Microsoft Internet Security and Acceleration Server 2000

Server View

ISA Server works at various communication layers to protect the corporate network. At the packet layer, ISA Server implements packet filtering. When packet filtering is enabled, ISA Server can statically control data on the external interface, evaluating inbound traffic before it has the chance to reach any resource. If the data is allowed to pass the packet filtering layer, it is passed to the Firewall and Web proxy services, where ISA Server rules are processed to determine if the request should be serviced.

The following figure shows in detail the architecture of the ISA Server array.

An ISA Server computer may be included in an array to allow for load balancing and fault tolerance. This is described further in the ISA product documentation. The following explanation focuses on the architecture of a single ISA Server computer. The server includes these components:

•    IP packet filter. As shown, the ISA server as a whole relies on the function of the IP packet filter. For more information, see IP Packet Filtering.

•    SecureNAT. A function of ISA Server that performs network address translation (NAT) in place of the Windows 2000 NAT function. For more information, see Secure Network Address Translation.

ISA Server also uses the bandwidth control provided by Quality of Service (QoS) in Windows 2000. QoS is a collection of components that manages bandwidth use for a network. ISA Server applies QoS to connections according to rules established by the ISA administrator.

As shown in the diagram, ISA Server protects three types of clients:

Note: Firewall clients and SecureNAT clients are mutually exclusive; that is, a client computer cannot be both a Firewall client and a SecureNAT client. However, Firewall client computers and SecureNAT client computers might also be Web proxy clients. If the Web application on the computer is configured explicitly to use the ISA Server, then all Web requests (HTTP, FTP, HTTP-S, and Gopher) are sent directly to the Web proxy service. All other requests are handled first by the Firewall service.