Microsoft ISA Reviews

Understanding Internet Security and Acceleration Server (ISA Server)

Internet Security and Acceleration Server (ISA Server) Overview

Microsoft Internet Security and Acceleration Server (ISA Server) is a combination of a firewall and a Web caching server that can be used to protect the enterprise from external access while sharing an Internet connection on the network. The multilayer firewall of ISA Server protects valuable network resources of the enterprise from unauthorized external access, attacks from hackers, and malicious viruses. You can also control client access to the Internet. The Web cache server enables faster Web access for users by serving objects locally from the cache instead of over the Internet. This in turn improves Internet performance for clients on the network.

The internal private network is separated from the Internet. There is one physical connection to the Internet and another to the internal network. The two networks are also connected to different network cards. Traffic must pass through the ISA Server software to move from one connection to the other.

When you install ISA Server on your network, you can configure it as:

  • A firewall that controls inbound access and outbound access through filters, rules, and various other configuration settings.
  • A Web cache server that manages outbound access through rules, and downloads and caches frequently accessed data.
  • A combined firewall and Web cache server.

The components of the architecture that ISA Server uses to protect the private network from unauthorized access while still allowing users to access the Internet are listed here:

  • The ISA Server Firewall service provides inbound security and management of protocol-specific filters.
  • The ISA Server Web Proxy service provides outbound access.
  • The clients and servers hosted on the private network that need to access the public network. These include:
    • Web proxy clients.
    • SecureNAT clients.
    • Firewall clients.
    • Web servers.
    • Mail servers.
  • The clients and servers hosted on the private network that neither need to access the public network nor need to be accessed from the public network.
  • The Internet.

ISA Server Firewall Service Overview

The ISA Server firewall technology consists of a number of firewall techniques that secure the network from unauthorized access:

  • Packet filtering.
  • Circuit-level (protocol) filtering.
  • Application-level filtering.
  • Stateful inspection.
  • Built-in intrusion detection.
  • System hardening templates.
  • Virtual Private Networking.

With packet filtering, you can control the flow of IP packets to and from ISA Server. Packet filtering inspects the header of each packet for protocol, port, destination address, and source address information. Packets are dropped if they are not explicitly allowed.
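The header-based, default-deny behaviour described above, as an added example (not ISA Server's own code): a small packet filter that matches protocol, direction, source/destination network and destination port against an ordered rule list, and drops anything no rule allows. The 10.0.0.0/8 network, the addresses and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Header fields a packet filter looks at (constructed sample records, not real captures)."""
    protocol: str               # "tcp", "udp" or "icmp"
    direction: str              # "inbound" (from the Internet) or "outbound" (from the LAN)
    src: str
    dst: str
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    """One static packet-filter rule. Any field left at its default matches anything."""
    action: str                 # "allow" or "deny"
    protocol: str = "any"
    direction: str = "any"
    src_net: str = "0.0.0.0/0"
    dst_net: str = "0.0.0.0/0"
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.protocol != "any" and self.protocol != pkt.protocol:
            return False
        if self.direction != "any" and self.direction != pkt.direction:
            return False
        if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(self.src_net):
            return False
        if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst_net):
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True


INTERNAL_NET = "10.0.0.0/8"   # hypothetical private network behind the firewall

# Constructed rule set: an anti-spoofing deny first, then explicit allows for what
# the network needs, and nothing else. Order matters: the first matching rule wins.
RULES: List[Rule] = [
    # Inbound packets that claim an internal source address are spoofed: drop them.
    Rule("deny", direction="inbound", src_net=INTERNAL_NET),
    # Allow the published mail server to receive SMTP from the Internet.
    Rule("allow", "tcp", "inbound", dst_net="10.0.0.5/32", dst_port=25),
    # Allow internal clients to browse the Web.
    Rule("allow", "tcp", "outbound", src_net=INTERNAL_NET, dst_port=80),
    Rule("allow", "tcp", "outbound", src_net=INTERNAL_NET, dst_port=443),
]


def filter_packet(pkt: Packet, rules: List[Rule] = RULES) -> str:
    """Return "allow" or "deny" for one packet; a packet no rule allows is dropped."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"   # default deny: not explicitly allowed means dropped


def filter_batch(packets: List[Packet], rules: List[Rule] = RULES) -> List[str]:
    return [filter_packet(p, rules) for p in packets]


# Constructed sample packets covering the interesting cases.
SAMPLE_PACKETS = [
    Packet("tcp", "inbound", "203.0.113.7", "10.0.0.5", 25),      # SMTP to published server: allow
    Packet("tcp", "inbound", "203.0.113.7", "10.0.0.5", 80),      # HTTP to the mail server: no rule, deny
    Packet("tcp", "outbound", "10.0.0.42", "198.51.100.3", 443),  # HTTPS from the LAN: allow
    Packet("udp", "outbound", "10.0.0.42", "198.51.100.53", 53),  # DNS from the LAN: not listed, deny
    Packet("tcp", "inbound", "10.0.0.99", "10.0.0.5", 25),        # spoofed internal source: deny
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_batch(SAMPLE_PACKETS)):
        print(f"{verdict:5s} {pkt.protocol} {pkt.direction} {pkt.src} -> {pkt.dst}:{pkt.dst_port}")
```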

When you configure circuit-level (protocol) filtering, sessions are inspected rather than individual packets and connections. You can use access policy rules and publishing rules to configure circuit-level (protocol) filtering. ISA Server supports dynamic filtering. With dynamic filtering, ports open automatically only when needed and close once communication has taken place. In this way, the number of ports that remain open is reduced. Circuit-level filtering provides built-in support for protocols with secondary connections. You can configure the primary and secondary connections of the protocol in the user interface. This is done by specifying the following:

  • Port or port range.
  • Protocol type.
  • Transmission Control Protocol (TCP) or User Datagram Protocol (UDP).
  • Inbound or outbound direction.

Application-level filtering is used to protect against DNS server attacks and unsafe SMTP commands. You can use third-party tools for content screening and virus detection to apply application and Web filters. With application-level filtering, the data stream for an application is analyzed and inspected, and can be blocked, redirected, or modified.

ISA Server provides the following application filters:

  • HTTP Redirector Filter; forwards HTTP requests from Firewall and SecureNAT clients to the Web Proxy service.
  • FTP Access Filter; intercepts and inspects FTP data.
  • SMTP Filter; intercepts and inspects SMTP traffic. The SMTP filter can screen e-mail messages for content or size, and can also detect unsafe SMTP commands. Any e-mail traffic that is not accepted is dropped before it can reach the mail server. This protects mail servers from being attacked.
  • SOCKS Filter; used for clients running SOCKS 4.3 applications. The SOCKS filter sends requests from SOCKS 4.3 applications to the Firewall service, where access policy rules determine whether the SOCKS client application is allowed to communicate with the Internet.
  • RPC Filter; inspects and filters RPC requests based on the specific interfaces defined.
  • H.323 Filter; handles H.323 packets used for multimedia communications and teleconferencing by providing call control capabilities.
  • Streaming Media Filter; supports industry-standard media protocols such as Microsoft Windows Media Technologies, Progressive Networks Audio (PNA) and Real-Time Streaming Protocol (RTSP). Users can split live Windows Media streams, thereby conserving bandwidth.
  • DNS Intrusion Detection Filter; prevents internal DNS servers from being attacked.
  • POP Intrusion Detection Filter; prevents internal POP servers from being attacked.

ISA Server includes a built-in intrusion-detection mechanism that can protect the network from several common attacks. The built-in intrusion-detection mechanism can be configured to send an alert when an intrusion is detected.

ISA Server implements intrusion detection at the following levels:

  • Packet filter level.
  • Application filter level.

ISA Server can detect the following attacks at the packet filter level:

  • All Ports Scan Attack; an attacker is attempting to access more than the configured number of ports. Port scanning, or simply scanning, is the process by which intruders gather information on the network services of a target network. Here, the intruder attempts to find open ports on the target system.
  • Enumerated Port Scan Attack; the unauthorized intruder uses various methods to collect information on applications and hosts on the network, and to enumerate the services running on a computer. The intruder probes the ports for a response.
  • IP Half Scan Attack; the attacker makes numerous connection attempts to a computer but never completes the connection. The purpose of the attack is to probe for open ports.
  • Land Attack; TCP SYN packets are sent with a spoofed source IP address and port number that match the destination IP address and port number.
  • Ping of Death Attack; a large amount of data is appended to an Internet Control Message Protocol (ICMP) echo request (ping) packet in an attempt to cause a kernel buffer overflow and crash the computer.
  • UDP Bomb Attack; UDP packets that contain illegal values in certain fields are sent in an attempt to cause older operating systems to crash.
  • Windows Out of Band Attack; a denial-of-service attack against an internal computer protected by ISA Server.

You can configure the POP and DNS intrusion detection filters to check for the following:

  • DNS Hostname Overflow.
  • DNS Length Overflow.
  • DNS Zone Transfer from Privileged Ports (1-1024).
  • DNS Zone Transfer from High Ports (above 1024).

The ISA Server intrusion-detection mechanism also lets you define what action the system should take when an attack is detected:

  • Stop the Firewall service.
  • Send an e-mail message to the administrator.
  • Record the event in the Windows 2000 Event Log.
  • Run a program or script.

You can use the ISA Server Security Configuration Wizard to apply system security settings to servers. You can choose between the following levels of security:

  • Secure; ISA Servers are combined with IIS servers, SMTP servers, or database servers.
  • Limited Services; ISA is running in integrated mode and may be protected by another ISA Server.
  • Dedicated; ISA is a dedicated firewall.

ISA Server can also operate as the endpoint for a Virtual Private Network (VPN). A VPN enables data to be sent between computers over a public network. VPNs extend the private network by creating a secure link between two separate networks over the Internet. Virtual Private Networks (VPNs) provide secure and advanced connections through a non-secure network by providing data privacy. Private data stays secure in a public environment.

Many companies provide their own VPN connections over the Internet. Through their ISPs, remote users running VPN client software are assured private access in a publicly shared environment. Using analog, ISDN, DSL, cable technology, dial-up and mobile IP, VPNs are implemented over extensive shared infrastructures. E-mail, database and office applications use these secure remote VPN connections. You can configure ISA Server as a VPN server. You can configure ISA Server to allow VPN traffic from external VPN clients to pass through the firewall to a VPN server on the internal network. You can also configure ISA Server to allow VPN traffic from internal VPN clients to pass to a VPN server on the external network.

A VPN gateway, also called a VPN router, is a connection point that joins two LANs which are linked by a nonsecure network such as the Internet. A VPN gateway connects to either a single VPN gateway or to multiple VPN gateways to extend the LAN. Tunneling is the term used to describe a method of using an internetwork infrastructure to transfer a payload. Tunneling is also known as the encapsulation and transmission of VPN data, or packets. The VPN tunnel is the logical path or connection through which encapsulated packets travel across the transit internetwork. The tunneling protocol encrypts the original frame so that its content cannot be interpreted. The encapsulation of VPN data traffic is known as tunneling.

A few enterprise firewall security features and benefits of ISA Server are summarized here:

  • Stateful inspection; ISA Server can dynamically examine traffic crossing the firewall.
  • Application filtering; traffic can be accepted or rejected, redirected and modified based on content through intelligent filtering of:
    • HTTP.
    • FTP.
    • Simple Mail Transfer Protocol (SMTP) e-mail.
    • H.323 (multimedia) conferencing.
    • Streaming media.
    • Remote Procedure Call (RPC).
  • Intrusion detection; ISA Server includes intrusion detection based on Internet Security Systems (ISS) technology.
  • You can save bandwidth by using the streaming media filters.
  • ISA Server provides support for secure VPN access to the corporate private network over the Internet.
  • ISA Server can provide secure server publishing and Web server publishing capabilities. Web publishing rules protect internal Web servers.
  • You can use the Security Configuration Wizard to harden the system.
  • ISA Server supports strong authentication through its support for Windows authentication methods such as Kerberos and NTLM, and its support for client certificates.

ISA Server Web Caching Overview

ISA Server includes the Web Proxy service, which can be used to cache frequently requested Web objects. Subsequent client requests are checked against the cache to see if they can be serviced from the cache. A new request is initiated if the ISA Server cache cannot be used to serve the client request. ISA Server stores the most frequently accessed items in RAM. These items are then retrieved from memory instead of from disk.

Objects remain in the ISA Server cache until either of the following events occurs:

  • A more up-to-date version of the cached object is obtained.
  • Space is required for other, more recently requested objects.

ISA Server Web caching can be implemented using any of these methods:

  • Forward Web caching.
  • Reverse Web caching.
  • Scheduled caching.
  • Distributed caching.
  • Hierarchical caching (chaining).

When you configure ISA Server as a forward Web caching server, internal clients are able to access the Internet, and ISA Server maintains a cache of frequently requested Internet objects which can be accessed by any Web browser behind the firewall. Client browser performance is improved because using the cache requires less processing than requesting objects from the Internet. Bandwidth usage on the Internet connection remains low. User response time is reduced as well.

How forward caching works

  1. A user requests a Web object.
  2. The request is forwarded to the ISA Server computer on the network.
  3. ISA Server checks whether the object exists in the cache.
  4. If the requested Web object does not exist in the cache, the request is forwarded to a server on the Internet.
  5. The server on the Internet returns the requested object to the ISA Server.
  6. The ISA Server places the Web object in its cache.
  7. The ISA Server forwards the object to the user who requested it.
  8. When another user requests the same object, the request is forwarded to the ISA Server computer, and the ISA Server computer returns the object to the user from its cache.

With reverse caching, objects requested from internal servers by external clients are stored on the ISA Server. Incoming Web requests are forwarded to the ISA Server and are serviced from the cache. Requests are only forwarded to the Web server when the cache cannot be used to serve the request.

How reverse caching works

  1. A request is sent to the ISA Server.
  2. ISA Server checks whether the object exists in the cache.
  3. If the requested object does not exist in the cache, the request is sent to the Web server.
  4. The home page is returned to the ISA Server.
  5. The ISA Server places the object in its cache.
  6. The home page is forwarded to the user who requested it.
  7. Another request is sent for the same Web page.
  8. ISA Server checks whether the object exists in the cache, and returns it from its cache. The request is not sent to the Web server.

You can use the ISA Server Scheduled Content Download feature to download content to the ISA Server cache according to a predefined schedule. This lets you proactively ensure that important content is always available directly from the ISA Server cache and that the information is current.

You can directly download the following to the ISA Server cache:

  • A single URL.
  • Multiple URLs.
  • An entire Web site.

You can also limit which content should be downloaded. You can define scheduled content downloads for outgoing Web requests and for incoming Web requests.

ISA Server Enterprise Edition uses the Cache Array Routing Protocol (CARP) to provide scaling and improve efficiency. When you install multiple ISA Server computers, the ISA Servers are automatically installed in arrays. The array of ISA Servers is then treated as a single logical cache. A hashing algorithm determines the location for storage, and hash-based routing is used to find the location of the stored object when requests are made.

The advantages of using CARP include:

  • By using hash-based routing, CARP becomes more efficient as additional servers are added to the array. This provides enhanced scalability.
  • CARP can efficiently locate previously stored content; content duplication is prevented and does not occur.
  • With CARP, member servers are represented as a single logical cache.
  • You can define a load factor for each array server. You can also distribute content evenly over the array.
  • CARP can automatically adapt to changes made to the array, such as adding or removing array members, and taking array members offline and bringing them back online again.

The routing algorithm used by CARP works as follows:

  • The array membership list is used to track the status of the servers. The array membership list is updated using a TTL countdown, which detects all active proxy servers.
  • A hash value is calculated for the name of each server.
  • A hash value is also calculated for each requested URL.
  • The hash values from the two calculations are combined.
  • The owner of the cached information is the server that yields the highest value when its server hash is combined with the URL hash.
  • Subsequent requests for the cached information use the same location.
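The hash-based routing just described, as an added example rather than CARP's own specification: a server hash and a URL hash are combined, the highest weighted score picks the owner, and removing a member only moves the URLs that member owned, which is why the array adapts to membership changes without reshuffling the rest of the cache. zlib.crc32 and the mixing arithmetic are stand-ins for CARP's actual hash function, and the member names and URLs are constructed.

```python
import zlib
from typing import Dict, Iterable, List, Optional, Set

MASK32 = 0xFFFFFFFF


def hash32(value: str) -> int:
    """Deterministic 32-bit hash of a string (zlib.crc32 stands in for CARP's own hash)."""
    return zlib.crc32(value.encode("utf-8")) & MASK32


def combine(server_hash: int, url_hash: int) -> int:
    """Mix the server hash and the URL hash into one 32-bit score (constructed mixing step)."""
    return ((server_hash ^ url_hash) * 1103515245 + 12345) & MASK32


def select_owner(url: str, members: Iterable[str],
                 load_factors: Optional[Dict[str, float]] = None) -> str:
    """Owner of `url`: the member with the highest combined score after load-factor weighting."""
    load_factors = load_factors or {}
    url_hash = hash32(url)
    owner, best = None, -1.0
    for name in members:
        score = combine(hash32(name), url_hash) * load_factors.get(name, 1.0)
        if score > best:
            owner, best = name, score
    if owner is None:
        raise ValueError("array has no members")
    return owner


def route_all(urls: Iterable[str], members: List[str],
              load_factors: Optional[Dict[str, float]] = None) -> Dict[str, str]:
    """Map every URL to exactly one owner, so no object is cached twice in the array."""
    return {u: select_owner(u, members, load_factors) for u in urls}


def moved_urls(urls: List[str], before: List[str], after: List[str],
               load_factors: Optional[Dict[str, float]] = None) -> Set[str]:
    """URLs whose owner changes when the membership list changes from `before` to `after`."""
    old, new = route_all(urls, before, load_factors), route_all(urls, after, load_factors)
    return {u for u in urls if old[u] != new[u]}


# Constructed sample: three array members and twenty cached URLs.
MEMBERS = ["isa1.example.test", "isa2.example.test", "isa3.example.test"]
URLS = [f"http://www.example.test/page{i}.html" for i in range(20)]

if __name__ == "__main__":
    owners = route_all(URLS, MEMBERS)
    for member in MEMBERS:
        print(member, sum(1 for o in owners.values() if o == member), "objects")
    # Taking isa3 offline moves only the objects isa3 owned; the others stay put.
    print("moved after removing isa3:", sorted(moved_urls(URLS, MEMBERS, MEMBERS[:2])))
```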

ISA Server Enterprise Edition enables administrators to arrange individual ISA Server computers or arrays of ISA Servers hierarchically. This process is also known as chaining. Requests are sent upstream through the chain of servers until the requested object is located. Chaining provides fault tolerance. Content can be distributed to multiple locations without sending requests to the Internet.

The Different ISA Server Editions and ISA Server Roles

The different ISA Server editions are:

  • ISA Server Enterprise Edition: Provides integration with Active Directory and additional benefits and features such as centralized server management, multiple levels of access policy, server clustering through arrays, fault tolerance, and the increased efficiency of hierarchical and distributed caching.
  • ISA Server Standard Edition: Provides firewall security and Web caching features for small businesses, departmental environments, and workgroups.

The following features are the same for both ISA Server editions:

  • Security capabilities.
  • Caching capabilities.
  • Management capabilities.
  • Performance capabilities.
  • Extensibility capabilities.

The features available with ISA Server Standard Edition are listed here:

  • Firewall, caching, or integrated modes.
  • Hierarchical Caching.
  • Array-Based Policy.
  • H.323 gatekeeper.
  • Intrusion detection.
  • Packet filtering.
  • Message Screener.
  • Web publishing.
  • Server publishing.
  • Bandwidth control.
  • Logging and reporting.

The features available with ISA Server Enterprise Edition are listed here:

  • Active Directory Integration.
  • Firewall, caching, or integrated modes.
  • Distributed Caching.
  • Hierarchical Caching.
  • Array-Based Policy.
  • Enterprise Policy.
  • H.323 gatekeeper.
  • Intrusion detection.
  • Packet filtering.
  • Message Screener.
  • Web publishing.
  • Server publishing.
  • Bandwidth control.
  • Logging and reporting.

For each ISA Server edition, you can install ISA Server in any of these installation modes:

  • Firewall.
  • Caching.
  • Integrated.

The different server roles you can configure for ISA Server are:

  • Dedicated firewall.
  • Secure Publishing server.
  • Forward Web cache server.
  • Reverse Web cache server.
  • Integrated Firewall and Web Cache server.

Understanding ISA Server and Windows Integration

The Windows technologies that can be used with ISA Server to provide enhanced security, better performance, and management capabilities are listed here:

  • Active Directory; if you deploy ISA Server Enterprise Edition, you can use multiserver arrays and store the following information in the Active Directory directory:
    • Configuration data.
    • Policy information.
    ISA Server can also apply access control for Active Directory users and groups.
  • Network Address Translation (NAT); ISA Server can enforce ISA Server policy for SecureNAT clients.
  • Virtual Private Networking; ISA Server can be configured as a VPN server to support:
    • Secure gateway-to-gateway communication over the Internet.
    • Secure client-to-gateway remote access communication.

You can use Point-to-Point Tunneling Protocol (PPTP) or Layer 2 Tunneling Protocol (L2TP) over Internet Protocol Security (IPSec). PPTP, an extension of the Point-to-Point Protocol (PPP), encapsulates PPP frames in IP datagrams to transmit data over an IP internetwork. To create and manage the tunnel, PPTP uses a TCP connection. When L2TP is used with IPSec, the highest level of security is assured. This includes data confidentiality and integrity, data authentication, as well as replay protection. IPSec protects the data packets and therefore provides security over nonsecure networks such as the Internet.

  • The following Windows authentication methods are supported by ISA Server:
    • Basic authentication.
    • NT LAN Manager (NTLM) authentication.
    • Kerberos.
    • Digital certificates.
  • System hardening can be implemented through Windows security templates.
  • If you install ISA Server Enterprise Edition, you can extend the distributed nature of Active Directory directory services by configuring one or more enterprise policies and then applying those policies to arrays in the enterprise.
  • ISA Server Web filters can examine and manage Hypertext Transfer Protocol (HTTP) and File Transfer Protocol (FTP) traffic across the gateway. The ISA Server Web filters are based on the Internet Server Application Programming Interface (ISAPI).
  • ISA Server supports the Web Proxy Autodiscovery Protocol (WPAD). This means that Firewall Client software running on ISA Server clients is able to connect to the ISA Server on the network automatically.
  • MMC administration can be used. The administration interface for ISA Server is ISA Management, which is an MMC snap-in. You can integrate third-party products into the ISA Server management console.
  • To improve performance, ISA Server uses the Windows symmetric multiprocessing (SMP) architecture.
  • The Windows Quality of Service (QoS) capability is used by ISA Server to provide bandwidth control.
  • ISA Server records alerts in the Windows Event Log.

The Management Features of ISA Server

The administration interface for ISA Server is ISA Management, which is an MMC snap-in. You can integrate third-party products into the ISA Server management console. ISA Management provides graphical taskpads and also a number of ISA Server wizards that can be used to manage your ISA Server environment.

The administrative tasks which you can perform through the ISA Server wizards are listed here:

  • Use the Getting Started Wizard.
  • Configure local, remote and client-to-server VPNs.
  • Configure secure publishing.
  • Specify a protocol rule.
  • Create a site and content rule.
  • Create a bandwidth rule.
  • Configure a mail server behind ISA Server and define policy for the mail services.
  • Implement system hardening.

You can use the same management interface for the ISA Server firewall and for Web caching. Both the firewall and Web caching share the following:

  • Reporting.
  • Logging.
  • Alerting.

You can also use the same access control policies to manage the ISA Server firewall and the Web cache server. You can, however, configure logging separately for:

  • Packet filters.
  • Firewall service.
  • Caching service.

The predefined reports which you can configure ISA Server to generate are listed here:

  • Summary reports; show traffic usage.
  • Web usage reports; show Web usage information by common responses and browsers, and top user information.
  • Application usage reports; show application usage by incoming and outgoing traffic, destinations, client applications and user information.
  • Traffic and utilization reports; illustrate total Internet usage by application, direction, and protocol.
  • Security reports; show attempts to compromise network security.

You can configure a policy for an ISA Server array or for an ISA Server enterprise. The different policy-based rules which you can configure are:

  • Bandwidth rules; used to define priorities for requests, based on:
    • Protocol definitions.
    • Destination sets.
    • Client address sets.
    • Content groups.
    • Required priority.
  • Protocol rules; used to define which protocols clients can use to access the Internet.
  • Site and content rules; used to define which sites and content can be accessed.

ISA Server rules are built from policy elements. Policy elements pertain to a part or component of a policy. They are not created explicitly for each rule. Policy elements are predefined, and can be reused and customized.

The policy elements that you can define in ISA Management are listed here:

  • Destination sets; IP addresses of specific computers, or computer names.
  • Client address sets; IP addresses of specific client computers, or authenticated users and groups.
  • Schedules; when a rule is applied.
  • Bandwidth priorities; define the priority level of a connection.
  • Protocol definitions; consist of port number, TCP or UDP, and direction.
  • Content groups; MIME types or filename extensions, and content types that exist on the Web.
