Although the Microsoft Internet Security and Acceleration (ISA) Server is a descendent of Microsoft Proxy Server, the new product is much more than a simple upgrade. ISA Server introduces many new features and improves Proxy Server's existing capabilities.
New firewall features. In addition to supporting packet-, circuit-, and application-level traffic filtering, ISA Server supports stateful packet inspection (i.e., the ability to examine data passing through the firewall based on its protocol and the connection's status). ISA Server can also utilize Windows 2000's Active Directory (AD) or Windows NT's Security Accounts Manager (SAM) to secure individual features and services at the group or user level. Most third-party firewall products don't have this capability because they're based on IP addresses or use a separate database for user authentication. ISA Server offers out-of-the-box support for detecting, preventing, and alerting you to various types of attack, including Windows out-of-band (e.g., WinNuke), Ping of Death, Land attacks, and User Datagram Protocol (UDP) bombs. ISA Server also provides Network Address Translation (NAT) services through its SecureNAT feature. SecureNAT lets LAN clients point their default gateways at ISA Server and securely and transparently access the Internet without client software. (See the sidebar, "Understanding NAT".)
Policy-based administration. ISA Server lets administrators define policy elements such as users and groups, client protocols, schedules, sites, and content groups, then use those elements to manage various settings through ISA Server policies (e.g., client protocol access policies, site access policies, bandwidth usage policies). You can create policies at an array level—an array is simply a group of ISA Server systems that are all housed at the same site (e.g., a branch office or department)—or an enterprise level for AD-enabled networks. (Enterprise-level policies let you enforce company-wide security policies through AD.)
RRAS and VPN integration. Unlike Proxy Server's RAS and Routing and Remote Access Service (RRAS) integration under NT 4.0, the process of establishing a Virtual Private Network (VPN) through ISA Server or to a remote RRAS VPN server is a breeze. To facilitate the setup process, ISA Server includes a VPN configuration wizard that will even launch RRAS setup if you haven't already installed the service for local VPN configurations.
Smart caching. ISA Server offers active caching features so administrators can proactively cache content from popular Web sites. Administrators can schedule cache updates to run automatically at specific times during the day.
Smart application filters. Using smart application filters, you can control traffic through ISA Server on an application-specific level. For example, you can implement an email traffic filter that blocks certain email content types or a filter that handles streaming audio or video data.
Dynamic IP filtering. Many firewall products can reduce the management burden of administrators by dynamically opening firewall ports for active client sessions to the Internet and closing them after the session terminates. ISA Server provides a similar dynamic filtering feature, so you don't need to manually open firewall ports each time a network client uses a new protocol.
Scalability. In large organizations, scalability is an important feature of a Web caching server because performance can deteriorate when a server caches a lot of data. ISA Server provides dynamic load-balancing functionality through the Cache Array Routing Protocol. CARP improves performance in ISA Server farms by automatically sending client requests to the server most likely to have the requested content. Using Win2K's Network Load Balancing (NLB) services through multiserver arrays enhances ISA Server's dynamic load-balancing capabilities and improves the overall availability of its systems. You can also configure ISA Server to have multiple or backup connections (a.k.a. routes) to other ISA Server systems to enhance server availability.
Bandwidth usage rules. By utilizing Win2K's bandwidth control and Quality of Service (QoS) features, ISA Server lets you configure rules that define the amount of bandwidth various protocols and traffic types can consume as they pass through an ISA Server between the Internet and the local network. This feature improves control over the availability and utilization of a corporate Internet connection.
Enhanced reporting. ISA Server lets you run extensive reports on user access and security events. You can schedule ISA Server to automatically run the reports and deliver them to you at specified intervals (e.g., daily, weekly, monthly).
H.323 gatekeeper service. This component lets administrators use ISA Server to manage IP telephony calls among H.323 protocol-enabled applications (e.g., Microsoft NetMeeting 3.0). After creating DNS SRV record registrations to advertise the gatekeeper services, clients use the ISA Server systems to register their names with the gatekeeper service and establish connections to other H.323 endpoints.
During my experiences with ISA Server, I made some discoveries.
- Should you install the firewall client that comes with ISA Server on Windows-based network workstations? Although ISA Server doesn't require the client for firewall operation, the firewall client provides benefits such as the ability to specify usernames and group names within rules rather than specifying only client IP addresses. If you need to secure your firewall by using rules that leverage SAM or AD-based usernames or group names, install the firewall client.
- The firewall client automatically configures client browsers for the firewall server during installation. ISA Server's firewall client is almost identical to Proxy Server's Winsock client in installation and function.
ISA Server is an open-development platform. Microsoft has made it very easy for third-party vendors to write add-on products to enhance the server's functionality. The regular product even includes an ISA Server software development kit (SDK—in the CD-ROM's \sdk subdirectory). As of this writing, several Internet security product vendors have announced products designed to run on top of ISA Server.
\[Editor's Note: This article is based on Microsoft Internet Security and Acceleration (ISA) Server beta 3.\]