Start with 7 free days of training.

Gain instant access to our entire IT training library, free for your first week.
Train anytime on your desktop, tablet, or mobile devices.

Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition

This exam is retired. For a complete list of retiring Microsoft exams, click here.

E-mail filtering, internet firewalls and web caching are just some of the things you'll learn with these videos on the Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. By time you complete this course, you will be able to understand, install, and configure ISA Server 2000 Firewall and Caching features to support a worldwide, enterprise organization.

Turn your ISA Server into a top-notch e-mail filtering system allowing you to screen e-mails based on keyword, sender, and attachment type or size, and use the latest optimization and tuning tricks to ensure ISA Server runs at peak performance levels. In addition, you will find out how to make ISA Server 2000 integrate seamlessly with Windows 2003.

All trademarks and copyrights are the property of their respective holders....
This exam is retired. For a complete list of retiring Microsoft exams, click here.

E-mail filtering, internet firewalls and web caching are just some of the things you'll learn with these videos on the Microsoft Internet Security and Acceleration (ISA) Server 2000, Enterprise Edition. By time you complete this course, you will be able to understand, install, and configure ISA Server 2000 Firewall and Caching features to support a worldwide, enterprise organization.

Turn your ISA Server into a top-notch e-mail filtering system allowing you to screen e-mails based on keyword, sender, and attachment type or size, and use the latest optimization and tuning tricks to ensure ISA Server runs at peak performance levels. In addition, you will find out how to make ISA Server 2000 integrate seamlessly with Windows 2003.

All trademarks and copyrights are the property of their respective holders.
 show less
1. Introduction to ISA Server 2000 (24 min)
2. Pre-Install Planning and Installation (29 min)
3. ISA Server Management and Client Configuration (30 min)
4. Understanding and Configuring Policy Elements (23 min)
5. Creating Rules and Using Authentication (36 min)
6. Configuring Caching (29 min)
7. Designing and Configuring Virtual Private Networking (29 min)
8. ISA Firewalls Part 1: Server Security & Firewall Design (35 min)
9. ISA Firewalls Part 2: Packet and Application Filters (43 min)
10. Publishing Part 1: Overview and Web Publishing (29 min)
11. Publishing Part 2: Publishing and H.323 (45 min)
12. Monitoring and Reporting (46 min)
13. Enterprise Strategies Part 1: ISA Server Arrays (31 min)
14. Enterprise Strategies Part 2: Scaling ISA Server (39 min)
15. Optimization and Integration with Windows 2003 (30 min)

Introduction to ISA Server 2000


Introduction to ISA Server 2000. The goal of this Nugget is simple. By the time you're done here, you'll understand what ISA Server is and how it could apply to your network. And I'm going to do that through four major objectives. First off, I'm going to introduce what ISA Server 2000 is, what does it mean to you.


And when you hear Microsoft refer to ISA Server, they usually call it the ISA Web Caching and Firewall Server. Well, what does that marketing garb mean? What is web caching and what is a firewall? Because, when a lot of people think of a firewall, they think of going down to CompUSA and picking up one of those Linksys routers that has the built-in firewall.


Is this the same thing? Does it give us any more options? Does it do anything else. We'll talk about that. Finally, it doesn't matter whether your network has a single internet connection that's maybe using DSL, or it could be a huge network with hundreds of locations around the world, ISA Server could be used in either one of those deployments.


We'll look at some of the deployment scenarios and how we would use it in each. So let's start with the obvious question-- what is the ISA Server. Well, overall, it's a piece of software that installs on any Windows 2000 or 2003 server platform that acts as a gateway between your internal network and the internet.


And when you install the ISA Server, you get the following benefits. Number one is web caching, this allows you to store content from the internet locally on your ISA server. Imagine this-- you have 100 users on your internal network. And I'll represent those 100 users with this one computer right here.


Like standard users, every morning at about 8:00 AM, they'll open their web browser and download CNN.com or USA Today. What that would mean, without the server in place, is that they would go to the internet 100 times to get that content, even though it's the same content, again and again and again.


