Even after all these years that the ISA Firewall has been out in the wild, I’m surprised to hear from people who have never heard of it, or more surprisingly, aren’t sure what the ISA Firewall is all about. I suppose I shouldn’t be that surprised – just because I work with the ISA Firewall every day doesn’t mean that anyone else should necessarily know anything about it. I’m sure that Office Communications Server MVPs would be shocked by my lack of knowledge on their product.
But even people who have heard of the ISA Firewall aren’t completely sure what it’s all about. If you go to the www.microsoft.com/isaserver site you won’t find a good description of what the ISA Firewall is, and even if you look around here at www.isaserver.org, you’ll find plenty of articles on how to make the ISA Firewall work, but there’s really nothing here that provides a good Q & A about the ISA Firewall that would allow someone new to it to have a good idea of what it’s all about.
To help solve this problem, I’ve put together a table of questions and answers that help clarify what the ISA Firewall is, what it isn’t, and most importantly, what the ISA Firewall can do to help secure your organization.
Frequently Asked Questions
Is ISA 2006 primarily a firewall, a Web proxy and caching server, or a remote access VPN server and site to site VPN gateway?
ISA 2006 can be configured as an integrated firewall and Web proxy and caching solution, or can be deployed as a locked-down firewall only.
Organizations require a robust firewall solution. The ISA 2006 firewall secures networks with ISA Server 2006 stateful packet inspection, application layer inspection, and intrusion detection and prevention.
Unlike ISA Server 2000, ISA Server 2006 does not include a caching-only mode. Like ISA 2004, though, the new ISA firewall can be configured in single-NIC Web proxy and caching mode. Even then, the firewall components are not eliminated, and the stateful packet and application layer inspection features are used to create robust protection for the ISA firewall device itself.
ISA 2006 can also be configured as a remote access VPN server allowing users to connect to the ISA firewall to access corporate resources and granular control can be enforced on what remote access VPN users can access through the VPN link. The site to site VPN feature allows the ISA firewall to connect to other VPN gateways (either ISA firewall based VPN gateways or third party VPN gateways) to connect entire networks to one another.
ISA Server 2006 is always a sophisticated, hardened and secure firewall, regardless of the deployment options you choose.
Does implementing the Web proxy and caching function compromise the security of ISA 2006 as a firewall?
No. The cache is a sophisticated memory and disk based storage engine that allows improved network access performance by storing frequently retrieved objects.
The Web proxy and cache features are integrated into the firewall engine and provide Hypertext Transfer Protocol (HTTP) connectivity, application layer inspection capabilities and security-related tasks such as content screening, Uniform Resource Locator (URL) blocking and HTTP protocol inspection.
Can I migrate from Proxy Server 2.0 or ISA Server 2000 to ISA Server 2006?
There is no upgrade path from Proxy 2.0 and ISA Server 2000 to ISA Server 2006.
There is a supported upgrade path from ISA 2004 to ISA Server 2006.
Must I buy Windows Server 2003 to run ISA Server 2006, or will it run on Windows 2000? Do I have to buy a super powerful computer to run it on?
You can install ISA Server 2006 only on Windows Server 2003. Minimum system requirements are: 300MHz or better processor, 256MB of RAM, 20MB of disk space (for the OS; this does not include disk space for caching); one network adapter for each network connected to the ISA server, including the default Internal Network.
You must have one partition formatted in NTFS. However, some ISA firewall functions, such as application layer inspection, are processor or memory intensive, so you’ll want more than the minimum supported configuration. ISA Server 2006 will run very well on any modestly configured current PC (1GHz processor or above, 512MB of RAM).
Does the ISA Firewall computer have to have multiple network interface cards?
To act as a network firewall, the ISA Firewall needs at least two NICs (multi-homed machine).
ISA 2006 can be installed on a single-homed machine (one NIC) to act as a Web proxy and caching only server. The single-homed ISA 2006 can be placed on the internal network or a perimeter network and proxy requests for both internal and external network clients.
This is a popular configuration for publishing Outlook Web Access, Exchange ActiveSync, and SharePoint Portal Server sites for organizations that already have a well-established firewall infrastructure in place.
Is Active Directory required to run ISA 2006?
No. If you do have Active Directory deployed on your network, the ISA 2006 firewall can leverage users and groups contained in the Active Directory to provide granular inbound and outbound access control in a way that no other firewall on the market can provide. However, you do not have to have an Active Directory or NT domain to benefit from an ISA Server 2006 firewall.
ISA Server 2006 does not need to be a domain member computer to benefit from the Active Directory user database. ISA 2006 introduces LDAP authentication, so that a non-domain member ISA firewall can benefit from user/group authentication for incoming connections.
Does ISA Server 2006 support reverse caching?
Yes. Reverse caching means placing a cache in front of a Web server or e-commerce application. This is called reverse because the decision to cache or distribute content from the servers or to offload processing is implemented by the administrators of the Web servers, rather than by the clients.
ISA 2006 supports reverse caching, allowing Web managers to cache and distribute content, therefore improving user response time.
Does ISA 2006 support stateful packet inspection?
Yes. Stateful packet inspection allows the ISA firewall to perform all the network layer protection provided by traditional “hardware” firewalls. Stateful packet inspection is able to determine the validity of packets based on the information contained in the IP and transport layer headers.
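To make the stateful inspection answer concrete, here is a toy stateful packet filter that tracks TCP connections and judges each packet by its IP and transport layer header fields. It is an added example, not ISA Server code; the internal prefix, ports and flag strings are constructed for the demonstration.

```python
# Added example: a toy stateful packet filter modelled on the FAQ's description
# of stateful inspection. It is not ISA Server code; the network prefix, ports
# and flag strings are constructed for the demonstration.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Header fields a stateful filter looks at: IP addresses,
    transport-layer ports and TCP flags (e.g. 'S', 'SA', 'A', 'PA', 'R')."""
    src: str
    sport: int
    dst: str
    dport: int
    flags: str


class StatefulFilter:
    def __init__(self, internal_prefix: str, allowed_ports: set[int]):
        self.internal_prefix = internal_prefix   # e.g. "10.0.0."
        self.allowed_ports = allowed_ports       # outbound ports the policy permits
        self.table: dict[tuple, str] = {}        # (src, sport, dst, dport) -> state

    def inspect(self, p: Packet) -> str:
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if "R" in p.flags:
            # A reset is only meaningful for a connection we already track.
            known = fwd in self.table or rev in self.table
            self.table.pop(fwd, None)
            self.table.pop(rev, None)
            return "ACCEPT" if known else "DROP"
        if p.flags == "S":
            # New connection: only internal clients may open outbound sessions
            # to permitted ports; unsolicited inbound SYNs are dropped.
            if p.src.startswith(self.internal_prefix) and p.dport in self.allowed_ports:
                self.table[fwd] = "SYN_SENT"
                return "ACCEPT"
            return "DROP"
        if p.flags == "SA":
            # A SYN-ACK must answer a SYN we saw; otherwise it is a stray or a scan.
            if self.table.get(rev) == "SYN_SENT":
                self.table[rev] = "SYN_RECV"
                return "ACCEPT"
            return "DROP"
        # ACK, data or FIN: valid only inside a connection that completed the handshake.
        for key in (fwd, rev):
            if self.table.get(key) in ("SYN_RECV", "ESTABLISHED"):
                self.table[key] = "ESTABLISHED"
                return "ACCEPT"
        return "DROP"
```

A stateless packet filter would have to accept every inbound SYN-ACK or ACK to let replies through; the state table is what lets the filter drop the ones that answer no request it saw.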
I already have a non-Microsoft firewall at the Internet edge. Can I still use ISA 2006 in conjunction with it? How would the multiple firewalls be deployed? What are the advantages of doing this?
ISA 2006 works well with all firewalls and I would never suggest that a “rip and replace” approach is best.
The ISA 2006 firewall can be placed on the Internet edge in front of your current firewall installation, it can be placed at the corporate LAN, or it can be placed between your current Internet edge and LAN firewalls.
In addition, the ISA 2006 firewall can be placed at branch offices. The branch office can connect to the main office VPN gateway using an ISA 2006 site to site link. This link can be created with virtually any site to site VPN gateway using ISA 2006’s support for IPSec tunnel mode.
In addition, in the branch office scenario, the ISA firewall can leverage its support for BITS caching and QoS to significantly improve performance over the site to site VPN link.
What protocols does ISA Server 2006 support?
ISA Server 2006 can evaluate and control virtually all protocols. These include Transmission Control Protocol (TCP), User Datagram Protocol (UDP), ICMP and IP-level protocols (such as GRE and ESP).
The firewall is pre-loaded with an extensive list of predefined protocols (e.g., HTTP, SMTP, POP3, GRE) and allows administrators to easily add to this list. Complex protocols requiring secondary connections require either the firewall client software or an application filter.
ISA 2006 includes many built-in application filters for the most popular protocols, enabling additional functionality such as allowing highly secure access to Exchange RPC services, filtering HTTP connections, or SMTP content inspection to protect mail servers against attacks.
Does ISA 2006 inspect encrypted content?
ISA 2006 inspects encrypted content at several levels. ISA 2006 can help you set up a secure, encrypted VPN channel to remote networks. The channel then can transport any data in a secure manner and all content moving over remote access and site to site VPN connections are exposed to the ISA firewall stateful packet and application layer inspection engines.
ISA 2006 can enforce the use of encrypted Web access (i.e., SSL) on incoming Web requests and can serve as an end point of an encrypted SSL session. This enables the ISA firewall to provide secure, encrypted SSL sessions from end to end and perform both stateful packet and application layer inspection on the session contents.
Internal network clients can establish an end to end secure SSL tunnel to an Internet Web server, and the ISA firewall can provide application layer inspection on the outbound SSL connections using an add-in named ClearTunnel from Collective Software.
Can ISA 2006 use the Network Load Balancing (NLB) services?
Yes, ISA 2006 takes advantage of Network Load Balancing (NLB) in Windows Server 2003 for increased scalability, performance and availability.
ISA 2006 Enterprise Edition integrates with the Windows NLB service to provide bidirectional affinity for all Networks. Integrated NLB is also Firewall service and NIC aware, so that if one of the members of the enterprise array is dysfunctional, the dysfunctional server is removed from the NLB array until it becomes functional again.
Does ISA 2006 work with streaming media?
ISA 2006 includes application filters that manage complex media streaming connections. It specifically supports Microsoft Windows Media–based streaming, RealAudio and Apple QuickTime.
Can I place a VPN server behind the ISA Server 2006 firewall?
Yes. You can publish non-TCP/UDP protocols using ISA 2006. You can publish a PPTP or NAT-T compliant L2TP/IPSec VPN server located behind the ISA Server 2006 firewall. In fact, you can make the ISA Server 2006 firewall a VPN server itself and publish a VPN server located behind the ISA Server 2006 firewall. You can also place third party IPSec tunnel mode servers behind the ISA firewall, as long as they are RFC NAT-T compliant.
How does using ISA 2006’s caching functionality improve network performance?
The Web Proxy and caching features of ISA 2006 offer a cache of Web objects that fulfills client requests from the cache. If the request cannot be fulfilled from the cache, a new request is initiated on behalf of the client. When the Internet Web server responds to the ISA Firewall, the ISA Server caches the response to the original client request. Then the client receives a response. Fast RAM caching allows the ISA Firewall to keep the most frequently accessed items in memory. This optimizes response time by retrieving items from memory rather than from disk. ISA 2006 gives you an optimized disk cache store that minimizes disk access for both read and write operations. These techniques optimize response time and your overall system performance.
Table 1: Frequently Asked Questions about ISA 2006
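The caching answer above describes a miss path (fetch on the client's behalf, store, reply) and a RAM tier that holds the most frequently requested objects in front of the disk store. The following added example, which is not ISA Server code, models exactly that flow; the origin server function and URLs are constructed stand-ins.

```python
# Added example: a two-tier Web cache (RAM in front of a disk store) that
# behaves as the FAQ answer describes. Not ISA Server code; the origin
# server function and URLs are constructed for the demonstration.
from typing import Callable


class WebCache:
    def __init__(self, fetch_origin: Callable[[str], bytes], ram_slots: int):
        self.fetch_origin = fetch_origin   # stands in for the Internet Web server
        self.ram_slots = ram_slots         # how many objects fit in memory
        self.ram: dict[str, bytes] = {}    # hot objects served from memory
        self.disk: dict[str, bytes] = {}   # dict stands in for the disk cache store
        self.hits: dict[str, int] = {}     # access count per URL
        self.origin_requests = 0           # requests forwarded on the client's behalf

    def _promote(self, url: str, body: bytes) -> None:
        """Keep the most frequently accessed objects in RAM; a newcomer only
        displaces the coldest resident if it has been requested more often."""
        if url in self.ram:
            return
        if len(self.ram) < self.ram_slots:
            self.ram[url] = body
            return
        coldest = min(self.ram, key=lambda u: self.hits[u])
        if self.hits[coldest] < self.hits[url]:
            del self.ram[coldest]
            self.ram[url] = body

    def get(self, url: str) -> tuple[bytes, str]:
        """Return the object and where it was served from: ram, disk or origin."""
        self.hits[url] = self.hits.get(url, 0) + 1
        if url in self.ram:
            return self.ram[url], "ram"
        if url in self.disk:
            body = self.disk[url]
            self._promote(url, body)
            return body, "disk"
        # Cache miss: fetch on behalf of the client, store, then answer the client.
        self.origin_requests += 1
        body = self.fetch_origin(url)
        self.disk[url] = body
        self._promote(url, body)
        return body, "origin"


def constructed_origin(url: str) -> bytes:
    """Stand-in origin server returning a deterministic body per URL."""
    return f"<html>{url}</html>".encode()
```

With a single RAM slot, repeated requests for a second URL are first served from disk and only move into memory once that URL has been requested more often than the current resident, while the origin is contacted once per object.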
In this article we went back to basics to help our brethren better understand the ISA Firewall and its features and capabilities. If you ever run into someone who doesn’t know about the ISA Firewall, send them over to this article and hopefully they’ll have their questions answered. If there are more questions, just click on the discussion board link in this article and I’ll be alerted to the question and will answer it as soon as possible. Thanks! –Tom.