Microsoft CRM Implementation Guide - Planning the Security of your Microsoft CRM System

Microsoft® Windows® 2000 Server, the foundation of Microsoft Business Solutions Customer Relationship Management (Microsoft CRM), provides sophisticated standards-based network security. The Kerberos version 5 authentication protocol is integrated directly into Active Directory®, which provides you with powerful standards-based authentication. In addition, users are able to use a single user name and password logon combination for the network.


About Security

Hackers represent a threat to network security, but a potentially greater threat comes from within your organization. Although there is no easy formula for successful network security, you can use several solutions to help protect your servers and data.

Technology by itself is not enough to guarantee security. That is, there will never be a product that you can simply unpack, install on your network, and instantly achieve perfect security. Instead, security is a result of both technology and policy—that is, it is how the technology is used that ultimately determines whether your network is secure. Microsoft delivers the technology, but only you and your corporate management can determine the right policies for your company. Plan for security early. Understand what you want to protect and what you are willing to do to protect it. Finally, develop contingency plans for emergencies before they happen. Couple thorough planning with solid technology and you will have great security.

For more information about general security, see "The Ten Immutable Laws of Security Administration," located at http://www.microsoft.com/technet/archive/community/columns/security/essays/10salaws.mspx.

Employees

Disgruntled and former employees are a threat to network security. Keep the following personnel issues in mind when developing policy:

  • Conduct pre-employment background investigations.

  • Make sure that you delete all associated accounts and passwords when an employee leaves.

  • Train your users to be alert and to report suspicious activity.

  • Do not grant privileges automatically. If users do not need access to particular computers, computer rooms, or sets of files, ensure that they do not have access.

  • Train supervisors to identify and respond to potential employee problems.

  • Expect "revenge" from disgruntled employees and former employees.

  • Monitor system usage for unusual activity.

  • Make sure that your employees understand their roles in maintaining network security.

  • Give a copy of your company policies to every employee.

  • Do not allow users to install their own software.

For the Administrator

  • Use a strong password at all times, one that includes both uppercase and lowercase characters, numbers, and symbols (example: diT$34ppK).

  • Log on by using your alias and not "Administrator."

  • Never leave a computer unattended while logged on with an account in the administrator group.

  • Do not give out the administrator password.

  • Rename the administrator account.

  • Use Windows 2000 delegated management instead of giving out administrative rights.

Physical Security

It is important to remember physical security considerations when developing security policies and procedures. Consider the following physical security issues when developing a policy:

  • Ensure that you lock server rooms and places where software and manuals are stored.

  • Keep unauthorized users away from the power and reset switches on the server.

  • Consider removing the floppy disk drive from client workstations.

  • Ensure that you have basic burglar alarms installed regardless of how sensitive your data is.

  • Ensure that you store backups of critical data off-site and that software is stored in fireproof containers when not in use.

External Security - Firewall

A firewall is a piece of hardware or software that prevents data packets from either entering or leaving a specified network. To control the flow of traffic, numbered ports in the firewall are either opened or closed to information packets. The firewall looks at several pieces of information in each arriving or departing packet: the protocol through which the packet is being delivered, the destination or sender of the packet, the type of content that is contained in the packet, and the port number to which it is being sent. If the firewall is configured to accept the specified protocol through the targeted port, the packet is allowed through. Microsoft Small Business Server 2000 ships with Microsoft Internet Security and Acceleration (ISA) Server 2000 as its firewall solution.

ISA Server 2000

Microsoft ISA Server securely routes requests and responses between the Internet and client computers on the internal network.

ISA Server acts as the secure gateway to the Internet for clients on the local network. The ISA Server computer is transparent to the other parties in the communication path. The Internet user should not be able to tell that a firewall server is present, unless the user attempts to access a service or go to a site where the ISA Server computer denies access. The Internet server that is being accessed interprets the requests from the ISA Server computer as if the requests originated from the client application.

When you choose Internet Protocol (IP) fragment filtering, you enable the Web Proxy and Firewall services to filter packet fragments. By filtering packet fragments, all fragmented IP packets are dropped. A well-known "attack" involves sending fragmented packets and then reassembling them in such a way that may cause harm to the system.

ISA Server features an intrusion detection mechanism, which identifies the time when an attack is attempted against a network and performs a set of configured actions (or alerts) in case of an attack.

If Internet Information Services (IIS) is installed on the ISA Server computer, you must configure it to not use the ports that ISA Server uses for outgoing Web requests (by default, 8080) and for incoming Web requests (by default, 80). For example, you can change IIS to monitor port 81, and then configure the ISA Server computer to direct the incoming Web requests to port 81 on the local computer running IIS.

If there is a conflict between ports that ISA Server and IIS use, the setup program stops the IIS publishing service. You can then change IIS to monitor a different port, and then restart the IIS publishing service.

ISA Server Policies

You can define an ISA Server policy that dictates inbound and outbound access. Site and content rules specify which sites and content can be accessed. Protocol rules indicate whether a particular protocol is accessible for inbound and outbound communication.

You can create site and content rules, protocol rules, Web publishing rules, and IP packet filters. These policies determine how the ISA Server clients communicate with the Internet and what communication is permitted.

Virus Protection

A computer virus is an executable file that is designed to replicate itself, erase or corrupt data files and programs, and avoid detection. In fact, viruses are often rewritten and adjusted so that they cannot be detected. Viruses are often sent as e-mail attachments. Antivirus programs must be updated continuously to look for new and modified viruses. Viruses are the number one method of computer vandalism.

Antivirus software is specifically designed for the detection and prevention of virus programs. Because new virus programs are created all the time, many makers of antivirus products offer periodic updates of their software to customers. Microsoft strongly recommends that you use antivirus software in your environment.

Antivirus software is usually installed at each of these three places: user workstations, servers, and the point on the network where e-mail enters (and in some cases, leaves) the organization. The Microsoft CRM-Exchange E-mail Router (the Router) works by intercepting e-mail as it enters the organization and posting an e-mail event to the Microsoft CRM server. If you have antivirus software installed at the client workstation and on the Microsoft Exchange 2000 servers that host mailboxes, but you do not have it on the Exchange 2000 servers that receive e-mail from the Internet, it is possible that the Router will receive a message infected with a virus and post it to Microsoft CRM before the message is received by the Exchange 2000 mailbox server and then detected and deleted.

This means that if your Exchange 2000 organization has front-end Simple Mail Transfer Protocol (SMTP) servers, you should install virus protection software in front of the front-end SMTP server or on the front-end SMTP server itself. This way, as messages are received from the Internet, they are scanned by the virus protection software before they enter the organization.

If your organization does not use SMTP front-end servers, but you only have a virus scanning product that scans the Exchange Information Stores for viruses, you should install a virus protection component that scans incoming SMTP e-mail. This way, messages will be scanned before they are sent to Microsoft CRM.

The one thing that you need to communicate to users is that at this point in time, a virus cannot do any damage to computer systems unless a user runs the virus. If a user receives a virus as an attachment in an e-mail message, for instance, the user can delete the virus without any harm to the e-mail server or the user's local computer.

Types of Viruses

There are three main types of viruses that infect computer systems: boot-sector viruses, file-infecting viruses, and Trojan horse programs.

Boot-Sector Viruses

When a computer starts, it scans the boot sector of the hard disk before loading the operating system or any other startup files. A boot-sector virus is designed to replace the information in the hard disk's boot sectors with its own code. When a computer is infected with a boot-sector virus, the virus' code is read into memory before anything else. After the virus is in memory, it can replicate itself onto any other disks that are in use in the infected computer.

File-Infecting Viruses

The most common type of virus, a file-infecting virus, attaches itself to an executable program file by adding its own code to the executable file. The virus code is usually added in such a way that it escapes detection. When the infected file is run, the virus can attach itself to other executable files. Files infected by this type of virus usually have a .com, .exe, or .sys file name extension.

Some file-infecting viruses are designed for specific programs. Program types that are often targeted are overlay (.ovl) files and dynamic-link library (.dll) files. Although these files are not run, executable files call them. The virus is transmitted when the call is made.

Damage to data occurs when the virus is triggered. A virus can be triggered when an infected file is run or when a particular environment setting is met (such as a specific system date).

Trojan Horse Programs

A Trojan horse program is not a virus. The key distinction between a virus and a Trojan horse program is that a Trojan horse program does not replicate itself; it only destroys information on the hard disk. A Trojan horse program disguises itself as a legitimate program, such as a game or utility. But when run, it can destroy or scramble data.

Virus Prevention Best Practices

You can prevent the spread of a macro virus. Here are some tips to avoid infection:

  • Install a virus protection solution that scans incoming messages from the Internet for viruses before the messages pass the Router. This will ensure that e-mails are scanned for known viruses before they are posted to Microsoft CRM.

  • Know the source of the documents that you receive. If someone sends you a document or file, be sure you know whether you can trust him or her. Is this person someone you work with? Would this person send around files from untrustworthy sources?

  • Talk to the person who created the document. If you are at all unsure whether the document is safe, contact the person who created the document.

  • Use the Microsoft Office macro virus protection. In Office, the applications alert you if a document that you open contains macros. This feature allows you to either enable or disable the macros as you open the document.

  • Use virus-scanning software to detect and remove macro viruses. Virus-scanning software can detect and often remove macro viruses from documents. Microsoft recommends the use of antivirus software that is certified by the International Computer Security Association (ICSA). You can view a current list of ICSA-certified antivirus products on the ICSA Web site (www.trusecure.com/).

For more information about viruses and computer security in general, refer to the following Microsoft Security Web sites:

  • Microsoft Security & Privacy (www.microsoft.com/security/default.asp)

  • Security documentation on Microsoft TechNet (www.microsoft.com/technet/security/Default.asp)

Locking Down the Servers by Using Group Policy

The goal of a security policy is to define the procedures for configuring and managing security in your environment. Windows 2000 Group Policy can help you to implement technical recommendations in your security policy for all of the workstations and servers in your Active Directory domains. You can use Group Policy in conjunction with your Organizational Unit (OU) structure to define specific security settings for certain server roles.

If you use Group Policy to implement security settings, you can ensure that any changes made to a policy will apply to all servers using that policy, and that new servers will automatically obtain the new settings.

How Group Policy Is Applied

To use Group Policy safely and efficiently, it is very important to understand how it is applied. A user or computer object can be subject to multiple Group Policy objects (GPOs). These are applied sequentially, and the settings accumulate, except in the case of a conflict—where, by default, settings in later policies override those in earlier ones.

The first policy to apply is the local GPO. Every computer running Windows 2000 has a local GPO stored on it. By default, only nodes under Security Settings are configured. Settings in other parts of the namespace of the local GPO are neither enabled nor disabled. The local GPO is stored on each server in %systemroot%\System32\GroupPolicy.

After the local GPO, subsequent GPOs are applied at the site, domain, parent OU, and, finally, child OU levels. The following diagram shows how each policy is applied:

Figure: GPO application hierarchy

If there are multiple GPOs defined at each level, an administrator will set the order in which they are applied.

A user or computer will apply the settings defined in a Group Policy if a) the Group Policy is applied to their container and b) the user or computer (or a group it belongs to) appears in the Discretionary Access Control List (DACL) for the GPO with at least the Apply Group Policy permission.

Note: By default, the built-in group, Authenticated Users, has the Apply Group Policy permission. This group contains all domain users and computers.
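The processing order just described, as an added illustration that is not part of the original guide: GPOs are applied local, site, domain, parent OU, child OU, later ones override earlier ones only on conflict, and a GPO whose DACL does not grant the principal Apply Group Policy is skipped. The GPO names, settings and the "Lab Servers" group are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class GPO:
    name: str
    settings: dict                    # setting -> value; a setting left Not Configured is simply absent
    # Groups whose DACL entry grants Apply Group Policy; Authenticated Users by default.
    apply_to: set = field(default_factory=lambda: {"Authenticated Users"})


def effective_settings(levels, principal_groups):
    """Accumulate settings in the order Windows 2000 processes GPOs.

    levels: ordered list of (level name, [GPO, ...]) for local, site, domain,
    parent OU and child OU; within a level the list order is the order the
    administrator set. Later GPOs override earlier ones only where they conflict.
    Returns (effective settings, audit trail).
    """
    result, trail = {}, []
    for level_name, gpos in levels:
        for gpo in gpos:
            if not (gpo.apply_to & principal_groups):
                trail.append(f"{level_name}: {gpo.name} skipped (no Apply Group Policy permission)")
                continue
            for key, value in gpo.settings.items():
                if key in result and result[key] != value:
                    trail.append(f"{level_name}: {gpo.name} overrides {key}: {result[key]!r} -> {value!r}")
                else:
                    trail.append(f"{level_name}: {gpo.name} sets {key} = {value!r}")
                result[key] = value
    return result, trail


# Constructed sample hierarchy; GPO names, settings and the "Lab Servers" group are invented.
SAMPLE_LEVELS = [
    ("Local", [GPO("Local GPO", {"MinimumPasswordLength": 6})]),
    ("Site", []),
    ("Domain", [GPO("Default Domain Policy",
                    {"MinimumPasswordLength": 8, "AuditLogonEvents": "Success, Failure"})]),
    ("OU Servers", [GPO("Server Baseline", {"RestrictAnonymous": 1})]),
    ("OU Servers/CRM", [
        GPO("CRM Hardening", {"RestrictAnonymous": 2, "RenameAdministratorAccount": "crmadm"}),
        # Listed after CRM Hardening, so it would win a conflict, but its DACL grants
        # Apply Group Policy only to the Lab Servers group.
        GPO("Lab Relaxation", {"MinimumPasswordLength": 4}, apply_to={"Lab Servers"}),
    ]),
]


def policy_for(groups):
    """Effective settings for a computer that is a member of the given groups."""
    return effective_settings(SAMPLE_LEVELS, set(groups))


if __name__ == "__main__":
    settings, trail = policy_for({"Authenticated Users", "Domain Computers"})
    print("\n".join(trail))
    print(settings)
```

The audit trail is what you check when a server ends up with a setting you did not expect: it names the level and GPO that last wrote each value.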

Group Policy Structure

Group Policy configuration settings are stored in two locations:

  • GPOs. Located in Active Directory.

  • Security template files. Located in the local file system.

Changes made to the GPO are saved directly in Active Directory, whereas changes made to the security template files must then be imported back into the GPO within Active Directory before the changes can be applied.

Windows 2000 comes with a number of security templates. You can apply the following templates in a low security environment:

  • Basicwk.inf. For Windows 2000 Professional.

  • Basicsv.inf. For Windows 2000 Server.

  • Basicdc.inf. For Windows 2000-based domain controllers.

To implement higher security on Windows 2000-based computers, further templates are provided. These provide additional security settings to the basic templates:

  • Securedc.inf and Hisecdc.inf. For domain controllers.

  • Securews.inf and Hisecws.inf. For member servers and workstations.

These templates are considered incremental templates because the basic templates must be applied before the incremental templates can be added. For this guide, we have created new security templates, using Hisecdc.inf and Hisecws.inf as the starting points. The aim is to create a very restrictive environment, which you can then selectively open up to provide the functionality that you require, while still keeping security of premium importance.

Note: It is important to test how any Group Policy changes will affect your CRM environment before they are implemented in your production environment. This includes adding the security Group Policy templates listed above.

Security Template Format

Template files are text-based files. You can make changes to the template files from the Security Templates Microsoft Management Console (MMC) snap-in or by using a text editor such as Notepad. The following table shows how the policy sections map to sections of the template files.

Security Template Sections Corresponding to Group Policy Settings

Policy section       Template section
Account Policy       [System Access]
Audit Policy         [System Log], [Security Log], [Application Log]
User Rights          [Privilege Rights]
Security Options     [Registry Values]
Event Log            [Event Audit]
Restricted Groups    [Group Membership]
System Services      [Service General Setting]
Registry             [Registry Keys]
File System          [File Security]

Some sections within the security template file, such as [File Security] and [Registry Keys], contain specific access control lists (ACLs). These ACLs are text strings, defined by the Security Descriptor Definition Language (SDDL). More information about editing security templates and about SDDL can be found on the MSDN Web site (msdn.microsoft.com).
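As an added example that is not from the guide, here is a minimal parser for the text-based template format (the secedit .inf layout the Security Templates snap-in reads) and a check of one template against a hardened baseline. Key names such as MinimumPasswordLength, PasswordComplexity, LockoutBadCount, AuditLogonEvents, SeNetworkLogonRight and RestrictAnonymous are the real template keys; the sample template and the baseline thresholds are this example's own assumptions. SDDL strings in the ACL sections are kept verbatim, not interpreted.

```python
import re

SECTION_RE = re.compile(r"^\[(.+)\]$")


def parse_template(text):
    """Parse a security template into {section: {key: value}}.

    Values stay as raw strings because each section has its own grammar:
    [Registry Values] entries are 'type,data', [Privilege Rights] entries are
    comma-separated SIDs or names, and the ACL sections ([Registry Keys],
    [File Security]) list "path",mode,"SDDL" entries with no '=' at all, which
    are kept verbatim as keys with an empty value.
    """
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank lines and comments
            continue
        header = SECTION_RE.match(line)
        if header:
            current = sections.setdefault(header.group(1), {})
            continue
        if current is None:
            raise ValueError(f"entry before any [section]: {raw!r}")
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
        else:
            key, value = line, ""
        current[key] = value
    return sections


def registry_value(sections, path):
    """Decode a [Registry Values] entry written as 'type,data' (4 = REG_DWORD, 1 = REG_SZ)."""
    raw = sections.get("Registry Values", {}).get(path)
    if raw is None:
        return None
    reg_type, data = raw.split(",", 1)
    return int(data) if reg_type.strip() == "4" else data.strip().strip('"')


def privilege_holders(sections, right):
    """SIDs/names granted a user right in [Privilege Rights]."""
    raw = sections.get("Privilege Rights", {}).get(right, "")
    return {p.strip() for p in raw.split(",") if p.strip()}


def check_against_baseline(sections):
    """Report where a template is weaker than the minimums assumed here.

    The thresholds are this example's assumptions, not values from the guide.
    """
    findings = []
    access = sections.get("System Access", {})
    if int(access.get("MinimumPasswordLength", 0)) < 8:
        findings.append("MinimumPasswordLength is below 8")
    if access.get("PasswordComplexity") != "1":
        findings.append("PasswordComplexity is not enabled")
    if int(access.get("LockoutBadCount", 0)) == 0:
        findings.append("LockoutBadCount is 0: account lockout disabled")
    # Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure
    if sections.get("Event Audit", {}).get("AuditLogonEvents") != "3":
        findings.append("AuditLogonEvents does not audit both success and failure")
    if "*S-1-1-0" in privilege_holders(sections, "SeNetworkLogonRight"):
        findings.append("SeNetworkLogonRight is granted to Everyone (S-1-1-0)")
    lsa = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"
    if not registry_value(sections, lsa):
        findings.append("RestrictAnonymous is unset or 0")
    return findings


# Constructed sample template in the secedit .inf layout (weak settings on purpose).
SAMPLE_TEMPLATE = r"""
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 1
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Registry Keys]
"MACHINE\SOFTWARE",2,"D:PAR(A;CI;KA;;;BA)(A;CI;KR;;;BU)"
"""

if __name__ == "__main__":
    for finding in check_against_baseline(parse_template(SAMPLE_TEMPLATE)):
        print("-", finding)
```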

Locking Down the Web Servers Using IIS Lockdown

IIS servers provide a great deal of functionality. However, to make your IIS servers as secure as possible, you should restrict this functionality to only that which is required. The easiest way to do this is with the IIS Lockdown tool. IIS Lockdown is a highly configurable utility that allows you to specify the nature of your Web server. It will then remove any functionality that is not required for the particular Web server. You should, of course, test any changes thoroughly before implementing them in a production environment.

Note: The IIS Lockdown tool is available as part of the Security Toolkit and as a download from the Microsoft Security & Privacy Web site (www.microsoft.com/downloads/details.aspx?FamilyID=dde9efc0-bb30-47eb-9a61-fd755d23cdec&DisplayLang=en).

IIS Lockdown can perform many steps to help secure Web servers. These can include:

  • Locking files.

  • Disabling services and components.

  • Installing URL Scan.

  • Removing unneeded Internet Server Application Programming Interface (ISAPI) DLL script mappings.

  • Removing unneeded directories.

  • Changing ACLs.

You can use IIS Lockdown to secure many types of IIS server roles. For each server, you should pick the most restrictive role that meets the needs of your Web server.

Client Communication Security

Microsoft CRM Sales for Outlook Security

Microsoft Outlook® supports remote procedure call (RPC) encryption between the Exchange server and Microsoft CRM Sales for Outlook (the Outlook client). This simple security mechanism encrypts the network communications (RPCs) between the Exchange server and the Outlook client. This means that the message itself is not encrypted, so the Microsoft CRM server and Web client can access and read the content. But the network session between the client and server is encrypted, so a malicious user capturing network packets cannot view messages as they travel between client and server.

This type of encryption, known as RPC encryption, is configured in the Outlook profile and is not configured by default.

Network Security Strategies

Because the design and deployment of an IP internetworking environment requires balancing private and public network concerns, the appropriately named "firewall" has become a key ingredient in safeguarding network integrity. A firewall is not a single component. The National Computer Security Association (NCSA) defines a firewall as "a system or combination of systems that enforces a boundary between two or more networks." Although different terms are used, that boundary is frequently known as a perimeter network. The perimeter network protects your intranet or enterprise local area network (LAN) from intrusion by controlling access from the Internet or other large networks.

Figure: Basic perimeter network

The previous figure shows a perimeter network bounded by firewalls placed between a private network and the Internet in order to secure the private network.

Organizations vary in their approach to using firewalls for providing security. IP packet filtering offers weak security, is cumbersome to manage, and is easily defeated. Application gateways are more secure than packet filters and easier to manage because they pertain only to a few specific applications, such as a particular e-mail system. Circuit gateways are most effective when the user of a network application is of greater concern than the data being passed by that application. The proxy server is a comprehensive security tool that includes an application gateway, safe access for anonymous users, and other services. The following provides some information about these different options:

  • IP packet filtering was the earliest implementation of firewall technology. Packet headers are examined for source and destination addresses, Transmission Control Protocol (TCP), and User Datagram Protocol (UDP) port numbers, and other information. Packet filtering is a limited technology that works best in clear security environments where, for example, everything outside the perimeter network is not trusted and everything inside is. In recent years, various vendors have improved on the packet filtering method by adding intelligent decision-making features to the packet-filtering core, thus creating a new form of packet filtering called stateful protocol inspection. You can configure packet filtering either 1) to accept specific types of packets and deny all others, or 2) to deny specific types of packets and accept all others.

  • Application gateways are used when the actual content of an application is of greatest concern. That they are application-specific is both their strength and their limitation, because they do not adapt easily to changes in technology.

  • Circuit gateways are tunnels built through a firewall connecting specific processes or systems on one side with specific processes or systems on the other. Circuit gateways are best employed in situations where the person using an application is potentially a greater risk than the information carried by the application. The circuit gateway differs from a packet filter in its ability to connect to an out-of-band application scheme that can add additional information.

  • Proxy servers are comprehensive security tools, which include firewall and application gateway functionality, that manage Internet traffic to and from a LAN. Proxy servers also provide document caching and access control. A proxy server can improve performance by caching and directly supplying frequently requested data, such as a popular Web page. A proxy server can also filter and discard requests that the owner does not consider appropriate, such as requests for unauthorized access to proprietary files.

Take advantage of those firewall security features that can help you. Position a perimeter network in your network topology at a point where all traffic from outside the corporate network must pass through the perimeter maintained by the external firewall. You can fine-tune access control for the firewall to meet your needs and can configure firewalls to report all attempts at unauthorized access.

To minimize the number of ports that you need to open on the inner firewall, you can use an application layer firewall, such as ISA Server 2000. ISA Server allows you to position your SMTP server, Microsoft CRM server, and your Outlook Web Access (OWA) front-end server behind the firewall. Using Server Publishing and Web Publishing rules, ISA Server will impersonate internal servers to the outside world without placing those servers in the perimeter network (also known as DMZ, demilitarized zone, and screened subnet).

For more information about TCP/IP, see "Designing a TCP/IP Network," located at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/depkit/4DF061EC-CBC6-4899-9D10-056CB126EFA8.mspx.

Network Security Scenarios

The level of network security that your organization requires will depend on several factors. It usually comes down to a compromise between budget and the need to keep your corporate data safe. It is possible for a small company to provide a very complex security structure that will provide the highest level of network security possible. But the small company may not be able to afford that level of security. In this section, we will look at four scenarios and make recommendations in each that will provide varying levels of security at a relative cost.

No Firewall

If your organization has a connection to the Internet but no firewall, it is highly recommended that some measure of network security be implemented. There are simple network firewall appliances that provide a measure of security, which is enough to deter most would-be hackers.

One Simple Firewall

The minimum level of security recommended is a single firewall between the Internet and your corporate data. This firewall may not provide any level of advanced security and should not be considered very secure. But it is better than nothing.

Figure: Simple firewall

Hopefully your budget will allow for a more secure solution that will protect your corporate data. One such solution is ISA Server. The increased cost of this additional server provides a great deal more security than your average consumer firewall that only does network address translation (NAT) and packet filtering.

Figure: ISA Server firewall

This single firewall solution is more secure than an entry level firewall appliance and provides Windows-specific security services.

One Existing Firewall

If your organization has an existing firewall that separates your intranet from the Internet, you may want to consider an additional firewall that provides multiple ways to publish internal resources to the Internet.

One such method is Web publishing. This is when an ISA Server is deployed in front of an organization's Web server, or Microsoft CRM server, that is providing access to Internet users. With incoming Web requests, ISA Server can impersonate a Web server to the outside world, fulfilling client requests for Web content from its cache. ISA Server forwards requests to the Web server only when the requests cannot be served from its cache.

Another method is server publishing. ISA Server allows you to publish internal servers to the Internet without compromising the security of your internal network. You can configure Web publishing and server publishing rules that determine which requests should be sent to a server on your local network, providing an increased layer of security for your internal servers.

Figure: Existing firewall

For example, you can place your Microsoft Exchange server behind the ISA Server computer and create server publishing rules that allow the e-mail server to be published to the Internet. Incoming e-mail to the Exchange server is intercepted by the ISA Server computer, which gives the appearance of an e-mail server to clients. ISA Server can filter the traffic and forward it on to the Exchange server. Your Exchange server is never exposed directly to external users and sits in its secure environment, maintaining access to other internal network services.

You can also place your Microsoft CRM server behind the ISA Server computer and create a Web publishing rule that allows Internet clients to access Microsoft CRM information through the ISA Server. Web requests destined for the Microsoft CRM server are intercepted by the ISA Server computer, which gives the appearance of the Microsoft CRM server. ISA examines the URL requests and forwards them to the Microsoft CRM server when applicable.

In this scenario you have some level of security with a traditional firewall. ISA is providing an extra level of security by publishing internal networking services on the Internet without allowing Internet hosts to directly access your corporate servers.

Two Existing Firewalls

The third scenario is where your organization has two firewalls in place with an established perimeter network (DMZ). One or more of these firewalls provides reverse proxy services so that Internet clients do not access servers on the intranet directly. Rather, one of the firewalls, ideally the internal firewall, intercepts network requests for internal servers, inspects those packets, and then forwards them on behalf of the Internet host.

Figure: Two existing firewalls

This scenario is similar to the second scenario after the second firewall is added. The only difference is that the internal firewall that supports reverse proxy is not an ISA Server. In this scenario, it is recommended that you work closely with the members of your organization that manage each firewall to define the server publishing rules so that they adhere to your security policy.

Extending Network Security on the Microsoft CRM Server

If you have one of the four previous scenarios, it is possible to add an additional layer of security. This is done by creating an additional network segment between the Microsoft CRM server and the internal firewall. This is done by adding a second network interface card (NIC) to the Microsoft CRM server and to an Exchange 2000 front-end SMTP server and segmenting the physical network connections so that the front-net is not on the same physical segment as the back-net. The Microsoft CRM server and the Exchange 2000 front-end server straddle the front-net and back-net network segments.

Figure: Multihomed servers

Routing is not configured between the two NICs on the Microsoft CRM server or the Exchange 2000 front-end SMTP server. Microsoft CRM and Exchange 2000 will initiate all network communication on the network segment that is appropriate for the destination host. This way, Internet hosts cannot get past the Microsoft CRM server or the Exchange 2000 front-end server to servers on the back-net, adding an additional level of security between Internet hosts and your back-end servers.

Publishing to the Internet Using ISA Server

ISA Server integrates a multilayer enterprise firewall to provide security and a scalable, high-performance Web cache to accelerate network performance. ISA Server comes in two versions. ISA Server Standard Edition is a stand-alone server supporting a maximum of four processors. ISA Server Enterprise Edition is designed for larger-scale deployments, supporting server arrays, multilevel policy, and computers with any number of processors.

ISA Server combines both the firewall and cache functions of the "network edge" in a single product. It can be integrated in a single server or an array of servers or deployed in a modular fashion using separate computers for each component while sharing the administration and policy.

ISA Server will help protect your servers from being attacked. However, you also need to protect the data that is traveling to and from your servers. When Web browser clients on the Internet access Microsoft CRM using Hypertext Transfer Protocol (HTTP), the following occurs:

  • An HTTP request is sent to the ISA Server from the Web browser. If permitted by the ISA publishing rules, the requests are passed to the Microsoft CRM servers.

  • ISA Server establishes a new HTTP connection to the Microsoft CRM server with its own IP address as the source IP address. As a result, the IIS logs on the Microsoft CRM server record the ISA Server's address rather than the Internet client's, so retain the ISA Server's Web proxy logs if you need to trace a request back to its origin.

  • The HTTP requests are processed on the Microsoft CRM server. As part of the processing, the Microsoft CRM server authenticates the user against the global catalog server.
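Because the ISA Server opens its own connection to the Microsoft CRM server, the only place the Internet client's address survives is the ISA Server's Web proxy log. The script below is an added example, not code from the Microsoft CRM guide or from Microsoft: it parses both logs in W3C extended log format (the #Fields line names the columns) and joins each IIS record that came from the ISA Server to the closest ISA record with the same method and URL path, attaching the real client address. The log lines, the addresses (ISA Server at 10.10.0.5, CRM server at 10.10.0.50) and the field lists are constructed for illustration; take the field names from the #Fields line of your own logs.

```python
"""Recover the Internet client's address behind ISA Server (added example, constructed logs)."""
import datetime as dt
from urllib.parse import urlsplit

# Constructed ISA Server Web proxy log. c-ip is the Internet client and r-host
# the published Microsoft CRM server; "-" is the W3C marker for an empty field.
ISA_WEB_PROXY_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server
#Fields: c-ip cs-username date time cs-method cs-uri r-host sc-status
203.0.113.7 jsmith 2003-05-12 14:02:11 GET http://crm.example.com/crm/home.aspx 10.10.0.50 200
198.51.100.23 - 2003-05-12 14:02:12 GET http://crm.example.com/crm/login.aspx 10.10.0.50 401
203.0.113.7 jsmith 2003-05-12 14:02:15 POST http://crm.example.com/crm/contacts.aspx 10.10.0.50 200
"""

# Constructed IIS log from the Microsoft CRM server. Published requests carry
# the ISA Server's address (10.10.0.5); 10.20.0.9 is a back-net host that
# reached IIS directly, and the last line has no matching ISA record.
IIS_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2003-05-12 14:02:11 10.10.0.5 GET /crm/home.aspx 200
2003-05-12 14:02:12 10.10.0.5 GET /crm/login.aspx 401
2003-05-12 14:02:15 10.10.0.5 POST /crm/contacts.aspx 200
2003-05-12 14:02:20 10.20.0.9 GET /crm/health.aspx 200
2003-05-12 14:02:30 10.10.0.5 GET /crm/missing.aspx 404
"""

ISA_ADDRESSES = {"10.10.0.5"}  # constructed: the ISA Server's address as seen by IIS


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the names in the #Fields line."""
    fields, records = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record appears before any #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in line: {line!r}")
        records.append({f: (None if v == "-" else v) for f, v in zip(fields, values)})
    return records


def timestamp(record):
    return dt.datetime.strptime(record["date"] + " " + record["time"], "%Y-%m-%d %H:%M:%S")


def correlate(isa_text, iis_text, isa_addresses, tolerance_s=2):
    """Attach the originating client address to each IIS record.

    Records whose c-ip is not an ISA address already carry the real client.
    For the rest, the closest ISA record with the same method and URL path
    within tolerance_s seconds supplies c-ip; None means nothing matched.
    """
    isa_records = parse_w3c(isa_text)
    results = []
    for rec in parse_w3c(iis_text):
        if rec["c-ip"] not in isa_addresses:
            results.append({**rec, "client_ip": rec["c-ip"], "via_isa": False})
            continue
        t = timestamp(rec)
        best, best_delta = None, None
        for cand in isa_records:
            if cand["cs-method"] != rec["cs-method"]:
                continue
            if urlsplit(cand["cs-uri"]).path != rec["cs-uri-stem"]:
                continue
            delta = abs((timestamp(cand) - t).total_seconds())
            if delta <= tolerance_s and (best_delta is None or delta < best_delta):
                best, best_delta = cand, delta
        results.append({**rec, "client_ip": best["c-ip"] if best else None, "via_isa": True})
    return results


if __name__ == "__main__":
    for row in correlate(ISA_WEB_PROXY_LOG, IIS_LOG, ISA_ADDRESSES):
        print(row["time"], row["cs-uri-stem"], row["sc-status"], "client:", row["client_ip"])
```

The join is only as good as the clock agreement between the two servers and the retention of the ISA log, so keep both servers on the same time source and archive the Web proxy log for at least as long as the IIS log. A record that joins to nothing (client_ip is None) is worth a second look: it is either a request the ISA log has already rotated out or a request that reached the Microsoft CRM server from the ISA Server's address without passing the publishing rules.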

For more information, see "Microsoft Internet Security and Acceleration Server 2000 (ISA) Technical Overview," located at http://www.microsoft.com/technet/prodtechnol/isa/2000/evaluate/isatecov.mspx.

ISA Server Planning

How ISA Server is implemented in your organization depends on several factors, including the physical and logical makeup of your organization and your organization's security requirements. Part of the planning process is identifying the security components necessary to meet those requirements.

When using ISA Server as a firewall, you benefit from features and technologies, including:

  • Multilayer firewall

  • Stateful inspection

  • Broad application support

  • Integrated virtual private networking (VPN)

  • System hardening

  • Integrated intrusion detection

  • Smart application filters

  • Transparency for all clients

  • Advanced authentication

  • Secure publishing

  • E-mail content screening

  • Secure Sockets Layer (SSL) traffic inspection

Caching can significantly improve network performance, reducing traffic and latency, and improving the user experience by providing faster access. It also saves valuable network bandwidth, by locally storing and serving the most frequently requested content.

When using ISA Server for Web caching, you benefit from features and technologies, including:

  • High-performance Web cache

  • Scalability

  • Distributed and hierarchical caching

  • Active caching

  • Scheduled content download

  • Streaming media support

  • Programmable cache control

The functions of ISA Server that you implement will depend on the services that you will provide to Internet users. Microsoft CRM allows you to publish Microsoft CRM information on the Internet for Microsoft CRM users. A minimum requirement for ISA Server is to secure your connection to the Internet so that unauthorized users do not have access to your corporate data. The services listed previously, along with protocol encryption, can help to secure your valuable corporate assets.

To plan for these services, you must define four areas of ISA Server:

  • Capacity planning guidelines

  • Selecting ISA Server features

  • Assessing client requirements

  • Interaction with other network services

Determining Services That Your Internal Clients Require

  • To improve the performance of Web requests for internal clients, use Web Proxy clients.

  • To avoid deploying client software or configuring client computers, use SecureNAT clients. SecureNAT clients do not require any software or specific configuration.

  • To improve Web performance in an environment with non-Microsoft operating systems, use SecureNAT clients. SecureNAT client requests are transparently passed to the Firewall service of the ISA Server and then to the caching service for caching.

  • To publish servers that are located on your internal network, use SecureNAT clients. Internal servers can be published as SecureNAT clients, which eliminates the need for creating special configuration settings on the publishing server. It is not recommended to set up publishing servers as Firewall clients.

  • To allow Internet access only for authenticated users, use Firewall clients. You can configure user-based access policy rules for Firewall clients.

For more information about planning ISA Server, see:

Interaction with Other Network Services

Previously, you may have used Routing and Remote Access (RRAS) in Windows 2000 Server to make network services and computers available to remote clients. ISA Server provides the remote connectivity and extends RRAS by offering more extensive and flexible security features. ISA Server packet filtering replaces RRAS packet filtering. ISA Server uses the dial-up connections that you configured for RRAS.

Similarly, you may have previously used the Internet Connection Sharing (ICS) or network address translation (NAT) features of Windows 2000 to access the Internet. ISA Server can be used instead of ICS or NAT, replacing and enhancing their functions in the organization. ISA Server provides the connectivity enabled by ICS or NAT and adds sophisticated security and caching features.

© 2009 Microsoft Corporation. All rights reserved. Terms of Use | Trademarks | Privacy Statement