Planning an ISA Server Deployment (Part 1)

Security Policy: Hopefully, your company already has a network security policy in place, but if it doesn’t, now is definitely the time to get one, since helping to enforce that policy is probably one of the main reasons you are putting up a firewall in the first place. The security policy should plainly state which actions are acceptable and which are not, and dictate which protocols, ports, and services should be allowed both into and out of your network. It should define authentication requirements and mechanisms. It should define levels of information security, and how each level is protected. In short, your security policy should define the requirements that your company management, with the advice of the IT security folks, has determined. Then it will be up to you to translate these policies into the configuration requirements of the ISA server.

Client Requirements: You must carefully plan how your clients will use the ISA server to get secure access to the Internet or to other networks. This involves knowing your installed client base: which operating systems the clients run and which applications they use. It also involves knowing how the client software works, when you will need to install it, and how to configure it on your clients. Three basic types of clients connect to the ISA server: SecureNAT clients, Web Proxy clients, and Firewall clients. We will go into more depth on these in a later article. You also need to know how these clients will authenticate to the ISA server.

Branch Office Requirements: If you are going to include more than one location in your network behind the ISA server, you will need to determine exactly what kind of configuration you will use, and how the connection will be protected. You may use a site-to-site VPN connection for the branch office to connect to the main network, so this will have to be planned in advance.

VPN Connections: These connections definitely require advance planning, because there are several considerations that must be taken into account when configuring a VPN. First, you need to decide how it will be implemented: as a site-to-site VPN, as a remote access server for mobile clients, or both. Encryption, authentication, and VPN quarantine are likely to be key issues you will need to know about before you set up the VPN.