Network Infrastructure Requirements :
For your ISA Server implementation to succeed, you must ensure that the network infrastructure
supports the ISA Server implementation. To support your ISA Server infrastructure, the following networking services must be installed and configured on your network:
- DNS
- Domain controllers
- DHCP
These supporting services are critical to the proper functioning of your ISA Server network infrastructure.
Domain Name System Requirements
To connect to resources on the Internet, client computers must be able to resolve the DNS names for servers on the Internet to IP addresses. If you publish internal servers to the Internet, users on the Internet must be able to resolve the DNS names for the published servers to an IP address. To enable both of these scenarios, a DNS infrastructure must be in place to provide name-resolution services.
To enable access to Internet resources, ensure that all client computers can resolve Internet DNS names. At a high level, you have two options for enabling name resolution for Internet resources: You can use an internal DNS server that can resolve both internal and Internet DNS addresses, or you can use an external DNS server to resolve IP addresses on the Internet.
To Use an Internal DNS Server Many organizations have deployed DNS servers on their internal networks. If you have deployed Active Directory in Microsoft Windows 2000 Server or in Windows Server 2003, DNS is required for domain replication and user authentication, so all client computers running Windows 2000 or later must be able to resolve the DNS names for domain controllers. In this environment, the internal DNS server is configured with DNS zones for your Active Directory domains.
To allow internal users to access Internet resources, the internal DNS servers must also be configured to resolve Internet DNS names. One way to enable this is to configure the DNS servers to forward all requests for Internet name resolution to DNS servers on the Internet. When you configure a DNS server to use a forwarder, it sends to the forwarder requests for domains for which it is not authoritative.
To Use an External DNS Server Some organizations have not deployed internal DNS servers or have not configured the internal DNS servers to resolve Internet DNS addresses. In this situation, all Internet name resolution must be performed by DNS servers on the Internet. You have two options to enable this. If you use Web Proxy clients and Firewall clients, ISA Server can function as a DNS proxy server to resolve Internet DNS requests on the client’s behalf.
Domain Controller Requirements :
If you want to restrict access to Internet resources based on user accounts, or if you want to require authentication before users can access published servers, ISA Server must be able to access a directory of user accounts to determine whether the user should have access. ISA Server provides several options for authenticating the users, including Remote Authentication Dial-In User Service (RADIUS), RSA SecureID, or the local user account database on the computer running ISA Server. However, the easiest option to implement for most organizations is to use a domain directory service to authenticate the users. Most organizations already have a domain infrastructure that includes all the user accounts; in such cases, ISA Server can use this directory service to authenticate user
accounts.
You can use Windows 2000, Windows Server 2003, or Windows NT 4 domains to perform this service. To use the domain for authentication, the server running ISA Server must be a member of the domain. In addition, ISA Server must be able to communicate with the domain controllers on the internal network. If you use Active Directory in Windows Server 2003 or Windows 2000, you must configure the internal network interface on the ISA Server computer with the IP address of a DNS server that can resolve the IP addresses for the local domain controllers.
MCP 70-350 : Installing ISA Server 2004
