The ISA Team Answers Your Technical Questions
Read the ISA Server team's responses to readers' wide-ranging technical questions.
March 28, 2005
Respondents to our survey about Internet Security and Acceleration (ISA) Server 2004 asked numerous technical questions that we didn't have space to discuss in Hey Microsoft!, "How Trustworthy Is ISA Server 2004?" However, the ISA Server team responded to queries about using ISA Server to block spyware and viruses, download Windows updates, and filter packets; running ISA Server in conjunction with an existing firewall; and setting up a VPN between ISA servers at different sites.
Can I control access to certain web sites with ISA Server? Can I block installation of Spyware?
To answer the first question: yes, you can control access to certain web sites with ISA Server 2004. More information on securing internet access for your users is found in this document: http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/controllingsecureinternetaccess.mspx
“Spyware” is a broad term that encompasses a wide range of unwanted software. For ISA Server customers, Microsoft works with a number of third parties who provide a variety of individual solutions. Some of these partners have solutions that also provide URL Filtering and Content Filtering capabilities, which can help address certain spyware threats. These can be found here: http://www.microsoft.com/isaserver/partners/default.asp.
Can I use ISA to download Windows Security Update without using SUS or Windows update or SMS 2003? Can patch management be handled more efficiently?
ISA Server 2004 should not be used to download Windows security updates without Microsoft Software Update Services (SUS), Windows Update or Systems Management Server (SMS) 2003. We recommend that customers continue to use their existing patch management solutions such as SUS or SMS 2003 to ensure they are obtaining the highest level of security possible.
What is Enterprise vs Standard?
The focus of ISA Server 2004 Enterprise Edition is to enhance three main areas for enterprise deployments: scalability, manageability, and availability. Similar to the differences seen in ISA Server 2000, updated features will address synchronizing firewall policies across an organization, enabling large-scale deployments of ISA Server, and building fault-tolerant ISA Server network infrastructure.
Can ISA Server 2004 avoid viruses without an antivirus?
ISA Server 2004 is specifically designed to provide more advanced protection, ease of use, and high performance for your Microsoft applications, such as Exchange Server 2003, Internet Information Services (IIS), and SharePoint Portal Server 2003. While it is a viable and valuable Web caching, firewall, and VPN solution, Microsoft does encourage customers to additionally protect themselves from attack by using a recommended anti-virus product to maximize security benefits. Anti-virus partners with solutions integrated with ISA Server 2004 can be found at: http://www.microsoft.com/isaserver/partners/default.asp
Does ISA Server 2004 perform deep packet filtering?
ISA Server 2004 performs filtering at three levels: packet, circuit, and application layer filtering. Packet filtering configuration options include settings for modifying IP fragments, IP options, and IP routing.
Can ISA Server run on Server 2003 Web Edition?
No, it cannot. The main purpose of Windows Server 2003 Web Edition is to be used to deploy Web pages, Web sites, Web applications, and Web services.
Can it be used in conjunction with our already in place firewall?
Yes. ISA Server 2004 can be used in conjunction with a pre-existing firewall. As such, it features a completely updated security architecture that has been specifically designed to help protect Microsoft applications, such as Exchange Server and Outlook Web Access (OWA), SharePoint and Internet Information Systems (IIS). Its integration with Windows® Active Directory® services also enables administrators to apply user-level policy and authentication across a broad range of scenarios, including firewall policy, VPN authentication, and outbound Web proxy and access control.
Can you create some templates and/or wizards for common needs such as OWA or RPC over HTTP?
ISA Server 2004 includes templates and wizards for easily and securely enabling Exchange on the Internet for these common scenarios. For more information on ease of use features of ISA Server 2004 in enabling Exchange on the Internet, please take a look at the following documents:
ISA + Exchange Deployment Kit
http://download.microsoft.com/download/1/8/8/188ab94a-4ec5-4746-ac0f-a18177040fbf/ISA2004SE_exchangekit-Rev%201%2005.doc
Using ISA Server 2004 with Exchange Server 2003:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/exchage2003.mspx
Outlook Web Access Server Publishing in ISA Server 2004:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/owapublishing.mspx
What is ISA Server 2004’s compatibility with SBS 2003?
More information on ISA Server 2004 and SBS 2003 can be found here:
http://www.microsoft.com/windowsserver2003/sbs/techinfo/overview/generalfaq.mspx.
How do I easily set up a tunnel between two ISA servers in two different sites?
Information on implementing site-to-site VPN with ISA Server can be found in the following documents:
Site-to-Site VPN in ISA Server 2004:
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/sitetositevpn.mspx
ISA Server 2004 VPN Deployment Kit:
http://download.microsoft.com/download/3/7/b/37b0cbc4-e578-4082-a779-de4fbe876f06/ISA2004SE_vpnkit-Rev%201%2004.doc
I'm a bit dubious about SSL to SSL bridging. This means that the message does not stay encrypted from source to destination. Is this a security hole? Could messages be intercepted and decrypted by a 'rogue' ISA server?
SSL bridging requires that certificates of published sites be installed on the ISA Server. SSL bridging also provides the benefit of the advanced application layer filtering of ISA Server to inspect all traffic. The ISA Server SSL-to-SSL bridging feature allows stateful inspection of SSL connections and prevents attackers from hiding exploits inside the SSL channel. ISA Server decrypts the packets, inspects them for attack code, and then re-encrypts them. The re-encrypted packets are forwarded to the secure SSL Web server on the corporate network.
When is Enterprise Edition available?
ISA Server 2004 Enterprise Edition will be available in the first half of 2005.
Where can I find a tutorial for ISA Server 2004?
There is a wealth of information available to customers and those interested in trying out ISA Server 2004. The following links will send you to a number of customer case studies and how-to guides on installation and usage:
http://www.microsoft.com/isaserver/techinfo/default.asp
Main Website:
http://www.microsoft.com/isaserver
Trial software:
http://www.microsoft.com/isaserver/evaluation/trial/default.asp
Evaluation VPC environment:
http://www.microsoft.com/technet/traincert/virtuallab/isa.mspx