
Module 1: Overview of Microsoft ISA Server


Document information

Title: Overview of Microsoft ISA Server
School: Microsoft Corporation
Major: Computer Science
Type: Lecture notes
Year of publication: 2001
City: Redmond
Pages: 30
Size: 1.41 MB


Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2001 Microsoft Corporation. All rights reserved.

Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.

Other product and company names mentioned herein may be the trademarks of their respective owners.


Instructor Notes

This module provides students with an introduction to Microsoft® Internet Security and Acceleration (ISA) Server 2000 and defines the associated functions and underlying concepts. The module is organized as a preview of the course content and will be entirely lecture based.

After completing this module, students will be able to:

• Explain the use of ISA Server.

• Describe the use of Web caching.

• Describe the use of firewalls.

• Identify common deployment scenarios for ISA Server.

Materials and Preparation

This section provides the materials and preparation tasks that you need to teach this module.

Required Materials

To teach this module, you need the Microsoft PowerPoint® file 2159A_01.ppt.

Preparation Tasks

To prepare for this module, you should:

• Read all of the materials for this module.

• Study the review questions and prepare alternative answers to discuss.

• Anticipate questions that students may ask. Write out the questions and provide the answers.

• Review the ISA Server Web page (www.microsoft.com/isaserver/) for updated information about ISA Server.

• Read “Deployment scenarios” in ISA Server Help.

• Read “ISA Server Usage Scenarios” in the white paper entitled “Internet Security and Acceleration Server 2000 Installation and Deployment Guide” under Additional Reading on the Trainer Materials compact disc.

• Read the white paper titled “Internet Security and Acceleration Server 2000 Enterprise Edition: Deploying the Secure Firewall, Proxy, and Web Cache at Microsoft” under Additional Reading on the Trainer Materials compact disc.

• Read RFC 2979, “Behavior of and Requirements for Internet Firewalls,” under Additional Reading on the Trainer Materials compact disc.

• Read RFC 2196, “Site Security Handbook,” under Additional Reading on the Trainer Materials compact disc.

• Read RFC 2504, “Users' Security Handbook,” under Additional Reading on the Trainer Materials compact disc.

• Read RFC 2828, “Internet Security Glossary,” under Additional Reading on the Trainer Materials compact disc.

Presentation: 45 Minutes


Module Strategy

Use the following strategy to present this module:

• Introducing ISA Server
  Introduce ISA Server to students by briefly describing the product benefits. Mention that the .NET Enterprise Servers animation is available on the Student Materials compact disc.

• Using Caching
  Use the animated slide to describe the process that ISA Server uses to cache Web content. Explain the three types of caching that ISA Server can use to accelerate Web performance for both internal and external clients.

• Using Firewalls
  Discuss how a firewall protects the internal network from intruders on the Internet by allowing only specific network traffic to come in to or to go out of an internal network.

  Describe the three types of firewall designs presented in the module.

  Explain that this course uses the term perimeter network to refer to a network that is separate from both the Internet and the private network and that contains resources to make available to users on the Internet in a secure manner. Because the terms DMZ and screened subnet are also commonly used, tell students that these terms are interchangeable.

  Ensure that students understand the terms and concepts associated with controlling network access. These terms and concepts will be presented in more detail throughout the course.

• Deployment Scenarios for ISA Server
  Before you discuss the different deployment scenarios, explain that the examples that the module presents are just some of many possible scenarios. Tell students that they can find more deployment scenarios in ISA Server Help and in the printed product documentation.

Customization Information

This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.

There are no labs in this module, and as a result, there are no lab setup requirements or configuration changes that affect replication or customization.


Overview

• Introducing ISA Server

• Using Caching

• Using Firewalls

• Deployment Scenarios for ISA Server

***************************** ILLEGAL FOR NON - TRAINER USE ******************************

The Internet enables organizations to connect with customers, partners, and employees. Although this presents new business opportunities, it can also cause concerns about security, performance, and manageability.

Microsoft® Internet Security and Acceleration (ISA) Server 2000 is designed to address the needs of today’s Internet-enabled organizations. ISA Server includes caching features that enable organizations to save network bandwidth and provide faster Web access for users. ISA Server also includes a firewall service that helps protect network resources against unauthorized access from outside of the organization’s network, while enabling efficient authorized access. Finally, ISA Server includes management and administration features that enable organizations to centrally control and manage Internet use and access.

After completing this module, you will be able to:

• Explain the use of ISA Server.

• Describe the use of Web caching.

• Describe the use of firewalls.

• Identify common deployment scenarios for ISA Server.

In this module, you will learn about using ISA Server as a cache server and as an enterprise firewall.

• Introducing ISA Server

  • ISA Server Editions

  • Benefits of ISA Server

  • Installation Modes

ISA Server is an enterprise firewall and cache server running on the Microsoft Windows® 2000 Server operating system that provides policy-based access control, acceleration, and management of internetworking. ISA Server is available in two editions that are designed to meet the business and networking needs of your organization. Whether deployed as separate components or as an integrated firewall and caching server, ISA Server provides organizations with a unified management console that is designed to simplify security and access management.

Topic Objective: To introduce ISA Server.

Lead-in: ISA Server provides benefits and deployment options to help organizations manage Internet security and access.

ISA Server Editions

• ISA Server Standard Edition

• ISA Server Enterprise Edition

ISA Server is available in two editions that are designed to meet the business and networking needs of your organization.

ISA Server Standard Edition

The standard edition provides firewall security and Web caching capabilities for small businesses, workgroups, and departmental environments. The standard edition provides robust security, fast Web access, intuitive management, and excellent price and performance for business-critical environments.

ISA Server Enterprise Edition

The enterprise edition is designed to meet the performance, management, and scalability needs of high-volume Internet traffic environments with centralized server management, multiple levels of access policy, and fault-tolerant capabilities. The enterprise edition provides secure, scalable, and fast Internet connectivity for mission-critical environments.

Topic Objective: To identify the ISA Server editions.

Lead-in: ISA Server is available in two editions that are designed to meet the business and networking needs of your organization.

Benefits of ISA Server

• Acceleration: Fast Web Access with a High-Performance Cache

• Security: Secure Internet Connectivity Through a Multilayered Firewall

• Management: Unified Management with Integrated Administration

• Extensibility: Extensible and Open Platform

ISA Server is a key member of the .NET Enterprise Server family. The products in the .NET Enterprise Server family are Microsoft’s comprehensive family of server applications for building, deploying, and managing scalable, integrated, Web-based solutions and services. ISA Server offers several benefits to organizations that want fast, secure, and manageable Internet connectivity.

Note: For more information about the .NET Enterprise Server family, view the .NET Enterprise Servers animation, which is included on the Student Materials compact disc.

Fast Web Access with a High-Performance Cache

ISA Server provides the following Web performance benefits:

• Provides faster Web access for users by retrieving objects locally rather than over a slower connection to the potentially congested Internet.

• Reduces bandwidth costs by reducing network traffic from the Internet.

• Distributes the content of Web servers and e-commerce applications efficiently and cost-effectively to reach customers worldwide.

Note: The capability for distributing Web content is available only in the ISA Server Enterprise Edition.

Topic Objective: To describe the benefits offered by ISA Server.

To present more information about the .NET Enterprise Server family, play the .NET Enterprise Servers animation. The animation is included on the Trainer Materials compact disc.

Secure Internet Connectivity Through a Multilayered Firewall

ISA Server provides the following security benefits:

• Protects networks from unauthorized access by inspecting network traffic at several layers.

• Protects Web, e-mail, and other application servers from external attacks by using Web publishing and server publishing to securely process incoming requests to internal servers.

• Filters incoming and outgoing network traffic to ensure security.

• Enables secure access for authorized users from the Internet to the internal network by using virtual private networks (VPNs).

Unified Management with Integrated Administration

ISA Server provides the following management benefits:

• Controls access centrally to ensure and enforce corporate policies.

• Improves productivity by limiting Internet use to approved applications and destinations.

• Allocates bandwidth to match business priorities.

• Provides monitoring tools and produces reports that show how Internet connectivity is used.

• Automates commonly performed tasks by using scripts.

Extensible and Open Platform

ISA Server provides the following extensibility and customization benefits:

• Addresses security and performance needs that are specific to an organization by using the ISA Server Software Development Kit (SDK) for in-house development of add-on components.

• Extends security and management functionality with third-party solutions.

• Automates administrative tasks with scriptable Component Object Model (COM) objects.

Installation Modes

• Cache Mode

• Firewall Mode

• Integrated Mode

• Features Available with Each Mode

You can install ISA Server in three different modes: cache mode, firewall mode, and integrated mode.

Cache Mode

In cache mode, you can improve network performance and save bandwidth by storing frequently accessed Web objects closer to the user. You can then route requests from clients to a cache server that holds the cached objects.

Firewall Mode

In firewall mode, you can secure network traffic by configuring rules that control communication between an internal network and the Internet. You can also publish internal servers, which enables an organization to share data on its network with partners or customers.

Integrated Mode

In integrated mode, you can combine the firewall and cache services on a single host computer. Although organizations can deploy ISA Server as a separate firewall or as a separate caching server, you can combine the firewall and cache server by choosing integrated mode. Many organizations can benefit from unified administration of caching and firewall functions.

Topic Objective: To identify the installation modes and associated features of ISA Server.

Lead-in: There are three modes for installing ISA Server.

Features Available with Each Mode

Depending on which mode you select, different features are available. The table below lists the features that are available for the firewall and cache modes. In integrated mode, all of the features are available.

| Feature | Description | Firewall mode | Cache mode |
|---|---|---|---|
| Access policy | Defines which protocols and Internet content that clients who are located behind an ISA Server computer can use and which content they can gain access to | Yes | HTTP and FTP only |
| Web caching | Stores frequently retrieved Web objects in random access memory (RAM) and on the hard disk of an ISA Server computer | No | Yes |
| VPNs | Extend a private network by using links across shared or public networks like the Internet | Yes | No |
| Packet filtering | Controls the flow of IP packets to and from the external adapter of an ISA Server computer | Yes | No |
| Application filters | Perform protocol-specific or system-specific tasks, such as authentication, to provide an extra layer of security for the firewall service | Yes | No |
| Web publishing | Makes internal Web servers available to external clients | No | Yes |
| Server publishing | Makes internal application servers available to external clients | Yes | No |
| Real-time monitoring | Enables you to centrally monitor the ISA Server computer activity, including alerts, sessions, and services | Yes | Yes |
| Alerts | Notify you when specific events occur and execute corresponding actions | Yes | Yes |
| Reports | Summarize and analyze the activity occurring on one or more ISA Server computers | Yes | Yes |

Delivery Tip: Explain that the tasks associated with each of these features will be presented during the course.

• Using Caching

  • The Caching Process

  • Types of Caching

Caching improves network performance by maintaining a cache of frequently accessed Web objects. You can deploy ISA Server as a forward caching server to improve the speed at which users on your internal network can access Internet resources. You can also deploy ISA Server as a reverse caching server to improve the speed at which external users can access selected Web resources that you make available to the Internet. In addition, you can distribute the cache across multiple ISA Server computers. By distributing the cache, a client can access content from the ISA Server computer that is closest to the client. Distributed caching also provides load balancing and fault tolerance in a network that has multiple ISA Server computers.

Topic Objective: To introduce the topics related to the use of

The Caching Process

[Slide: GET www.nwtraders.msft; Object is sent from Internet; Object is sent from cache]

The process that ISA Server uses to cache content is similar to the process that a Web browser uses to save temporary Internet files. Most Web browsers cache objects locally, storing requested Web pages in a folder on a computer’s hard disk. The Web browser then gains subsequent access to the same objects by retrieving the objects from the local hard disk. ISA Server takes this concept one step further and maintains a centralized cache of frequently requested Web objects to improve performance for multiple users.

The following steps describe the caching process that ISA Server uses to retrieve Web objects for clients:

1. Client 1 requests a Web object.

2. If the object is not already in the ISA Server cache, ISA Server retrieves the object from the Web server on the Internet.

3. The Web server on the Internet returns the object to the ISA Server computer. ISA Server retains a copy of the object in its cache and returns the object to Client 1. The time that it takes the client to receive the object and the resulting Internet traffic are approximately the same as if the client had accessed the object directly.

4. Client 2 requests the same Web object.

5. ISA Server returns the object from its cache rather than obtaining it from the Web server on the Internet. The client receives the object much more quickly, and the request requires no Internet traffic.
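The five steps above as a minimal shared forward cache in Python; this is an added example, not part of the original course material and not ISA Server code. It goes one step beyond the text by refusing to store responses marked `private` or `no-store`, or fetched with credentials, because a cache shared by many clients must not hand one user's content to another. `constructed_origin`, the `/account` path and the header values are constructed for illustration, and freshness and expiry are left out.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, Tuple


@dataclass
class Response:
    body: bytes
    cache_control: str = ""  # raw Cache-Control header value from the origin


def shareable(req_headers: Dict[str, str], resp: Response) -> bool:
    """May a cache shared by many clients keep this response?"""
    directives = {d.split("=")[0].strip().lower()
                  for d in resp.cache_control.split(",") if d.strip()}
    if directives & {"no-store", "private"}:
        return False
    if any(h.lower() == "authorization" for h in req_headers):
        # Fetched with credentials: store only if the origin explicitly allows it.
        return bool(directives & {"public", "s-maxage", "must-revalidate"})
    return True


@dataclass
class ForwardCache:
    origin: Callable[[str, Dict[str, str]], Response]  # hypothetical fetcher
    store: Dict[str, Response] = field(default_factory=dict)
    origin_fetches: int = 0

    def get(self, url: str, req_headers: Dict[str, str] = None) -> Tuple[str, bytes]:
        req_headers = req_headers or {}
        if url in self.store:                      # step 5: served from cache
            return "cache", self.store[url].body
        resp = self.origin(url, req_headers)       # step 2: go to the Web server
        self.origin_fetches += 1
        if shareable(req_headers, resp):           # step 3: retain a copy
            self.store[url] = resp
        return "Internet", resp.body


def constructed_origin(url: str, headers: Dict[str, str]) -> Response:
    """Constructed stand-in for the Web server on the Internet."""
    if url.endswith("/account"):
        user = headers.get("Authorization", "anonymous")
        return Response(f"account page for {user}".encode(), "private")
    return Response(b"<html>home page</html>", "max-age=3600")


def demo():
    cache = ForwardCache(constructed_origin)
    home = "http://www.nwtraders.msft/"
    account = home + "account"
    results = [
        cache.get(home),                                   # Client 1: miss
        cache.get(home),                                   # Client 2: hit
        cache.get(account, {"Authorization": "client1"}),  # personalised page
        cache.get(account, {"Authorization": "client2"}),  # must not be reused
    ]
    return results, cache.origin_fetches


if __name__ == "__main__":
    for source, body in demo()[0]:
        print(source, body)
```

The second request for the home page never reaches the origin, while the two account requests each do, so neither client sees the other's page.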

Topic Objective: To describe the process that ISA Server uses to cache content.

Lead-in: The process that ISA Server uses to cache content is similar to the process that a Web browser uses to save temporary Internet files.

Delivery Tip: The slide for this topic includes animation. Click or press the SPACEBAR to advance the animation.

Types of Caching

Forward Caching

Reverse Caching

Distributed Caching


The caching service accelerates Web performance for both internal and external clients. ISA Server supports both forward caching for outgoing requests and reverse caching for incoming requests. In addition, the cache can be distributed across multiple ISA Server computers.

Reverse Caching

You can use reverse caching to provide external clients with access to Web objects from an internal Web server. The ISA Server computer, which is located in front of the Web server, forwards requests to the internal Web server only when it cannot retrieve a requested object from its cache. ISA Server improves the speed at which external clients receive Web objects.

Distributed Caching

You set up an array of ISA Server computers to perform distributed caching. An array is a group of ISA Server computers that you manage as a single, logical entity. Distributing cached objects enhances caching performance through load balancing and provides fault tolerance if an ISA Server computer is unavailable. You can distribute both forward caching and reverse caching.

Distributed caching is available in only the ISA Server Enterprise Edition.

Topic Objective: To describe the types of caching supported by ISA

• Using Firewalls

  • Firewall Overview

  • Bastion Host

  • Perimeter Network with Three-Homed Firewall

  • Perimeter Network with Back-to-Back Firewalls

  • Filters and Network Access

A firewall is a system, consisting of hardware, software, or a combination of both, that is designed to protect private networks from unauthorized access. There are several types of firewall designs, including bastion hosts and perimeter networks with a three-homed firewall or with back-to-back firewalls. Firewalls use packet filtering and other types of filtering to control network access.

Topic Objective: To identify the topics related to the use of firewalls.

Lead-in: A firewall is a system that is designed to protect private networks from unauthorized access.

Date posted: 22/10/2013, 19:15
