A bevy of ISA tips
Thinking about deploying Microsoft's Internet Security and Acceleration (ISA) Server 2000? Check out solutions to common ISA problems from security consultant, columnist and author Roberta Bragg. Bragg fielded over 60 security questions from Windows IT pros in a live expert Q&A on July 24. Here are her answers to many of your pressing ISA security questions.
Q: To fully utilize client software, does the ISA Server need to be a member of the domain?
A: If you are going to require authenticated access, any and many of the reasons for loading the client are to use applications that may require this. Consequently, to really take advantage, there needs to be some domain membership of the ISA server used as a proxy. On the other hand, I'd make my 'firewall' a standalone server and make sure domain-used ports are not open to the external network.
Q: Should DNS be on the ISA Server or on a different internal server?
A: While it is not impossible to run the DNS service on the ISA server, I would not recommend it. I'd put DNS for the internal network on a separate internal server.
Q: When using VPN on ISA with L2TP, is there an alternative to using certificates to provide authentication? Does it handle IKE packets?
A: The wizards are going to set it up with certs. Microsoft has a Knowledge Base article that says how to set up RRAS VPNs without certs. I've not tried to do this with ISA. It's theoretically possible. If you mean by handling IKE that you can put a tunnel endpoint behind ISA and it will pass L2TP over IPSec, no. If you mean, is IKE used to negotiate keys, then the answer is yes.
Q: When using VPN through ISA, my Win2k and NT4 users are unable to browse the internal network. Mapping is successful but users are required to authenticate to these resources. Is there a way to have a single point of authentication for my end users? Win9x users are authenticated when the tunnel is created.
A: Have you checked http://support.microsoft.com/support/kb/articles/q150/8/00.asp for general remote network browsing issues? You say "unable to browse" and then mention authentication problems. The article above should help with browsing. Are you saying Win98 clients are not challenged when they attempt to access some resource? Have you included the ISA as an RRAS server in Win2k? Then consider adding additional DNS suffixes in the client configurations.
Configuring ISA Server 2000: Building Firewalls for Windows 2000
Author: Tom Shinder
Publisher: Syngress Media
Published: April 2001
The complete guide to implementing ISA Server in the enterprise. Because security and network performance -- the two-pronged purpose of ISA Server -- are so important in today's interconnected world, ISA Server plays a vital role in your overall network design. "Configuring ISA Server 2000" will play an equally vital role in helping you understand Microsoft's much-anticipated Web-caching, filtering and connection-sharing software package, Internet Security and Acceleration Server.