balance on the fine line between accessibility and security), although that scenario will work with a relatively simple domain structure that has a single domain in each forest, administration becomes incredibly complex if your existing network has multiple domains at various levels in one or more domain trees. In that case, in order to provide ISA functionality to clients in all the domains, multiple explicit one-way trusts must be created and managed between the ISA Server domain and each of the other individual domains (see Figure 2.5). Figure 2.5 Placing ISA Servers in a Separate Forest Requires Creating Explicit One-Way Trusts between the ISA Domain and All Other Domains that Contain ISA Clients Ultimately, it’s a trade-off. Placing the ISA servers in a separate forest does provide more security, but it also requires a higher cost in administrative time and effort. What about placing the ISA servers in their own domain but in the same forest or tree as your existing domains? Is there any advantage to this solution? Regardless of where in the forest your ISA domain is placed, it still has an implicit two-way trust with the other domains in the forest, so you lose the security advantage of the one-way trust. One reason you might place the ISA servers in their own domain in the same forest is to create an administrative boundary. That is, if you want to assign a specific administrator or group to manage the ISA Servers, this is an option. If we were working with an NT network, that would be a good reason to create a separate domain for the ISA Servers. However, because Windows 2000 provides for organizing resources into OUs and delegating administrative authority over individual OUs, you can place the ISA servers in an OU and assign administrative privileges to the selected users without giving them administrative control over the entire domain. However, keep in mind that the domain administrator will have administrative authority over all the OUs within the domain. Domain administrators don’t have administrative authority outside their domains, however (unless that authority is granted by the administrator of the other domain), so this might factor into your decision as to whether or not to place the ISA servers in a separate domain or simply create an OU for them. If your network is also divided into sites, which are physical divisions of the network as opposed to the logical divisions created by domains, bandwidth and performance issues could also come into play. If the ISA servers are located in a site that is separated from its clients by a slow WAN link, performance will be negatively impacted. WARNING Keep in mind that if you have multiple ISA servers that you want to join in arrays, all members of an array must belong to the same Windows 2000 domain and to the same Active Directory site. There is no definitive right or wrong" answer when it comes to where to place your ISA servers within the domain structure. Rather, you must evaluate your own priorities tac.com us.tac.com ca.tac.com training. ca.tac.com acctg. ca.tac.com isa.com tac.com forest isa.com forest and determine which option works best in your particular network environment. Be aware that the complexity of the enterprise environment could be a factor in making this decision. User Needs Assessment An important step in planning the deployment of your ISA servers in the enterprise is assessing the needs of your users and determining what applications and services the internal clients require. Assessing your user needs will help you determine whether client computers should be configured as firewall clients, Web proxy clients, SecureNAT clients, or a combination of the three. The checklist in Table 2.2 should help you assess your users’ needs in terms of which client(s) should be deployed. Table 2.2 Client Assessment Checklist Other factors to consider when assessing user needs include: · What types of applications do your users need to run? For example, if users are using Outlook Express to access Hotmail accounts, and the ISA Server is configured to require authentication, the request will fail. · What other security needs do your users have? For example, IPSec in transport mode will not work with ISA’s network address translation. · Is there a need for such functionality as an incoming ping to internal clients? This option is not supported. · Is there a need for internal clients to ping outside the LAN, to the other side of the ISA server? This works only with SecureNAT clients. · Is there a need to control access by user account or group? With SecureNAT, you can control only by IP address, not by user or group. You need to use the firewall client to configure user-based policy rules. · Do users need to use NetMeeting for conferencing? You might need to configure the H.323 gatekeeper in ISA and set the clients to use the gatekeeper. · Do you need to improve the performance of internal clients’ requests for Web Assessment Question Yes No Is ease of installation and configuration of client computers your top priority? In this case, you can deploy SecureNAT clients, which require no installation of software and no complex configuration. You might want to consider using the firewall client, which requires installation of client software, and/or the Web proxy client, which requires configuration of applications. Do you plan to use the server publishing feature to make Web, e-mail, or other internal servers available to Internet users? You might want to publish the internal servers as SecureNAT clients, using server publishing rules on the ISA server. This is much easier than publishing the internal servers as firewall clients. You might want to use the firewall client for added security. Is security your highest priority? You might want to deploy firewall clients, allowing you to configure user-based access policy rules to allow access only for authenticated clients. You might want to use the SecureNAT client, which is easier to set up and configure. objects? You should use the Web proxy client. · Do you have non-Microsoft operating systems on the network and need to improve