Microsoft Internet Security and Acceleration Server 2000

Firewall Scenario

This scenario describes the deployment of Microsoft Internet Security and Acceleration (ISA) Server as a dedicated firewall. The procedures and VBScript examples in this topic parallel the Firewall Scenario in the ISA Server product documentation, which builds a similar configuration through ISA Management.

Network configuration

In a small office network, the ISA Server computer is placed between the corporate local area network (LAN) or wide area network (WAN) and the Internet. Such a network typically has fewer than 250 clients on a single LAN segment, runs the Internet Protocol (IP), and reaches its Internet service provider over a demand-dial connection. A single ISA Server computer can provide Internet connectivity and security for the entire network, as shown in the figure.

The scenario illustrated here assumes a small organization, so the array contains a single ISA Server computer. To allow for future expansion, the server is nevertheless installed as an array member rather than as a stand-alone server. For more information, see Enterprise and Array Policy.

In a slightly larger organization, an array of several ISA Server computers might be set up. If most of the clients are located on a single site and in a single domain, one ISA Server array can serve the entire organization. The array contains as many ISA Server computers as the bandwidth and cache requirements demand.

Setting up clients

Firewall Client software can be installed on client desktops in the organization to secure access for Winsock applications. Only Firewall clients can be identified and fully authenticated by ISA Server, which can then process rules on a per-user basis. For example, a site and content rule might grant access to a particular authenticated user; in that case only Firewall clients can match the rule and be granted access, because SecureNAT clients cannot be authenticated and therefore never match a rule that names users or groups. For more information, see Restricting Site Access or the ISA Server product documentation.

If the organization does not want to deploy client software to all of its users, those users can be set up as secure network address translation (SecureNAT) clients, which need no software beyond a default gateway that routes to the ISA Server computer. For more information on SecureNAT clients, see Secure Network Address Translation.

For Web Proxy clients, the Web browsers are configured to use the ISA Server computer or ISA Server array as their proxy server. The proxy port in the browser should be set to 8080, which is the default for the outgoing Web requests listener; if the listener on the ISA Server computer has been changed to another port, the browser setting must be changed to match, or Web requests will fail.
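The following proxy auto-configuration (PAC) script is an added example, not part of this topic or of ISA Server itself. It shows one way to point Web Proxy clients at the ISA Server outgoing Web requests listener on port 8080 while leaving internal destinations direct. The host name isa01.corp.example, the internal DNS suffix corp.example and the 10.0.0.0/8 range are assumptions about the deployment (the range would normally mirror the ISA Server local address table). A browser supplies isPlainHostName, dnsDomainIs and isInNet at run time; the shims below exist only so the script can be exercised offline in Node.js.

```javascript
// Added example: a PAC script for ISA Server Web Proxy clients.
// Host names, the DNS suffix and the internal range are assumptions.

var ISA_PROXY = "PROXY isa01.corp.example:8080";   // assumed ISA Server host; the port must equal
                                                   // the outgoing Web requests listener port
var INTERNAL_DOMAIN = ".corp.example";             // assumed internal DNS suffix
var INTERNAL_NET = "10.0.0.0";                     // assumed internal range (normally matches the LAT)
var INTERNAL_MASK = "255.0.0.0";

// --- Offline shims for the PAC built-ins a browser normally provides. ---

// Parse a dotted quad into a number; null if the string is not a valid IPv4 address.
function ipToInt(ip) {
  var parts = String(ip).split(".");
  if (parts.length !== 4) return null;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return null;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length).toLowerCase() === domain.toLowerCase();
}

// The browser's isInNet resolves names; this shim matches only literal IPv4 hosts,
// which is enough to decide routing without network access.
function isInNet(host, pattern, mask) {
  var h = ipToInt(host), p = ipToInt(pattern), m = ipToInt(mask);
  if (h === null || p === null || m === null) return false;
  return ((h & m) >>> 0) === ((p & m) >>> 0);
}

// --- The PAC entry point the browser calls for every request. ---
function FindProxyForURL(url, host) {
  // Single-label names and the internal DNS suffix are reached on the LAN directly.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) return "DIRECT";
  // Literal addresses inside the internal range, and loopback, are also local.
  if (isInNet(host, INTERNAL_NET, INTERNAL_MASK) ||
      isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  // Everything else goes through the ISA Server Web Proxy listener. No "; DIRECT"
  // fallback is appended: on a dedicated firewall the proxy is the only path out,
  // and a fallback would only let the browser try to bypass it.
  return ISA_PROXY;
}
```

Serve the script from an internal Web server and point the browsers at it. Because the script deliberately has no DIRECT fallback for external hosts, a mismatch between ISA_PROXY and the outgoing Web requests listener port makes external browsing fail rather than silently route around the firewall, which is the failure mode you want on a dedicated firewall.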

If the desktop users have the Firewall Client software installed, the Web browser need not be set up as a Web Proxy client. Instead, HTTP requests are forwarded to the ISA Server computer, which determines whether access is allowed. If it is, the HTTP Redirector filter, installed as part of ISA Server, forwards the request to the Web Proxy service, which determines whether the requested object is in the cache. If the HTTP Redirector filter is instead configured to send requests directly to the destination Web server, those requests bypass the Web Proxy service and its cache.

In this scenario, the ISA Server computer connects to the Internet by using the automatic dial-out feature of ISA Server, and has a second network adapter connected to the internal network.