In the tutorial's next steps, you configure additional firewall-related features, including IP packet filtering and intrusion detection. Finally, the tutorial prompts you to configure settings related to upstream firewall traffic routing (including client Web traffic) and to caching.
Making Up the Rules
After you define the policy elements that your rules will require, you're ready to start configuring the rules. If you completed the tutorial, you already have firsthand experience with creating examples of the two most important rule types used within ISA Server: a site and content rule and a protocol rule. ISA Server uses site and content rules to determine which users or machines can access which Internet locations and when. Protocol rules define which traffic types can pass through ISA Server.
All access to the Internet through ISA Server is disabled by default, so you must define at least one protocol access rule that permits the traffic type you want to use through the server. If your clients can't connect to the Internet after your initial ISA Server configuration but your server can ping hosts on the Internet, the problem is probably that you didn't create a protocol access rule.
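The two rule types work together as a default-deny policy: a request must be permitted by a protocol rule (the traffic type, from that client) and by a site and content rule (the user or machine, the destination, the time) before ISA Server passes it. The following Python model is an added example, not ISA Server's own engine or any code from Microsoft; it assumes that deny rules are evaluated before allow rules, that time restrictions are whole-hour windows, and that usernames and group names are available to rules (which on ISA Server requires the firewall client). The rule names, hostnames and addresses are constructed sample data. Its most useful property is the one the paragraph above describes: with no protocol rule at all, every request is refused, which is the first thing to check when clients cannot reach the Internet.

```python
from dataclasses import dataclass
from datetime import datetime
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

ALLOW, DENY = "allow", "deny"


@dataclass(frozen=True)
class ProtocolRule:
    """Which traffic types may pass, and from which client addresses."""
    name: str
    action: str
    protocols: frozenset          # e.g. {"HTTP", "HTTPS"}; "*" matches any
    client_networks: tuple        # ip_network objects; empty = any client

    def matches(self, req):
        if "*" not in self.protocols and req.protocol not in self.protocols:
            return False
        if self.client_networks and not any(req.client_ip in n for n in self.client_networks):
            return False
        return True


@dataclass(frozen=True)
class SiteContentRule:
    """Which users or groups may reach which destinations, and when."""
    name: str
    action: str
    destinations: frozenset       # hostnames; "*" matches any
    users: frozenset              # usernames or group names; "*" matches any
    hours: Optional[Tuple[int, int]] = None   # (start, end) on a 24-hour clock; None = always

    def matches(self, req):
        if "*" not in self.destinations and req.destination not in self.destinations:
            return False
        if "*" not in self.users and not (self.users & req.principals):
            return False
        if self.hours is not None:
            start, end = self.hours
            if not (start <= req.when.hour < end):
                return False
        return True


@dataclass(frozen=True)
class Request:
    client_ip: object             # ipaddress object of the internal client
    principals: frozenset         # username plus group names (assumes the firewall client)
    protocol: str
    destination: str
    when: datetime


def _decide(rules, req, kind):
    """Model assumption: a matching deny rule wins; otherwise one matching allow rule suffices."""
    for r in rules:
        if r.action == DENY and r.matches(req):
            return DENY, f"{kind} rule '{r.name}' denies the request"
    for r in rules:
        if r.action == ALLOW and r.matches(req):
            return ALLOW, f"{kind} rule '{r.name}' permits the request"
    return DENY, f"no {kind} rule permits the request (default deny)"


def evaluate(req, protocol_rules, site_rules):
    """Both rule types must permit the request; the first refusal explains the outcome."""
    verdict, reason = _decide(protocol_rules, req, "protocol")
    if verdict == DENY:
        return verdict, reason
    return _decide(site_rules, req, "site and content")


# Constructed sample policy (hypothetical names and addresses).
INTERNAL = ip_network("10.0.0.0/8")
PROTOCOL_RULES = [
    ProtocolRule("Allow web", ALLOW, frozenset({"HTTP", "HTTPS"}), (INTERNAL,)),
]
SITE_RULES = [
    SiteContentRule("Block games", DENY, frozenset({"games.example"}), frozenset({"*"})),
    SiteContentRule("Office hours web", ALLOW, frozenset({"*"}), frozenset({"Domain Users"}), (8, 18)),
]


def sample_request(protocol="HTTP", destination="www.example.com", hour=10,
                   client="10.1.2.3", groups=("Domain Users",)):
    """Build a constructed request from user 'alice' for the scenarios below."""
    return Request(ip_address(client), frozenset(("alice",) + tuple(groups)),
                   protocol, destination, datetime(2000, 10, 2, hour))


if __name__ == "__main__":
    print("empty policy:", evaluate(sample_request(), [], []))
    print("web at 10:00:", evaluate(sample_request(), PROTOCOL_RULES, SITE_RULES))
    print("web at 22:00:", evaluate(sample_request(hour=22), PROTOCOL_RULES, SITE_RULES))
    print("games site:  ", evaluate(sample_request(destination="games.example"), PROTOCOL_RULES, SITE_RULES))
    print("FTP:         ", evaluate(sample_request(protocol="FTP"), PROTOCOL_RULES, SITE_RULES))
```

The reason string is the diagnostic a practitioner wants: a refusal caused by an empty protocol rule set reads differently from one caused by a time window or an explicit deny rule, so the model points at the rule, or the missing rule, responsible for each outcome.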
In addition to site and content rules and protocol rules, you can define three other primary rule types within ISA Server. You use bandwidth rules to assign relative priorities to various types of traffic to the Internet and between the internal clients that ISA Server protects. This feature gives administrators an unprecedented level of control over the utilization of network and Internet bandwidth. For example, if your company's CEO has an important videoconference with shareholders, you might decide to implement a bandwidth rule that assigns his traffic higher priority than Web browsing traffic from the general employee populace. You use the ISA Server Administration tool to define and manage site and content rules and bandwidth rules.
The other two rule types, Web publishing rules and server publishing rules, fall under the array-specific publishing rules container in the ISA Server Administration tool's contents pane. Web publishing rules control how ISA Server responds to incoming client HTTP, HTTP over Secure Sockets Layer (HTTPS), and FTP requests (e.g., denying requests or routing them to another server).
Server publishing rules are a catchall for all other redirections from ISA Server to internal servers for various incoming client requests. You also use server publishing rules to configure ISA Server to handle and redirect incoming and outgoing email traffic with an internal email server. To set up email publishing rules, right-click the Server Publishing Rules container in the ISA Server Administration tool's contents pane and select Publish Mail Server. This action launches the Mail Server Setup Wizard, which Figure 5 shows. This wizard prompts you for the necessary information to configure ISA Server to filter and redirect mail for the network, including the external and internal IP addresses assigned to the mail server and the types of mail services that ISA Server intercepts.
Odds and Ends
During my experiences with ISA Server, I deduced miscellaneous tips and discoveries. First, I formed an answer to the question of whether you should install the firewall client that ISA Server includes on Windows-based network workstations. Although ISA Server doesn't require the client for firewall operation, the firewall client provides benefits such as the ability to specify usernames and group names within rules rather than only client IP addresses. If you need to secure your firewall by using rules that leverage SAM- or AD-based usernames or group names, install the client.
A second benefit of the firewall client is that it automatically configures client browsers for the firewall server during installation. ISA Server's firewall client is almost identical to Proxy Server's Winsock client in both installation and function.
ISA Server is an open-development platform. Microsoft has made writing add-on products that enhance the server's functionality very easy for third-party vendors. The product even includes an ISA Server software development kit (SDK) in the CD-ROM's \sdk subdirectory. As of this writing, several Internet security product vendors have announced products designed to work on top of ISA Server.
Although my overall impression of ISA Server was favorable, I had concerns about its performance. Although my test server was a relatively capable system (i.e., a 400MHz Pentium II processor system with 196MB of RAM), I noticed that ISA Server often ran quite sluggishly. I'm hoping that I can attribute this slow performance to the fact that I was working with a beta version of the product.
In addition, if you're upgrading to ISA Server from Proxy Server, read the special document that the ISA Server CD-ROM includes that addresses Proxy Server-specific migration concerns. You can access this useful and informative document from the installation CD-ROM's main menu or by opening the file Pre-Migration-Considerations.htm in the CD-ROM's root directory. The beta 3 CD-ROM also includes an installation guide, cmtstart.htm, and the release notes, readme.htm, in the CD-ROM's \ISA subdirectory, and the main ISA Server Help file, isa.chm, is in the CD-ROM's \ISA\CHMBOOK subdirectory.
Winner in the Wings
Microsoft appears to have a winner on its hands with ISA Server. The product enhances Proxy Server's access and caching benefits with the addition of industrial-strength firewall features and client transparency through NAT support. I couldn't get an official release date from Microsoft, but I predict that the company will release ISA Server by the end of 2000.
Although ISA Server requires Win2K Server or Win2K Advanced Server to run, the ability to use ISA Server in a standalone configuration on non-AD networks means that organizations don't have to wait until they migrate to AD to take advantage of ISA Server's offerings. In addition, ISA Server's greatly improved security, performance, and transparency features will help it gain acceptance in IT shops in which Proxy Server 2.0 didn't make the grade. For Win2K-based and NT networks that need to accelerate and secure their Internet connections, ISA Server appears to be an excellent choice.