Web performance? You can use SecureNAT to pass requests transparently to the ISA Server firewall service and then on to the caching service. ISA Server Functionality In the enterprise environment, it is especially important that you consider the appropriate mode (firewall, caching, or integrated) in which each ISA server will be installed. All members of an array must run in the same mode. Mode is selected during setup, so preplanning is essential. You will want to consider how the ISA servers will be used, what policies will be implemented, special needs such as VPN support, and the client types that will be installed. Both the firewall and caching modes allow implementation of enterprise policy, but caching mode supports access policy only for HTTP. Both modes support Web publishing, but only the firewall mode supports server publishing. Packet and application filtering and VPN support are available only in firewall mode, but both firewall and caching modes support Web filters, real-time monitoring, alerts, and reports. Only Web proxy clients are supported in caching mode; all three client types (Web proxy, SecureNAT, and firewall clients) can be used with an ISA server running in firewall mode. Table 2.3 provides a quick at-a-glance summary of the features supported by each mode. Table 2.3 ISA Server Mode Functionality Comparison Of course, in many cases you will want both the caching and firewall functionalities and will install your enterprise ISA servers and arrays in integrated mode. ISA Server Interoperability An enterprise network is a complex entity. Your network is likely to have in place existing security measures that could be affected by the deployment of ISA. You must also consider, as part of the planning process, how ISA Server will interoperate with various network services and other Internet-related software such as your Web server. Here are some issues that need to be addressed as you determine how best to deploy ISA Server on your network: · Interoperation with Active Directory This is dependent on whether ISA Server is installed as a standalone or an array member. If the former, its configuration information will be saved to the Registry on the ISA Server computer. However, configuration for ISA Server arrays is stored in Active Directory. This is the reason that arrays require a Windows 2000 domain (standalone ISA Servers can be installed on a Windows 2000 server in a Windows NT domain). The enterprise initialization is really just a fancy (or perhaps less scary) way of referring to modification of the Active Directory schema. The ISA schema information will be installed in your existing schema. ISA Functionality Caching Firewall Integrated Enterprise policy X X X Access policy X (HTTP only) X X Server publishing X X Web publishing X X X Packet filtering X X Application filtering X X Web filters X X X Monitoring, alerts, and reports X X X VPN X X SecureNAT clients X X Web Proxy clients X X X Firewall clients X X WARNING Schema modifications are not to be taken lightly! Remember that a schema is shared by all domains in the forest, and once object classes or attributes have been added to the schema, they cannot be removed (although they can be deactivated). · Interoperation with IIS The IIS 5.0 Web server is included with Windows 2000. It is possible to run IIS on the ISA Server (although it is not required). If you choose to do this, you can use the Web publishing rules to publish IIS to the Internet. However, you might need to do some “tweaking” of the IIS configuration. If ISA is listening for Web requests on port 80, IIS should be set up to use any currently unused port (for example, 81). IIS also should not use port 8080, the default port used by ISA for outbound Web requests. If you want IIS to listen on port 80, you could use packet filters to publish the Web server. The objective is to prevent port conflicts between ISA and IIS. Because of the potential for these problems, the ISA installation will stop the WWW publishing service. However, once you change the IIS ports, you can restart the service. · ISA impact on ICS or NAT ISA provides address translation, so there is no use for Internet Connection Sharing or the Windows 2000 built-in NAT. If you have NAT configured in RRAS, the ISA Server installation will disable it and you will see an error in the system log (accessed via Event Viewer), as shown in Figure 2.6. Figure 2.6 If NAT Is Configured, It Reports an Error in the System Log Stating NAT Was Unable to Start NOTE Windows 2000 NAT recognizes that another process has taken over its address translation function, but it does not recognize that ISA Server is the culprit. Note that the error message suggests that the problem might be due to ICS being enabled on a network connection. This is not the case in this situation; it is ISA Server that is causing the error, not ICS. Other interoperability issues include: · ISA Server interoperation with IPSec As we have noted, IPSec will not work with ISA Server in transport mode, providing a secure end-to-end connection from a client on the internal network. However, IPSec can be enabled on the computer on which ISA Server is installed. If you do this, AH and ESP (IP protocols 50 and 51) will be controlled by the IPSec driver rather than by ISA’s packet filter driver. This will ensure that the network allows only valid AH and ESP traffic. · Interoperation with RRAS RRAS can coexist with ISA on the Windows 2000 Server computer, but ISA packet filtering will replace RRAS packet filtering (if you had the latter configured). The ISA Server will use dial-up entries that you have configured for use by RRAS. A dministrative Permissions I t is important to understand the role played by access permissions and to be aware of t he permissions necessary to install, configure, and manage ISA Server: · To install ISA Server as a standalone, you need an account that belongs to the local administrators group on the machine on which you are installing. If you are installing a standalone ISA server on a machine that belongs to a Windows 2000 domain, you can do so if you are a member