MCP 70-350 : Introduction to ISA Server 2004

How ISA Server Works as a Branch Office Firewall :

A third deployment scenario for ISA Server is as a branch office firewall. In this scenario, ISA Server can be used to secure the branch office network from external threats as well as connect the branch office networks to the main office using site-to-site VPN connections.

For organizations with multiple locations, ISA Server can function as a branch office firewall in conjunction with additional ISA Servers at other locations. If a branch office has a direct connection to the Internet, ISA Server may operate as an Internet-edge firewall for the branch, securing the branch office network and also publishing server resources to the Internet. If the branch office has only a dedicated WAN connection to the other offices, ISA Server can be used to publish servers in the branch office such as Microsoft SharePoint Portal Server or a local Exchange Server.

One of the benefits of using ISA Server as a branch office firewall is that it can operate as a VPN gateway that connects the branch office network to the main office network using a site-to-site VPN connection. Site-to-site VPN provides a cost-effective and secure method of connecting offices. In this scenario, the following occurs:
1- ISA Server can be used to create a VPN from a branch office to other office locations. The VPN gateway at other sites can be either additional computers running ISA Server or third-party VPN gateways. ISA Server supports the use of three tunneling protocols for creating the VPN: IPSec tunnel mode, Point-to-Point Tunneling Protocol (PPTP), and Layer Two Tunneling Protocol (L2TP) over IPSec.
2- ISA Server can perform stateful inspection and application-layer filtering of the VPN traffic between the organization’s locations. This can be used to limit the remote networks that can access the local network and to ensure that only approved network traffic can access it.

How ISA Server Works as an Integrated Firewall, Proxy, and Caching Server :

In a small or medium organization, a single ISA Server computer may provide all Internet access functionality. The ISA Server computer is used to create a secure boundary around the internal network, and to provide Web proxy and caching services for internal users.

Small or medium-size organizations often have significantly different Internet access requirements than larger organizations. Small organizations may have dial-up or other slow connections to the Internet. Almost all organizations provide at least some level of Internet access to employees, but these offices may need to limit access because of the slow connections. Small organizations frequently do not require any services published to the Internet because their ISP may be hosting both their organization’s Web site and their e-mail servers. Other organizations may have much more complex requirements, including requirements for SMTP, FTP, and HTTP server publishing as well as VPN access. Another unique situation faced by many small or medium-size organizations is that a single network administrator performs all network administration tasks. This means that the administrator is usually not a firewall or Internet security expert. ISA Server is flexible enough to meet almost any small or medium organization's requirements:

1- Configuring caching on ISA Server computers means that Web pages are cached on the ISA Server hard disk. This can reduce the use of slow Internet connections or reduce the cost of a connection where cost is based on bandwidth usage.
2- ISA Server supports the option of using dial-up connections to access the Internet or other networks. You can configure ISA Server to dial the connection automatically when a request is made for access to Internet resources.
3- Installation of ISA Server is secure out of the box. By default, ISA Server 2004 will not accept any connections from the Internet after installation. This means that if the organization does not require any resources to be accessible from the Internet, the administrator does not need to configure ISA Server to block all incoming traffic. All the administrator has to do in this scenario is configure the server to enable Internet access for internal users and the configuration is complete.
4- ISA Server provides network templates and server publishing wizards that can be used to configure most required settings. Configuring ISA Server to provide access to Internet resources can be as simple as applying a network template and using the wizard to configure the security settings. ISA Server provides several server publishing wizards that make it easy to securely publish internal servers to the Internet.

How ISA Server Works as a Proxy- and Caching-Only Server :

A final deployment scenario for ISA Server 2004 is as a proxy server and caching server only. In this scenario, ISA Server is not used to provide a secure boundary between the Internet and the internal network, but only to provide Web proxy and caching services.

In most cases, computers running ISA Server are deployed with multiple network adapters to take advantage of ISA Server’s ability to connect and filter traffic between multiple networks. However, if ISA Server is deployed as a Web proxy- and cachingonly server, it can be deployed with a single network adapter. When ISA Server is installed on a computer with a single adapter, it recognizes only one network—the internal network.

If an organization already has a firewall solution in place, it can still take advantage of the proxy and caching functionality of ISA Server. To deploy ISA Server as a proxy and caching server, you only need to configure it to allow users to access resources on the Internet. You would then configure the Web browsers on all client computers to use the computer running ISA Server as a Web proxy server.
When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:

1- Firewall and SecureNAT clients
2- Virtual private networking
3- IP packet filtering
4- Multi-network firewall policy
5- Server publishing
6- Application-level filtering
These restrictions mean that ISA Server provides very few security benefits for the network.

Google