Enterprise Management for ISA and TMG Firewall Arrays
Many of us started with the ISA firewall using Standard Edition (SE). ISA and TMG SE are pretty straightforward – you install the firewall and away you go. OK, it’s not that easy, but when configuring an SE firewall, you only have to worry about one firewall at a time.
In contrast, ISA and TMG Enterprise Edition firewalls are managed a bit differently. When you install ISA and TMG firewalls into an Enterprise, you are actually putting into place the machinery required to create firewall arrays. An ISA or TMG Firewall array is a collection of firewalls that work as a single logical firewall (for the most part). When you create a firewall rule for the firewall array, all the firewalls in the array receive the same configuration and enforce the same rule or policy.
The challenging part of working with Enterprise Edition is that you have the option to create rules and network elements at the enterprise level, the array level, or both. When you create a rule or network element at the enterprise level, you can make those configuration settings available to one or more arrays in the ISA or TMG enterprise. An “enterprise” is a collection of arrays that can be managed together. In contrast, when you configure settings at the array level, those settings apply only to that particular array.
In addition, you have to deal with issues related to intra-array communications, communications between firewall array members and the Configuration Storage Server (the machine that contains the array configuration, which is stored in an ADAM or AD LDS database), and potentially Network Load Balancing issues.
For a nice review of the issues that you should consider in advance before deploying Enterprise Edition and firewall arrays, check out the article Enterprise Management in ISA Server 2006 on the Microsoft site.
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer