
Sunday, April 26, 2009

GETTING STARTED WITH ISA SERVER

Because ISA Server is completely different from Proxy Server 2.0, Microsoft recommends that even experienced administrators become acquainted with the Wizard that will help in the initial steps of product configuration and customization.

The Getting Started Wizard works with a set of options that guide users through the process of customizing the product and also clarify the effects of specific modifications when they are introduced to the ISA Server.

The Wizard is split into two sections (see Fig. 10):

* Configuring policies,
* Configuring arrays.

After you have finished the initial configuration of ISA Server with help from the Getting Started Wizard, you can fully adapt the product to the working environment by re-adjusting certain settings.


Creating protocol rules

Administering an ISA Server means creating suitable arrays, rules and policies. Arrays and policies have already been explained, so let us examine the term “rules”.

ISA Server uses two types of rules:

  • Site and content rule – determines if and when content from specific Internet destinations can be accessed by users,
  • Protocol rule – determines which packets may or may not access the ISA server.

Apart from the above rules, the following rules can also be defined for ISA server:

  • Bandwidth (Capacity) rule – this prioritises the different types of services that use ISA Server. It allows administrators to verify which specific WWW traffic or business-related traffic is allocated the available bandwidth.
  • Web publishing rules – to “publish” incoming HTTP, HTTPS and FTP requests and map them as services on the ISA Server.
  • Server publishing – with this feature, clients from the public Internet are directed to the ISA Server instead of to the web server. Moreover, the ISA Server may act as the proxy for inbound and outbound traffic between the public Internet clients and the internal web server.

Web Cache functions

ISA Server features high-performance Web Cache functions. The Cache Configuration tab guides the user through configuring the Web service. In addition to a variety of other settings, it is possible to set the size of the cache memory per hard disk and to configure the schedule of caching tasks (TTL utility).


Fig. 11 Configuring caching services

When ISA Server is set up as a Web caching server, two situations are possible:

  • Forward Web Caching Server – this is the most popular use of the Web caching server. Its function is as follows:


Fig. 12 Forward Web Caching Server

1. User No. 1 (Client 1) forwards a request to the Web server for an object;

2. The ISA Server approves the request and checks if the object already exists in the local cache. If the content does not already exist in the cache, the ISA Server contacts the Web server to fetch the requested object (on behalf of the user);

3. The Web server returns the object in question to the ISA Server;

4. ISA Server returns the Web object to the original client No. 1 and saves the object in its local cache;

5. User No. 2 forwards the request for the same Web object;

6. ISA Server will send the object cached locally to user No. 2.

  • Reverse Web Caching Server – Reverse Proxy by an ISA Server offers security for one or more Web servers located on the internal network. This ensures secure Web publishing, which is of particular concern if sensitive data is to be sent from the servers.


Fig. 13 Reverse Web Caching Server

In addition to the security offered by both forward and reverse caching, ISA Server could be configured to give administrators the possibility to manage various Web caching solutions such as:

  • Scheduled Content Download – ISA Server can be configured to provide tools for downloading/refreshing web pages at appropriate intervals. In this way, the most popular web objects may be refreshed at night instead of during the day without risking overloaded connections.
  • Active caching – when active caching is used, ISA Server itself evaluates and ranks the cache and refreshes it as necessary. This is particularly useful where employees must fetch information from specific URLs several times a day, the sites are frequently updated, and it is risky to fetch outdated versions.
  • On Demand – the most popular configuration of a caching server: upon an initial request for on-demand content, the server acquires requested Web files and stores them locally in its cache.
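
The forward caching steps 1 to 6 and the on-demand/TTL behaviour described above can be modelled in a few lines. This is an added example, not ISA Server code: the `ForwardCache` class, its parameters, the rule callback and the sample URL are all hypothetical, and the rule check is placed before the cache lookup as in step 2.

```python
import time

URL = "http://www.example.com/logo.gif"  # constructed sample object

class ForwardCache:
    """Simplified on-demand forward cache (hypothetical model, not ISA Server code)."""

    def __init__(self, fetch, allowed, ttl_seconds, clock=time.monotonic):
        self._fetch = fetch        # callable(url) -> bytes, stands in for the Web server
        self._allowed = allowed    # callable(client, url) -> bool, stands in for the rules
        self._ttl = ttl_seconds
        self._clock = clock
        self._store = {}           # url -> (body, expiry time)
        self.outcomes = []         # one of DENIED / MISS / HIT / EXPIRED per request

    def request(self, client, url):
        # Step 2: approve the request first, so a cached copy is never
        # handed to a client that the access rules would refuse.
        if not self._allowed(client, url):
            self.outcomes.append("DENIED")
            return None
        now = self._clock()
        entry = self._store.get(url)
        if entry is not None and entry[1] > now:
            self.outcomes.append("HIT")        # step 6: served locally
            return entry[0]
        self.outcomes.append("MISS" if entry is None else "EXPIRED")
        body = self._fetch(url)                # steps 2-3: fetch on the client's behalf
        self._store[url] = (body, now + self._ttl)   # step 4: keep a local copy
        return body

def demo():
    origin_requests = []
    def origin(url):
        origin_requests.append(url)
        return b"GIF89a..."                    # constructed response body
    now = [0.0]                                # fake clock so the run is deterministic
    cache = ForwardCache(origin, lambda client, url: client != "client3",
                         ttl_seconds=60, clock=lambda: now[0])
    cache.request("client1", URL)              # first request: fetched from origin
    cache.request("client2", URL)              # same object: served from cache
    cache.request("client3", URL)              # refused by the rule, cache untouched
    now[0] = 61.0                              # TTL has passed
    cache.request("client1", URL)              # stale entry: fetched again
    return cache.outcomes, len(origin_requests)

if __name__ == "__main__":
    print(demo())
```

Four client requests produce only two origin fetches, and the refused client receives nothing even though the object is already cached.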

Secure Internet Access through ISA Server

Secure Internet Access is one of the fundamental features provided by ISA Server. It is increasingly necessary to improve security tools and check users that access the network from outside, especially in a situation where the Global Web is vulnerable to outside interference from viruses, trojan horses or hacker attacks. One may also wish to improve security to monitor network users and protect the network from potential Internet threats. To face this challenge and provide solutions for a broad landscape of users, Microsoft has implemented three types of clients in ISA Server:

  • Firewall clients – all computers that have Firewall Client software installed and active,
  • SecureNat clients – all computers that do not have Firewall Client software installed,
  • Web Proxy clients – all Web browser clients that are configured to use ISA Server.

| Feature | SecureNat Client | Firewall Client | Web Proxy Client |
|---|---|---|---|
| Installation required? | No, but some network configuration changes required | Yes | No, requires Web browser configuration |
| Operating System support | Any OS that supports TCP/IP | Only Windows platforms | All platforms |
| Protocol support | Requires application filters for multi-connection protocols | All Winsock applications | HTTP, SHTTP, FTP, Gopher |
| User-level authentication | No | Yes | Yes |
| Server applications | No installation or configuration required | Requires configuration file | N/A |

Table 3 Comparison of ISA Server Clients

Both Firewall and SecureNat clients include WebProxy client service, since all Web client requests are passed to WebProxy. All other requests sent by either Firewall or SecureNAT clients are redirected to other modules within ISA server.

Before selecting the client type to be used in a specific enterprise, it is necessary to recognize what particular applications and protocols are to be used in the network. A proper evaluation will help to have trouble-free use of Web services without continuous changes to the configuration. Choosing reliable clients is also the foundation for all network security since a more liberal access policy to Internet facilities may threaten not only e-privacy but also e-access. It is enough to realise that a few users who are downloading MP3 or AVI files from the Net and have a few Internet sessions open will be sufficient to occupy an enterprise connection at nearly 100 percent utilisation.

| Network need | Recommended client type | Reason |
|---|---|---|
| To avoid deploying client software or configuring client computers. | SecureNAT | SecureNAT clients do not require any software or specific configuration on client machines. |
| To use ISA Server only for forward Web caching. | SecureNAT | If one uses ISA Server as a Web caching server, one will not have to deploy any special software. |
| One wants to create user-based access rules to control non-Web Internet access. | Firewall Client | If one uses Firewall clients, one may configure access rules for non-Web sessions. However, these rules will be effective only if one configures ISA Server to require authentication information with each session. |
| The network supports many roaming users and computers. | Firewall Client | SecureNat clients do not support automatic discovery of ISA server. When one configures automatic discovery, roaming users or computers cannot connect to the Internet server as appropriate. |
| The clients need access (outside of Web browsers) to protocols with secondary connections to the Internet via FTP. | Firewall Client | SecureNat clients do not support protocols with secondary connections. |
| To support dial-in-demand for non-Web sessions from the clients. | Firewall Client | Though SecureNat supports dial-out, only Firewall clients support dial-in-demand for non-Web sessions. |

Table 4 Choosing an ISA Server Client Type

Table 4 summarises the choices that help in selecting the proper type of client for accessing the network in a specific enterprise. For a more detailed specification of the particular types of clients, see the files attached to the program.


Copyright © 2009 by SERVER TECHNOLOGY