|
Microsoft® Internet Security and Acceleration (ISA) Server 2006 uses various communication layers to protect the corporate network. At the packet layer, ISA Server implements a firewall policy, to control data on the network interface and evaluate traffic before it reaches any resource. Data is allowed to pass only after the Microsoft Firewall service processes rules to determine whether the request will be serviced.
ISA Server protects three types of clients: Firewall clients, SecureNAT clients, and Web Proxy clients, as illustrated in the figure.
 Deployment Considerations
Choosing which ISA Server clients to support depends on the ISA Server deployment scenario and existing network infrastructure. The following table summarizes client requirements and deployment details.
| Feature |
SecureNAT client |
Firewall client |
Web Proxy client |
|
Deployment details
|
No software deployment required. To configure a computer as a SecureNAT client, set the computer's default gateway address to route Internet requests to the ISA Server computer.
|
Firewall Client software must be installed on client computers.
|
No software deployment required. To configure a computer as a Web Proxy client, configure Web browser settings on the computer to use the ISA Server computer as a Web proxy. For automatic detection of Web browser settings, Web Proxy Automatic Discovery (WPAD) must be configured in Domain Name System (DNS) or Dynamic Host Configuration Protocol (DHCP).
|
|
Operating system support
|
Any operating system that supports TCP/IP can be used.
|
Microsoft Windows Server™ 2003 or Windows® 2000 Server operating systems are required.
|
All platforms are supported, but by way of the Web application. Web browsers that can be configured to use a proxy server can act as Web Proxy clients.
|
|
Protocol support
|
Supports all simple protocols. Complex protocols requiring multiple primary or secondary connections require an application filter on the ISA Server computer.
|
All Winsock applications are supported.
|
The Web Proxy client supports Hypertext Transfer Protocol (HTTP), HTTP over SSL (HTTPS), and File Transfer Protocol (FTP) for download requests.
|
|
User-level authentication
|
SecureNAT clients cannot be authenticated by ISA Server.
|
The Firewall client automatically sends client credentials with requests to the ISA Server computer.
|
Web Proxy clients can be authenticated if ISA Server requests credentials. No credentials are supplied if anonymous access is enabled.
|
|
Other considerations
|
Use for clients that are not Windows clients. Use if support for protocols other than TCP or UDP (such as ICMP or GRE) is required. Configure published servers as SecureNAT clients if you want to forward the original source IP address of the client to the published server.
|
Use when support for secondary protocols is required. Use for strong access controls. Records user names in logs.
|
Use for user-based Web access, Web proxy chaining, and automatic detection of configuration settings. Good performance because Web requests are forwarded directly to Web Proxy Filter.
|
The way in which ISA Server handles a request from a client in its internal networks depends on how the client computer is configured, and the type of request being made. For example:
- On a Firewall client computer (with Firewall Client software installed and enabled), requests generated by applications that use Winsock application programming interfaces (APIs) are intercepted by the Firewall Client software. If the address requested is local, the connection is made directly. Otherwise, it is sent to the Firewall service on the ISA Server computer.
- On a Firewall client computer or a SecureNAT client computer that does not have Web Proxy client settings configured, Web requests (HTTP, HTTPS, or FTP for downloads) from the client are passed transparently to the Web proxy listener for the network on which the request is received. This is known as transparent network address translation (NAT).
- On any computer that is configured as a Web Proxy client, Web requests are sent directly to the Web proxy listener.
(责任编辑:admin) |
