensitive data is to be sent from the servers.

Fig. 13 Reverse Web Caching Server
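
The six forward-caching steps above, together with the TTL setting mentioned earlier, can be traced in a small model. This is an added example, not ISA Server code and not from the original article; the class, the fake clock and the sample URL are assumptions made for illustration. It also shows that client 2 receives exactly the copy that client 1's request placed in the cache until the TTL expires.

```python
import time

class ForwardCache:
    """Toy forward Web cache following steps 1-6 (illustrative model only)."""

    def __init__(self, fetch_origin, ttl_seconds, clock=time.monotonic):
        self.fetch_origin = fetch_origin  # callable(url) -> bytes, stands in for the Web server
        self.ttl = ttl_seconds
        self.clock = clock
        self.store = {}                   # url -> (expiry_time, body)
        self.log = []                     # (client, url, "HIT" or "MISS") audit trail

    def request(self, client, url):
        now = self.clock()
        entry = self.store.get(url)
        if entry and entry[0] > now:      # step 6: a fresh copy exists, serve it locally
            self.log.append((client, url, "HIT"))
            return entry[1]
        body = self.fetch_origin(url)     # steps 2-3: fetch on behalf of the client
        self.store[url] = (now + self.ttl, body)  # step 4: cache the object, then return it
        self.log.append((client, url, "MISS"))
        return body

def demo():
    """Replay the scenario with a fake clock; returns (results, origin fetch count)."""
    origin_hits = []
    def origin(url):                      # constructed stand-in for the real Web server
        origin_hits.append(url)
        return b"<html>constructed sample page</html>"
    fake_now = [0.0]
    cache = ForwardCache(origin, ttl_seconds=60, clock=lambda: fake_now[0])
    url = "http://example.test/"          # constructed sample URL
    cache.request("client1", url)         # steps 1-4: not cached yet
    cache.request("client2", url)         # steps 5-6: served from the cache
    fake_now[0] = 61.0                    # TTL has passed
    cache.request("client2", url)         # stale entry, fetched again from the origin
    return [result for _, _, result in cache.log], len(origin_hits)

if __name__ == "__main__":
    print(demo())
```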

In addition to the security offered by both forward and reverse caching, ISA Server could be configured
to give administrators the possibility to manage various Web caching solutions such as:
· Scheduled Content Download – ISA Server can be configured to provide tools for
downloading/refreshing web pages at appropriate intervals. In this way, the most popular web
objects may be refreshed at night instead of during the day without risking overloaded
connections.
· Active caching – when active caching is used, ISA Server itself will evaluate and rank the
cache and refresh it as necessary. This is a particularly useful option in situations where
employees must use specific URLs to fetch necessary information several times during the
day, from sites that are frequently updated, and especially if it is risky to fetch non-updated
versions.
· On Demand – the most popular configuration of a caching server: upon an initial request for
on-demand content, the server acquires requested Web files and stores them locally in its cache.

Secure Internet Access through ISA Server


Secure Internet Access is one of the fundamental features provided by ISA Server. It is increasingly
necessary to improve security tools and check users that access the network from outside, especially in
a situation where the Global Web is vulnerable to outside interference from viruses, Trojan horses or
hacker attacks. One may also wish to improve security to monitor network users and protect the
network from potential Internet threats. To face this challenge and provide solutions for a broad
landscape of users, Microsoft has implemented three types of clients in ISA Server:
· Firewall clients – all computers that have Firewall Client software installed and active,
· SecureNAT clients – all computers that do not have Firewall Client software installed,
· Web Proxy clients – all Web browser clients that are configured to use ISA Server.

| Feature | SecureNAT Client | Firewall Client | Web Proxy Client |
|---|---|---|---|
| Installation required? | No, but some network configuration changes required | Yes | No, requires Web browser configuration |
| Operating System support | Any OS that supports TCP/IP | Only Windows platforms | All platforms |
| Protocol support | Requires application filters for multi-connection protocols | All Winsock applications | HTTP, SHTTP, FTP, Gopher |
| User-level authentication | No | Yes | Yes |
| Server applications | No installation or configuration required | Requires configuration file | N/A |

Table 3 Comparison of ISA Server Clients


Both Firewall and SecureNAT clients include the WebProxy client service, since all Web client requests are
passed to WebProxy. All other requests sent by either Firewall or SecureNAT clients are redirected to
other modules within ISA server.
Before selecting the client type to be used in a specific enterprise, it is necessary to recognize what
particular applications and protocols are to be used in the network. A proper evaluation will help to
have trouble-free use of Web services without continuous changes to the configuration. Choosing
reliable clients is also the foundation for all network security since a more liberal access policy to
Internet facilities may threaten not only e-privacy but also e-access. It is enough to realise that a few
users who are downloading MP3 or AVI files from the Net and have a few Internet sessions open will
be sufficient to occupy an enterprise connection at nearly 100 percent utilisation.
| Network need | Recommended client type | Reason |
|---|---|---|
| To avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration on client machines. |
| To use ISA Server only for forward Web caching. | SecureNAT | If one uses ISA Server as a Web caching server, one will not have to deploy any special software. |
| One wants to create user-based access rules to control non-Web Internet access. | Firewall Client | If one uses Firewall clients, one may configure access rules for non-Web sessions. However, these rules will be effective only if one configures ISA Server to require authentication information with each session. |
| The network supports many roaming users and computers. | Firewall Client | SecureNAT clients do not support automatic discovery of ISA server. When one configures automatic discovery, roaming users or computers cannot connect to the Internet server as appropriate. |
| The clients need access (outside of Web browsers) to protocols with secondary connections to the Internet via FTP. | Firewall Client | SecureNAT clients do not support protocols with secondary connections. |
| To support dial-in-demand for non-Web sessions from the clients. | Firewall Client | Though SecureNAT supports dial-out, only Firewall clients support dial-in-demand for non-Web sessions. |

Table 4 Choosing an ISA Server Client Type


Table 4 summarises the choices that help in selecting the proper type of client for accessing
the network in a specific enterprise. For a more detailed specification of the particular types of clients see
the files attached to the program.

Extras
Because many extras are included with ISA Server, additional information may be required that can be
found on the Internet at the following sites:
· http://www.microsoft.com/isaserver/
· http://www.isaserver.org/
· http://www.faq.net.pl/
Newsgroups:
· ms-news.pl.isa-server
· microsoft.public.isa
Microsoft Press Publishing:
MCSE Training Kit: Microsoft Internet Security and Acceleration Server 2000
