NOTE You can configure whether the ISA server will cache SSL objects. To do so, you must use the FPCWebRequestConfiguration COM object. Normally, cacheable Web objects are cached by the ISA server. These steps represent only one possible SSL bridging scenario. Note that a great deal of encrypting and decrypting is going on to maintain the security of the object. SSL Bridging with Incoming Web Requests Let’s look at how incoming Web requests are handled. First, the ISA server must be configured to listen for SSL requests on the port with which the external client will connect, as illustrated in Figure 3.11. By default, this is port 443. This is done by enabling SSL listeners on the Incoming Web Requests tab of the array’s Properties sheet. You have the following options: · Use the same listener configuration for all internal IP addresses · Configure listeners individually per IP address NOTE If you want to use SSL for two different Web servers, you need to select the second choice and configure the listeners individually. Figure 3.11 Configure the Array Properties to Enable and Configure SSL Listeners Additionally, a server certificate for Web requests must be specified. If you selected the first option, you can now edit the IP address properties. If you selected the second option, you might need to first add an IP address before you can configure its properties. In either case, you then check the “Use a server certificate to authenticate to Web clients” check box and choose a certificate from the list. TIP You will not be able to configure this option unless you have certificates installed on the ISA server. For this configuration to work properly, each internal Web server should be published on different public IP address and a server certificate mapped to each. Now the incoming Web requests will be handled as follows: 1. The external client sends an HTTPS request for a Web object on the internal Web server. 2. ISA Server decrypts the request and terminates the SSL connection. 3. ISA Server sends the request to the Web server using HTTP, FTP, or SSL, depending on how the Web publishing rules are configured. 4. If the Web publishing rules specify HTTPS, ISA Server creates a new SSL connection with the Web server and sends the request to port 443, acting as an SSL client to the Web server. 5. The Web server must respond with a server-side certificate. 6. If the Web server is configured to require a certificate, the ISA server must respond with a client-side certificate. SSL Bridging with Outgoing Web Requests SSL tunneling is normally used for internal client requests of HTTPS objects from external servers. However, you can use routing rules to configure clients to use SSL bridging instead if the client supports secure communication directly with the ISA server (that is, if its browser or Web application supports SSL communications). In this case, you configure the Outgoing Web Requests tab similarly to the way you configured incoming requests earlier, enabling SSL listening (on port by default) and enabling or selecting certificates. NOTE For more detailed instructions on configuring SSL tunneling and bridging in ISA Server, see Chapter 7, “Configuring ISA Server for Outbound Access Control,” and Chapter 8, “Configuring ISA Firewall Functionality.” Summary This chapter covered a lot of ground. Even so, we barely went past the tip of the iceberg when it comes to computer, network, and Internet security issues. The chapter provided many excellent resources that you can consult for more details on the basic security concepts, specific security threats, and development of security plans and policies. Although this chapter is a review for some readers, it is very important that before you deploy ISA Server as part of your overall security plan, you review that plan as a whole and ensure that you have addressed physical access factors, prevention of accidental data compromise, prevention of deliberate internal security breaches, and prevention and detection of unauthorized external intrusions. To get the most out of ISA’s features, you must be able to recognize the security threats to which your network is subject and understand a little about the motivations of typical intruders. It is not necessary that you be a hacker in order to prevent your network from hacking attempts, but it will benefit you to know something about how unscrupulous hackers think and how they do their dirty work. You must be aware of the various types of attacks with which you could be confronted and understand how to protect your network from social engineering attacks, DoS attacks, scanning and spoofing, source routing and other protocol exploits, software and system exploits, and Trojans, viruses, and worms. A number of hardware-based security solutions and even more software-based firewalls are on the market. You should have a basic understanding of the capabilities and limitations of each type and how ISA Server compares—in terms of features and cost—to some of the others. We think you will find that ISA Server offers an excellent value in comparison to competitive products, along with easy configurability and options to integrate third-party programs for even more functionality. Your comprehensive security plan is integral to protecting your network from both internal and external threats. There is no “one size fits all” when it comes to corporate security plans and policies; yours should be based on the nature of the business in which your organization engages, the nature of the data stored on your network, the number and types of connections your network has to the “outside world,” and your management’s philosophy regarding organizational structure. A good security plan is one that meets the needs of IT administration, company management, and network users. The best way to ensure that your security plan meets these criteria is to involve people from all levels of the organization in the planning process. Once you have a good, comprehensive security plan and corresponding