The ISA server can store that content locally. So for the 99 extra accesses, it can retrieve it from its own hard drive rather than going out to the internet. That does two things. One is it saves your internet bandwidth in a big way. You don't have to go out to the internet 100 times.


Two is from the perspective of those internal users. You have a killer internet connection because they're getting it at-- what-- probably 100 megabits per second, if you're using a modern network interface and modern network switches. 100 megabit per second is really fast to start receiving that data into your web browser.


Furthermore, ISA Server has improved on that-- and they have features like active caching and we'll talk about all these in a future Nugget-- but active caching allows the ISA Server to become intelligent. It can predict what your users are going to do based on the traffic patterns of the past.


It will see everybody going to CNN.com at 8:00 in the morning. And what it will do is learn that it can download CNN at 7:30 in the morning before anybody gets there to minimize that traffic load when everybody arrives. You can also do scheduled content download, which means you can say, well, at 1:00 o'clock AM, I want to download the following sites and go through that checklist of what you want to download locally for the next upcoming day.


The second major benefit that we get with the ISA Server is a multilayered firewall. I mentioned on the previous slide that I would tell you the difference between ISA Server and one of the D-link or Linksys routers that you could pick from CompUSA, and this is it-- the ability to use it as a multilayered firewall, meaning you can monitor at all seven layers of the OSI model.


Here's the scenario-- we have a fairly technical user, represented by this squiggly-faced computer on our internal network. And at our company, we have a T3 line in place. Now this user might be downloading a ton of files using FTP because they realize they can get it much faster here than they could at home.


That wastes our valuable internet bandwidth. So we might think, well, I want to put a firewall in place for my internal users and I want to block anything going out on TCP Port 21. That's what a standard firewall can do. It can block port numbers. But this is a technical user, you can tell by his face there.


He knows that, at some points and some FTP servers that he accesses on the internet, the port numbers are different. Maybe they're 210 or 2100 or some other port number that's in the valid TCP range. Well, if they change the port number for the outgoing request, then our firewall becomes invalid.


But not with ISA Server. At ISA Server, instead of saying block Port 21, we can say, block FTP, and it can monitor at the application layer and recognize FTP traffic on any port number that is going out. At that point, the user can no longer change the port number to get out to the internet.


They are blocked completely from using FTP across our network. That's one of the abilities that you can get with this multilayer firewall. It also includes things like intrusion detection services, which detects virus attacks and worm attacks that have signatures to them.


And we'll talk more about that in a future Nugget. Some people deploy ISA Server only for the multilayer firewall capabilities. The third thing that ISA Server allows you to have is called Unified Management. Imagine that we had a corporation with four locations.


The top one is in Canada, the bottom three is Arizona, California, and Florida. Each location has its own ISA Server connecting to the internet. Now we'll let's say that Canada is the headquarters of this company. In Canada, you might have a corporate policy applied at the VP level that says, at any location no more than 300 kilobits per second could be used for web traffic.


We can actually deploy bandwidth restrictions using ISA Server. Now this corporate policy will replicate down to all the ISA Servers at each location. And each location can develop its own policies. For example, California might block web traffic completely, Arizona might allow FTP traffic and web traffic, and Florida might have an internal email server that they allow access to from the outside.


So they can create all their own policies as long as it doesn't violate the primary corporate policy. That's one of the features that you get when you deploy an ISA Server-- meaning, multiple servers combined under Unified Management. As a matter of fact, let me show you the console that we administer ISA Server from.


Now I know we haven't gotten into the administration of ISA Server at all. I just want to show you how this Unified Management works. You see down here, I have the ISA Management Console. I'm going to open that up. And this familiar view is the Microsoft Management Console, the MMC.


And up here you see the ISA Server, Internet Security and Acceleration, plugin for the MMC. Now right here I have the Servers and Arrays that I have installed. And so far, I only have one server installed. It's not really an array because it is of type stand-alone.


So I can come under here, and I see my one server that I have installed so far. I expand this out and I see right here my Access Policies. This is where I can go if I wanted to start deploying policies for the entire array or, in this case, just for this one server.


If I did have an array set up, these policies would trickle down to all of the servers in that array and I can set up different levels, such as the corporate policies or individual site policies, one at a time, just like I was demonstrating on the previous slide.


If there's one thing that Microsoft is good at, it's definitely this Unified Management structure. They have made ISA Server plug right into the management consoles so the look and feel of that interface is going to be very easy to use. The final benefit that we see here is the extensibility of ISA Server.


Microsoft has created this full-blown ISA SDK, Software Development Kit. So you can actually create your own snap-ins and in your own plugins for server to add functionality. As a matter of fact, there are many different third-party organizations that have already done this.


As a matter of fact, let me take you to one of the coolest public websites that's available for ISA Server. It's isaserver.org. And I'm going to take you to their software section over here, which is pretty much vendors who have written plugins for ISA Server using the software development kit.


Underneath here, we have, you see, Access Control, 14 programs, Anti Virus, Authentication. Let me just click on this Access Control. And underneath this, you see all these different programs-- the Web Filter, Sentian for Microsoft ISA Server. Yeah, some of them can cost some money.


As we scroll down here, you see all of these third parties that have written plugins to make ISA Server even more feature-ific. So the extendability of ISA Server allows you to add plugins as later and greater utilities come out. Microsoft has released two versions of ISA Server, the Standard Edition and the Enterprise Edition, and here's the difference.


The Standard Edition is meant for those small to medium businesses that have a single ISA Server connected to the internet protecting an internal network. Overall, this ISA Server will have all the features that the Enterprise Edition has except for array management capabilities and anything that requires multiple ISA Servers.


The only time you need an Enterprise Edition of ISA Server is when you have multiple servers or multiple locations that are managed from that central source, kind of like that Unified Management example I just gave where we had Canada pushing out those centralized policies.


This Enterprise Edition allows you to have those arrays and multiple levels of access policies and fault tolerance inside of your ISA Server so that you can have more than one for those mission-critical environments. So you can see, I've taken you to the Microsoft website where it's comparing the Standard and the Enterprise Edition.


And as you scroll through this list of features, you can get the feel that the Enterprise Edition is of course designed for large organizations that have multiple ISA Servers in place. You have, of course, limited scalability-- I love the marketing-speak-- hierarchical only for the hierarchical versus distributed caching.


We'll talk about that feature in the caching Nugget. We'll also have limited Active Directory Integration. With Enterprise Edition, all your policies are fully stored in Active Directory so that they can replicate to all the different ISA Servers. A tiered policy, which is the example I gave with the Canada and the lower level ISA Servers in Arizona, Florida, and California-- that's an ISA Server Enterprise feature.


And the multi-server management is also the Enterprise Edition. So to give you the idea-- Enterprise Edition is again for a multi-server environment. Regardless of the installation that you use, when you go to install the ISA Server, you will have the option of one of three modes-- cache, firewall, or integrated mode.


Cache and firewall mode will dedicate the server to one of those two functions. If you install this in a cache mode, it will be a cache-only server. It has no firewall capabilities, no access control, nothing. If you install it as a firewall mode, it will only be a firewall and it will not be able to cache.


Integrated brings both of those features, both the firewall and the cache, into one box. Now I would say about 90% of the time, integrated mode will be what you use. And you might wonder, well, who would use cache or firewall mode only. That's usually the large organizations that have a decent budget when they're putting these things together because they can dedicate servers to caching and dedicate servers to firewall.


Because if you strip out caching functions or you strip out firewall and make it one or the other, you end up with a very efficient server. It's kind of a server that is geared directly for just one function, making it very good at that function. With integrated mode, yes, it is still very efficient.


However, your resources on your server is divided between both the firewall and the cache features of the ISA Server. Well, let's focus in on the caching features of the ISA Server. Caching, again, allows the ISA Server to store content from the internet locally-- we'll say CNN.com-- so that, as more users access it, it does not have to go to the internet any longer.


For example, after it was returned once here, the next PC to go to CNN.com only has to go to the ISA Server. Now there are some things to think about when you're looking at caching, like some websites change more often than others, like CNN.com will probably be updated quite frequently.


So what we can do is we can go into ISA server and specify that maybe CNN has a maximum cache time of 30 minutes. Now some other websites, like Datek.com are stock trading websites that need to be instantaneous, so we can put a no cache over the Datek so that anything from that website will not be cached on the ISA Server.


Also, from the internet authoring perspective, people can specify in the HTML code of their web page that this content should not be cached. And thankfully, a lot of people, like the people at CNN.com, will go into their code and say, do not cache this.


So when it's received at the ISA Server, it doesn't need any special configuration. It already sees that code and recognizes that it should not be cached. Furthermore, another thought with caching is that you can't turn it on for FTP files. Matter of fact, it's on by default, which is really nice if you have a lot of people downloading the same files, but also can eat up a lot of hard drive space on your ISA Server if you don't watch out.


And especially, it loses its efficiency if people don't really download the same files via FTP. We'll look more into FTP and some of the strategies for caching in a future Nugget. But these are just some caveats and things to consider when you're thinking about caching.


When I initially thought of caching with the ISA Server, I thought of it just as I've been describing it so far, where we have the ISA Server retrieving content from the internet for our internal clients so they don't have to go to the internet every single time.


That is a valid mode, and it's called forward caching. But it is just one of the modes that's available. Reverse caching is just what it sounds like. If we have internal web servers on our local area network, there might be common pages that are accessed from the internet on those internal pages.


For example, maybe we have a price list on our internal web server that people frequently access. Well, that can actually be cached on the ISA Server-- I'll mark it with the I-- so that the next time somebody comes to the web server it doesn't need to go that far.


The ISA Server can cache the request and bounce it back with a valid response. It can save a lot of the load on your internal web server, especially if it has a lot of frequently-accessed pages. Now distributed caching is a pretty wild feature. It allows your ISA Servers to work in conjunction with one another.


Now as soon as you see something like this, ISA Server Enterprise Edition should come to mind because we're combining the features of multiple ISA Servers. This is how it can work-- now this is a rough example and it doesn't work exactly like this, but it's close.


We might have ISA Server 1 over here on the left-hand side. And it can be designated dynamically through the array to cache web pages that start with A through H. The one in the middle might cache web pages that start with I through N. And the one on the right might cache web pages that start with O through Z.


This allows it to become very efficient when it's caching the web pages, and it can give you a very speedy response when it's responding to an internal client request for one of those web pages. This is a way that we can combine not only the hard drive space but the processing power of multiple web servers for a common goal.


Turning our attention from the cache to the firewall considerations, we can control traffic entering the network from the internet, as well as we can control traffic leaving our network to the internet. And when we get to the firewall Nugget, we will explore each one of these tools in depth.


But just to give you a basic overview, the packet filters are what most people think of as a firewall, filtering on protocol and important port numbers. Application filters can filter based on the type of application, like FTP or HTTP. Intrusion detection filters are awesome.


They allow you to detect based on certain signatures, types of worms and viruses that could be entering your ISA Server or into your network. Now when you're leaving the network, you have some specific rules that you can deploy as well-- protocol rules saying not all protocols are created equal when they're leaving the network, meaning, I can block some completely or I can limit the bandwidth of some.


Now I also have the site and content rules that allow me to specify exactly what sites and what content is allowed. Get this-- we can get this detailed-- I can say, not only you can only access this one site, but I can also say, you can only access this content on this site.


ISA Server supports things like keyword filtering so that when it sees certain words on web pages, it knows to block that content. It supports graphic and content filtering, saying, I only want to allow text through, no graphics or vice versa. So you can get very detailed with exactly what sort of traffic leaves and comes in to your network through the firewall.


Using the firewall and caching features, ISA Server can be deployed in any number of ways. This diagram right here is one of the simplest deployments that you can have. We have a single ISA Server that is standing as the single host between an internal network on the right-hand side and the external network on the left.


Now don't let me fool you. Just because I say this is a simple deployment doesn't mean this is one of those mom and pop shop sort of setups. This could easily support anywhere from one to in the range of 500 users, depending on what your company is and does and what they use the internet access for.


