Server View

ISA Server works at various communication layers to protect the corporate network. At the packet layer, ISA Server implements packet filtering. Data then passes to the Firewall and to the Web proxy, where ISA Server rules are processed to determine if the request should be serviced.

The following figure shows in detail the architecture of the ISA Server array.

An ISA Server may be included in an array, to allow for load balancing and fault tolerance. This is described further in the Internet Security and Acceleration Server 2004 product documentation. The following explanation focuses on the architecture of a single ISA Server. The server includes these components:

• The firewall, consisting of the Microsoft Firewall service, the ISA Server Web proxy, and application filters:
  • IP packet filter.
  • SecureNAT. A function of ISA Server that performs network address translation (NAT) in place of the Windows NAT mechanism. For more information, see Secure Network Address Translation.
  • Web proxy. Includes Web filters and the cache.
  • Firewall service. Handles connect requests sent by Firewall clients and SecureNAT clients. HTTP requests are diverted to the Web proxy.
  • Application filters. Third-party filters can be developed to extend the Firewall service by using the application filter interfaces.

ISA Server also makes use of the bandwidth control of Quality of Service (QoS) in Windows 2000. QoS is a collection of components that manages bandwidth use for a network. ISA Server applies QoS to connections according to rules established by the ISA Server administrator.

As shown in the diagram, ISA Server protects three types of clients:

• Firewall clients are computers that have the Firewall Client software installed. Requests from Firewall clients are directed to the Firewall service on the ISA Server computer to determine whether access is allowed. Subsequently, the requests can be filtered by application filters and other add-ins. If the Firewall client requests an HTTP object, the Firewall service redirects the request to the Web proxy. The Web proxy may also cache the requested object, or serve the object from the ISA Server cache. For more information on Firewall clients, see Firewall Clients.
• SecureNAT clients are computers that send requests to the ISA Server computer but do not have the Firewall Client software installed. Requests from SecureNAT clients are directed first to the NAT driver, which substitutes a global IP address that is valid on the Internet for the internal IP address of the SecureNAT client. The client request is then directed to the Firewall service, to determine whether access is allowed. Finally, the request can be filtered by application filters and other add-ins. If the SecureNAT client requests an HTTP object, the Firewall service redirects the request to the Web proxy. The Web proxy may also cache the requested object, or serve the object from the ISA Server cache.
• Web proxy clients are any browser applications compatible with the standards of Conseil Europeen pour la Recherche Nucleaire (CERN). ISA Server redirects Web requests from clients to the Web proxy on the ISA Server computer to determine whether access is allowed. The Web proxy can also cache the requested object or serve the object from the ISA Server cache.

Note  Firewall client and SecureNAT clients are mutually exclusive — that is, a client computer cannot be both a Firewall client and SecureNAT client. However, Firewall client computers and SecureNAT client computers might also be Web proxy clients. If the Web application on the computer is configured explicitly to use the ISA Server, then all Web requests (HTTP, FTP, HTTP-S, and Gopher) are sent directly to the Web proxy. All other requests are handled first by the Firewall service.