Deployment Recommendations for ISA Server 2004 in a Workgroup or Domain

Microsoft® Internet Security and Acceleration (ISA) Server 2004 can be installed in workgroup mode, as part of an existing corporate domain, or in a dedicated domain that has one-way or two-way trust with the corporate domain configuration. This document reviews configuration options, the advantages and disadvantages of each type of deployment, typical scenarios, and best practice recommendations.

The following table summarizes the possible workgroup and domain configurations for ISA Server 2004 Standard Edition and ISA Server 2004 Enterprise Edition.

Version                             ISA Server firewall                                    Installation Options

ISA Server 2004 Standard Edition    Firewall computer running ISA Server services          Domain or Workgroup

ISA Server 2004 Enterprise Edition  Firewall computer running ISA Server services and      Domain or Workgroup
                                    Configuration Storage server

ISA Server 2004 Enterprise Edition  Firewall computer                                      Domain
                                    Single Configuration Storage server                    Domain

ISA Server 2004 Enterprise Edition  Firewall computer                                      Domain
                                    Single Configuration Storage server                    Workgroup

ISA Server 2004 Enterprise Edition  Firewall computer                                      Workgroup
                                    Single Configuration Storage server                    Domain

ISA Server 2004 Enterprise Edition  Firewall computer                                      Workgroup
                                    Single Configuration Storage server                    Workgroup

ISA Server 2004 Enterprise Edition  Firewall computer                                      Domain
                                    Multiple Configuration Storage servers                 Domain

ISA Server 2004 Enterprise Edition  Firewall computer                                      Workgroup
                                    Multiple Configuration Storage servers                 Domain

Deployment Scenarios

In some scenarios, domain deployment is required:

  • If you want to replicate for multiple Configuration Storage servers, they must belong to a domain.
  • Firewall client requests automatically send user credentials, and ISA Server must belong to a domain to authenticate the requests. You can authenticate outgoing Firewall client access with user accounts that are mirrored to accounts stored in the local Security Accounts Manager (SAM) on the ISA Server computer, but this requires some administrative overhead for secure management. Outgoing Web proxy requests can be authenticated against a Remote Authentication Dial-In User Service (RADIUS) server.
  • In Web publishing scenarios, domain account authentication or certificate authentication requires that ISA Server belong to a domain. For RADIUS authentication, ISA Server can belong to a domain or a workgroup.
  • When ISA Server acts as a virtual private network (VPN) server, domain account authentication or certificate authentication requires that ISA Server belong to a domain. For RADIUS authentication, ISA Server can belong to a domain or a workgroup.
  • User mapping of VPN clients enables you to map users of operating systems other than Microsoft Windows® to domain user accounts. User mapping is only supported when ISA Server is installed in a domain.

Domain and Workgroup Considerations

This section provides information about domain deployment and workgroup deployment.

Domain Deployment

A domain deployment has the following advantages:

  • When you install ISA Server as a domain member, you can lock down the ISA Server computer using Group Policy, rather than by configuring only a local policy. For more information, see ISA Server 2004 Security Hardening Guide at the Microsoft TechNet Web site and Understanding Group Policy on Windows Server 2003 at the Microsoft TechNet Web site.
  • When policy rules require users to authenticate, ISA Server can authenticate domain user accounts against an Active Directory® directory service domain controller.

In addition, in ISA Server 2004 Enterprise Edition:

  • As an array administrator, you can manage the array from any computer in the domain using your logon credentials.
  • If computers running ISA Server services and the Configuration Storage server are installed in a domain, server certificates do not need to be configured, simplifying the authentication process.
  • There is no need to manage mirror accounts for array management, monitoring, and intra-array communication. This results in a simpler deployment. When you install ISA Server in a workgroup, you must create an identical (mirrored) local user account on each array member. This account is then used by ISA Server Management to communicate with array members, particularly for monitoring and reporting purposes. You must provide the credentials of this local user each time you connect ISA Server Management to a workgroup array.

A domain deployment has the following disadvantages:

  • If Active Directory is compromised, for example by an internal attack, the firewall can also be compromised, because a user with Domain Administrator rights can administer every domain member, including computers running ISA Server. Similarly, if the firewall is compromised, the domain in which ISA Server is located is also at risk.
  • When the ISA Server array is in a domain, every domain administrator can administer ISA Server, because the Domain Admins group is by default in the Administrators group on the ISA Server array members.

Workgroup Deployment

There may be specific reasons for installing ISA Server in a workgroup, including:

  • Your existing network configuration dictates that ISA Server must be installed in workgroup mode.
  • If you do not require domain or Active Directory functionality for the ISA Server computer, you may consider installing the ISA Server computer in a workgroup for security reasons. For example, if ISA Server is protecting the edge of the network, consider installing the computer in a workgroup.

A workgroup configuration has the following advantage:

  • When ISA Server is installed in a workgroup, in the event of a firewall compromise, an attacker will have no access to the domain or to Active Directory. In addition, attacks against the domain will have no impact on ISA Server.

A workgroup configuration has the following disadvantage:

  • ISA Server can apply a firewall policy to specific users, and can authenticate user credentials against Active Directory servers (for Windows authentication). ISA Server in workgroup mode cannot access domain user accounts, and client credentials cannot be authenticated using Windows authentication. As an alternative, you can authenticate clients against a RADIUS server for forward or reverse proxy, or an RSA SecurID® server (in reverse publishing scenarios only).

ISA Server 2004 Enterprise Edition Workgroup Considerations

When installing ISA Server 2004 Enterprise Edition, you may install:

  • ISA Server array members and the Configuration Storage server in a domain.
  • ISA Server array members and the Configuration Storage server in a workgroup.
  • ISA Server array members in a domain and the Configuration Storage server in a workgroup, or ISA Server array members in a workgroup and the Configuration Storage server in a domain.

Installation of ISA Server components on a domain controller is supported. If either (or both) ISA Server array members or the Configuration Storage server are installed in workgroup mode, note the following:

  • If ISA Server array members or the Configuration Storage server are installed in a workgroup, a server certificate is required to authenticate the Configuration Storage server to the ISA Server computer.
  • Configuration Storage servers installed in a workgroup cannot be replicated. This results in a single Configuration Storage server, with no fault tolerance.
  • When the Configuration Storage server is in a workgroup, only users that are defined on the Configuration Storage server can be assigned ISA Server roles. You may want to create a local user on each workgroup array member, paralleling the user defined on the Configuration Storage computer with the required ISA Server role. When you log on to the workgroup array, you can connect to the Configuration Storage server using your logon credentials, rather than providing different credentials.
  • When the Configuration Storage server is a domain member, ISA Server roles are dependent on Windows authentication. If ISA Server array members are configured in workgroup mode, you may want to create a local user account on each workgroup array member to parallel a domain user with the required ISA Server role. This simplifies logon and connection procedures for ISA Server array members configured in workgroup mode. When you log on to the workgroup array, you can connect to the Configuration Storage server using your logon credentials, rather than providing different credentials.
  • If array members are installed in a workgroup, you must manage mirrored accounts for array management and monitoring. This involves creating mirrored user accounts on all the computers in the array. Mirrored accounts are identical local user accounts (same name and password) that you create on each array member. You use the credentials of this user account when you open ISA Server Management and want to connect to the array member. Because all array members have the same account, you also use this account so that you can manage all array members from a single instance of ISA Server Management. Intra-array communication, used for monitoring and reporting facilities, also depends on this mirrored account. Such accounts do not have to be local administrators, but if accounts and passwords are not properly maintained, this may be a security issue.
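The two bullets above (the mirrored account described under "Domain Deployment" and the fuller description here) say that a workgroup array depends on identical local accounts, same name and same password, on every array member, and that the deployment becomes a security issue when those accounts drift. The batch script below is an added example, not part of the ISA Server documentation or product: run with "set" on each array member it creates the mirrored account, or resets its password if the account already exists, using only the standard net user switches; run with "verify" from the management computer it opens and immediately closes an IPC$ session against each listed member with the mirrored credentials, so a member whose local account no longer matches is reported. The account name ISAMonitor and the member names FW1 and FW2 in the usage comments are placeholders, and the script assumes the management computer can reach the members over SMB, as ISA Server Management itself requires.

```batch
@echo off
rem Added example (not from the ISA Server documentation): keep the mirrored
rem array-management account identical on every workgroup array member.
rem   mirror-account.cmd set <account> <password>                   (run on each array member)
rem   mirror-account.cmd verify <account> <password> <member> ...   (run from the management computer)
rem Example (placeholder names): mirror-account.cmd verify ISAMonitor <password> FW1 FW2
setlocal
if /i "%~1"=="set" goto :set
if /i "%~1"=="verify" goto :verify
echo Usage: %~nx0 set ^<account^> ^<password^>
echo        %~nx0 verify ^<account^> ^<password^> ^<member^> [member ...]
exit /b 1

:set
if "%~3"=="" exit /b 1
rem Create the account if it is missing, otherwise reset its password so it
rem matches the other members. The document notes the account need not be a
rem local administrator, so it is deliberately not added to any group here;
rem assign it an ISA Server role instead.
net user "%~2" >nul 2>&1
if errorlevel 1 (
    net user "%~2" "%~3" /add /expires:never /passwordchg:no /comment:"ISA Server mirrored array management account"
) else (
    net user "%~2" "%~3"
)
if errorlevel 1 (
    echo Failed to create or update account %~2 on %COMPUTERNAME%
    exit /b 1
)
echo Mirrored account %~2 is set on %COMPUTERNAME%
exit /b 0

:verify
if "%~4"=="" exit /b 1
set ACCT=%~2
set PASS=%~3
shift
shift
shift
rem Everything left on the command line is an array member name.
set RC=0
:next
if "%~1"=="" goto :done
rem Open an IPC$ session with the mirrored credentials; a failure means this
rem member's local account name or password has drifted from the others.
net use \\%~1\IPC$ "%PASS%" /user:%~1\%ACCT% >nul 2>&1
if errorlevel 1 (
    echo MISMATCH: %~1 rejected the mirrored credentials for %ACCT%
    set RC=1
) else (
    echo OK: %~1 accepts the mirrored credentials for %ACCT%
    net use \\%~1\IPC$ /delete >nul 2>&1
)
shift
goto :next
:done
exit /b %RC%
```

Because the password is passed on the command line, it is visible to anyone who can list processes on that computer and it lands in the command history, so type the command interactively rather than storing the password in a scheduled script. Running "verify" after every password rotation turns the document's "if accounts and passwords are not properly maintained" caveat into a repeatable check: a non-zero exit code means at least one member is out of step and ISA Server Management will fail to connect to it with the shared credentials.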

For more information, see the following documents:

  • ISA Server 2004 Enterprise Edition Configuration Guide, available for download from the ISA Server Guidance Center. This document includes an overview of concepts and techniques required for installing and deploying ISA Server 2004 Enterprise Edition.
  • ISA Server 2004 Enterprise Edition in a Workgroup at the Microsoft TechNet Web site. This document provides detailed information about considerations for deploying ISA Server 2004 Enterprise Edition in workgroup mode, and walk-through installation and configuration steps for this scenario.
  • Introduction to Branch Deployment of ISA Server 2004 Enterprise Edition at the Microsoft TechNet Web site. This document describes concepts and techniques for deploying branch office scenarios.

Network Topology Considerations

ISA Server is commonly used in the following network topologies:

  • Edge configuration. This includes the following topologies:
    • ISA Server protecting the edge, with one adapter connected to the Internal network, and the other connected to the External network.
    • A back-to-back configuration, with ISA Server as the front firewall protecting the edge, with an adapter connected to the External network and an adapter connected to a perimeter network. A back-end firewall (which may be ISA Server or a third-party product) is configured between the perimeter network and the Internal network.
    • A three-legged configuration, with ISA Server configured with three network adapters connected to the Internal network, the External network, and a perimeter network.

In a topology in which ISA Server is deployed at the edge, ISA Server can be installed as a domain member or in workgroup mode. When the ISA Server computer at the edge is a domain member, we recommend that you install it in a separate forest (rather than in the internal forest of your corporate network), with a one-way trust to the corporate forest. (One-way trust is supported on Microsoft Windows Server™ 2003 domains only.) This helps protect the internal forest from being compromised, even if an attack is mounted on the forest of the ISA Server computer. There are some limitations with this deployment. For example, in this scenario, client certificate authentication is only possible for users defined in the ISA Server domain, and not for users in the corporate internal domain or forest.

  • Internal configuration. This includes the following topologies:
    • ISA Server at the back end in a back-to-back scenario. A typical back-to-back scenario, with an ISA Server computer installed at the edge and a second ISA Server computer installed at the back end, is to install the front-end ISA Server computer in workgroup mode, and the back-end server as a domain member. Installing the back-end server as a domain member enables you to authenticate requests against Active Directory. For example, you can authenticate requests for secure Web publishing servers or from remote VPN clients. In addition, you can harden the internal ISA Server computer using Group Policy for ease of management.
    • ISA Server configured with a single network adapter. In this scenario, ISA Server functions as a Web proxy or caching server. The main advantage of installing the ISA Server computer as a domain member in this scenario is the ease of use for authenticating users against Active Directory. For more information about this scenario, see Configuring ISA Server 2004 on a Computer with a Single Network Adapter at the Microsoft TechNet Web site.

For more information about workgroup authentication scenarios, see the following documents: