ISA 2000/2004 Web Caching

pcbrat (asker):

Hey all,

I have a large enterprise environment. I also have many layers of defense....But I am changing a few things....I want your opinions..

There is the Pix.....then there is a Lightspeed Appliance that does IDS, Spam, Antivirus yada yada yada....(this is a new thing going in)...I have Websense....(it's getting too expensive so it's getting dumped)...I am changing that and using the Lightspeed for the rules-based outgoing....but I want to stop everyone going out all ways to the Internet....hence the new spyware stuff and key loggers that are out there (that's where the Lightspeed comes in).....

I want a Web Cache Server...Basic Proxy.....2 of them for fault tolerance....appliances were too expensive..I have ISA licenses....I already have an ISA out there for OWA...but now I want another in between the clients and the Lightspeed.....so it goes this way

client---dns server---web proxy----lightspeed----pix---internet-----

one point of exit....

Now the question

Do I install the ISA as an Enterprise Policy and tie it into AD? Or do I leave it as stand-alone and use an Array Policy? Also how do I make them failover?

I suck at ISA...my expertise lies more in AD and Exchange and I am now learning the deep secrets of SMS...But I need help with ISA..
I am an EE member so don't send me to web site links, I have seen them all....
I want your IT advice

This is approx. 1300 or so users in a HIPAA and DOJ protected LAN....

Thanks
Dawne
Pete Long:

you say you have licences - be aware ISA is licenced by processor, so you need two on a dual processor server etc.

have you installed it yet?

if so ENSURE you ticked caching only

The best reason for the diagram you drew above is ease of admin on the PIX (have no clue what a Lightspeed is - but I'm sharp on Websense, I'll presume it's a similar product)

>>Do I install the ISA as an Enterprise Policy and tie it into AD?

Mmm well you have two options, if all your clients use DHCP then change your scope and add option 252 (proxy settings) then everyone will get them anyway.
The M$ way is to send it out via policy, this is pretty simple to do.
Group policies can be applied on a domain or an Organisational Unit, to apply a group policy in a 2000/2003 domain environment, do the following.

On a domain controller open "Active Directory Users and Computers"

NOTE: As said above you can apply a GP to an OU in this instance we will deal with a domain GP, if you are concerned with a GP for an OU insert the "OU name" instead of the "Domain Name"

1. Locate the domain (top of the Tree) and right click it, then select "Properties"
2. Select the group policy Tab.
3. You will see the Default domain policy (and any other policies applied at this level)
4. You can create another domain policy by clicking "New", giving it a name and configuring it
5. Ensure the default domain policy is highlighted and select "Edit" (unless you are working on another policy)
6. The Group policy object editor will open.
7. You can now edit the policy and close the editor when you are finished.
8. Back in the domain properties click "apply" and "OK"

Troubleshooting Group Policy in Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=B24BF2D5-0D7A-4FC5-A14D-E91D211C21B2&displaylang=en

Group Policy Infrastructure White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en

COMMON POLICIES

Set Proxy Server: user configuration >windows settings >internet explorer maintenance >connection >proxy settings
pcbrat (ASKER):

Thanks for your response Pete...

I am aware of GPOs....however.....you are saying that in order to force everyone to use the Proxy..(since I already have 1300ws out there) use a GPO to change the IE settings?...OK Got that...so in order to do that I have to integrate it with AD? Hence the Enterprise install of ISA.

Yes I have an ISA out there...I didn't set it up, the guy who I am replacing did....he said that he set it as a stand-alone to do OWA SSL only....

If you know what Websense is then you know the allow Internet access is done via AD...groups to be exact....Lightspeed is an all in one tool that will do the content filtering that Websense does as well as Spam and Virus...see link.....so it will get the access to what people are allowed to see via rules (instead of using the ISA) we want the ISA to do nothing but Cache....we have open license and all our servers are Dual Processors.....we basically want it to do all the access instead of many connections to the Web and not controlling what comes in......

So I have to tie it into AD to use the GPO? Should I use the Enterprise Policy? Or the Domain Array? What is the difference?

Also what power do I need in the servers? I use all Dell (not by choice) so I am thinking a PE2600....should I use RAID5 or just Mirror with a lot of space for Cache?
Yes my clients all use DHCP...so you say add 252 to the options.....ok what about DNS? They have installed a Root server in the DMZ and have all the internal access point to it. I want to get rid of this...and have my internal do forwarders....how does this affect ISA? Do I need to tell ISA to use the internal? Or point it to the DMZ root? Do I have to install DNS on it?

you know I am making you earn your points! LOLOL...tell Geek I miss him and HI for me!

Dawne


ASKER CERTIFIED SOLUTION
Pete Long
pcbrat (ASKER):

Thanks Pete you rock!

I used to be a Proliant chick but now I work for government and they use the Dells (yuck)

Thanks for all the info I believe I have my plan... I will be using more than one ISA..for fault tolerance so I assume I need an array.....I need to make sure that if one goes down the other picks up where the other left off. I can't have the DA or Supervisors have no Internet Access! LOL

Should I just team the NICs?

dawne

Pete Long:

hello and ThanQ :)

Network Teaming is all well and good - remember to set the team for fault tolerance and not load balancing.
I've not done that on a PowerEdge though.

Pete
pcbrat (ASKER):

Ok Pete just where in the heck do you see an Option 252 in DHCP?

I have over 20 scopes....I guess it would be easier to use the GPO huh?
I prefer the GPO Route :)

Pete Long:

dhcp options http:Q_21046206.html#11458336

1. Start DHCP Manager.
2. Right-click the appropriate DHCP server, and then click Select Predefined Options.
3. In the Option Class dialog box, click Standard Options, and then click Add.
4. In the Name column, type Proxy Autodiscovery Option.
5. In the Data Type dialog box, click String, and then click to clear the Array check box.
6. Click the Code box, and then type 252.
7. Click the Description box, type a brief description of the option, and then click OK.
8. Click the String box, and then type the URL that points to the location of your configuration file.
9. Click OK, and then quit DHCP Manager.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;252898
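The URL that option 252 (or the GPO proxy setting) hands out points at a proxy auto-config (PAC) file, which is where the client-side half of the "two ISAs for fault tolerance" question from earlier in the thread is answered: the browser tries the proxies in the order the PAC lists them and moves to the next one when the first is unreachable. The PAC below is an added illustration, not from the thread or from Microsoft; the ISA hostnames, port 8080, the `.corp.example` domain and the internal address ranges are assumed. Browser PAC engines of that era only understand old JScript, so it sticks to ES3 syntax, and the helper functions a browser normally supplies (isPlainHostName, dnsDomainIs, isInNet) are given minimal stand-ins so the file also runs under Node.

```javascript
// Stand-ins for the PAC helpers a browser provides; a real PAC file omits these.
function isPlainHostName(host) { return host.indexOf(".") === -1; }
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substr(host.length - domain.length) === domain;
}
function ipToInt(ip) {
  var parts = ip.split("."), n = 0;
  for (var i = 0; i < parts.length; i++) { n = (n << 8) + parseInt(parts[i], 10); }
  return n >>> 0; // keep it unsigned so 192.x and 10.x both compare cleanly
}
function isInNet(ip, pattern, mask) {
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(pattern) & ipToInt(mask));
}

// Assumed values: two caching-only ISA servers, tried in order (client-side failover),
// and the internal AD DNS suffix that must never be sent through the proxy.
var INTERNAL_DOMAIN = ".corp.example";
var PROXIES = "PROXY isa1.corp.example:8080; PROXY isa2.corp.example:8080";

// The browser calls this once per request; the return value is the proxy list.
function FindProxyForURL(url, host) {
  // Single-label names (intranet, fs1) and the AD domain stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_DOMAIN)) { return "DIRECT"; }
  // Literal RFC 1918 addresses stay on the LAN too (no dnsResolve, so no DNS lookup per request).
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) {
    if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
        isInNet(host, "172.16.0.0", "255.240.0.0") ||
        isInNet(host, "192.168.0.0", "255.255.0.0")) { return "DIRECT"; }
  }
  // Everything else leaves through the single exit path: isa1, then isa2 if isa1 is down.
  return PROXIES;
}
```

Note that the PAC deliberately never ends its list with `DIRECT`: if it did, a browser that could reach neither ISA would quietly bypass the proxy and the Lightspeed filtering behind it, which defeats the single point of exit the asker wants.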
pcbrat (ASKER):

So this will be set at the server and not at all the scope options for all my various scopes? Ok I will read up on it. And I think the GPO will be easier but I need to have an alternative to present to the board.

Thanks Pete :)

Pete Long:

my pleasure - go for the GPO it takes about 35 seconds to set up :)
pcbrat (ASKER):

Hey Pete are you still out there?

I have a small issue...

I have setup ISA2004 in a test lab and then just manually set the proxy on some test clients...

they can't get out...

I see that you have to have the firewall installed when you install Proxy...this sucks..lol

I also see that everything is turned off....no one is let outside...

So I went in and set a rule to allow all outbound access in the firewall....I noticed that you can't delete the default rule that says no access (why?)

Then I configured a rule to allow Proxy and set the drives as well as the protocols out.

When I wait I can get to MS site but nothing else...I get an ISA error and when I looked it up the error said I needed a Rule in the firewall (duh I did that)

So what the heck?

I can't seem to find a simple "How To" article regarding ISA 2004 anywhere. They sure have changed a lot around from ISA 2000.

Please help

dawne
Network_MD:

Hey Dawne... still need help with ISA?  I'm 80% finished with an ISA 2004 implementation, and I've had about all of the same questions you asked at some point.  Got most of 'em figured out. (Pete's answers to other threads helped with most of it... thanks Pete).  Let me know if you're still goin on this one and need help.

Eric
pcbrat (ASKER):

I'll let you know.
I have been busy relocating about 75 servers to their new home in a new building and had to put ISA on the back burner. I am now back in the lab and working on it again. I figured that I have to let everything out and then let Websense pick and choose.

I will keep you posted. If I come across something which at some time I know I will I will post here. k?
thanks


Dawne :)
<still subscribed>

Pete Long:

been skiving :)