Deploying ISA Server Arrays with Active Directory

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated : December 11, 2003

On This Page

Overview
Extending the Schema
Storage and Replication Requirements
ISA Server Permissions
Authenticating Users on ISA Server Rules

Overview

When you install Microsoft® Internet Security and Acceleration (ISA) Server as an array member, the Microsoft Active Directory® directory service must be available in the domain to which the ISA Server computer belongs, and all ISA Server configuration information is saved to Active Directory. All ISA Server computers in the array share a common configuration, which eases management and improves response times because load is distributed across the array members. You can also configure an enterprise policy and apply it to arrays, allowing centralized management of multiple arrays. To install ISA Server as an array member, the computer must belong to a Windows® 2000 Server or Windows Server™ 2003 domain. We do not recommend installing ISA Server on a domain controller.

Before installing ISA Server in array mode, the ISA Server schema extensions must be imported into Active Directory. ISA Server includes an Enterprise Initialization tool for this, available from Setup. After the ISA Server schema is imported, all subsequent ISA Server installations on computers in the forest can use it; you do not have to import the schema again. The Active Directory import file is on the ISA Server CD at isa\schema.ldif and includes both the Enterprise and the Array schema extensions.

Extending the Schema

ISA Server uses the base schema objects provided by Active Directory, such as domains, computers, and users, and adds its own classes and attributes to the schema. ISA Server does not extend any native Active Directory class with additional ISA Server properties.

ISA Server stores configuration information in Active Directory, and writes to Active Directory only when you change configuration items such as rules or policy elements. ISA Server logging, reporting, and monitoring do not require Active Directory read/write permission.
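Before importing any vendor schema extension, a practitioner will want to confirm the property just stated: that the LDIF only adds new classSchema and attributeSchema objects under the Schema container and does not modify classes that Active Directory itself ships. The following checker is an added example, not ISA Server code and not the contents of isa\schema.ldif; the LDIF records and the ms-Example-* names in it are constructed for illustration, and the `schemaUpdateNow` modify against the rootDSE is included because real schema import files carry one to flush the schema cache.

```python
"""Audit a schema-extension LDIF before importing it into Active Directory.

Added example: the LDIF below is constructed and the ms-Example-* names are
hypothetical; it is not the contents of ISA Server's isa\\schema.ldif.
The check enforces the property described in the text: a well-behaved
extension adds its own classes and attributes and does not modify classes
that Active Directory ships with.
"""
import re

# Constructed sample LDIF. The empty-DN "schemaUpdateNow" modify targets the
# rootDSE to flush the schema cache; it touches no class definition, so the
# audit reports it as "other" rather than as a native-class modification.
SAMPLE_LDIF = """\
dn: CN=ms-Example-Array-Name,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: attributeSchema
lDAPDisplayName: msExampleArrayName
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=ms-Example-Array,CN=Schema,CN=Configuration,DC=X
changetype: add
objectClass: classSchema
lDAPDisplayName: msExampleArray
subClassOf: top
possSuperiors: container
mayContain: msExampleArrayName

dn:
changetype: modify
add: schemaUpdateNow
schemaUpdateNow: 1
-

dn: CN=Computer,CN=Schema,CN=Configuration,DC=X
changetype: modify
add: mayContain
mayContain: msExampleArrayName
-
"""


def parse_ldif(text):
    """Return a list of (dn, changetype, attrs) tuples.

    Handles folded continuation lines (leading space) and blank-line
    separated records. Values are collected as lists per attribute name.
    A record without an explicit changetype is treated as an add.
    """
    records = []
    unfolded = re.sub(r"\n ", "", text)          # join folded lines
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        dn, changetype, attrs = None, "add", {}
        for line in block.splitlines():
            if not line or line.startswith("#") or line == "-":
                continue
            name, _, value = line.partition(":")
            name, value = name.strip().lower(), value.strip()
            if name == "dn":
                dn = value
            elif name == "changetype":
                changetype = value.lower()
            else:
                attrs.setdefault(name, []).append(value)
        records.append((dn, changetype, attrs))
    return records


def audit_schema_ldif(text, vendor_prefix):
    """Classify each record as 'adds', 'modifies_native' or 'other'.

    vendor_prefix is the CN prefix the vendor uses for its own schema
    objects (assumed 'ms-Example-' for the sample). Any 'modify' against a
    schema object whose CN does not carry that prefix is flagged, because it
    would change a class or attribute that Active Directory itself ships.
    """
    adds, modifies_native, other = [], [], []
    for dn, changetype, attrs in parse_ldif(text):
        cn = dn.split(",")[0][3:] if dn and dn.upper().startswith("CN=") else ""
        in_schema = ",CN=SCHEMA," in dn.upper() if dn else False
        if changetype == "add" and in_schema:
            adds.append(cn)
        elif changetype == "modify" and in_schema and not cn.startswith(vendor_prefix):
            modifies_native.append(cn)
        else:
            other.append(dn or "<rootDSE>")
    return {"adds": adds, "modifies_native": modifies_native, "other": other}


if __name__ == "__main__":
    report = audit_schema_ldif(SAMPLE_LDIF, "ms-Example-")
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the constructed sample, the report lists the two ms-Example-* additions, flags the modify against CN=Computer as a change to a native class, and files the rootDSE record under "other". A file that produces a non-empty `modifies_native` list deserves a closer look before it reaches the schema master, because schema changes replicate forest-wide and cannot be undone by deleting the object.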

ISA Server stores information in the following Active Directory partitions:

  • ISA Server enterprise policies and objects are stored in the Configuration partition, making enterprise information global to all domains in the forest.

  • ISA Server domain array objects are stored in the Domain partition, which is replicated to all domain controllers in a domain.

  • ISA Server stores some array property information in the global catalog (approximately 200 bytes per array).

The following table provides details of some of the more important ISA Server Active Directory objects.

Object                         Partition              Storage                     Details
-----------------------------  ---------------------  --------------------------  -----------------------------------------------------------------------------------------------
Enterprise Root object         Configuration          <1 kilobyte (KB)            Root ISA Server object that contains all Enterprise configuration information in Active Directory.
Domain Root object             Domain                 <1 KB                       Root ISA Server object that contains all Array configuration information within this domain.
Array object                   Domain                 1–5 KB                      Array root object (under the Domain Root object); holds array properties such as name,
                                                                                  description, and ACL, with all the array configuration information beneath it.
Access rule object             Domain/Configuration   1–5 KB                      Enterprise Policy and Domain Policy levels.
Protocol rule object           Domain/Configuration   1–5 KB                      Enterprise Policy and Domain Policy levels.
Web publishing rule object     Domain                 1–5 KB                      Domain Policy level.
Server publishing rule object  Domain                 1–5 KB                      Domain Policy level.
Routing rule object            Domain                 1–5 KB                      Domain Policy level.
Bandwidth rule object          Domain                 1–5 KB                      Domain Policy level.
Protocol definition object     Domain                 <1 KB                       Approximately 170 protocol definitions in total.
Destination set object         Domain/Configuration   Number of URLs × 150 bytes  Enterprise Policy and Domain Policy levels.

For details about each object or attributes, see https://www.microsoft.com/isaserver/techinfo/schemadoc.xml.

Storage and Replication Requirements

ISA Server configuration information is replicated as follows:

ISA Server objects in the Configuration container are replicated to all domain controllers in the forest, like all other Configuration container objects. Note that replication latency between sites (and therefore between domains) can be a few days, depending on the network and replication topology.

ISA Server objects in the Domain container are replicated to all domain controllers in that domain only.

The following table lists upper bounds on the Active Directory storage and replication traffic that ISA Server generates for some typical tasks. Each cell gives storage / replication.

Action                                              Domain partition     Configuration partition   Global catalog
--------------------------------------------------  -------------------  ------------------------  -------------------
Install ISA Server                                  1 MB / 1 MB          1 MB / 1 MB               1 MB / 1 MB
Create a domain array                               0.5 MB / 1 MB        0.5 MB / 1 MB             0.5 MB / 1 MB
Add an additional computer to an array              <100 KB / <100 KB    None                      None
Create a protocol rule using an Enterprise-level    None                 <10 KB / <10 KB           None
  policy element
Create a protocol rule using an Array-level         <10 KB / <10 KB      None                      None
  policy element
Logging, reporting, monitoring                      None                 None                      None

ISA Server Permissions

The table below lists the permissions required for some common array tasks.

Action                         Full permissions
-----------------------------  ----------------------------------------------------------------------------------------------
Install schema                 Enterprise Admin
Install array                  Domain Admin
Add an ISA Server to an array  Domain Admin
Modify enterprise policy       Enterprise Admin, or a domain account with permissions on the Array
Modify array policy            Enterprise Admin, Domain Admin, local Administrator, or a domain account with permissions on
                               the Array object

To delegate permission for other domain accounts to install the first array in a domain, create new arrays, or join an ISA Server computer to an existing array, you should install a hotfix that modifies ACL settings on newly created objects. For instructions and more information, see KB article 318859 (https://go.microsoft.com/fwlink/?LinkId=21534).

To allow other domain accounts to modify array, enterprise, and enterprise policy objects, you can delegate permissions in the ISA Management console. For example, to delegate permission for array policy, do the following:

  1. In the console tree of ISA Management, right-click the applicable array and then click Properties.

  2. On the Security tab, to give additional users or groups permission to modify the array configuration, select the user or group you want to change and then, in Permissions, select the appropriate check boxes: Read or Full Control.

Authenticating Users on ISA Server Rules

The process of reading ISA Server rules from Active Directory, and authenticating users on those rules is as follows:

  1. ISA Server asks a client to authenticate as necessary. For Firewall clients, this happens without looking at access rules. For Web Proxy requests, the client is authenticated if any rule requires authentication.

  2. Rule attributes, including the user access attributes, are saved in Active Directory as a single binary large object. When ISA Server reads the rule, no additional Active Directory queries are needed, such as resolving a user name to a security identifier (SID).

  3. ISA Server matches users specified on the rule with the user authentication information, to check whether the user can access the rule.

  4. Authenticating many users against many rules imposes no special load. The overhead of reading the binary large object is negligible; the only significant cost is the client authentication itself.
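The security-relevant point in steps 2 to 4 is that rule evaluation compares identifiers that are already present on both sides: SIDs from the client's authenticated token against SIDs stored in the rule, with no directory round trip per user or per rule. The following is an added example modelling that, not ISA Server code: it encodes and decodes the standard Windows binary SID layout (revision, sub-authority count, 48-bit big-endian identifier authority, little-endian 32-bit sub-authorities) and matches a token against a rule blob. The blob framing (a one-byte entry count followed by concatenated SIDs), the domain SID and the RIDs are constructed assumptions and are not the real ISA attribute format.

```python
"""Match an authenticated user's token against a rule's stored SID list.

Added example, not ISA Server code. Binary SIDs use the standard Windows
layout (revision, sub-authority count, 48-bit big-endian identifier
authority, little-endian 32-bit sub-authorities). The surrounding blob
layout (a one-byte entry count followed by concatenated SIDs) is a
constructed assumption, not the real ISA attribute format.
"""
import struct


def sid_to_bytes(sid):
    """Encode 'S-1-5-21-...' into the Windows binary SID layout."""
    parts = sid.split("-")
    if parts[0] != "S" or len(parts) < 4:
        raise ValueError("not a SID string")
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    if not (0 < len(subs) <= 15):
        raise ValueError("a SID carries 1..15 sub-authorities")
    out = struct.pack("BB", revision, len(subs))
    out += authority.to_bytes(6, "big")
    out += b"".join(struct.pack("<I", s) for s in subs)
    return out


def bytes_to_sid(data, offset=0):
    """Decode one binary SID at offset; return (sid_string, bytes_consumed)."""
    if offset + 8 > len(data):
        raise ValueError("truncated SID header")
    revision, count = data[offset], data[offset + 1]
    if revision != 1 or not (0 < count <= 15):
        raise ValueError("malformed SID header")
    authority = int.from_bytes(data[offset + 2:offset + 8], "big")
    need = 8 + 4 * count
    if offset + need > len(data):
        raise ValueError("truncated SID")
    subs = struct.unpack_from("<%dI" % count, data, offset + 8)
    return "S-%d-%d-%s" % (revision, authority, "-".join(map(str, subs))), need


def pack_rule_users(sids):
    """Constructed blob layout: entry count byte, then concatenated SIDs."""
    return bytes([len(sids)]) + b"".join(sid_to_bytes(s) for s in sids)


def unpack_rule_users(blob):
    """Inverse of pack_rule_users; rejects a blob whose count disagrees with its length."""
    count, offset, sids = blob[0], 1, []
    for _ in range(count):
        sid, used = bytes_to_sid(blob, offset)
        sids.append(sid)
        offset += used
    if offset != len(blob):
        raise ValueError("trailing bytes after last SID")
    return sids


def rule_allows(rule_blob, token_sids):
    """True if any SID in the token (user or group) appears in the rule.

    Pure set intersection on SIDs already present in both inputs: this is
    why evaluating many rules for many users costs no directory queries.
    """
    return bool(set(unpack_rule_users(rule_blob)) & set(token_sids))


# Constructed sample: a rule granting access to a domain group and one user.
DOMAIN = "S-1-5-21-1111111111-2222222222-3333333333"
RULE_BLOB = pack_rule_users([DOMAIN + "-1105",      # hypothetical group "Proxy Users"
                             DOMAIN + "-1200"])     # a specific user
# Token SID lists as the proxy would see them after authentication:
# the user's own SID, Authenticated Users (S-1-5-11), Domain Users (RID 513)
# and, for Alice only, membership of the group named in the rule.
ALICE_TOKEN = [DOMAIN + "-1150", "S-1-5-11", DOMAIN + "-513", DOMAIN + "-1105"]
BOB_TOKEN = [DOMAIN + "-1151", "S-1-5-11", DOMAIN + "-513"]

if __name__ == "__main__":
    print("alice:", rule_allows(RULE_BLOB, ALICE_TOKEN))   # True, via the group
    print("bob:", rule_allows(RULE_BLOB, BOB_TOKEN))       # False
```

Two consequences follow directly from this design. A group rename or user rename in Active Directory needs no change to the rule, because the SID is stable; but deleting an account and recreating it with the same name yields a new SID, so the recreated account does not match the rule until the rule is edited. The decoder also rejects a truncated or over-long blob rather than silently matching a partial SID, which is the check to keep in any code that reads an access-control blob out of a directory.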