Understanding ISA Server Arrays and Policies

Microsoft Internet Security and Acceleration (ISA) Server introduces several terms that you need to understand to effectively configure and deploy ISA Server within your network. Arrays are simply a group of ISA Server systems that are all housed at the same site (e.g., a branch office or department). Two types of arrays exist: domain arrays and independent arrays. Domain arrays require an Active Directory (AD)-enabled network and must all be housed in the same Windows 2000 domain. Independent arrays store their information in a local configuration database rather than in AD. If you're running ISA Server on a Windows NT 4.0 domain, configure your systems in an independent array. If your systems are in an AD-enabled Win2K network, choose a domain array—even if you have only one ISA Server system. The reasons for this recommendation are that domain arrays leverage AD for configuration data storage, they can support the application of companywide policies, and you can easily extend this type of array in the future.

You can create a variety of rules at the array level, including rules related to site and content, protocols, Web publishing, and IP packet filters. This collection of rules constitutes an array policy, which controls how ISA Server permits clients to communicate with the Internet. You can apply an array policy only to ISA Server systems within an array. Enterprise policies contain similar rules, but you can apply enterprise policies across arrays. A local array policy can modify an enterprise policy, but only by making it more strict—array policies can't relax or reverse enterprise policies. Enterprise policies are the obvious choice for AD networks because they let high-level administrators define companywide policies that can be applied throughout the organization.