I mean, overall, a single standalone ISA Server running the Standard Edition of the software can support a large number of users. Now once you start growing beyond that or needing special functionality, that's where you might want to look at upgrading to one of the complex ISA Server designs.


Please don't let my wording fool you. When I say complex, I just mean more complex than the simple design. Here's an example. In this case, we have an internet connection to a single ISA Server. And then in between these two ISA Servers, we have what's called a DMZ.


It stands for a Demilitarized Zone. And this allows us to have this kind of middle ground where we have hosts accessible from the outside. See, this is good because we don't have to open up holes in our internal network just to allow access to some hosts.


This way, if somebody were to hack machines, they would be inside of the DMZ. And hopefully these machines don't contain too much mission-critical information. Those servers are going to be stored inside of our internal network where the firewall deployed on the second level ISA Server is even more intense.


There's a lot of consideration that goes into a design like this. There's a lot of thoughts, like, do I cache here or cache here or what direction do I cache and what ports are going to be allowed to hear and will this web server be able to get into the interval network.


Do I even allow access that way? This Nugget isn't really meant to answer those kind of questions-- just to get you thinking, because we'll look at all of these designs in full detail when we start looking at how we deploy a dual firewall scenario like you see in this slide.


Here's a scenario where we're distributing the caching functions of ISA Servers between three chained ISA Servers. This allows us to have a level of fault tolerance and load distribution between all of these. I don't have it shown here, but we could easily split off the internet connection so that all of the ISA Servers have access to that connection.


So if one of them fails, we have two other ways out of the network and to other areas that have cache files. This allows us to centrally administer all of our caching and access restrictions through these ISA Servers. Thanks to the ISA Management Console, we'll be able to administer all of these from a single location.


But, again, making your mind think a little bit, it can get pretty complex in the setup. I mean, imagine this is just caching, let's turn on some firewall capabilities. Where does the DMZ go? Do we add another ISA Server over here? Will we switch these around and have one located up front and three behind?


Or, what's the best strategy? Well, never fear. As we go throughout this entire Nugget series, you will understand all of the pieces of ISA Server and how they fit together. So now that you're done with this Nugget, you've seen what ISA Server 2000 is all about.


You now know what web caching and the firewall capabilities of ISA Server really are and what really makes ISA Server special when you're comparing it to other firewalls that are out on the market. Finally, we took a look at the different deployment scenarios that you could have ISA Server in.


And there are many more than what we've described here. These were designed just to get you thinking so you can see how ISA Server can be used. I hope this has been informative for you and I'd like to thank you for viewing.

Pre-Install Planning and Installation

ISA Server Management and Client Configuration

Understanding and Configuring Policy Elements

Creating Rules and Using Authentication

Configuring Caching

Designing and Configuring Virtual Private Networking

ISA Firewalls Part 1: Server Security & Firewall Design

ISA Firewalls Part 2: Packet and Application Filters

Publishing Part 1: Overview and Web Publishing

Publishing Part 2: Publishing and H.323

Monitoring and Reporting

Enterprise Strategies Part 1: ISA Server Arrays

Enterprise Strategies Part 2: Scaling ISA Server

Optimization and Integration with Windows 2003

Please help us improve by sharing your feedback on training courses and videos. For customer service questions, please contact our support team. The views expressed in comments reflect those of the author and not of CBT Nuggets. We reserve the right to remove comments that do not adhere to our community standards.

comments powered by Disqus
8 hrs 15 videos

Training Features

Practice Exams
These practice tests help you review your knowledge and prepare you for exams.

Virtual Lab
Use a virtual environment to reinforce what you are learning and get hands-on experience.

Offline Training
Our iOS and Android mobile apps offer the ability to download videos and train anytime, anywhere offline.

Accountability Coaching
Develop and maintain a study plan with one-to-one assistance from coaches.

Supplemental Files
Files/materials that supplement the video training.

Speed Control
Play videos at a faster or slower pace.

Included in this course
Pick up where you left off watching a video.

Included in this course
Jot down information to refer back to at a later time.

Closed Captions
Follow what the trainers are saying with ease.
Jeremy Cioara
Nugget trainer since 2003