policies worked out, you will be able to use ISA Server as an important element in your security plan, to implement and enforce those policies and provide monitoring, notification, and record keeping to document the successful functioning of your security plan. The following chapters show you how to do just that. Solutions Fast Track Security Overview n Network security solutions can be loosely divided into three categories: hardware, software, and human. Defining Basic Security Concepts n To protect your network resources from theft, damage, or unwanted exposure, you must understand who initiates these events, why they do it, and how they do it. n A good network security system will help you easily remove the temptations (open ports, exploitable applications) and will be as transparent to your users as possible. ISA Server, when properly configured, meets these requirements. Addressing Security Objectives n File servers on which sensitive data is stored and infrastructure servers that provide mission-critical services such as logon authentication and access control should be placed in a highly secure location. At a minimum, servers should be in a locked room to which only those who need to work directly with the servers have access. Keys should be distributed sparingly, and records should be kept of issuance and return. n Don’t depend on access permissions and other software security methods alone to protect your network. If a potential intruder can gain physical access to a networked computer, he or she is that much closer to accessing your valuable data or introducing a virus onto your network. n Although switches and routers are somewhat more secure than hubs, any device through which the data passes is a point of vulnerability. Replacing hubs with switches and routers makes it more difficult for an intruder to “sniff” on your network, but it is still possible to use techniques such as Address Resolution Protocol (ARP) spoofing. n Despite the many benefits of these wireless technologies, they also present special problems, especially in the area of network security. Data traveling over wireless media is more vulnerable to interception than data over cabled media. Radio and microwave are known as broadcast media. n According to most computer security studies, as documented in RFC 2196, actual loss (in terms of money, productivity, computer reputation, and other tangible and intangible harm) is greater for internal security breaches than for those from the outside. n Like Windows NT, Windows 2000 provides for granular auditing of security- related events and records the information to a security log. The log can be viewed (by users with administrative privileges only) via the Windows Event Viewer. Recognizing Network Security Threats n There are probably as many different specific motives as there are hackers, but we can break the most common intruder motivations into a few broad categories: recreation, remuneration, revenge. n In some instances, hackers working for competitors will go “undercover” and seek a job with your company in order to steal data that they can take back to their own organizations. n Unlike the other attack types, social engineering does not refer to a technological manipulation of computer hardware or software vulnerabilities and does not require much in the way of technical skills. Instead, this type of attack exploits human weaknesses—such as carelessness or the desire to be cooperative—to gain access to legitimate network credentials. n Because social engineering is a human problem, not a technical problem, prevention must come primarily through education rather than technological solutions. n Although they do not destroy or steal data as some other types of attacks do, the objective of DoS attackers is to bring down the network, denying service to its legitimate users. The purpose of a DoS attack is to render a network inaccessible by generating a type or amount of network traffic that will crash the servers, overwhelm the routers, or otherwise prevent the network’s devices from functioning properly. n Distributed DoS (DDoS) attacks use intermediary computers, called agents, on which programs called zombies have previously been surreptitiously installed. The hacker activates these zombie programs remotely, causing the intermediary computers (which can number in the hundreds or even thousands) to simultaneously launch the actual attack. n The DNS DoS attack exploits the difference in size between a DNS query and a DNS response, in which all the network’s bandwidth is tied up by bogus DNS queries. The attacker uses the DNS servers as “amplifiers” to multiply the DNS traffic. n Synchronization request (SYN) attacks exploit the TCP “three-way handshake,” the process by which a communications session is established between two computers. Because TCP (unlike UDP) is connection-oriented, a session, or direct one-to-one communication link, must be created prior to sending data. The client computer initiates the communication with the server (the computer that has the resources it wants to access). n The ping-of-death attack is launched by creating an IP packet (sometimes referred to as a killer packet) larger than 65,536 bytes, which is the maximum allowed by the IP specification. This can cause the target system to crash, hang, or reboot. ISA allows you to specifically enable detection of ping-of-death attacks. n A worm is a program that can travel across the network from one computer to another. Sometimes different parts of a worm run on different computers. Worms make multiple copies of themselves and spread throughout a network. Categorizing Security Solutions n Hardware security solutions come in the form of network devices. Firewalls, routers, even switches can function to provide a certain level of security. n Hardware-based firewalls are often referred to as firewall appliances. A disadvantage of hardware-based firewalls is the proprietary nature of the software they run. Another disadvantage of many of these