Considering Cost and Complexity
One of the items that must be considered in the deployment of ISA Server is the impact of client deployment and network configuration. We have already noted the different types of clients and commented on the configuration issues for each, as well as the changes that might be necessary to the network infrastructure. Now that you have some knowledge of the possibilities, how do you make sound choices that ensure that the client choices meet your needs while reducing the cost and complexity of the rollout? To assess client requirements, consider three areas:
General client needs assessment
Network infrastructure changes
Authentication issues
Considering Authentication Issues
Requiring client authentication is generally used to ensure that only qualified individuals can access Internet resources, and/or to ensure that a detailed log of who accessed what can be kept. While this provides important control over user access, it increases complexity and thus the potential cost of deployment and management. The fallout will be felt in several areas:
Requirements for the use of specific ISA Server clients.
Increased knowledge of and implementation of user rules and ISA Server configuration to support the authentication methods and clients chosen.
Potential infrastructure changes to provide services required.
Not all clients can pass authentication information to the ISA Server. SecureNAT clients cannot do this. This means that either Web proxy or Firewall clients must be used, and additional configuration is therefore required.
If Web proxy clients are used, then further issues must be considered. The Web proxy software must be capable of forwarding authentication information to the ISA Server. Internet Explorer can do this; Netscape Navigator cannot. You will need to check carefully the capabilities of any Web proxy client you may want to use. In addition, if Web proxy clients are used, the ISA Server must be configured to require authentication of all users. This is because a browser is configured to perform anonymous authentication and the ISA Server, by default, is configured to accept it. If you want IE to pass authentication information to the ISA Server, you must force it to do so.
Configuring clients can be as simple as changing the client default gateway (SecureNAT client) or as complex as configuring individual client configuration files (Firewall client). The more complex the client, the more knowledge is needed to ensure that clients and servers are correctly configured during deployment and maintained during production. There is also a heavier burden on help-desk staff and firewall administrators as they cope with client issues. Because a client system can be configured to use more than one ISA Server client type at once, diagnosing access problems becomes harder: not only is there more to configure, more can go wrong.
Chained Authentication
When a client request is passed from one ISA Server to another, authentication information can also be transferred. However, in some cases the upstream server may not be able to determine the client that is requesting the object. This may be because the upstream server requires that the downstream server use an account in order to connect. In this case, it is this account information that is passed to the upstream server. Otherwise, the client's authentication information will be passed to the upstream server. If authentication information is not required for all clients, then it is possible that access rules that rely on user identification may not be processed in the manner that you require.
Requiring client authentication may not specifically impact network infrastructure. If Windows 2000 domain structures are already in place and the ISA Server computer is a member of a domain in the forest, then Windows 2000 security groups and accounts can be used for authentication. If the ISA Server computer is a Windows 2000 standalone system, then its local account database can be used. If deployment of the ISA Server computer is the deciding factor in initializing a Windows 2000 Active Directory infrastructure, then significant infrastructure changes will be involved. The scope of these changes is beyond that of this chapter or this book. Several good Windows 2000 infrastructure books are recommended at the end of this chapter.
However, if client authentication via SSL is required, then you may need to deploy a Public Key Infrastructure (PKI) including a certificate server or otherwise obtain client certificates that may be used by the servers requiring their use. For assistance on deploying a PKI and/or in deploying and using Microsoft certificate services please see the references at the end of the chapter.
Assessing General Client Needs
To assess client needs you should ask the following questions:
Is your only usage of ISA Server forward caching of Web objects? Then consider using only SecureNAT clients. There is no software installation required; you are only obligated to ensure that Web requests are forwarded to the ISA Server.
Do you want the least costly, least complex solution? Most, if not all, clients should be SecureNAT clients. SecureNAT clients can take advantage of ISA Server application filters to use many other protocols in addition to the typical Web protocols.
Do you require that all clients authenticate before they can access the Web? Are you configuring user-based rules? Firewall clients are your best choice. While Web proxy clients can be used, you must ensure that authentication is requested of all clients and that the Web proxy application is capable of passing authentication information to the ISA Server. SecureNAT clients do not support user authentication.
Will you be publishing servers located on your internal network? These servers should be configured as SecureNAT clients. These servers can be Firewall clients, but that configuration will increase the complexity of the arrangement.
Do you want to improve efficiency of the ISA Server computer for caching? Web proxy clients will directly use the Web proxy service. SecureNAT clients and Firewall clients use the firewall service and their HTTP requests are forwarded to the Web proxy service.
Do you have client operating systems and types other than Windows? Other clients such as Macintosh, Unix, and Linux can utilize SecureNAT and Web proxy client types.
Would you like to cache FTP requests? Use Web proxy clients. FTP requests made through the Web proxy application can be cached.
Evaluating Network Infrastructure Changes
Installing ISA Server(s) to provide Internet access control and/or Web caching capability can result in numerous network infrastructure changes. The cost and complexity of deploying and maintaining these changes is dependent on the type of clients to be used as well as the nature of your infrastructure.
SecureNAT clients potentially entail few infrastructure changes. This does not mean the cost will be low, rather that the modifications are simple. If SecureNAT clients need to be pointed directly to the internal interface of the ISA Server, that information can be provided in DHCP or manually configured for those clients with static IP addresses. If multiple SecureNAT clients must be visited in person, then you must budget your time and cost accordingly. In a larger environment, however, SecureNAT clients may already be pointed to network routers for internal routing. These routers must be configured to route Internet requests to the ISA Server. Your time and cost are dependent on the number of routers that must be configured and the complexity of this configuration change.
If Web proxy or Firewall clients need to be configured for automatic discovery, then you may need to configure DHCP and/or DNS servers to provide information on where to locate the ISA Server. The protocol used is the Web Proxy Auto-Discovery (WPAD) protocol.
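What a Web proxy client actually retrieves once WPAD has told it where to look is a proxy auto-configuration (PAC) script, served as wpad.dat from the host that DHCP option 252 or the DNS name wpad.<domain> points at. The following is an added example, not part of the chapter or of ISA Server itself, of such a script: it keeps requests for plain host names, the internal DNS domain and the internal address range off the proxy, and sends everything else to the ISA Server's Web proxy listener. The internal domain corp.example, the 10.0.0.0/8 range and the ISA internal interface 10.0.0.1 are constructed values; TCP 8080 is ISA Server 2000's default Web proxy port. Because a browser normally supplies isPlainHostName, dnsDomainIs and isInNet, minimal stand-ins are included so the script can be checked outside a browser. Note that this script only routes the request; as the text above explains, the ISA Server must still be configured to require authentication, or the browser will connect anonymously.

```javascript
// Added example (not from the chapter): a WPAD/PAC script that keeps internal
// traffic DIRECT and forwards all other Web requests to the ISA Server Web proxy.
// Constructed assumptions: internal domain "corp.example", internal network
// 10.0.0.0/8, ISA Server internal interface 10.0.0.1, Web proxy listener on
// TCP 8080 (ISA Server 2000's default). A real deployment serves this file as
// http://wpad.<domain>/wpad.dat (DNS) or at the URL given in DHCP option 252.

// Stand-ins for the helper functions a browser provides to PAC scripts.
// They exist only so the script can be exercised offline; browsers ignore them
// in favour of their own implementations with identical names.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;                 // "intranet" but not "a.b"
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + parseInt(octet, 10), 0) >>> 0;
}

function isInNet(host, pattern, mask) {
  // The browser's isInNet resolves names; this shim only handles dotted quads,
  // so names that are not literal addresses are treated as "not in the net".
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return false;
  return (ipToInt(host) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Constructed: the ISA Server internal interface and Web proxy port.
const ISA_PROXY = "PROXY 10.0.0.1:8080";

// The entry point every PAC script must define. No "; DIRECT" fallback is
// appended: if the proxy is unreachable the request should fail rather than
// silently bypass the firewall.
function FindProxyForURL(url, host) {
  if (isPlainHostName(host)) return "DIRECT";                  // single-label names
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";      // internal domain
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT"; // internal addresses
  return ISA_PROXY;                                            // everything else
}

// Convenience for review: evaluate a list of URLs and return the decisions.
function routeAll(urls) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    return { url: u, route: FindProxyForURL(u, host) };
  });
}

// Constructed sample requests to show the decisions the script makes.
const SAMPLE_URLS = [
  "http://intranet/",
  "http://hr.corp.example/",
  "http://10.0.5.20/reports",
  "http://www.example.com/",
  "ftp://ftp.example.org/pub/",
];

if (typeof require !== "undefined" && require.main === module) {
  for (const r of routeAll(SAMPLE_URLS)) console.log(r.route.padEnd(22), r.url);
}
```

When checking a script like this, the cases worth testing are the ones that decide whether a request is allowed to bypass the firewall: single-label names, the internal domain suffix, and literal internal addresses. Anything that does not match one of those must come back as the proxy string, and nothing should return a bare DIRECT for an external host.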