of the domain administrators group (because domain admins are automatically members of the local administrators group). · To initialize the enterprise, which must be done before you can install ISA Server as a member of an array in a Windows 2000 domain, you must belong to the enterprise admins group and the schema admins group (because initializing the enterprise modifies the Active Directory schema). · By default, to install ISA Server as an array member (after the enterprise has already been initialized), you must be a domain admin of the domain in which the array is installed or an enterprise admin. · To change enterprise policies for an array, you must be an enterprise admin; to change array policies, you must be a domain admin. If you attempt to modify policies without the proper permissions, you will see the message shown in Figure 2.7. Fi g ure 2.7 Enterprise Policies Chan g e Error Messa g e You can give additional users or groups permission to modify the array configuration. Simply right-click the array name in the left console tree of the ISA Management Console, select Properties, select the Security tab, and assign the Full Control permission to the user or group, as shown in Figure 2.8. Figure 2.8 Assigning Permissions to Modify the Array Configuration to Users or Groups Permissions can be configured for a variety of ISA Server objects, including the following: · Enterprise policy settings (by default, enterprise admins have Full Control and all authenticated users have Read) · Enterprise policies (by default, enterprise admins have Full Control and all authenticated users have Read) · Arrays (by default, enterprise, domain and local admins have Full Control and all authenticated users have Read) · Sessions (by default, enterprise, domain and local admins have Read Sessions Information and Stop Sessions; all authenticated users have Read Sessions Information) · Alerts (by default, enterprise, domain and local admins have Read Alerts Information and Reset Alerts; all authenticated users have Read Alerts Information) · Gatekeeper (by default, enterprise, domain and local admins have Full Control, Modify, and Read; all authenticated users have Read) NOTE The local system account has the same permissions as the enterprise admin accounts for each of the ISA objects listed. In order to generate reports, a user must have the proper permissions. You need to enter the account credentials to generate a report. When you access the properties for a report job in the ISA Management Console, you need to enter the user account information on the Credentials tab for a user who has permissions to generate reports, as shown in Figure 2.9. Figure 2.9 User Credentials Must Be Entered to Generate ISA Server Reports NOTE In Chapter 9, in the section on Monitoring, Alerts, and Reports, we look more closely at how to create and schedule a report job. When generating reports for arrays, note that reports are generated on whichever server you used to configure the report job, but the logs on the other servers in the array must be accessed for the reports to be generated. This means that your user account must have permissions for creating reports on the other servers as well as the one on which you configure the report job. To generate reports, by default you must be a member of the domain admins groups, be a member of the local administrators group on every ISA server in the array, or have permissions to access and launch the DCOM objects on every ISA server in the array. NOTE A thorough understanding of how permissions work is essential in effectively configuring, administering, and troubleshooting ISA Server. Planning Multiserver Arrays Arrays are appropriate for medium-sized and large networks, and in the enterprise environment, they offer many advantages. All the ISA servers in an array share the same configuration; this means that they can be managed as a single entity and provide fault tolerance, in addition to load balancing and distributed caching. In other words, many of the enterprise-level features we have discussed in this chapter are available only if you set up your ISA servers as array members. Consult the following checklist in determining whether to install your ISA servers as array members: q Active Directory must be installed on your network. q One or more ISA Servers can be members of the array. q A single enterprise policy can be applied to all arrays in the enterprise. q Array policies can be applied to all the computers in an array. q All array members must belong to the same Windows 2000 domain. q All array members must belong to the same Active Directory site. q All array members must be installed in the same mode. q The same add-ins should be installed on all servers in the array. NOTE If you install add-ins such as Web or application filters on an ISA server that is a member of an array, these add-ins are not automatically installed to the other array members. You must individually install the add-ins to each of the servers that belongs to the array. Understanding Multiserver Management Array members are managed as a single entity. By default, when you install the first member of the array, the array name is the same as the first member’s name. To see the servers that are members of the array, open the Computers container in the left pane of the ISA Management Console, as shown in Figure 2.10. Figure 2.10 The Array Members Appear in the Computers Folder This centralized administrative model enhances security because all administrative duties can be performed from one computer. If there is a very large number of ISA servers in the array, the ability to apply the same configuration and policies to all array members at once can mean a tremendous saving in administrative time. NOTE In keeping with Microsoft’s claim that ISA Server is infinitely scalable, it has placed no limitation on the number of ISA servers you can have in one array, as it did with Proxy Server 2.0. Backing Up the Array Configuration Information Array configuration information can be backed up using ISA Server’s backup and restore feature. The backup function