Lesson 1: Planning an ISA Server Deployment
The ISA Server Deployment Planning Process :
Most organizations install ISA Server to address security requirements. ISA Server is a firewall that is likely to be among the critical components to ensuring that your organization’s network is secure. In addition, the ISA Server computer is likely to be the primary connection point for all internal network traffic to access the Internet. This means that when you design your ISA Server deployment, you must consider a wide variety of security and functional requirements. The following is an overview of the process of planning an ISA Server deployment.
1. Understand the current network infrastructure. The first step in planning an ISA Server deployment is to understand the current networking environment. When you start planning, collect network diagrams that provide details on the network infrastructure. These diagrams should include the Internet Protocol (IP) networks, router configurations, and client and server networking configuration.
Collect information on the current configuration of network services. For example, all internal clients must be able to resolve Domain Name System (DNS) names on the Internet to connect to Internet resources. You need to understand how clients do this now. Also collect information about other network services such as Dynamic Host Configuration Protocol (DHCP) and Windows Internet Naming Service (WINS) if you have Microsoft Windows NT or Microsoft Windows 2000 clients.
Collect information about the current domain structure. ISA Server can be integrated with Active Directory directory service to enable authentication.
2. Review company security policies. Every organization should have security policies. These policies usually include general security requirements such as Internet or e-mail usage policies. The policies can also be very specific and define what protocols are not allowed through the firewall, what Web sites users can access, and what types of information can be sent from the internal network to the Internet. For example, most organizations have policies defining what types of customer information can be sent in an e-mail.
3. Plan the required network infrastructure. For your ISA Server installation to meet the company requirements, you must plan for some specific network infrastructure components. For example, if the ISA Server computer is an Internet-edge firewall and is the only access point to the Internet, you must ensure that all client computers can connect to the ISA Server computer. If you have a single network, this solution can be as simple as configuring the default gateway on each client computer to use the internal network interface on the server running ISA Server. If you have multiple locations within your organization, or if you deploy multiple ISA Servers, this solution can be more complex.
Your ISA Server implementation may also depend on additional network infrastructure components such as DNS, DHCP, and Certificate Services. These components must be taken into account when planning an ISA Server installation.
4. Plan for branch office installations. If your organization has more than one location, you must also plan for how the branch office networks will be integrated with the main office. In some cases, you may have existing wide area network (WAN) connections between the offices with routing already in place. In other cases, you may plan to replace the WAN link with a site-to-site virtual private network (VPN) or plan to deploy an ISA Server in each branch office.
6. Plan for access to the Internet. Most companies that deploy ISA Server use it as a proxy server for users to access the Internet. Some organizations enable full access to the Internet so that all users can use all protocols to access any Internet resource. Other organizations limit access based on protocols or applications, and users or groups, and they also limit users’ access to Web sites.
Once you have gathered your organization’s requirements for granting Internet access, you can plan the ISA Server access rule configuration to meet the organization’s Internet access and caching requirements.
7. Plan the ISA Server client implementation and deployment. An essential part of deploying an ISA Server infrastructure is to plan for ISA Server client configuration and deployment. ISA Server supports three clients: SecureNAT clients, Web Proxy clients, and Firewall clients. The use of each client has advantages and disadvantages. As part of your ISA Server deployment, you must know why you use each client and how to configure each client.
8. Plan for server publishing. Most organizations also publish some internal resources to the Internet. Because this allows network traffic from the Internet to your internal network, it is essential that the connection between the internal servers is as secure as possible.
9. Plan for VPN deployment. ISA Server can operate as a VPN remote access server for external clients and as a VPN gateway for site-to-site VPNs. If you plan to deploy ISA Server in either configuration, include this in your planning. An extra level of planning is required if you choose to implement VPN network quarantine. With VPN network quarantine, you can restrict access to the internal network until the VPN clients pass a security configuration check. To perform the security configuration check, you must run a script or application on the client computer. The script can check for virtually any setting on the computer. In your planning, therefore, you must decide which security settings you will check on the client computer. This can be complicated. For example, you may decide that all clients that connect to your network must have an antivirus application installed, and that the virus detection files must be up to date. However, if you allow users to use any antivirus software, the script must check for all acceptable antivirus applications.The script that checks the security configuration on the client computer can become very complicated, so you must plan to have very competent scripting help available.
