
More ISA tips

Answers to user questions on the Internet Security and Acceleration Server.

Roberta Bragg

Thinking about deploying Microsoft's Internet Security and Acceleration (ISA) Server 2000? Check out solutions to common ISA problems from security consultant, columnist and author Roberta Bragg, who fielded over 60 security questions from Windows IT pros in a live expert Q&A on July 25. Here are her answers to many of your pressing ISA security questions.


Q: What special configuration is needed when installing ISA into an NT4 network? Are there benefits to installing on a native 2000 network?
A: On a Win2k network you can create ISA arrays and gain many advantages.

Q: When we set up our ISA system, we noticed that though the ISA part worked, after we installed it we couldn't use IE to get on the Internet on that machine. Must the proxy client be loaded on the firewall machine as well?
A: No, no, NO! Do not load the firewall client on the ISA server! This is a security risk! You can use IE from the ISA Server, but you must configure its LAN settings to point to the proxy address.

Q: What's the difference between ISA LAT and General Firewall NAT?
A: LAT is the local address table. It records which subnets or ranges are on the internal network. All others are considered to be on the external. This allows ISA to determine if it needs to NAT the request and pass it external. ISA does do NAT. It uses and enhances the NAT service of Win2k.
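
An added example, not part of Roberta Bragg's answer and not ISA Server's own code: a Python model of the LAT decision described above, plus an audit helper that lists LAT entries outside RFC 1918 private space, since any address in the LAT is treated as internal. The sample LAT entries, the function names, and the assumption that the internal network uses only RFC 1918 addresses are illustrative.

```python
import ipaddress

# Constructed sample LAT: a CIDR subnet and two from-to ranges.
# The last entry is a documentation range standing in for a public
# range that was added to the LAT by mistake.
SAMPLE_LAT = [
    "192.168.10.0/24",
    "10.0.0.0-10.0.255.255",
    "203.0.113.0-203.0.113.255",
]

# Assumption: the internal network is addressed only from RFC 1918 space.
RFC1918 = [ipaddress.IPv4Network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lat(entries):
    """Turn 'a.b.c.d/nn' or 'from-to' strings into IPv4 networks."""
    nets = []
    for entry in entries:
        if "-" in entry:
            first, last = (ipaddress.IPv4Address(p.strip())
                           for p in entry.split("-"))
            if first > last:
                raise ValueError(f"range start is after range end: {entry}")
            nets.extend(ipaddress.summarize_address_range(first, last))
        else:
            nets.append(ipaddress.IPv4Network(entry.strip(), strict=True))
    return nets


def is_internal(addr, lat):
    """An address is internal only if some LAT entry contains it."""
    ip = ipaddress.IPv4Address(addr)
    return any(ip in net for net in lat)


def needs_nat(src, dst, lat):
    """Internal source, destination outside the LAT: translate and pass external."""
    return is_internal(src, lat) and not is_internal(dst, lat)


def public_lat_entries(lat):
    """Audit: LAT networks not fully inside RFC 1918 space (would be trusted as internal)."""
    return [net for net in lat
            if not any(net.subnet_of(private) for private in RFC1918)]
```

Running `public_lat_entries(parse_lat(SAMPLE_LAT))` returns the `203.0.113.0/24` entry, which is the one to review before trusting the table.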

Q: Will we have to upgrade the ISA server once the XP ISA Server is released and/or when you have XP servers?
A: There is no public information available on that.

Q: Does ISA Server provide low-layer, stateful packet inspection?
A: Yes.

Q: I want to use dial-on-demand together with Secure NAT. Is this possible or do I have to install Firewall Client everywhere?
A: Dial-on-demand is implemented via RRAS. As such, a request for a resource outside the LAT will prompt a dialup connection. It really has nothing to do with what client is used. You will want to test your configuration thoroughly before implementation.


Related Book

MCSE Training Guide (70-227): ISA Server 2000
Author: Roberta Bragg
Publisher: New Riders
Published: Jul 2001
Summary:
To round out our line of Training Guide products for the Windows 2000 exams, New Riders offers this title on ISA Server 2000. This exam is currently one of the hottest Microsoft .NET-family product certifications, targeting the part of the administrator audience involved with security. This book is based on the objectives of Microsoft MCSE Exam 70-227, which is already in development at Microsoft as part of the MCSE 2000 curriculum. It covers all relevant exam material. This will not just prepare individuals to answer questions on an exam, but will help the individual understand the product and learn to work with it.