will save the following information: · Access policy rules · Publishing rules · Policy elements · Alerts information · Caching configuration · Array properties This configuration information can be saved to a file on the local disk. The cache content, activity logs and reports, and the enterprise policy in effect are not saved when you back up the ISA configuration. TIP For added security, Microsoft recommends that when you save configuration information to the local disk, you should store it on a partition that is formatted with NTFS. Microsoft documentation recommends that you always back up the array configuration after making significant changes to your array, such as changing installation mode, cache size or location, or enterprise policy settings, and any time you add or remove a server to or from the array or change the name of a computer that is an array member. Even if you have made none of these major changes, it’s a good idea to back up your array configuration information on a regular basis, just as you back up any important data. Backing up the configuration information is done via the ISA Management Console by right-clicking the array name in the left console pane and selecting Back Up from the context menu, as shown in Figure 2.11. You will be prompted to enter the path where you want to save the backup configuration information. Figure 2.11 Use the ISA Management Console to Back Up Configuration Information TIP [...]... Integration Server 20 00, Commerce Server 20 00, Application Center Server 20 00, BizTalk Server 20 00, and SQL Server 20 00 Summary The enterprise network is not only bigger than other networks; it differs in other aspects as well Planning an ISA Server deployment in a large, multilocation, high-traffic, multiuse environment is a challenge that requires careful and precise strategic planning ISA Server features... admins group Q: Can ISA Server be used in a Windows NT domain? A: An ISA Server array can only be installed in a Windows 20 00 domain However, you can install an ISA Server as a standalone on a Windows 20 00 server in a Windows NT domain You can also provide Internet security to users and client computers that belong to an NT domain with an ISA Server array that is installed in a Windows 20 00 domain, if... you wanted to install the Proxy Server software Unfortunately, things get a little more complicated with ISA Server Processor-Based Licensing ISA Server uses a processor-based licensing structure, which means that the cost of an ISA Server license is dependent on how many microprocessors are installed in the computer on which it runs Thus, if the computers running ISA Server are using SMP, you must... each client machine on the network, allowing it to access as many servers on the network as desired 2. Purchase of a set number of licenses for each server, allowing that number of clients to connect simultaneously to that particular server n n n n ISA Server uses a processor-based licensing structure, which means that the cost of an ISA Server license is dependent on how many microprocessors are installed... for VPN connections to the ISA server itself, but does it also allow VPN connections to be made by the internal client computers? A: Yes Not only does ISA Server provide for opening the PPTP call and receive ports so users on the outside network can create a VPN connection directly to the ISA server, but it also provides for users on the internal network, behind the ISA Server, to initiate VPN calls... fact, ISA Server includes VPN wizards that make setting up a virtual connection quick and easy Q: What sort of impact can we expect ISA Server to have on the network’s performance? A: Speed of access to Web pages and other Web objects should be noticeably improved This results from ISA Server s caching capabilities Using advanced features, such as hierarchical caching, which allow you to “chain” ISA servers... servers or server arrays in a multilevel arrangement and cache pre-fetching and automated content download, ISA Server can significantly enhance performance from the user’s point of view Q: I used the Enterprise Initialization Tool and installed the ISA schema to Active Directory However, when I attempted to install ISA Server as an array member, I received an error message that the ISA Server schema... important part of ISA design and deployment planning involves estimating the expected usage, based on number of users and usage patterns, in order to determine the number of ISA servers required n A big advantage of installing additional ISA servers instead of merely adding processors to the existing server is the ability to group the multiple machines in arrays n If you have multiple ISA servers that you... simultaneously to that particular server The first option is called per-seat licensing and is most cost effective in a network with multiple servers to which many clients need to connect The second option is called per -server licensing and is preferred when there are only a few servers and all clients don’t connect to the server at the same time Licensing for Microsoft Proxy Server 2. 0 was simpler than this;... refer to properties of ISA policy rules, which can be created for your enterprise policy and for each array policy Understanding ISA Server Licensing n Many experience network administrators will be familiar with the licensing methods used by Microsoft for its server operating systems, Window NT and Windows 20 00 In both cases, there are two options for licensing connections to the servers: 1 Purchase . ISA Server, other products that use per-processor licensing include Host Integration Server 20 00, Commerce Server 20 00, Application Center Server 20 00, BizTalk Server 20 00, and SQL Server 20 00. . ISA Server be used in a Windows NT domain? A: An ISA Server array can only be installed in a Windows 20 00 domain. However, you can install an ISA Server as a standalone on a Windows 20 00 server. on the ISA Server computer. However, configuration for ISA Server arrays is stored in Active Directory. This is the reason that arrays require a Windows 20 00 domain (standalone ISA Servers