Solved

ISA 2000/2004 Web Caching

Posted on 2004-08-27
Last Modified: 2013-11-16
Hey all,

I have a large enterprise environment. I also have many layers of defense....But I am changing a few things....I want your opinions..

There is the Pix.....then there is a Lightspeed Appliance that does IDS, Spam, Antivirus yada yada yada....(this is a new thing going in)...I have Websense....(it's getting too expensive so it's getting dumped)...I am changing that and using the Lightspeed for the rules based outgoing....but I want to stop everyone going out all ways to the Internet....hence the new spyware stuff and key loggers that are out there (that's where the Lightspeed comes in).....

I want a Web Cache Server...Basic Proxy.....2 of them for fault tolerance....appliances were too expensive..I have ISA licenses....I already have an ISA out there for OWA...but now I want another in between the clients and the Lightspeed.....so it goes this way

client---dns server---web proxy----lightspeed----pix---internet-----

one point of exit....

Now the question

Do I install the ISA as an Enterprise Policy and tie it into AD? Or do I leave it as stand alone and use an Array Policy? Also how do I make them failover?

I suck at ISA...my expertise lies more in AD and Exchange and I am now learning the deep secrets of SMS...But I need help with ISA..
I am an EE member so don't send me to web site links, I have seen them all....
I want your IT advice

This is approx. 1300 or so users in a HIPAA and DOJ protected LAN....

Thanks
Dawne
Question by:pcbrat

13 Comments
 
LVL 57

Expert Comment

by:Pete Long
you say you have licences - be aware ISA is licenced by processor, so you need two on a dual processor server etc

have you installed it yet?

if so ENSURE you ticked caching only

The best reason for the diag you drew above is ease of admin on the PIX (I have no clue what a Lightspeed is - but I'm sharp on Websense, I'll presume it's a similar product)

>>Do I install the ISA as an Enterprise Policy and tie it into AD?

Mmm well you have two options, if all your clients use DHCP then change your scope and add option 252 (proxy settings) then everyone will get them anyway.
The M$ way is to send it out via policy, this is pretty simple to do.
Group policies can be applied on a domain or an Organisational Unit, to apply a group policy in a 2000/2003 domain environment, do the following.

On a domain controller open "Active directory Users and computers"

NOTE: As said above you can apply a GP to an OU in this instance we will deal with a domain GP, if you are concerned with a GP for an OU insert the "OU name" instead of the "Domain Name"

1. Locate the domain (top of the Tree) and right click it, then select "Properties"
2. Select the group policy Tab.
3. You will see the Default domain policy (and any other policies applied at this level)
4. You can create another domain policy by clicking "New", giving it a name and configuring it
5. Ensure the default domain policy is highlighted and select "Edit" (unless you are working on another policy)
6. The Group policy object editor will open.
7. You can now edit the policy and close the editor when you are finished.
8. Back in the domain properties click "apply" and "OK"

Troubleshooting Group Policy in Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=B24BF2D5-0D7A-4FC5-A14D-E91D211C21B2&displaylang=en

Group Policy Infrastructure White Paper
http://www.microsoft.com/downloads/details.aspx?FamilyId=D26E88BC-D445-4E8F-AA4E-B9C27061F7CA&displaylang=en

COMMON POLICIES

Set Proxy Server: user configuration >windows settings >internet explorer maintenance >connection >proxy settings
LVL 10

Author Comment

by:pcbrat
Thanks for your response Pete...

I am aware of GPOs....however.....you are saying that in order to force everyone to use the Proxy..(since I already have 1300ws out there) use a GPO to change the IE settings?...OK Got that...so in order to do that I have to integrate it with AD? Hence the Enterprise install of ISA.

Yes I have an ISA out there...I didn't set it up, the guy who I am replacing did....he said that he set it as a stand alone to do OWA SSL only....

If you know what Websense is then you know the allow Internet access is done via AD...groups to be exact....Lightspeed is an all in one tool that will do the content filtering that Websense does as well as Spam and Virus...see link.....so it will get the access to what people are allowed to see via rules (instead of using the ISA) we want the ISA to do nothing but Cache....we have open license and all our servers are Dual Processors.....we basically want it to do all the access instead of many connections to the Web and not controlling what comes in......

So I have to tie it into AD to use the GPO? Should I use the Enterprise Policy? Or the Domain Array? What is the difference?

Also what power do I need in the servers? I use all Dell (not by choice) so I am thinking a PE2600....should I use RAID5 or just Mirror with a lot of space for Cache?
Yes my clients all use DHCP...so you say add 252 to the options.....ok what about DNS? They have installed a Root server in the DMZ and have all the internal access point to it. I want to get rid of this...and have my internal dpo forwarders....how does this affect ISA? Do I need to tell ISA to use the internal? Or point it to the DMZ root? Do I have to install DNS on it?

you know I am making you earn your points! LOLOL...tell Geek I miss him and HI for me!

Dawne


LVL 57

Accepted Solution

by: Pete Long (earned 500 total points)
>>OK Got that...so in order to do that I have to integrate it with AD? Hence the Enterprise install of ISA.

no, your clients don't care if you're using ISA, winroute, proxy 2.0 or whatever, they just need to know its IP (hence the proxy setting config Policy I detailed earlier)

>>we basically want it to do all the access instead of many connections to the Web and not controlling what comes in......

Bang on the nose - hence my comment about ease of administration on the PIX - it's easier (and more secure) to have 1 outbound rule for port 80 and https.

>>So I have to tie it into AD to use the GPO?

only to the point of telling GPO its IP address

>>Should I use the Enterprise Policy? Or the Domain Array? What is the difference?

only if you have an ISA array (multiple ISA servers) do you need to worry about this
"ISA Server supports array and enterprise policies. Array policies apply to the ISA Servers that are participating in a particular array. Array policies do not span multiple arrays. Enterprise policies are used to create centralized ISA Server access controls that can be applied to one or more arrays in the same domain."
http://support.microsoft.com/default.aspx?scid=kb;en-us;315667&sd=tech


>>Also what power do I need in the servers? I use all Dell (not by choice) so I am thinking a PE2600....
>>should I use RAID5 or just Mirror with alot of space for Cache?

I've not put a PowerEdge in for some time (I'm a Proliant dude these days :) but I've run Websense on an ML350 with one 2Ghz Processor and 128Mb of RAM - that was running ISA, Websense and Websense reporter - as you're retiring Websense you don't have the hit of running MSDE or SQL so the impact is even less. A caching only server doesn't need a lot of processing power.
As to storage - try to mount the cache on RAID 5 in its own partition, this makes things a bit more slick, and easier to troubleshoot should anything go wrong.



>>what about DNS? They have installed a Root server in the DMZ and have all the internal access point to it. I want to get rid of this...and have my internal dpo forwarders....how does this affect ISA? Do I need to tell ISA to use the internal? Or point it to the DMZ root? Do I have to install DNS on it?

Well a caching only server needs to resolve at speed - it doesn't matter where it's pointed for DNS as long as the server can resolve public names :)

phew - that's a lot of typing for a Sunday morning LOL

good luck
Pete

LVL 10

Author Comment

by:pcbrat
Thanks Pete you rock!

I used to be a Proliant chick but now I work for government and they use the Dells (yuck)

Thanks for all the info, I believe I have my plan... I will be using more than one ISA..for fault tolerance so I assume I need an array.....I need to make sure that if one goes down the other picks up where the other left off. I can't have the DA or Supervisors have no Internet Access! LOL

Should I just team the NICs?

dawne
LVL 57

Expert Comment

by:Pete Long
hello and ThanQ :)

Network Teaming - is all well and good - remember to set the team for fault tolerance and not load balancing.
I've not done that on a PowerEdge though.

Pete
LVL 10

Author Comment

by:pcbrat
Ok Pete, just where in the heck do you see an Option 252 in DHCP?

I have over 20 scopes....I guess it would be easier to use the GPO huh?
LVL 57

Expert Comment

by:Pete Long
I prefer the GPO Route :)

dhcp options http:Q_21046206.html#11458336

Start DHCP Manager.
Right-click the appropriate DHCP server, and then click Select Predefined Options.
In the Option Class dialog box, click Standard Options, and then click Add.
In the Name column, type Proxy Autodiscovery Option.
In the Data Type dialog box, click String, and then click to clear the Array check box.
Click the Code box, and then type 252.
Click the Description box, type a brief description of the option, and then click OK.
Click the String box, and then type the URL that points to the location of your configuration file.
Click OK, and then quit DHCP Manager.
http://support.microsoft.com/default.aspx?scid=kb;EN-US;252898
LVL 10

Author Comment

by:pcbrat
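The "configuration file" that the option 252 string (or an IE automatic configuration URL pushed by GPO) points at is a WPAD/PAC file. The following is an added example written for this page, not Pete's, Microsoft's or Experts Exchange's code: a minimal PAC file that sends everything through the two ISA caching servers, with the second listed as fallback, and keeps intranet traffic direct. The proxy hostnames `isa1.corp.example` / `isa2.corp.example`, the `.corp.example` suffix and the port are constructed placeholders; the PAC helper functions are re-implemented so the file can be executed and checked outside a browser.

```javascript
// Added example, not code from the thread: a minimal WPAD/PAC file.
// Browsers fetch it from the option 252 URL and call FindProxyForURL(url, host)
// for every request. Names and subnets below are constructed placeholders.
// Plain "var"/"function" syntax is kept because PAC files run in the browser's
// own (old) script engine.

// Browsers supply these PAC helpers themselves. They are re-implemented here
// only so the logic can be executed and checked with node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.slice(-domain.length).toLowerCase() === domain.toLowerCase();
}

function ipToInt(ip) {
  return ip.split(".").reduce(function (acc, octet) {
    return acc * 256 + parseInt(octet, 10);
  }, 0);
}

function isInNet(ip, net, mask) {
  // Bitwise AND coerces both sides to 32-bit ints, so the comparison stays
  // valid for networks above 128.0.0.0 (e.g. 192.168.0.0) as well.
  return (ipToInt(ip) & ipToInt(mask)) === (ipToInt(net) & ipToInt(mask));
}

// Both ISA caching servers in preference order (hypothetical names). The browser
// tries the first and only moves to the second if it does not answer: the
// client-side half of "if one goes down the other picks up".
var PROXY_LIST = "PROXY isa1.corp.example:8080; PROXY isa2.corp.example:8080";

var IPV4_LITERAL = /^\d{1,3}(\.\d{1,3}){3}$/;

function FindProxyForURL(url, host) {
  // Single-label names (http://intranet/) and the internal suffix stay on the LAN.
  if (isPlainHostName(host) || dnsDomainIs(host, ".corp.example")) {
    return "DIRECT";
  }
  // Requests to loopback or private-range IP literals are internal too.
  // Applying this to hostnames would need dnsResolve(); it is deliberately
  // not used here because each call costs a lookup on every request.
  if (IPV4_LITERAL.test(host) &&
      (isInNet(host, "127.0.0.0", "255.0.0.0") ||
       isInNet(host, "10.0.0.0", "255.0.0.0") ||
       isInNet(host, "172.16.0.0", "255.240.0.0") ||
       isInNet(host, "192.168.0.0", "255.255.0.0"))) {
    return "DIRECT";
  }
  // Everything else leaves through the caching array: the single point of
  // exit the thread asks for, so the PIX needs only one outbound 80/443 rule.
  return PROXY_LIST;
}
```

Serve the file as `wpad.dat` with the `application/x-ns-proxy-autoconfig` MIME type from a web server the clients can reach, and put that URL in the option 252 string. The fallback order in `PROXY_LIST` only covers the browser side of failover; the servers themselves still need to be in an array so the second ISA holds the same policy and can serve the same cached content.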
So this will be set at the server and not at all the scope options for all my various scopes? Ok I will read up on it. And I think the GPO will be easier but I need to have an alternative to present to the board.

Thanks Pete :)
LVL 57

Expert Comment

by:Pete Long
my pleasure - go for the GPO it takes about 35 seconds to set up :)
LVL 10

Author Comment

by:pcbrat
Hey Pete are you still out there?

I have a small issue...

I have setup ISA2004 in a test lab and then just manually set the proxy on some test clients...

they can't get out...

I see that you have to have the firewall installed when you install Proxy...this sucks..lol

I also see that everything is turned off....no one is let outside...

So I went in and set a rule to allow all outbound access in the firewall....I noticed that you can't delete the default rule that says no access (why?)

Then I configured a rule to allow Proxy and set the drives as well as the protocols out.

When I wait I can get to MS site but nothing else...I get an ISA error and when I looked it up the error said I needed a Rule in the firewall (duh I did that)

So what the heck?

I can't seem to find a simple "How To" article regarding ISA 2004 anywhere. They sure have changed a lot around from ISA 2000.

Please help

dawne
Expert Comment

by:Network_MD
Hey Dawne... still need help with ISA?  I'm 80% finished with an ISA 2004 implementation, and I've had about all of the same questions you asked at some point.  Got most of 'em figured out. (Pete's answers to other threads helped with most of it... thanks Pete).  Let me know if you're still goin on this one and need help.

Eric
LVL 10

Author Comment

by:pcbrat
Ill let you know.
I have been busy relocating about 75 servers to their new home in a new building and had to put ISA on the back burner. I am now back in the lab and working on it again. I figured that I have to let everything out and then let Websense pick and choose.

I will keep you posted. If I come across something which at some time I know I will I will post here. k?
thanks


Dawne :)
LVL 57

Expert Comment

by:Pete Long
<still subscribed>

been skiving :)
