Microsoft Internet Security and
Acceleration Server 2004 SDK
ISA Server works at various communication layers to protect the
corporate network. At the packet layer, ISA Server implements
packet filtering. Data then passes to the Firewall and to the Web
proxy, where ISA Server rules are processed to determine if the
request should be serviced.
The following figure shows in detail the architecture of the ISA
An ISA Server may be included in an array, to allow for load balancing and
tolerance. This is described further in the Internet
Security and Acceleration Server 2004 product documentation. The
following explanation focuses on the architecture of a single ISA
Server. The server includes these components:
Firewall service. Handles connect requests sent by Firewall
clients and SecureNAT clients. HTTP requests are diverted to the
Application filters. Third-party filters can be developed to
extend the Firewall service by using the application filter
ISA Server also makes use of the bandwidth control
of Service (QoS) in Windows 2000. QoS is a collection of
components that manages bandwidth use for a
network. ISA Server applies QoS to connections according to rules
established by the ISA Server administrator.
As shown in the diagram, ISA Server protects three types of
Firewall clients are computers that have the Firewall Client
software installed. Requests from Firewall clients are directed to
the Firewall service on the ISA Server computer to determine
whether access is allowed. Subsequently, the requests can be
filtered by application filters and other add-ins. If the Firewall
client requests an HTTP object, the Firewall service redirects the
request to the Web proxy. The Web proxy may also cache the
requested object, or serve the object from the ISA Server cache.
For more information on Firewall clients, see Firewall Clients.
SecureNAT clients are computers that send requests to the ISA
Server computer but do not have the Firewall Client software
installed. Requests from SecureNAT clients are directed first to
the NAT driver,
which substitutes a global IP address that is valid on the Internet
for the internal IP address of the SecureNAT client. The client
request is then directed to the Firewall service, to determine
whether access is allowed. Finally, the request can be filtered by
application filters and other add-ins. If the SecureNAT client
requests an HTTP object, the Firewall service redirects the request
to the Web proxy. The Web proxy may also cache the requested
object, or serve the object from the ISA Server cache.
Web proxy clients are any browser applications
compatible with the standards of Conseil Europeen pour la Recherche
Nucleaire (CERN). ISA Server redirects Web requests from clients to
the Web proxy on the ISA Server computer to determine whether
access is allowed. The Web proxy can also cache the requested
object or serve the object from the ISA Server cache.
Note Firewall client and
SecureNAT clients are mutually exclusive — that is, a client
computer cannot be both a Firewall client and SecureNAT client.
However, Firewall client computers and SecureNAT client computers
might also be Web proxy clients. If the Web application on the
computer is configured explicitly to use the ISA Server, then all
Web requests (HTTP,
HTTP-S, and Gopher)
are sent directly to the Web proxy. All other requests are handled
first by the Firewall service.