Feature Overview (ISA Server 2004 Getting Started Guide)

The following summary lists new and improved ISA Server 2004 features by area; each entry is marked New or Improved. More detail is provided in the sections that follow.

Multi-networking

  • Multiple network configuration (New). You can configure one or more networks, each with distinct relationships to other networks. Access policies are defined relative to the networks, and not necessarily relative to a given Internal network. Whereas in ISA Server 2000, all traffic was inspected relative to a local address table (LAT) that included only address ranges on the Internal network, ISA Server 2004 extends the firewall and security features to apply to traffic between any networks.
  • Unique per-network policies (New). The new multi-networking features of ISA Server enable you to protect your network against internal and external security threats, by limiting communication between clients even within your own organization. Multi-networking functionality supports sophisticated perimeter network (also known as a DMZ, demilitarized zone, or screened subnet) scenarios, so that you can configure how clients in different networks access the perimeter network.
  • Stateful inspection of all traffic (New). You can examine data crossing the firewall in the context of its protocol and the state of the connection, no matter the source or destination.
  • NAT and route network relationships (New). You can use ISA Server to define relationships between networks, depending on the type of access and communication allowed between the networks. In some cases, you may want more secure, less transparent communication between the networks. For these scenarios, you can define a network address translation (NAT) relationship. In other scenarios, you want to simply route traffic through ISA Server. In these cases, you can define a route relationship.
  • Network templates (New). ISA Server includes network templates, which correspond to common network topologies. You can use the network templates to configure the firewall policy for traffic between networks. When you apply a network template, ISA Server creates the necessary set of rules to allow traffic, in accordance with your specified policy.

Virtual private networking

  • VPN administration (Improved). ISA Server includes a highly integrated virtual private network (VPN) mechanism. You can administer VPN connections through ISA Server Management as you would administer physically connected networks and clients. You have the full functionality of ISA Server available for VPN connections, including monitoring, logging, and session management.
  • Stateful inspection for VPN (New). VPN clients are configured as a separate network. Therefore, you can create distinct policies for VPN clients. The rule engine checks each request from a VPN client against that policy, statefully inspecting the request and dynamically opening connections based on the access policy.
  • Interoperability with third-party VPN solutions (New). Because of support for industry standard Internet Protocol security (IPSec), ISA Server 2004 can plug into environments with existing VPN infrastructures from other vendors, including those employing IPSec tunnel mode configurations for site-to-site connections.
  • Quarantine Control (New). VPN clients can be quarantined by ISA Server in the Quarantined VPN Clients network, until their compliance with corporate security requirements is verified.

Security and firewall

  • Extensive protocol support (New). ISA Server 2004 extends ISA Server 2000 functionality, by allowing you to control access and usage of any protocol, including IP-level protocols. You can use applications such as ping and tracert, and create VPN connections using the Point-to-Point Tunneling Protocol (PPTP). In addition, Internet Protocol security (IPSec) traffic can be enabled through ISA Server.
  • Authentication (Improved). Users can be authenticated using built-in Microsoft Windows® or Remote Authentication Dial-In User Service (RADIUS) authentication types, or other namespaces. Rules can be applied to users or user groups in any namespace. Third-party vendors can use the software development kit to extend these built-in authentication types, offering additional authentication mechanisms.
  • Publishing (Improved). With ISA Server, you can place servers behind the firewall, either on the corporate network or on a perimeter network, and securely publish their services.

Cache

  • Cache rules (Improved). With the centralized cache rule mechanism of ISA Server, you can configure how objects stored in the cache are retrieved and served from the cache.

Management

  • Management (Improved). ISA Server includes new management features, making it easier to secure your networks. New user interface features include a task pane, a Help tab, an improved getting started wizard, and a new look for the firewall policy editor.
  • Export and import (New). ISA Server introduces the ability to export and import configuration information. You can use this feature to save configuration parameters to an .xml file and then import the information from the file to another server, enabling simple replication of firewall configurations for multiple site deployment.
  • Dashboard (New). A single view presents a summarized version of key monitoring information. If you note a problem, you can open detailed monitoring views for more information.
  • Log viewer (New). The ISA Server log viewer displays the firewall logs in real time. You can display logs in an online real time mode, or in a historic review mode. You can apply filtering on log fields to identify specific entries.
  • Reporting (Improved). You can generate recurring or one-time-only reports on Web usage, application usage, network traffic patterns, and security.

2.1 Multi-networking and firewall policy

Previously, the concept of an Internal network was all computers at your corporation. The External network was all computers outside your corporation, generally accessible by means of the Internet. Today’s view of the network includes users accessing their corporate networks using mobile computers, thereby making themselves virtually part of different networks. Branch offices connect to headquarters, and they want to use headquarters resources as if they are part of the network. Many corporations make their servers on the corporate network — and especially their Web servers — publicly available, but want to do so by separating those servers into a different network. The multi-networking functionality of ISA Server enables you to secure these more complex network scenarios. Multi-networking support affects most ISA Server firewall features.

You can use the multi-networking features of ISA Server to protect your network against internal and external security threats by limiting communication between clients, even within your own organization. You can define relationships between the various networks you define in ISA Server, thereby determining how computers on each network communicate with each other by way of ISA Server. You can also group computers into ISA Server network objects such as computer sets and address ranges, and configure an access policy specific to each network object.

In a common publishing scenario, you might want to isolate the published servers on their own network, such as a perimeter network. The multi-networking functionality of ISA Server supports such a scenario, so that you can configure how clients on the corporate network access the perimeter network and how clients on the Internet access the perimeter network. You can configure the relationships between the various networks, defining different access policies between each network. Configuring a perimeter network topology is made easier through network templates and network template wizards in ISA Server.

The following figure illustrates a multi-networking scenario.


In the figure, the ISA Server computer connects between the Internet (External network), the corporate network (Internal network), and the perimeter network. Three network adapters are on the ISA Server computer, each connected to one of the networks. Using ISA Server, you can configure different access policies between any pair of networks. You can determine if and how computers on each of the networks communicate with each other. Each network is isolated from the other, and is only made accessible when you configure rules to allow communication.

To implement the multi-networking scenarios, ISA Server introduces the following concepts:

  • Networks. From an ISA Server perspective, a network is a rule element that can contain one or more ranges of IP addresses and domains. A network includes one or more computers and, in most cases, corresponds to a specific network adapter on the ISA Server computer (the Local Host and VPN client networks described below are the exceptions). You can apply rules to one or more networks.
  • Network objects. Besides networks themselves, rules can reference other network objects: network sets (groups of networks), subnets, address ranges, computer sets, URL sets, and domain name sets. Rules can be applied to networks or to network objects.
  • Network rules. You can configure network rules to define and describe a network topology. Network rules determine if there is connectivity between two networks, and what type of connectivity will be allowed. Networks can be connected in one of the following ways: network address translation (NAT) or route.

2.1.1 Networks and network objects

Networks include one or more computers, typically corresponding to a physical network, defined by ranges of IP addresses. Network objects are any group of computers that you define, for example, single networks, network sets of two or more networks, or computer sets for which you want to create distinct access rules. You can apply rules to one or more networks or network objects, or to all addresses except those in the specified network or network object. Each network adapter on the computer can be mapped to a single network. You can establish the types of ISA Server clients that are supported on a particular network: Firewall, Web Proxy, or both.

ISA Server comes preconfigured with the following networks:

  • External. This network includes all computers (IP addresses) that are not associated with any other network. The default External network cannot be deleted.
  • Internal. Upon installation, this network includes all computers (IP addresses) associated with the internal network address card on the ISA Server computer.
  • Local Host. This network represents the ISA Server computer. The Local Host network cannot be modified or deleted.
  • Quarantined VPN Clients. This network contains addresses of VPN clients that have not yet been approved to access the corporate network. Typically, computers in this network are allowed limited access to the corporate network.
  • VPN Clients. This network contains addresses of VPN clients that are currently connected. It is dynamically updated as VPN clients connect or disconnect from the ISA Server computer. The VPN Clients network cannot be deleted.

The Local Host, VPN Clients, and External networks are built-in networks, which cannot be deleted or created by the user. The Internal network is a predefined network, which is created upon installation, and it can be modified or deleted.

Network sets can be configured to include specific networks. Alternatively, network sets can be defined to not include (that is, exclude) specific networks.

These rules can be applied to networks, network sets, or network objects:

  • Network rules
  • Access rules
  • Publishing rules

For access rules, you specify a destination network and a source network to which the rule is to be applied. The source network indicates which networks are allowed or denied access to the specified destination networks. For server publishing rules, you specify a source network, which is allowed access to a specific computer.

2.1.2 Network rules

Network rules define and describe a network topology. Network rules determine if there is connectivity between two networks, and what type of connectivity is defined. Networks can be connected in one of the following ways:

  • Network address translation (NAT). When you specify this type of connection, ISA Server replaces the IP address of the client on the source network with its own IP address. NAT network rules might be used when defining a relationship between your Internal network and the External network.
  • Route. When you specify this type of connection, client requests from the source network are directly relayed to the destination network. The source client address is included in the request. A route network rule might be used when you publish a server located on the perimeter network.

Route network relationships are bidirectional: if a route relationship is defined from network A to network B, a route relationship also exists from network B to network A. NAT relationships, by contrast, are unidirectional and unique to a pair of networks: once a NAT relationship is defined from network A to network B, no relationship from B to A takes effect. You can still create a later network rule for the reverse direction, but ISA Server processes network rules in order and ignores that second rule.

Upon installation, the following default rules are created:

  • Local Host Access. This rule defines a route relationship between the Local Host network and all other networks.
  • VPN Clients to Internal Network. This rule defines a route relationship between the two VPN client networks (VPN Clients and Quarantined VPN Clients) and the Internal network.
  • Internet Access. This rule defines a NAT relationship between the Internal network and the External network.

Network rules are processed in order: for each pair of source and destination networks, the first network rule that applies to the pair determines the relationship.
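The following is an added example, not code from the ISA Server documentation or product: a small Python model of how the networks and network rules described in 2.1.1 and 2.1.2 combine. It takes the three default rules listed above literally, treats the External network as every address not claimed by another network, and shows the two points that trip people up in practice: a route relationship works in both directions, while a NAT relationship works only in the direction it was defined, so a later rule for the reverse direction is ignored. The address ranges, the perimeter network, the ISA Server addresses and the first-match evaluation order are assumptions made for the illustration.

```python
"""Model of ISA Server 2004 network-rule evaluation (added example, not ISA code)."""
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed sample topology. Local Host is listed first so the ISA Server
# computer's own addresses resolve to that network rather than to the
# network each adapter sits on. External is implicit: everything else.
NETWORKS: Dict[str, List[str]] = {
    "Local Host": ["10.0.0.1/32", "192.168.100.1/32", "203.0.113.1/32"],
    "Internal": ["10.0.0.0/8"],
    "Perimeter": ["192.168.100.0/24"],
    "VPN Clients": ["172.16.0.0/24"],
    "Quarantined VPN Clients": ["172.16.1.0/24"],
}

# ISA Server's own address on each network (assumed), used for NAT.
ISA_ADDRESS_ON: Dict[str, str] = {
    "External": "203.0.113.1", "Internal": "10.0.0.1", "Perimeter": "192.168.100.1",
}

# (name, relationship, source networks, destination networks); "*" = all networks.
NetworkRule = Tuple[str, str, List[str], List[str]]

# The three default rules from the text above.
DEFAULT_RULES: List[NetworkRule] = [
    ("Local Host Access", "route", ["Local Host"], ["*"]),
    ("VPN Clients to Internal Network", "route",
     ["VPN Clients", "Quarantined VPN Clients"], ["Internal"]),
    ("Internet Access", "nat", ["Internal"], ["External"]),
]


def network_of(addr: str) -> str:
    """Return the ISA network containing addr; External if no network claims it."""
    ip = ip_address(addr)
    for name, ranges in NETWORKS.items():
        if any(ip in ip_network(r) for r in ranges):
            return name
    return "External"


def _matches(rule_nets: List[str], net: str) -> bool:
    return "*" in rule_nets or net in rule_nets


def relationship(src: str, dst: str, rules: List[NetworkRule] = DEFAULT_RULES) -> Optional[str]:
    """Relationship applied to traffic from src to dst: "route", "nat", or None.

    Rules are evaluated in order and the first rule covering the pair decides
    (assumed first-match semantics). A route rule covers both directions. A NAT
    rule covers only its own direction; if it matches in reverse, the pair is
    already governed by that NAT rule, so later rules for the pair are ignored
    and the reverse direction gets no relationship of its own.
    """
    s, d = network_of(src), network_of(dst)
    if s == d:
        return "route"  # same network: the traffic does not cross ISA Server
    for _name, kind, sources, dests in rules:
        forward = _matches(sources, s) and _matches(dests, d)
        reverse = _matches(sources, d) and _matches(dests, s)
        if forward:
            return kind
        if reverse:
            return kind if kind == "route" else None
    return None


def source_seen_by_destination(src: str, dst: str,
                               rules: List[NetworkRule] = DEFAULT_RULES) -> Optional[str]:
    """Source address the destination sees: the client's own address over a
    route relationship, ISA Server's address on the destination network over
    NAT, and None when no network rule connects the two networks."""
    rel = relationship(src, dst, rules)
    if rel == "route":
        return src
    if rel == "nat":
        return ISA_ADDRESS_ON[network_of(dst)]
    return None


# A perimeter network only becomes reachable once a rule connects it.
PERIMETER_RULES: List[NetworkRule] = DEFAULT_RULES + [
    ("Perimeter Access", "route", ["Internal"], ["Perimeter"]),
]

# A reverse rule added after the NAT rule is ignored, as the text describes.
IGNORED_REVERSE_RULES: List[NetworkRule] = DEFAULT_RULES + [
    ("Reverse (ignored)", "route", ["External"], ["Internal"]),
]
```

With the default rules, an Internal client reaching the Internet is presented as ISA Server's external address, while the reverse direction has no relationship of its own; an Internal client cannot reach the perimeter network at all until a rule such as the one in PERIMETER_RULES is added, after which the perimeter can also reach Internal because the relationship is route.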

2.2 System policy

When you install ISA Server, a default system policy is created. The system policy defines access rules between the ISA Server computer and the networks connected to it, for specific resource access.

Note

All of the system policy categories are enabled by default when you install ISA Server, with the policy applied specifically to the Internal network. You can modify the settings of the system policy. We recommend that you disable the categories of the system policy that you do not require in your configuration of ISA Server.

The system policy contains the following categories:

  • Network Services
  • Authentication Services
  • Remote Management
  • Firewall Client
  • Diagnostic Services
  • Logging
  • Remote Monitoring
  • Various

When you enable or disable a system policy configuration group or an item under a configuration group, ISA Server enables or disables the related system policy access rules.

2.3 VPN integration

ISA Server helps you set up and secure a virtual private network (VPN). A VPN is a collection of computers that are connected to the corporate network securely from remote locations on the Internet. With a VPN, you can send data between two computers across a shared or public network in a manner that emulates a point-to-point private link.

VPN connections allow users who work at home or other remote sites to obtain a remote access connection to an organization server, using the infrastructure provided by a public internetwork, such as the Internet. From the user’s perspective, the VPN is a point-to-point connection between the computer (the VPN client) and an organization server (the ISA Server computer). The exact infrastructure of the shared or public network is irrelevant, because it appears as if the data is sent over a dedicated private link.

VPN connections also allow organizations to have routed connections with other organizations over a public internetwork, such as the Internet, while maintaining secure communications (for example, between offices that are geographically separate). A routed VPN connection across the Internet logically operates as a dedicated wide area network (WAN) link.

There are two types of VPN connections:

  • Remote access VPN connection. A client makes a remote access VPN connection that connects to a private network. ISA Server provides access to the entire network to which the VPN server is attached.
  • Site-to-site VPN connection. A VPN server makes a site-to-site VPN connection that connects two portions of a private network securely. ISA Server provides a connection to the network to which the ISA Server computer is attached.

By using the ISA Server computer as the VPN server, you benefit by protecting your corporate network from malicious VPN connections. Because the VPN server is integrated into the firewall functionality, VPN users are subject to the ISA Server access policy defined for the preconfigured VPN Clients network. All VPN clients belong to the VPN Clients network, and they are allowed access to resources on the Internal network in accordance with a predefined policy.

Although the VPN users are virtually part of the Internal network address range, they are not necessarily subject to the Internal network’s access policy, as you configured it for ISA Server. Special rules can be configured to allow users access to network resources.

Because an access policy can be configured for the VPN Clients network, VPN clients are subject to the same stateful inspection mechanisms as any client communicating between networks through ISA Server.

All VPN connections to the ISA Server computer are logged to the Firewall log. This enables you to audit VPN connections.

When you configure the VPN, you can set aside a pool of static IP addresses for the VPN users’ computers. When a VPN client connects to the local network, it is assigned an IP address from this address pool. Alternatively, you can choose to have IP addresses assigned to VPN clients dynamically, by a Dynamic Host Configuration Protocol (DHCP) server. The IP address is added to the VPN Clients network.

Additionally, you can enable quarantine mode for VPN. By enabling quarantine mode, you ensure that a client is checked for compliance with corporate software policy before it is allowed to join the VPN Clients network, typically with unlimited access to the Internal network. Quarantine Control provides phased network access for remote (VPN) clients by restricting them to a quarantine mode before actually allowing them access to the network. After the client computer configuration is either brought into or determined to be in compliance with your organization’s specific quarantine restrictions, standard VPN policy is applied to the connection in accordance with the type of quarantine you specify. Quarantine restrictions might specify, for example, that specific antivirus software is installed and enabled while connected to your network. Although Quarantine Control does not protect against attackers, computer configurations for authorized users can be verified and, if necessary, corrected before they can access the network. A timer setting is also available, which you can use to specify an interval at which the connection is dropped if the client fails to meet configuration requirements. For more information, see the document VPN Roaming Clients in ISA Server 2004 (https://go.microsoft.com/fwlink/?LinkId=20612).

You can create two different policies for each of the VPN client networks:

  • Quarantined VPN Clients network. You restrict access to the servers from which the client can download necessary updates to achieve compliance with your software policy.
  • VPN Clients network. You can allow access to all corporate (Internal network) resources, or restrict access as appropriate. The VPN Clients network will have a NAT relationship with the External network. A network rule defining a NAT relationship between the VPN network and the External network will be configured.
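The quarantine life cycle described above, as an added example that is not part of the ISA Server documentation or product: a Python model in which a connecting client starts in the Quarantined VPN Clients network, where only the update servers it needs are reachable; moves to the VPN Clients network once it reports compliance; and is dropped if the quarantine timer expires first. The timeout value, the update server and Internal network addresses, and the two access policies are assumed; how a real client proves compliance (the quarantine type the text refers to) is not modelled.

```python
"""Model of ISA Server 2004 VPN Quarantine Control (added example, not ISA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional, Set

QUARANTINE_TIMEOUT = timedelta(minutes=5)               # assumed timer setting
UPDATE_SERVERS: Set[str] = {"10.0.0.20", "10.0.0.21"}   # assumed update servers
INTERNAL_PREFIX = "10.0.0."                              # constructed Internal network

QUARANTINED = "Quarantined VPN Clients"
VPN_CLIENTS = "VPN Clients"


@dataclass
class VpnSession:
    """One connected VPN client and the ISA network it currently belongs to."""
    client_ip: str
    connected_at: datetime
    network: str = QUARANTINED          # every new connection starts quarantined
    dropped: bool = False
    compliant_at: Optional[datetime] = None


def _timer_expired(session: VpnSession, now: datetime) -> bool:
    return now - session.connected_at > QUARANTINE_TIMEOUT


def on_compliance_report(session: VpnSession, compliant: bool, now: datetime) -> str:
    """Handle the client's compliance result; returns the network it ends up in.

    A compliant client moves to VPN Clients and gets the standard VPN policy.
    A non-compliant client stays quarantined so it can fetch updates and retry.
    A report that arrives after the timer expired is too late: the connection
    is dropped (returned as "disconnected").
    """
    if session.dropped:
        return "disconnected"
    if _timer_expired(session, now):
        session.dropped = True
        return "disconnected"
    if compliant:
        session.network = VPN_CLIENTS
        session.compliant_at = now
    return session.network


def enforce_timer(session: VpnSession, now: datetime) -> bool:
    """Drop a client still quarantined after the timeout; True if still connected."""
    if not session.dropped and session.network == QUARANTINED and _timer_expired(session, now):
        session.dropped = True
    return not session.dropped


def access_allowed(session: VpnSession, destination_ip: str) -> bool:
    """Access policy for the two VPN client networks (assumed policies):
    quarantined clients reach only the update servers, clients in the
    VPN Clients network reach the whole Internal network."""
    if session.dropped:
        return False
    if session.network == QUARANTINED:
        return destination_ip in UPDATE_SERVERS
    return destination_ip.startswith(INTERNAL_PREFIX)
```

Note that nothing here authenticates the client; as the text says, Quarantine Control verifies the configuration of an already-authorized user rather than defending against attackers, so a hostile client can simply claim compliance and the access rules for the VPN Clients network are what actually limit it.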

2.4 Users and authentication

With the new ISA Server functionality, you can apply access policy to Windows users or to users authenticated by different authentication mechanisms (namespaces), such as Remote Authentication Dial-In User Service (RADIUS). ISA Server supports the following authentication mechanisms:

  • Web Proxy clients. Basic authentication (using Active Directory® directory service or RADIUS), Digest authentication, Integrated Windows authentication, or certificates.
  • VPN clients. Challenge Handshake Authentication Protocol (CHAP), Microsoft Challenge Handshake Authentication Protocol (MS-CHAP), MS-CHAP version 2, Extensible Authentication Protocol (EAP), and RADIUS.
  • Firewall clients. Kerberos or NTLM.

ISA Server features an authentication extensibility mechanism that allows third-party vendors to implement additional authentication schemes.

You can use ISA Server to apply access policy or publishing policy to specific users or IP addresses. Users can be grouped into user sets, and rules can be applied to user sets. When you create a user set, you can add Windows, RADIUS, and SecurID users to the set. You can then apply access rules to that set.

2.5 Cache

With cache rules, you can specify the types of content stored in the cache, and how objects are served from the cache. Depending on your organization’s needs, cache rules can be applied to content from all sites or to specified sites, and to all content or limited to specified content types. In addition, you can limit the amount of time that objects are considered valid, and the way cache rules handle expired objects.

By default, an object is stored in the cache only if its source and request headers indicate to do so. However, you can specify which objects are stored based on the following options:

  • Never, no content will ever be cached. This option disables caching for this rule.
  • If source and request headers indicate to cache. An object is stored in cache if indicated by the headers.

If you select the second option, you can also choose to cache the following:

  • Dynamic content. If content is dynamic, objects will be cached, regardless of the response headers.
  • Content for offline browsing. This includes 302 and 307 responses.
  • Content requiring user authentication for retrieval. Authentication from the user is required.

With cache rules configuration, you can define whether caching will be enabled for Hypertext Transfer Protocol (HTTP), File Transfer Protocol (FTP), and Secure Sockets Layer (SSL) responses. In addition, you can configure the cache rule to limit cached content according to file size.

Cached HTTP and FTP objects expire according to Time to Live (TTL) settings. For HTTP objects, expiration is configured based on TTL, defined in the response header, and the TTL boundaries defined in the cache rule. TTL boundaries are calculated as a percentage of content age, which is the amount of time since an object was created or modified. FTP objects expire according to the TTL defined for FTP objects in the cache rule.

As part of the cache rules configuration, you can define how objects stored in the cache are retrieved and served from the cache. Before ISA Server determines how the request will be routed, as defined in the network routing rules, ISA Server checks whether a valid copy of the object exists in the cache. An object is considered valid if its TTL period did not expire, as specified in the HTTP caching properties or on the object itself. Depending on how you configure the routing rule’s cache properties, ISA Server will retrieve the object from the cache. You can configure ISA Server to do one of the following:

  • Retrieve an object from the cache, only if the object is still valid. If an object is not valid, the request is routed to the server and retrieved.
  • Retrieve an object from the cache, regardless of whether the object is still valid or not. If there is no version of the object in the cache, the request is routed to the server.
  • Never route the request. If no version of the object is found in the cache, an error page is returned.

Cache rules are ordered, with the default cache rule processed last. For each new connection, the ISA Server computer processes the cache rules in order (that is, the first rule is processed first). If the request matches the conditions specified by the rule, the request is routed, redirected, and cached accordingly. Otherwise, the next rule is processed. This continues until the last, default rule is processed, and applied to the request.

When you install ISA Server, it configures a default cache rule. The default rule is initially configured so that only valid, requested objects will be retrieved from the ISA Server cache. If the object in the cache is not valid, it will be retrieved directly from the Internet. You cannot modify how the default cache rule retrieves objects.
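The cache behaviour described in this section, as an added example that is not code from the ISA Server documentation or product: a Python model of ordered cache rules with a default rule last, of the three retrieval options (valid objects only, any cached version, never route), and of TTL calculation from the response headers and the rule's TTL boundaries (a percentage of content age, clamped between a minimum and a maximum). The percentage and bounds, the URL patterns, the clock value and the origin responses are constructed for the illustration, and the choice to let an explicit max-age or Expires header override the computed boundaries is an assumption rather than a statement of ISA Server's exact precedence.

```python
"""Model of ISA Server 2004-style cache rules (added example, not ISA code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class CacheRule:
    name: str
    sites: List[str]            # URL prefixes the rule applies to; "*" = all sites
    retrieval: str              # "valid-only" | "any-version" | "never-route"
    ttl_percent: float = 0.20   # TTL = this fraction of content age ... (assumed)
    ttl_min: timedelta = timedelta(minutes=15)  # ... but no less than this
    ttl_max: timedelta = timedelta(days=1)      # ... and no more than this

    def matches(self, url: str) -> bool:
        return any(s == "*" or url.startswith(s) for s in self.sites)


@dataclass
class CachedObject:
    body: bytes
    stored_at: datetime
    ttl: timedelta

    def is_valid(self, now: datetime) -> bool:
        return now < self.stored_at + self.ttl


def compute_ttl(rule: CacheRule, headers: Dict[str, str], now: datetime) -> timedelta:
    """TTL of an object fetched at `now`. An explicit max-age or Expires header
    is honoured as-is (assumption); otherwise the TTL is the rule's percentage
    of the content age (time since Last-Modified), clamped to the rule's bounds."""
    for directive in headers.get("Cache-Control", "").split(","):
        directive = directive.strip()
        if directive.startswith("max-age="):
            return timedelta(seconds=int(directive[len("max-age="):]))
    if "Expires" in headers:
        return parsedate_to_datetime(headers["Expires"]) - now
    if "Last-Modified" in headers:
        age = now - parsedate_to_datetime(headers["Last-Modified"])
        return max(rule.ttl_min, min(rule.ttl_max, age * rule.ttl_percent))
    return rule.ttl_min


def select_rule(url: str, rules: List[CacheRule], default: CacheRule) -> CacheRule:
    """Ordered evaluation: the first matching rule wins, the default rule is last."""
    return next((r for r in rules if r.matches(url)), default)


Fetcher = Callable[[str], Tuple[Dict[str, str], bytes]]


def serve(url: str, cache: Dict[str, CachedObject], rules: List[CacheRule],
          default: CacheRule, now: datetime, fetch: Fetcher) -> Tuple[str, Optional[bytes]]:
    """Answer a request; returns (source, body) with source "cache", "origin" or "error"."""
    rule = select_rule(url, rules, default)
    obj = cache.get(url)
    # "any-version" and "never-route" both serve a cached copy even if expired.
    if obj is not None and (obj.is_valid(now) or rule.retrieval != "valid-only"):
        return "cache", obj.body
    if rule.retrieval == "never-route":
        return "error", None            # nothing cached and routing is forbidden
    headers, body = fetch(url)
    cache[url] = CachedObject(body, now, compute_ttl(rule, headers, now))
    return "origin", body


# Constructed clock and origin responses (no network access).
NOW = datetime(2008, 2, 27, 12, 0, tzinfo=timezone.utc)
ORIGIN: Dict[str, Tuple[Dict[str, str], bytes]] = {
    "http://intranet.example/news": ({"Last-Modified": "Wed, 27 Feb 2008 02:00:00 GMT"}, b"news"),
    "http://updates.example/av.dat": ({"Cache-Control": "max-age=60"}, b"signatures"),
}


def fake_origin(url: str) -> Tuple[Dict[str, str], bytes]:
    return ORIGIN[url]


RULES = [CacheRule("Offline intranet", ["http://intranet.example/"], "any-version")]
DEFAULT = CacheRule("Default rule", ["*"], "valid-only")


def demo() -> List[str]:
    """Where each request is answered from: intranet page served stale after its
    2 h computed TTL, update file refetched once its 60 s max-age has passed."""
    cache: Dict[str, CachedObject] = {}
    news, av = "http://intranet.example/news", "http://updates.example/av.dat"
    return [
        serve(news, cache, RULES, DEFAULT, NOW, fake_origin)[0],
        serve(news, cache, RULES, DEFAULT, NOW + timedelta(hours=3), fake_origin)[0],
        serve(av, cache, RULES, DEFAULT, NOW, fake_origin)[0],
        serve(av, cache, RULES, DEFAULT, NOW + timedelta(seconds=30), fake_origin)[0],
        serve(av, cache, RULES, DEFAULT, NOW + timedelta(seconds=90), fake_origin)[0],
    ]
```

The "any-version" and "never-route" options are where a caching proxy can quietly serve content the origin has since replaced, so they belong on rules scoped to specific sites rather than on a catch-all rule, which is consistent with the default rule being fixed to serve only valid objects.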

2.6 Configuration export and import

ISA Server includes an export and import feature that you can use to save the server configuration parameters to an .xml file, and then import the information from the file to another server. You can save your configuration to any directory and file name for which you have write permissions.

When a configuration is exported, all general configuration information is exported by default. This includes access policy rules, publishing rules, rule elements, alert configuration, cache configuration, and ISA Server properties. Some server specific configuration information can be exported, if you select to do so. In addition, you can select to export user permission settings and confidential information, such as user passwords. Confidential information included in the exported file is encrypted. When importing the file, a password is required to open and decrypt this information. This password is set during the export process.

When you export a specific object, the following is exported:

  • The specified object, including all property values.
  • All descendant objects that are contained within the hierarchy, starting at the specified object.

For example, if you export an access rule, the network objects and user sets used in the creation of that rule are also exported, and will be imported when you later import the rule.

[Topic Last Modified: 02/27/2008]