Array communication (Enterprise Edition)

ISA Server 2006 Enterprise Edition only

The servers that comprise a Microsoft Internet Security and Acceleration (ISA) Server 2006 array communicate with each other on secure, sealed channels. This includes intra-array communication, as well as communication from each array member to the Configuration Storage server.

Computers running ISA Server services are listed in the Servers node of ISA Server Management for each array. These are referred to as the array members. Array members communicate with the Configuration Storage server, using the MS Firewall Storage protocol. Computers running ISA Server Management also use the MS Firewall Storage protocol to read from and write to the Configuration Storage server. The MS Firewall Storage protocol, which is based on LDAP, is an outbound TCP protocol on port 2171.

All monitoring communication is done using remote procedure calls (RPC). ISA Server Management computers use RPC to query real-time and local information from the computers running ISA Server services.

All communication channels between firewalls, management consoles, and configuration servers are sealed.

Intra-array address

Communication between array members is passed using the intra-array address, which is initially set to the default IP address of the array member's network adapter on the Internal network. As array administrator, you can modify the intra-array address.

Array communication in workgroup scenarios

In a workgroup scenario, computers running ISA Server services access the configuration storage (on the Configuration Storage server) using the MS Firewall Storage over SSL protocol (on port 2172). The Configuration Storage server, which runs an instance of Active Directory® Application Mode (ADAM), supports the LDAPS protocol. To enable this communication, you must install a certificate from a certification authority that is trusted by the computers running ISA Server services, and then install server certificates on the Configuration Storage servers.

ISA Server Management computers authenticate to the Configuration Storage server and to the computers running ISA Server services using domain accounts or local mirrored accounts. Local mirrored accounts must be created on each array member.

In a workgroup environment, computers running ISA Server services use ADAM accounts to authenticate to the Configuration Storage server. The LDAPS channel seals the authentication sequence. An ADAM account is generated for each array member during setup, when the server object is created in the central storage on the Configuration Storage server.

System policy rules

ISA Server includes the following predefined system policy rules, which enable communication among the array members, Configuration Storage servers, and management consoles.

Scenario group: Configuration Storage server
Configuration group: Remote Configuration Storage Server Access
Rule name: Allow remote access to Configuration Storage server
Rule description: Allows access from Local Host to the Enterprise Configuration Storage Server computer set, using the MS Firewall Storage protocol.

Scenario group: Configuration Storage server
Configuration group: Local Configuration Storage Server Access
Rule name: Allow access from trusted servers to the local Configuration Storage server
Rule description: Allows access to Local Host from the Array Servers, Enterprise Remote Management Computers, Managed ISA Server Computers, Remote Management Computers, and Replicate Configuration Storage Servers computer sets, using CIFS (TCP and UDP) and MS Firewall Storage protocols.

Scenario group: Configuration Storage server
Configuration group: Replicate Configuration Storage Server Access
Rule name: Allow replication between Configuration Storage servers
Rule description: Allows communication to and from the Replicate Configuration Storage Servers computer set, using MS Firewall Control and RPC protocols.

Scenario group: Intra-array communication
Configuration group: Array Member Communication
Rule name: Allow intra-array communication
Rule description: Allows intra-array communication using MS Firewall Control and RPC protocols to and from the Array Servers computer set.

Scenario group: Remote management
Configuration group: Microsoft Management Console (MMC)
Rule name: Allow remote management from selected computers using MMC
Rule description: Allows communication from the Array Servers, Enterprise Remote Management Computers, and Remote Management Computers computer sets to Local Host, using the MS Firewall Control, NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session, and RPC (all interfaces) protocols.

Scenario group: Remote management
Configuration group: Terminal Server
Rule name: Allow remote management from selected computers using Terminal Server
Rule description: Allows communication from the Enterprise Remote Management Computers and Remote Management Computers computer sets to Local Host, using the RDP (Terminal Services) protocol.

Scenario group: Remote management
Configuration group: ICMP
Rule name: Allow ICMP (PING) requests from selected computers to ISA Server
Rule description: Allows communication from the Enterprise Remote Management Computers and Remote Management Computers computer sets to Local Host, using the ICMP protocol.

Computer sets and domain name sets

The following computer sets should be modified, as necessary, depending on the array configuration:

In addition, the Enterprise Configuration Storage Server domain name set is automatically configured to include the name of the Configuration Storage server for the array. If you specify an alternate Configuration Storage server, it is also included in this domain name set.
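The system policy rules above only permit storage access from named computer sets, so a source address that is missing from those sets is either a host that the administrator forgot to add or a host that should not be talking to the Configuration Storage server at all. The following Python script is an added example, not code from this documentation page or from ISA Server: it replays a constructed, simplified firewall-log sample (the CSV layout, the addresses, and the computer-set membership are all assumptions made up for the illustration) and reports every MS Firewall Storage (TCP 2171) or MS Firewall Storage over SSL (TCP 2172) connection whose source is outside the computer sets the "Local Configuration Storage Server Access" rule allows.

```python
"""Audit constructed firewall-log lines for Configuration Storage server access.

Added example; not part of ISA Server or of this documentation page.
Assumptions (constructed for illustration only):
  - log lines are CSV: timestamp,client_ip,dest_ip,dest_port,protocol_name,action
  - the computer-set membership below uses made-up addresses
"""
import csv
import io

# Ports named on the page: MS Firewall Storage (LDAP-based) and the SSL variant.
MS_FIREWALL_STORAGE_PORT = 2171
MS_FIREWALL_STORAGE_SSL_PORT = 2172
STORAGE_PORTS = (MS_FIREWALL_STORAGE_PORT, MS_FIREWALL_STORAGE_SSL_PORT)

# Constructed computer sets, keyed by the set names used in the system policy rules.
COMPUTER_SETS = {
    "Array Servers": {"10.0.0.11", "10.0.0.12"},
    "Remote Management Computers": {"10.0.5.20"},
    "Enterprise Remote Management Computers": {"10.0.5.21"},
    "Replicate Configuration Storage Servers": {"10.0.0.50"},
}

# Sets that the "Local Configuration Storage Server Access" rule allows as sources.
STORAGE_ACCESS_SETS = (
    "Array Servers",
    "Enterprise Remote Management Computers",
    "Managed ISA Server Computers",
    "Remote Management Computers",
    "Replicate Configuration Storage Servers",
)

# Constructed sample log; 10.0.0.50 plays the Configuration Storage server.
SAMPLE_LOG = """\
2006-09-01 10:00:01,10.0.0.11,10.0.0.50,2171,MS Firewall Storage,Allowed
2006-09-01 10:00:02,10.0.5.20,10.0.0.50,2171,MS Firewall Storage,Allowed
2006-09-01 10:00:03,10.0.7.99,10.0.0.50,2171,MS Firewall Storage,Denied
2006-09-01 10:00:04,10.0.0.12,10.0.0.50,2172,MS Firewall Storage over SSL,Allowed
2006-09-01 10:00:05,10.0.7.99,10.0.0.50,2172,MS Firewall Storage over SSL,Allowed
2006-09-01 10:00:06,10.0.0.12,10.0.0.11,135,RPC,Allowed
"""


def sets_containing(ip):
    """Return the names of every computer set that lists this address."""
    return [name for name, members in COMPUTER_SETS.items() if ip in members]


def audit_storage_traffic(log_text):
    """Return one finding per storage-port connection from a source outside the allowed sets.

    A Denied line is informational: the system policy did its job, but the source
    may be a legitimate host that still needs adding to a computer set. An Allowed
    line is high severity: traffic reached the storage server from a host that no
    allowed set accounts for, so the sets or the rule should be reviewed.
    """
    findings = []
    for ts, client, dest, port, proto, action in csv.reader(io.StringIO(log_text)):
        port = int(port)
        if port not in STORAGE_PORTS:
            continue
        if any(s in STORAGE_ACCESS_SETS for s in sets_containing(client)):
            continue
        findings.append({
            "time": ts,
            "client": client,
            "dest": dest,
            "port": port,
            "protocol": proto,
            "action": action,
            "severity": "high" if action == "Allowed" else "info",
        })
    return findings


if __name__ == "__main__":
    for f in audit_storage_traffic(SAMPLE_LOG):
        print(f"[{f['severity']}] {f['time']} {f['client']} -> {f['dest']}:{f['port']} "
              f"{f['protocol']} ({f['action']}); source is in no allowed computer set")
```

On the sample, the two lines from 10.0.7.99 are reported and the rest are silent: the denied 2171 attempt confirms the policy blocked an unlisted host, while the allowed 2172 connection from the same unlisted host is the one worth investigating, because it means a storage-access path exists that the computer sets do not explain.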

Protocols

The following proprietary protocols are defined to allow intra-array communication:
