Microsoft Internet Security and
Acceleration Server 2000
Server View
ISA Server works at various communication layers to protect the
corporate network. At the packet layer, ISA Server implements
packet filtering. When packet filtering is enabled, ISA Server can
statically control data on the external interface, evaluating
inbound traffic before it has the chance to reach any resource. If
the data is allowed to pass the packet filtering layer, it is
passed to the Firewall and Web proxy services, where ISA Server
rules are processed to determine if the request should be
serviced.
The following figure shows in detail the architecture of the ISA
Server array.
An ISA Server may be included in an array, to allow for load
balancing and fault tolerance. This is described further in the ISA
product documentation. The following explanation focuses on the
architecture of a single ISA server. The server includes these
components:
• IP packet filter. As shown, the ISA
server as a whole relies on the function of the IP packet filter.
For more information, see IP Packet
Filtering.
• SecureNAT. A function of ISA Server
that performs network address translation (NAT) in place of the
Windows 2000 NAT function. For more information, see Secure Network Address Translation.
• The firewall, consisting of the Web proxy service, Firewall
service, and application filters:
  - Web proxy service. Includes Web (ISAPI) filters and the
    cache.
  - Firewall service. Handles connect requests by Firewall service
    and SecureNAT clients. HTTP requests are diverted to the Web proxy
    service by the HTTP redirector filter.
  - Application filters. These include the HTTP redirector filter,
    which redirects HTTP requests to the Web proxy service, and other
    protocol filters provided with ISA Server. Third-party filters can
    be developed for the ISA firewall by using the application filter
    interfaces.
ISA Server also makes use of the bandwidth control of Quality of
Service (QOS) in Windows 2000. QOS is a collection of components
that manages bandwidth use for a network. ISA Server applies QOS to
connections according to rules established by the ISA
administrator.
As shown in the diagram, ISA Server protects three types of
clients:
• ISA Firewall clients are computers that have ISA Firewall
client software installed. Requests from ISA Firewall clients are
directed to the ISA Firewall service on the ISA Server computer to
determine whether access is allowed. Subsequently, the requests can
be filtered by application filters and other add-ins. If the ISA
Firewall client requests an HTTP object, the HTTP redirector filter
redirects the request to the Web proxy service. The Web proxy
service may also cache the requested object, or serve the object
from the ISA Server cache. For more information on Firewall
clients, see Firewall Clients.
• SecureNAT clients are computers that do not have ISA Firewall
client software installed. Requests from SecureNAT clients are
directed first to the NAT driver, which substitutes a global IP
address that is valid on the Internet for the internal IP address
of the SecureNAT client. The client request is then directed to the
ISA Firewall service, to determine whether access is allowed.
Finally, the request can be filtered by application filters and
other add-ins. If the SecureNAT client requests an HTTP object, the
HTTP redirector filter redirects the request to the Web proxy
service. The Web proxy service may also cache the requested object,
or serve the object from the ISA Server cache.
• Web proxy clients are any browser applications compatible with
the standards of Conseil Europeen pour la Recherche Nucleaire
(CERN). ISA redirects requests from Web proxy clients to the Web
proxy service on the ISA Server computer to determine whether
access is allowed. The Web proxy service can also cache the
requested object or serve the object from the ISA Server
cache.
Note: Firewall clients and SecureNAT clients are mutually
exclusive; that is, a client computer cannot be both a Firewall
client and a SecureNAT client.
However, Firewall client computers and SecureNAT client computers
might also be Web proxy clients. If the Web application on the
computer is configured explicitly to use the ISA Server, then all
Web requests (HTTP, FTP, HTTP-S, and Gopher) are sent directly to
the Web proxy service. All other requests are handled first by the
Firewall service.
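The component order described above for the three client types, and the rule in the note that a configured Web application bypasses the Firewall service for HTTP, FTP, HTTP-S and Gopher, can be written down as a small decision model. The following is an added illustration, not ISA Server code and not a Microsoft API: the component names are taken from this page, the `Client` and `request_path` names are hypothetical, and the model only records which documented services see a request, not how each one decides.

```python
"""Model of the ISA Server 2000 request path described on this page.

Added illustration (hypothetical names), not ISA Server code. It encodes
the order in which the documented components see a client request:
NAT driver, Firewall service, application filters, HTTP redirector
filter and Web proxy service, depending on client type and protocol.
"""
from dataclasses import dataclass
from typing import List

# Client kinds named on the page. A computer is one or the other, never both.
FIREWALL = "firewall"      # ISA Firewall client software installed
SECURENAT = "securenat"    # no Firewall client software; handled by the NAT driver

# Protocols the page says a configured Web application sends straight to
# the Web proxy service, bypassing the Firewall service.
WEB_PROTOCOLS = {"HTTP", "HTTPS", "FTP", "GOPHER"}


@dataclass(frozen=True)
class Client:
    kind: str                        # FIREWALL or SECURENAT
    web_proxy_client: bool = False   # browser explicitly configured to use ISA Server

    def __post_init__(self) -> None:
        # Mutual exclusivity of Firewall and SecureNAT clients is enforced by
        # making the kind a single value rather than two independent flags.
        if self.kind not in (FIREWALL, SECURENAT):
            raise ValueError(f"unknown client kind: {self.kind!r}")


def request_path(client: Client, protocol: str) -> List[str]:
    """Return the documented components, in order, that handle this request.

    The final element shows where the access decision is made and where
    an HTTP object may be served from or stored in the ISA Server cache.
    """
    proto = protocol.upper()

    # Web proxy client sending a Web protocol: straight to the Web proxy service.
    if client.web_proxy_client and proto in WEB_PROTOCOLS:
        return ["Web proxy service"]

    path: List[str] = []
    # SecureNAT clients are first translated to a globally valid address.
    if client.kind == SECURENAT:
        path.append("NAT driver")

    # Both client kinds then reach the Firewall service, which decides on
    # access, followed by the application filters and other add-ins.
    path.append("Firewall service")
    path.append("Application filters")

    # An HTTP object request is diverted by the HTTP redirector filter to
    # the Web proxy service, which may cache it or serve it from cache.
    if proto == "HTTP":
        path.append("HTTP redirector filter")
        path.append("Web proxy service")
    return path


if __name__ == "__main__":
    # Constructed sample requests covering each documented case.
    samples = [
        (Client(FIREWALL), "HTTP"),
        (Client(SECURENAT), "HTTP"),
        (Client(SECURENAT, web_proxy_client=True), "FTP"),
        (Client(FIREWALL, web_proxy_client=True), "SMTP"),
    ]
    for client, proto in samples:
        print(f"{client.kind:9} web_proxy={client.web_proxy_client!s:5} {proto:5} -> "
              + " -> ".join(request_path(client, proto)))
```

Reading the model against the page: an HTTP request from a Firewall client passes the Firewall service and application filters before the HTTP redirector hands it to the Web proxy service; a SecureNAT client adds the NAT driver in front of that; and a client whose browser is configured for ISA Server skips the Firewall service for Web protocols only, so a non-Web request from the same computer is still handled first by the Firewall service.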