• Status: Solved
  • Priority: Medium
  • Security: Public

How to configure ISA 2006 as Firewall and Web Caching Server?

Hi friends !

I want to install ISA Server 2006 on Windows 2003 Server. I want this ISA to work as firewall and Web Caching Server. The network scenario is as follows:

(ISP) 10.10.1.1---10.10.1.3 ( Fa 0/1) Router (Fa 0/0) 41.197.41.1---41.197.41.2 (Ext) ISA 172.20.0.1 (Int)---Internal Switches


The machine where I want to install ISA has following configuration. (Please tell me if the machine is strong enough to serve 500 users or not.)

Model : HP Compaq dc5100 MT (Multi Processor PC)
Processor : 1. Intel(R) Pentium(R) 4 CPU 3.40 Giga Hertz
            2. Intel(R) Pentium(R) 4 CPU 3.40 Giga Hertz
RAM :

HDD : SATA HDD with 80 GB Capacity ( I will attach one more HDD to keep cache and log files, give your opinion)

NIC Cards: 1. Broadcom NetXtreme Gigabit Ethernet (ISA External Interface<---->Cisco Router's FastEthernet 0/0 port )
                 2. Gigalink NIC Card (ISA Internal Interface<---->Internal Switch)

On Cisco Router, I have created a reflexive access list and it is working fine. Now, I want to configure ISA as software based firewall with web caching feature.

Please note that WEB CACHING FEATURE is very important for me to configure so that web requests for already cached web pages don't go to internet, thus enabling us to have fast internet surfing.

Please provide a suitable configuration (especially for web caching).

Regards,

Hemant
manav08Commented:
Hi Hemant,

The machine you have described above is probably of a little bit less spec. as you are planning to run 500 users. I have seen that while serving a large amount of clients, the load on the server makes the Firewall Service Stop. I would recommend to get a Xeon processor with at least 4GB RAM, because ISA is RAM hungry. Having said this, there is no reason you cannot run ISA on the P4 machine. Make sure you do not use it as a REPLICA DC, it should be setup as a dedicated server. In order to avoid upsets later on, I will definitely recommend getting a higher spec machine.

Now a few thing to note with ISA SERVER.

1. As soon as the ISA is installed, you will lose all connection (incoming and outgoing) to that particular server, so make sure you are sitting right in front and not remoted in.
2. The next step will be to open up relevant ports etc. for incoming and outgoing access to that server, so that you can access the internet etc.
3. To use this server as a firewall, each workstation on the network will need to have "Firewall Client for ISA Server" installed. This can be downloaded from http://www.microsoft.com/DownLoads/details.aspx?FamilyID=05c2c932-b15a-4990-b525-66380743da89&displaylang=en and will replace.
4. The firewall Client can be easily rolled out to all the clients using Group Policy.
5. A good place to learn how to configure outgoing access for clients is to do this free virtual lab from microsoft http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032343311&EventCategory=3&culture=en-US&CountryCode=US
6. Setting up WEB CACHING is a piece of cake. Just follow this guide http://www.isaserver.org/tutorials/ISA-2006-Web-Caching.html

As for connecting an 80GB HDD to the server via USB 2.0, it is not really recommended. This is because you have a network of 500 clients. USB 2.0 has a transfer rate of 480Mb/s and moreover it works as HALF-DUPLEX. This will greatly limit the speed with which clients retrieve the websites from the cache. I would recommend you to use a LINUX BOX setup as a NAS SERVER instead.

I hope I have answered all your questions. Feel free to ask me and I will try my best to answer. Just a disclaimer ;-) - I haven't used ISA 2006 for about 6 months now as I now use LINUX technologies, but what I have answered is pretty accurate based on the experiences I've had.

0
 
Keith AlabasterCommented:
USB? Where does USB come into it? He has a SATA drive.

Web caching is defined in the ISA gui under configuration - cache. Here you can define and enable cache areas and the rules for what you do and don't want cached.

No - I will not provide a configuration for the total setup and configuration. Hemant, you are asking here for us to do your job for you. As I have mentioned to you before, we are here to help you with issues you may have and to provide guidance; we are not here to be your system administrator.

You define and post your security policy and your security requirements and I will help you to create the rules as necessary within ISA Server if you run into problems. Sorry if this sounds harsh but you need to face up to the fact that you need training in this area.

Keith
0
 
JatinHemantAuthor Commented:
Thanks to both of you for your comments.

@manav08 ! I have read your comments and am applying them. I will soon let you know about the progress.

@Keith ! I again thank you for being here on this discussion. I feel and admit that I need training in this area. I know you are not going to work for me in my place because I am not going to give you my salary. But I hope that you will give me some suggestions as you gave me in that other discussion. (I learnt a lot from that discussion, truly speaking)

Well...I need your suggestion regarding Domain and Workgroup.

Here is our server information :

DNS  + DHCP  + Active Directory Server = Running on same machine (Compaq ProLiant ML310)
Kaspersky Administration Kit (Enterprise Antivirus Server) = Running on an XP Operating System
Proposed ISA Server = Installation procedure is on going

Now, our basic needs are internet connectivity with restrictions (through ISA firewall) and Cisco ACL. I have created Reflexive ACL and it is working well. And definitely I will configure ISA myself.

Now, our IT staff people are not very serious and even don't know much about domain. We are also not providing services to outsiders such as web server, ftp server or any other services like VPN etc.

I have been working on website related issues and so I don't think that even if we use a domain environment, it will work fine, as nobody else is very much interested. I want to switch back to a workgroup environment. Please give me your suggestions regarding ISA in a workgroup environment.

Regards,

Hemant
0
 
Keith AlabasterCommented:
I am sorry to hear that your colleagues are not interested in the domain approach - this is the natural way forward especially if security is to play a part in the setup.

ISA will work in a workgroup scenario - but it will not be able to restrict access based on Active Directory memberships if there are no Active Directory (domain) servers available. The only other way of controlling access through ISA would be to assign known ip addresses to each machine (reservations through dhcp scopes or static addresses) and block/allow by groups that way.

If you are not interested in even that level of protection then just create a single outbound rule allowing all protocols from internal and localhost to external.
0
 
JatinHemantAuthor Commented:
Thanks Keith !

Good idea. I think your second suggestion will be suitable for us, because for some PCs where we want complete access, we can give them fixed IP addresses through DHCP reservation and allow that block full internet access while keeping others on limited access.

Regards,

Hemant
0
 
Keith AlabasterCommented:
Absolutely. :)
0
 
JatinHemantAuthor Commented:
Hi manav08 !

I asked my ICT director that we should go for a strong server machine and he asked me the specifications.

As you told me that the machine I am using is not capable enough of supporting 500 users, will you please suggest me a strong server machine that can handle 500-700 Users.

Hi Keith ! You are also invited.

Regards,

Hemant
0
 
manav08Commented:
Hi Hemant,

It really depends on your IT BUDGET I guess. If they have money to spend this year you would wanna buy a decent server that could be utilized for other things as well. What do you think about DELL SERVERs. They have a basic range as well.

My recommendations for your environment for a HIGH SPEC server would be -

1. Quad Core Xeon E5320, 2 x 4MB CACHE (No additional processor)
2. 5 SAS DRIVES each 250GB(or more) configured in a RAID 5 with one hot spare.
3. DUAL POWER SUPPLY for redundancy.
4. 4 x 2GB RAM (which is pretty common these days).
5. 64 bit version of Windows Server 2003 to utilize the 8GB of RAM (remember 32-bit only utilizes 4GB).

This kind of server should cost you about AU$6000 + just for the hardware, if that's the kind of money you are looking to spend. I suggest you to go to DELL WEBSITE and have a look at their POWER-EDGE range of servers (http://www.dell.com/content/products/compare.aspx/tower?c=us&l=en&s=biz&cs=555) and see what fits your budget.

The above machine will allow you growth for expansion in case you wanna put some FILTERING SOFTWARE etc. on this machine in future and use it as a proxy etc. or maybe use it as a SNMP SERVER. You can do all sorts of stuff.
0
 
manav08Commented:
Once again Hemant, buying which BRAND of server comes to your personal choice and environment needs. I know that DELL comes with 3 year warranty. HP is the leader in servers as per my knowledge. Evaluate your IT BUDGET and see how you go.

On a side note, were those virtual labs helpful to you??
0
 
JatinHemantAuthor Commented:
Thanks manav08 !

Let me explore Dell and HP websites for servers. Well...those virtual labs were quite helpful. But something is still messing up in my mind.

1. As I have configured Caching on ISA, for temporary arrangement I used another 80 GB SATA HDD. Now I set it to hold the Cache. And now this HDD has a folder named "urlcache" and Dir1 is a virtual disk inside it. (Does this mean that Caching is configured properly !!!)

Then why is the internet speed not even a little faster? How can I find out whether the webpage that a client is accessing is being served by the Cache or by the real site?

2. My ISA server's Gigabit NIC is connected to a Switch (D-Link DES0-1026G) 1000 Mbps uplink port, then why on my ISA Server, Network Connection Pop up Window states (in system tray) that " Internal LAN 100 Mbps is connected. It is very strange to me why it is not saying 1000 Mbps or 1 Gbps connected. Why ???

3. Our ISP has given us 3 Mbps / 1 Mbps link. Have a look on our network utilization at:
www.artel.rw/KIE. We are not able to use the complete bandwidth available. We are using very little. What may be the cause?

Please clear my doubts.

Hemant
0
 
Keith AlabasterCommented:
This is getting out of hand. For starters, ISA is not supported on a 64-bit operating system - period.
ISA does not require this level of server either - bear in mind that a single ISA server can handle thousands of concurrent connections - you are talking of a mere 500 or so.

I will refer you - once again - to the ISA Server 2006 sizing chart - for both the standard and enterprise editions.
http://technet.microsoft.com/en-us/library/bb794835.aspx

I will repeat - again - that the prime driver for ISA performance is not down to its own server specification but to the bandwidth that is available to carry traffic between itself and the Internet.

It's your money Hemant, so it is your call.

Yes - Caching is set correctly. Dir1 is the name of the first configured cache in the ISA cache configuration.
use the ISA realtime monitor - gui - monitoring - logging - start query. Drill down to the header info on web request lines and you will see if a page has been brought from cache or has been accessed directly from the site. Alternatively, use the cache tool from www.isatools.org.
open the NIC properties on the ISA Server - what is the duplex/speed settings set to? If it is 100Mb and the other end is at auto, then that is your reason.
The likelihood is that you are not driving 3Mb's worth of concurrent traffic. With only 500 users, it is not surprising. Get 20 of them and ask them to simultaneously download the Windows XP service pack or something. See what that does to your monitoring.

Hmmmm - let's see. 100Mb ethernet from ISA to the router - 3Mb Internet connection from the router to the ISP/Internet - I doubt if ISA is your bottleneck here.....
Keith
ISA MVP.
0
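Keith's advice above is to read the web proxy log and look at where each response came from. As an added example (not from this thread, and not an ISA Server tool), the script below parses ISA Server Web Proxy W3C log text and reports, overall and per client, how many requests were served from cache versus fetched from the origin site. The log lines are constructed for the example; the column layout is taken from the `#Fields:` directive, so it adapts to whatever columns a real log file declares. The classification relies on the `s-object-source` column and the assumption that cache-served responses are marked with tokens such as `Cache`, `VCache`, `NVCache` and `Member` while `Inet` and `Upstream` mark origin fetches; confirm those tokens against the `#Fields:` header and the ISA log field reference for your installation before trusting the ratio.

```python
"""Cache hit/miss report over ISA Server Web Proxy W3C log text.

Added example, not code from the thread or from ISA Server itself.
"""
from collections import defaultdict
from typing import Dict, List

# Assumption (check against your own logs): values ISA writes in the
# s-object-source column for responses that came out of the cache ...
CACHE_SOURCES = {"Cache", "VCache", "NVCache", "Member"}
# ... and for responses that had to be fetched from the Internet/upstream.
ORIGIN_SOURCES = {"Inet", "Upstream"}

# Constructed sample log (not captured from a real server). Only a handful of
# the real log's columns are included; the parser reads the #Fields line.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2006
#Version: 2.0
#Date: 2008-01-15 09:00:00
#Fields: c-ip date time cs-uri s-object-source sc-status sc-bytes
172.20.0.15 2008-01-15 09:00:01 http://www.example.com/index.html Inet 200 5120
172.20.0.15 2008-01-15 09:00:05 http://www.example.com/logo.gif Inet 200 2048
172.20.0.22 2008-01-15 09:01:10 http://www.example.com/index.html Cache 200 5120
172.20.0.22 2008-01-15 09:01:11 http://www.example.com/logo.gif VCache 200 2048
172.20.0.31 2008-01-15 09:02:00 http://www.example.com/index.html NVCache 200 5120
172.20.0.31 2008-01-15 09:02:03 http://search.example.net/?q=isa Inet 200 8192
172.20.0.40 2008-01-15 09:03:00 http://www.example.com/missing.html Inet 404 512
"""


def parse_w3c(text: str) -> List[Dict[str, str]]:
    """Turn W3C extended log text into one dict per request line.

    Column names come from the most recent #Fields directive, so logs with a
    different column set need no code change. Lines whose column count does
    not match the declared fields are skipped instead of being misattributed.
    """
    fields: List[str] = []
    records: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        values = line.split()  # handles tab- or space-separated columns
        if not fields or len(values) != len(fields):
            continue
        records.append(dict(zip(fields, values)))
    return records


def classify(record: Dict[str, str]) -> str:
    """Return 'hit', 'miss' or 'unknown' from the s-object-source column."""
    source = record.get("s-object-source")
    if source in CACHE_SOURCES:
        return "hit"
    if source in ORIGIN_SOURCES:
        return "miss"
    return "unknown"  # column absent or a value outside the two assumed sets


def _to_int(value: str) -> int:
    """W3C logs write '-' for a missing numeric field; treat that as zero."""
    try:
        return int(value)
    except (TypeError, ValueError):
        return 0


def cache_report(records: List[Dict[str, str]]) -> Dict[str, object]:
    """Aggregate hit/miss counts, bytes served from cache and per-client totals."""
    report: Dict[str, object] = {"hits": 0, "misses": 0, "unknown": 0, "bytes_from_cache": 0}
    per_client: Dict[str, Dict[str, int]] = defaultdict(lambda: {"hits": 0, "misses": 0})
    for rec in records:
        outcome = classify(rec)
        client = rec.get("c-ip", "?")
        if outcome == "hit":
            report["hits"] += 1
            report["bytes_from_cache"] += _to_int(rec.get("sc-bytes", "-"))
            per_client[client]["hits"] += 1
        elif outcome == "miss":
            report["misses"] += 1
            per_client[client]["misses"] += 1
        else:
            report["unknown"] += 1
    answered = report["hits"] + report["misses"]
    report["hit_ratio"] = report["hits"] / answered if answered else 0.0
    report["per_client"] = dict(per_client)
    return report


if __name__ == "__main__":
    result = cache_report(parse_w3c(SAMPLE_LOG))
    print("hits=%d misses=%d unknown=%d hit_ratio=%.2f bytes_from_cache=%d"
          % (result["hits"], result["misses"], result["unknown"],
             result["hit_ratio"], result["bytes_from_cache"]))
    for ip, counts in sorted(result["per_client"].items()):
        print("  %-14s hits=%d misses=%d" % (ip, counts["hits"], counts["misses"]))
```

On a real server, point `parse_w3c` at the contents of a web proxy log file instead of `SAMPLE_LOG`. A hit ratio near zero across a whole day, with the `unknown` count also near zero, means the cache is enabled but nothing is being reused, which is the symptom the question describes; a large `unknown` count means the assumed source tokens do not match what the log actually writes.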
 
manav08Commented:
Keith, I guess you need to chill out here a little bit mate.  We are not in some sort of argument. Nor are you the most clever guy in the world.
Hemant, sorry about the misleading information as I was not aware that ISA 2006 doesn't support 64-bit Windows. I was gonna recheck this in the morning and get back to you anyway as I thought about it last night.

Secondly, the specs of the server I gave you is a very basic server and according to me not expensive at all. Keith failed to read but I repeatedly said above that this machine (that I am suggesting) will allow you growth for expansion as well. If your IT Department has the right amount of budget I will suggest going for this machine so in future you can use the resources for something else. Remember that in REAL WORLD scenario on an average only 3% of the processing power is used by a server (hence they talk about virtualization).
The reason I am suggesting you to buy a better server is that I have had experience before running ISA on a P4 machine and during times of heavy load the firewall service used to often crash (so I had to write a script to check the firewall service every 2 minutes). Now bear in mind that I was running this machine as a proxy with another FILTERING SOFTWARE (smart filter) on top. Once again based on what you are doing your machine maybe OK but having worked in organizations that have enough budget I always plan ahead. Say think about the projects you might wanna do in the near future. :-).

As per question 1 I would like to remind you that most internet pages these days use DYNAMIC CONTENT, so make sure your caching is configured correctly. Please refer to  - http://www.isaserver.org/tutorials/Configuring_A_Cache_Policy.html and make sure you have done it on similar lines
0
 
JatinHemantAuthor Commented:
Really confused what to do !!! Help me.

By the way, thanks to both of you for pointwise explanations.

@ manav08 !
******************************************************************************************************************************
1st : It is OK, even if you were not aware of some facts about ISA, you have directed me to think in other directions also. Well, as purchasing of a new machine may take long, I prefer to use the best available machine in our organization.

As I had given you the specifications, We have received another brand "HP Compaq dc7800p Small Form Factor". Other specifications are same as dc5100 MT but the processor is different.

It has two processors (Multi Processor) with these specifications :
Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33 Giga Hertz
Intel(R) Core(TM)2 Duo CPU E6550 @ 2.33 Giga Hertz

Please suggest me which one should be better among dc5100MT and dc7800p ?
****************************************************************************************************************************

@ both manav08 and Keith
******************************************************************************************************************************
It seems to me that my ISA network connections are very busy in serving and the machine is being overloaded due to it (agreed with Keith) because sometimes I see that I am not even able to open "My Computer" or "Task Manager".

Please tell me if it is possible to perform "Load balancing' internally. What I mean to say that I will use two NICs for internal network (172.20.0.1 and 172.20.0.2) and configure them in Load Balancing so that they share the load. Is it possible when I am not using any other ISA Server in ISA array. I have only single ISA Server ? Will it improve something ???
******************************************************************************************************************************

@Keith !
******************************************************************************************************************************
1st :  *****open the NIC properties on the ISA Server - what is the duplex/speed settings set to? If it is 100Mb and the other end is at auto, then that is your reason.****

I had already checked that  property in ISA and it was/is set to Auto. Below are NIC (GigaLink 10/100/1000 Ethernet Board) Properties :

Early Tx Threshold = 15
Link Down Power Saving = Disable
Link Speed/Duplex Mode = Auto Mode
Network Address = Not Present
Receive Buffer Size = 64K bytes
WakeUp on ARP/PING = Enable
WakeUp on Link Change = Enable
WakeUp using APM Mode = Disable

Outer end is connected to a DES-1026G Switch's Up link port then also it is showing "100.0 Mbps is connected". Strange !!! Might be any other reason...

2nd: Hmmmm - lets see. 100Mb ethernet from ISA to the router - 3Mb Internet connection from the router to the ISP/Internet - I doubt if ISA is your bottleneck here.....

Yes, I was even doubting the same before. Before we had Cisco 2620 Router and when I connected that Router to ISA, I used available Fast Ethernet port so it was a 100 Mbps link. Now, again we bought a new Cisco 2801 Router but that also does not have Gigabit Ethernet port. So the link between Router and ISA is again 100 Mbps.

But you see, sometimes again I think how it can be a problem !!! Many organization are still using Routers from 2600 Series and they don't have Gigabit ports. Then connect Router to internal network (directly or through ISA) with the same Fast Ethernet port and it works fine (I think so).

So please give me your best idea.

Should I go for a higher router (i.e 2821 or 2851, as they come with two Gigabit ports) but it won't be wise as we have already purchased two Cisco 2801 Routers.
or
Should I remove the ISA and use Reflexive ACLs to block unwanted traffic, but then I will not be able to use the Application Layer Filtering and Web Caching Feature of ISA. Give your valuable suggestion.
******************************************************************************************************************************

In hope of your continuous support...

With regards,

Hemant
0
 
Keith AlabasterCommented:
I'll leave this to Manov - whilst I go and chill-out, just be aware that ISA is not supported as a front-end firewall on any virtualisation platform although it is now supported in a virtualised state when deployed as a back-end firewall. You have a front-end deployment.
0
 
manav08Commented:
Lol. Mate all you need to do is pick up some good articles/tutorials on ISA Server and start learning. There is nothing to be confused about. I don't know much about HP but doing a quick GOOGLE tells me that dc7800p is a better machine. If you have any issues later on and want to upgrade to a better server all you need to do is save the ISA configuration file and transfer it to your new server (KEITH can correct me on this if I am wrong).

Secondly, I have not setup LOAD BALANCING on ISA so I am not sure how it is setup but when you talk about LOAD BALANCING traffic on 2 NICs I guess you would not be able to achieve any better performance as far as CPU and RAM/Pagefile is concerned. If you are on a Gigabit Network, 1 NIC should be more than enough. Just check the network utilization in "Windows Task Manager" and see how that is going during peak hours. I would be surprised if it is even hitting 20% for your scenario. Your inability to open up My Computer or Task Manager more likely relates to RAM usage by ISA Firewall Service. I suggest take a look at this article on technet http://support.microsoft.com/default.aspx/kb/909636. (Also on a side note, I read somewhere a while ago that Network Load Balancing is only possible in the Enterprise version of ISA 2006, keith can shed some light maybe if I am wrong).

Re- Questions directed at Keith

May I suggest changing the property called "Flow control" to disabled. I had the same problem in another network and this is what I did. Also change RECEIVE BUFFERS to 512. If none of this works do a FACTORY RESET on the DLINK switch. Since it is unmanaged it won't make any difference to the configuration.
I don't believe you should change the router as this is just for the internet link which you mentioned is 3Mbps only. The only thing to be worried about would be your internal network which is running at 100Mbps.
0
 
JatinHemantAuthor Commented:
Thanks !

I changed the ISA cards and I found that now the ISA internal interface connecting to IDES switch is indicating 1 Gbps connected. Before I had tried your suggestion but it didn't work. Any way, now it is showing 1 Gbps, seems other network card has the problem.

Ok...on the matter of performance, as I told you I will definitely go for a higher end server machine. But I want to tell you a very amazing thing that is happening to my ISA.

I have two 80 GB HDD.

1st is partitioned as : C: (50 GB) and D: (30 GB)
2nd is not partitioned : E: (80 GB)

Now, I used D: and E: for caching.

When I set Caching, in Cache Drives I found this information:

Server : isa-kie
Cache Size on NTFS Drives (MB): 89000
Disk Size on NTFS Drives (MB): 152616
Free Space on NTFS Drives (MB): 57558

So it is Ok. But when I open the ISA console to verify it again. I find that:

Disk Size on NTFS Drives (MB):  Unavailable
Free Space on NTFS Drives (MB): Unavailable

But when I refresh it, it again shows the right information. I just want to ask why this strange thing is happening. Is it a serious issue or should I just ignore it ?

Regards,

Hemant
0
 
manav08Commented:
re: But when I refresh it, it again shows the right information. I just want to ask why this strange thing is happening. Is it a serious issue or should I just ignore it ?

---------------------------------------------------------------------------------------------------------------------

Lol. That's the way microsoft is mate, so it doesn't surprise me. I don't think there is anything to worry about here. Keith maybe you can shed some light. I don't have an ISA Server in front of me to test. That's all.
0
 
JatinHemantAuthor Commented:
Thanks for your continuous cooperation.

Let me try the tips from the link (http://support.microsoft.com/default.aspx/kb/909636. ) you provided for RAM utilization.

Regards,

Hemant
0
 
manav08Commented:
So have you got it all sussed now??
0
 
manav08Commented:
Hi Hemant,

Keith and myself have tried best to help you. Could you please award us points for our effort.
I suggest splitting the points as keith made a significant effort too.

If you have any other questions relating to having issues with IIS configuration etc. you should open up another question as we have already gone past the scope of the question :)
0
 
JatinHemantAuthor Commented:
Hi manav08 ! Hi Keith !

Definitely, both of you did the best for me. I thank you. I still have one query unsolved. But it was for Keith.

************************************************************************************
Keith said:
*****2nd: Hmmmm - lets see. 100Mb ethernet from ISA to the router - 3Mb Internet connection from the router to the ISP/Internet - I doubt if ISA is your bottleneck here.***

I asked:
*****Yes, I was even doubting the same before. Before we had Cisco 2620 Router and when I connected that Router to ISA, I used available Fast Ethernet port so it was a 100 Mbps link. Now, again we bought a new Cisco 2801 Router but that also does not have Gigabit Ethernet port. So the link between Router and ISA is again 100 Mbps.*****

But you see, sometimes again I think how it can be a problem !!! Many organization are still using Routers from 2600 Series and they don't have Gigabit ports. They connect Router to internal network (directly or through ISA) with the same Fast Ethernet port and it works fine for them(I think so).

So please give me your best idea.
************************************************************************************

But I myself feel that this discussion was quite interesting and I asked questions again and again. So let me give you the awards and open a new question.

Regards,

Hemant
0