Microsoft Internet Security and Acceleration (ISA) Server 2006 uses various communication layers to protect the corporate network. At the packet layer, ISA Server implements a firewall policy. In this way, ISA Server controls data on the network interface, evaluating traffic before it reaches any resource. Data is allowed to pass only after the Microsoft Firewall service processes rules to determine whether the request will be serviced.
ISA Server architecture

As illustrated in the figure, ISA Server protects three types of clients: Firewall clients, SecureNAT clients, and Web Proxy clients.
Firewall clients. Computers that have Firewall Client software installed and enabled. Requests from Firewall clients are directed to the Firewall service on the ISA Server computer, to determine whether access is allowed. Subsequently, they may be filtered by application filters and other add-ins. The Firewall service may also cache the requested object or serve the object from the ISA Server cache.
SecureNAT clients. Computers that do not have Firewall Client software installed. Requests from SecureNAT clients are directed first to the network address translation (NAT) driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service to determine if access is allowed. Finally, the request may be filtered by application filters and other extensions. The Firewall service may also cache the requested object or deliver the object from the ISA Server cache.
Web Proxy clients. CERN-compatible Web applications. Requests from Web Proxy clients are directed to the Firewall service on the ISA Server computer, to determine if access is allowed. The Firewall service may also cache the requested object or serve the object from the ISA Server cache.
Regardless of client type, when ISA Server receives an HTTP request, the client is treated as a Web Proxy client. This applies even when a Firewall client or a SecureNAT client makes the HTTP request, and it has specific implications for how the client is authenticated.
Both Firewall client computers and SecureNAT client computers may also be Web Proxy clients. If the Web application on the computer is configured explicitly to use ISA Server, all Web requests, including HTTP, FTP, and HTTPS, are sent directly to the Firewall service. All other requests are handled first by the Firewall service.
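One way to configure a Web application explicitly to use ISA Server is a proxy auto-config (PAC) script. The following is an added example, not part of the original documentation; the proxy name isa.corp.example, the listener port 8080, and the internal DNS suffix .corp.example are assumptions.

```javascript
// Added example: PAC script that makes a browser act as a Web Proxy client.
// Assumed values (not from the page): proxy host, port, internal suffix.
var ISA_PROXY = "PROXY isa.corp.example:8080";
var INTERNAL_SUFFIX = ".corp.example";

// True for host names without a dot and for names that end with the
// internal suffix; these are reached directly, not through the proxy.
function isInternalHost(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true;
  var tail = host.length - INTERNAL_SUFFIX.length;
  // Compare at the end of the name so "evilcorp.example" does not match.
  return tail >= 0 && host.indexOf(INTERNAL_SUFFIX, tail) === tail;
}

// Entry point the browser calls for every request it is about to make.
function FindProxyForURL(url, host) {
  var scheme = url.substring(0, url.indexOf(":")).toLowerCase();
  if (isInternalHost(host)) return "DIRECT";
  // The Web Proxy client path covers HTTP, HTTPS, and FTP.
  if (scheme === "http" || scheme === "https" || scheme === "ftp") {
    return ISA_PROXY;
  }
  // Any other scheme is not a Web Proxy request; the browser does not proxy it.
  return "DIRECT";
}
```

Matching the suffix at the end of the host name, rather than anywhere in it, keeps look-alike external names from bypassing the proxy and the firewall policy applied there.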
The following table compares the ISA Server clients.
Feature | SecureNAT client | Firewall client | Web Proxy client |
---|---|---|---|
Installation | Yes, requires some network configuration changes | Yes | No, requires Web browser configuration |
Operating system support | Any operating system that supports TCP/IP | Only Windows platforms | All platforms, but by way of a Web application |
Protocol support | Application filters for multi-connection protocols | All Winsock applications | HTTP, HTTPS, and FTP |
User-level authentication support | Yes, for VPN clients only | Yes | Yes |
For more information about clients, see Internal Client Concepts in ISA Server 2006 at the Microsoft ISA Server TechCenter Web site (http://www.microsoft.com).