Microsoft's ISA Server (Internet Security and Acceleration Server)

Microsoft's ISA Server (Internet Security and Acceleration Server) is the successor to Microsoft's Proxy Server 2.0 (see proxy server) and is part of Microsoft's .NET support. ISA Server provides the two basic services of an enterprise firewall and a Web proxy/cache server. ISA Server's firewall screens all packet-level, circuit-level, and application-level traffic. The Web cache stores and serves all regularly accessed Web content in order to reduce network traffic and provide faster access to frequently-accessed Web pages. ISA Server also schedules downloads of Web page updates for non-peak times.

ISA Server allows administrators to create policies for regulating usage based on user, group, application, destination, schedule, and content type criteria. ISA Server is designed to work with Windows 2000 and later operating systems and to take advantage of Windows' Kerberos security. ISA Server includes a software development kit (SDK).

ISA Server comes in two editions, Standard Edition and Enterprise Edition. Standard Edition is a stand-alone server that supports up to four processors. Enterprise Edition is for large-scale deployments, server array support, multi-level policy, and computers with more than four processors. Licenses are based on the number of processors.

ISA Server carries new terms that need to be understood before attempting product deployment on the network.

• Array – a group of ISA computers that are located close together, for example a department, office, and region. There are two types of arrays:

Domain Arrays – that use Active Directory. A domain array can encompass computers located within a single domain.Independent Arrays – allow storage of information not in the Active Directory, but in a local configuration database. This array is mainly used in NT 4.0 based networks.

• Rule – with rules, the system administrator can set up a series of protocols to govern sites, contents, protocols, and IP packet filters.

• Array policy – a set of rules that define the array policy. Such a policy can be applied to any specific (and single) array.
  
• Enterprise policy – enterprise-level policies contain similar rules to those established in array policies but they are applied to multiple arrays.

With ISA Server, array policies can be used to modify enterprise policies making them more restrictive. However, it is not possible for an array policy to ease restrictions imposed by the enterprise policy.

ISA Server supports many more functions than its predecessor. The following options are available with this new product:

• Firewall – the Firewall client is an extension to the ISA Server that features an enhanced set of functions allowing it to compete with other similar products available on the IT market. With Firewall client, Active Directory can be supported from Windows 2000 (or the SAM databases from NT). These are used to provide specific security functions at user or group level. This feature is not supported by a majority of third-party products that use either separate user databases or IP addressing. Firewall functions are enhanced to support so called stateful packet inspection, i.e. a solution for improved security where data packets passing through the firewall are intercepted and analyzed at either a protocol or connectivity level.
• Policy-based administration – ISA Server lets the administrators manage using predefined policy rules. Policies can include a set of consistent rules regarding users, groups of users, protocols etc. A specific policy may apply to a single array or globally, to the whole enterprise. For businesses that use networks with Active Directory enhancements, multi-tiered enterprise policies are those that match their needs to have a comprehensive IT system, to facilitate management of the entire enterprise and its infrastructure.
• Virtual Private Network Support – ISA Server provides an easy solution to create VPN – based networks. The wizards supplied with ISA Server help to configure VPN tunneling and may activate the RRAS service if not already initialized.
• Dynamic IP filtering – depending on the security policy used, an enterprise can dynamically open firewall ports for authorized Internet users on a session-by-session basis. This considerably simplifies the administrator’s duties in situations where there are applications that frequently change ports though they communicate with each other.
• IDS (Intrusion Detection System) – Microsoft has equipped the ISA Server with an Intrusion Detection System. This module had been purchased from Internet Security Systems, the leading developer in these IT solutions. Thus, ISA offers out-of-box support for preventing several types of attacks including WinNuke, Ping of Death, Land, UDP bombs, POP Buffer Overflow, Scan Attack. Once an attack has been detected and identified, ISA may decide either to disable the attack or notify administrators about the event.
• Web Cache – ISA Server provides fast Web caching performance. Administrators are allowed to automatically refresh frequently requested www pages on reverse and scheduled caching basis.
• Reports  – the major point of contrast between ISA and its predecessor i.e. Proxy Server 2.0 is that ISA features numerous report generating possibilities. By scheduling report generation connected. for example, with the users’ actions or security related events, managing ISA Server based networks is a simple task.
• Gatekeeper H.323 – this component allows ISA Server to manage IP telephony calls or H.323-based VoIP applications (for example Microsoft NetMeeting 3.0). The DNS SRV record must be registered in order to have gatekeeper enabled.
• Client Deployment – with SecureNAT (Network Address Translation) feature, ISA Server delivers to clients and servers a transparent and secure access to the Internet with no need to configure extra software on client machines. SecureNAT allows monitoring of all traffic in ISA Server.

Therefore, instead of being a simple product improvement, Microsoft Internet Security and Acceleration Server fills a gap in the range of this type of products available at the Redmond colossus and is trying to jump aggressively into the mass market sector associated with Web security and fast Web access. The new potential implemented in ISA Server is expected to allow Microsoft to compete effectively in this business area.

It should be noted that Microsoft’s engineers carefully integrate all products together to bring the Company’s vision of a .NET platform to businesses.

The minimum hardware requirements recommended by Microsoft for this product are:

• 300MHz or higher Pentium II compatible CPU,
• 256 MB of RAM,
• 2 GB hard-disk space on NTFS formatted partition,
• 200 MB of available hard-disk space for installation.

ISA Server requires a computer running Windows 2000 upgraded to Service Pack 1 or greater.

Problems with insufficient server capacity may occur with this type of configuration. Thus, for various ISA Server usage scenarios, the hardware should be adequately strengthened.

If ISA Server is to be used as a firewall, one will need to consider how powerful the CPU should be in terms of throughput requirements.

Throughput requirements	Recommended CPU
Less than 25 Mbyte/s	Pentium II 300 MHz – 500 MHz
From 25 Mbyte/s to 50 Mbyte/s	Pentium III 550 MHz or better
More than 50 Mbyte/s	Pentium III 550 MHz or better for each 50Mb

Table 1 CPU capacity requirements vs. throughput

Obviously these values can only be used as a reference when planning the ISA Server’s hardware to meet the expected load. This may vary in function or various usage scenarios (such as the type of transmitted data).

In case ISA Server is to be deployed as a Forward Cache, in addition to an adequate CPU capacity consider also requirements for RAM and high free disk space available for caching purposes.

Number of users	Recommended processor	Minimal RAM capacity (Mb)	Recommended disk space allocated for caching
Up to 250	Pentium II 300 MHz	256	4 GB
250 – 2000	Pentium III 550 MHZ	256	10 GB
More than 2000	Pentium III 550 MHz for every 2,000 users	256 for every 2000 users	10 GB for every 2,000 users

Table 2 – Capacity planning for forward caching server applications

   

Secure Internet Access is one of the fundamental features provided by ISA Server. It is increasingly necessary to improve security tools and check users that access the network from outside, especially in a situation where the Global Web is vulnerable to outside interference from viruses, trojan horses or hacker attacks.  One may also wish to improve security to monitor network users and protect the network from potential Internet threats. To face this challenge and provide solutions for a broad landscape of users, Microsoft has implemented three types of clients in ISA Server:

• Firewall clients – all computers that have Firewall Client software installed and active,
• SecureNat clients – all computers that do not have Firewall Client software installed,
• Web Proxy clients – all Web browser clients are configured to use ISA Server.
   

Reference Site:
About ISA server installation