The most notable challenge of Internet security is protecting your intranet from intruders while providing controlled Internet access for internal clients. You can use Microsoft Internet Security and Acceleration (ISA) Server 2000 to give selected user accounts Internet access through a proxy. Not only does ISA Server help protect your clients and your network from external attacks, its proxy server also gives you the means to track and control users' Internet activity. (ISA Server also supports reverse proxy, but this article doesn't cover that capability. For details about ISA Server's overall capabilities, see "Microsoft's Stellar ISA Server," October 2000, http://www.winnetmag.com, InstantDoc 15477.)
For the purposes of this article, I use a simple network topology: one Windows 2000 Service Pack 3 (SP3) machine running ISA Server Enterprise Edition to provide firewall and Web proxy support. This setup suits a department or small office network. Figure 1 shows my sample network with one ISA Server system (ISA-Leon), a client system (Alpha, IP address 10.0.0.2), and an external Web/FTP server (Leonbr-Hm, IP address 192.168.154.1). The ISA Server machine has two NICs: one (IP address 10.0.0.1) connects to the internal network, and the other (IP address 192.168.154.20) connects to the external network (i.e., the Internet).
Editions and Modes
ISA Server comes in an enterprise edition and a standard edition. ISA Server Enterprise Edition lets you run ISA Server in standalone mode or logically aggregate multiple ISA Server systems in one array (you can create an array with one computer, but doing so doesn't offer any benefits). An array configuration supports enterprisewide administrative policies, and any change you make to one machine in the array propagates to each machine, so you don't need to implement the change on each box. You can create multiple arrays to support multi-tier policies and rules, and you can delegate the administration of various arrays. Enterprise Edition integrates with Active Directory (AD): it stores array configuration data in AD and standalone-server configuration data in the registry. (When you install Enterprise Edition on a non-AD-enabled network, ISA Server installs as a standalone server.) Enterprise Edition scales on machines with any number of CPUs (ISA Server Standard Edition supports a maximum of four CPUs). For the sake of simplicity, I ran my sample ISA Server system in standalone mode, not integrated with AD.
ISA Server supports three modes of operation; during installation, you select which mode to use. Firewall mode provides all the benefits of secure access, secure Web publishing, and protocol filtering. Web caching mode provides a cache repository to accelerate Internet access for internal clients. Integrated mode combines the functionality of the other two modes and is the mode I've used on my sample system.
Clients
ISA Server supports three types of clients: Secure Network Address Translation (SecureNAT) clients, Firewall clients, and Web Proxy clients. I've configured my sample client as a Firewall and Web Proxy client. Let's examine these three client options in more detail.
SecureNAT. For SecureNAT clients, the ISA Server system operates as a NAT device, receiving outgoing packets from the internal network. The server replaces the source IP address in each outgoing packet with the ISA Server machine's external IP address. If I configure my sample network to support SecureNAT clients, for example, when Alpha sends a request to Leonbr-Hm, Leonbr-Hm identifies the request as coming from IP address 192.168.154.20 (i.e., ISA-Leon's external NIC). The ISA Server machine thus hides the clients' internal IP addresses from external hosts. The entire process is transparent to the clients and doesn't require any additional software on the client machines. (For this reason, SecureNAT works on clients running any network OS. The flip side is that ISA Server sees only the client's IP address, so it can't apply user-account-based rules to SecureNAT clients; you control them by client address instead.) The only client requirement is that you must configure the clients' default gateway to be the ISA Server system's internal-network NIC. If you configure clients to receive IP information through DHCP, you can configure your DHCP server to give the clients the correct gateway address. If you use an intranet in a subnetted environment that requires multiple routers, you must configure the final router's default gateway to be the ISA Server machine's internal-network IP address.
SecureNAT clients are responsible for their own name resolution, so your intranet needs a DNS server available to resolve Internet addresses. You can point internal clients to an external DNS server and create a rule on the ISA Server machine that permits DNS queries (UDP port 53) to go out to that server. If clients need to resolve both internal and external addresses, however, you need to set up a local DNS server that can resolve internal addresses and forward external queries to external DNS servers as needed.
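To make the SecureNAT behaviour described above concrete, here is an added Python model (illustration only, not ISA Server code and not from the article). It walks the sample exchange between Alpha (10.0.0.2) and Leonbr-Hm (192.168.154.1): the outbound packet leaves with ISA-Leon's external address (192.168.154.20) as its source, the reply is mapped back to Alpha, and a DNS query is allowed out only because an explicit rule permits it. The model goes slightly beyond the text by keeping a per-flow port-translation table so that several internal clients can share the one external address, and by dropping unsolicited inbound packets; the rule format, the translated port range and the packet tuple are this model's own assumptions, not ISA Server internals.

```python
"""Toy model of ISA Server 2000 SecureNAT for the article's sample network.

Added illustration, not ISA Server code.  Assumptions of this model (not ISA
internals): a rule is (protocol, destination port, destination network),
translated source ports are handed out from NAT_PORT_BASE upward, and a
packet is a five-tuple of protocol, source, source port, destination, port.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/24")   # sample intranet behind ISA-Leon
EXTERNAL_IP = "192.168.154.20"              # ISA-Leon's external NIC (from the article)
NAT_PORT_BASE = 40000                       # assumed first translated source port


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


# Assumed outbound rules: what SecureNAT clients may send through the server.
RULES = [
    ("tcp", 80, ip_network("0.0.0.0/0")),           # Web access anywhere
    ("tcp", 21, ip_network("0.0.0.0/0")),           # FTP control channel anywhere
    ("udp", 53, ip_network("192.168.154.1/32")),    # DNS queries only to the external resolver
]


class SecureNat:
    def __init__(self):
        # (proto, translated port) -> (internal client IP, client's own port)
        self.table = {}
        self.next_port = NAT_PORT_BASE

    def permitted(self, pkt):
        """True if some rule allows this protocol/port/destination out."""
        return any(
            pkt.proto == proto and pkt.dport == port and ip_address(pkt.dst) in net
            for proto, port, net in RULES
        )

    def outbound(self, pkt):
        """Client -> Internet.  Rewrite the source, or return None to drop."""
        if ip_address(pkt.src) not in INTERNAL_NET or not self.permitted(pkt):
            return None
        ext_port = self.next_port
        self.next_port += 1
        self.table[(pkt.proto, ext_port)] = (pkt.src, pkt.sport)
        # External hosts see only ISA-Leon's address and the translated port.
        return replace(pkt, src=EXTERNAL_IP, sport=ext_port)

    def inbound(self, pkt):
        """Internet -> client.  Only replies to a translated flow get through."""
        key = (pkt.proto, pkt.dport)
        if pkt.dst != EXTERNAL_IP or key not in self.table:
            return None
        client_ip, client_port = self.table[key]
        return replace(pkt, dst=client_ip, dport=client_port)


def demo():
    """Replay the article's sample exchange and return what each side sees."""
    nat = SecureNat()
    # Alpha (10.0.0.2) requests a Web page from Leonbr-Hm (192.168.154.1).
    request = Packet("tcp", "10.0.0.2", 1025, "192.168.154.1", 80)
    on_wire = nat.outbound(request)               # what Leonbr-Hm receives
    reply = Packet("tcp", "192.168.154.1", 80, on_wire.src, on_wire.sport)
    delivered = nat.inbound(reply)                # what Alpha receives
    dns = Packet("udp", "10.0.0.2", 1026, "192.168.154.1", 53)      # permitted by rule
    telnet = Packet("tcp", "10.0.0.2", 1027, "192.168.154.1", 23)   # no rule: dropped
    stray = Packet("tcp", "192.168.154.1", 4444, EXTERNAL_IP, 40005)  # unsolicited inbound
    return {
        "seen_by_server": on_wire,
        "delivered_to_client": delivered,
        "dns_allowed": nat.outbound(dns) is not None,
        "telnet_allowed": nat.outbound(telnet) is not None,
        "unsolicited_inbound": nat.inbound(stray),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running the block shows the Web request arriving at Leonbr-Hm from 192.168.154.20:40000 rather than from 10.0.0.2, the reply landing back on Alpha's original port, the DNS query passing only because of the explicit UDP 53 rule, and both the telnet attempt and the unsolicited inbound packet being dropped.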