Microsoft Serves Up ISA

MicrosoftCorp.’s Proxy Server has long needed an update -- an overhaul, really -- thatminor version upgrades could never provide. This summer, a replacement appearedon the horizon: Microsoft's Internet Security and Acceleration (ISA) Server.Actually, calling ISA Server an update of Proxy Server is a little like callinga 747 an update to the Wright brothers’ flier.

ISA Serveris available for download in beta form. The version we tested, Beta 3, is animpressive collection of Internet border services. In addition to a traditionalfirewall, forward, and reverse proxy servers, ISA makes it possible to donetwork address translation (NAT) and advanced caching, and to extend to itsbasic administrative toolset.

We triedthe beta software twice. First we inserted ISA Server as a gateway between apublic Internet connection and a 100 Mb Ethernet LAN, then we used ISA as asimple NAT server. We ran ISA Server on an HP E800 server with 512 MB of RAMand running Windows 2000 Advanced Server. The beta software installation toolis nicely designed, linking preinstallation and configuration tools with theserver setup application. In our case, the first time we ran the installationutility, setup failed because we had improperly uninstalled IIS. We expect thefinal product release will do a better job of identifying dependencies andfinding problems with the underlying server prior to attempting the install. Weuninstalled, rebooted, and then successfully had a running copy of ISA Server.

The heartof any proxy tool is cache management. ISA Server supports most of thetechniques we’ve come to expect on enterprise caches. For instance, intraditional forward proxy services ISA Server supports both the usual passivecaching -- entering pages in the cache as a result of direct user requests --and the far more effective active cache. We set up ISA Server to rank the mostcommonly visited Web sites, determine how often those sites update theircontent, and then automatically obtain and cache new content when the pages inthe cache had expired. In our tests, turning on active cache managementincreased the hit rate from 31 percent to 39 percent. Turning on active cachingwas as simple as writing a program to set the ActiveCachingEnable property ofthe cache configuration object to “True” and then saving the configuration.

Microsoftcalls reverse proxy caching “secure Web publishing.” That’s an accuratedescription of a service reverse proxy can provide, but it’s curious that thebeta version of the software uses some unusual terms for some pretty commonservices.

If theproxy server gives ISA Server its ability to produce better performance forusers, the firewall service provides the foundation for secure networking. Thefirewall service is built from a combination of a firewall client and a servicerunning on ISA Server. This strategy is wonderful for Windows-based networkswhere a custom winsock.dll can communicate with the firewall service. Thismakes any Winsock compatible application -- like mail, news, chat, or RealAudio-- seem like it’s directly connected to the Internet. That feature eliminatesthe need for individual protocol gateways.

Unfortunately,in our mixed network there was no way to extend these benefits to ourLinux-based workstations.

One of thebest features of ISA Server is that the entire management suite is exposed forprogramming and scripting. ISA Server exposes a family of COM objects thatallow you to use and extend ISA Server’s administration tools. This meansanything that can be done through traditional administration tools can beautomated via Visual Basic or C++. This extensibility lets third-party vendorsextend ISA Server’s functionality using the supplied PCVendorParametersSetobject.

Anotherimpressive feature of ISA Server is its improvement over Windows 2000’s nativeNAT capabilities. Some networks use NATs as a mechanism to conserve scarce IPv4allocations. In our testbed, we merely used NAT as a mechanism to hide internalnetwork structure from devices on the public side of the ISA server. WhileWindows 2000 has a NAT driver, ISA Server improves upon it by supporting awider range of protocols, including FTP, Internet Control Message Protocol,H.32., and Point-to-Point Tunneling Protocol.

We triedthis by pointing an internal client’s default gateway at the IP address of theISA Server. We got this working fairly quickly and the ISA Server began makingrequests on behalf of the internal client while continuing to support theprivate address space on the internal network. When we tried this we noticedsome immediate limitations -- such as only IP-address/application policiesworked. This is because no identity information is passed from client to server-- a limitation of the NAT architecture and not a defect in the ISA Server.

One featurethat was especially useful was the ability to reroute HTTP requests through theNAT. We were able to establish a default policy for ISA Server NAT clients thatsent all HTTP requests to a separate cache server. Another rule let us setaside a group of IP addresses that were never rerouted to the cache. On our1,500-node network, the NAT server passed a peak of 3.8 HTTP requests persecond to the cache -- which returned a cache hit rate of 31 percent. ISAServer’s flexibility, along with its strength of caching, translated intomeasurably better performance for the clients behind the NAT and a bandwidthsavings on our upstream ISP connection.

It’simportant to remember that the product we tested is a beta version of a productto come later this year. The documentation, for example, is geared atthird-party developers and not network administrators. While support for NATsolutions is wonderful in some cases, Microsoft doesn’t warn the personimplementing the product of the things that break, such as IPsec-basedapplications, when NAT boxes are put in the end-to-end transport path. Also, aninstall script that doesn’t anticipate every possible combination of installedsoftware shouldn’t be held against the beta version software.

These smallnagging problems will probably be addressed by the time a final version becomesavailable. And these limited problems can’t hide the enormous promise ISAServer brings to network administrators who depend on the Internet.

Internet Securityand Acceleration Server (Beta 3)
MicrosoftCorp., Redmond, Wash.
(425) 882-8080


ISA Server Beta 3 is a free download from version of the software is anticipated to cost $1,495.


+ Outstanding collection of network border services

+ Ease of extension and customization for administration

+ Integration with Active Directory

+ Excellent active caching algorithms

+ SecureNAT services are better than Windows 2000 native NAT services


- Beta installation tool has rough edges

- Extended firewall services are Windows-centric

- Beta's documentation oriented at developers, not administrators

- Some tools configured through .INI files