products, such as Cisco’s highly respected PIX, is the high cost. n Software security solutions cover a much broader range than hardware solutions. They include the security features built into network operating systems as well as additional security software made by Microsoft or third-party vendors. Designing a Comprehensive Security Plan n A widely accepted method for developing your network security plan is laid out in RFC 2196, Site Security Handbook, and attributed to Fites, et al (1989). n It is important to understand that a security plan is not the same thing as a security policy, although the two words are sometimes used interchangeably. n A LAN that is self-contained and has no Internet connectivity nor any modems or other outside connections does not require the degree of protection (other than physical security) that is necessary when an intruder can take many avenues “in.” n The best security policy is to have as few connections from the internal network to the outside as possible and control access at those entry points (collectively called the network perimeter). n An organization’s management model can have a profound influence on what is or isn’t acceptable in planning security for the network. n The U.S. government provides specifications for rating network security implementations in a publication often referred to as the Orange Book, formally called the Department of Defense Trusted Computer System Evaluation Criteria, or TCSEC. The Red Book, or Trusted Network Interpretation of the TCSEC (TNI), explains how the TCSEC evaluation criteria are applied to computer networks. n Best practices dictate that no one person should have complete authority or control. Besides, in an enterprise-level network, it would be difficult for any single person to handle all facets of developing and implementing the security plan. n Best practices for password creation require that you address the following: password length and complexity, who creates the password, and forced changing of passwords Incorporating ISA Server in your Security Plan n ISA Server’s firewall function prevents unauthorized packets from entering your internal network. ISA also provides monitoring of intrusion attempts as well as allowing you to set alerts to notify you when intrusions occur. n The goal of system hardening is to create as many barriers as possible to unauthorized persons who would try to access your network. n Secure Sockets Layer (SSL) is a protocol that can be used to manage the security of Internet communications. SSL operates between HTTP at the Application layer and TCP at the Transport layer. n SSL tunneling allows a client computer to create a tunnel through the ISA server to a Web server whenever the browser on a client machine requests a secure HTTP object, thus allowing the client to connect to and communicate directly with the external Web server. n Using SSL bridging, ISA Server can encrypt or decrypt requests from clients and forward the requests to a Web server. FAQs Q: Does IP spoofing allow a hacker to communicate on the network anonymously? A: Not really. IP spoofing makes the source address appear to be other than that of the original sender. However, responses to a message with a spoofed IP address go back to the spoofed address, not to the real address of the original sender. Hackers use spoofing in situations in which they do not need to receive a response. For example, a hacker can use a spoofed IP address to initiate a ping flood or a UDP flood. A hacker cannot, however, hide his identity by pretending to be someone else while engaging in two-way communications, because he will not receive the responses to his messages. Q: The laws regarding import and export of cryptography to and from various countries is very confusing. Where can I find more information on this topic? A: An excellent document, International Law Crypto Survey, provides information about laws and regulations pertaining to cryptography at the Bert-Jaap Koops homepage at http://cwis.kub.nl/~frw/people/koops/lawsurvy.htm. Q: Why does SSL work with ISA Server (and Microsoft Proxy Server 2.0) when it does not work with some other proxy servers? A: SSL regards Application layer proxies such as the CERN proxy server as “middlemen,” and SSL was designed to prevent man-in-the-middle attacks. Because Microsoft Proxy Server and ISA Server use packet filtering, which operates at the Network layer, they can be configured to open a trusted, reserved port (443 for secure HTTP and 563 for secure NNTP) to allow SSL traffic to “tunnel” through the proxy. Q: What is ingress filtering, and how can it be used to protect against network intrusions? A: Ingress filtering is a method of preventing attackers in a particular network from perpetrating network intrusions and attacks using spoofed IP addresses that don’t comply with the ingress-filtering rules. ISPs can use ingress filtering to prevent the use of forged source addresses that aren’t in the range of legitimate prefixes. When ingress filtering is used, the origin of attempted intrusions can be traced to their actual source because a valid source address must be used. Information about ingress filtering is contained in RFC 2267, the text of which is available on the Web at http://info.internet.isi.edu/in-notes/rfc/files/rfc2267.txt. Q: What solutions have been developed to provide better security over wireless LAN links? A: Vendors such as 3Com have developed security solutions for wireless networks, including Layer 3 wireless tunneling that is easier to implement than earlier Layer 2 tunneling implementations. 3Com’s SuperStack II Router 400 can be set up between the wired network infrastructure and the wireless clients, and the Microsoft Point to Point Encryption Protocol can be used to provide secure communications between the two. Other vendors offer similar solutions for securing wireless connections. Q: What are smart cards, and how do they work? A: A smart card is a device the size and shape of a credit card that is used to securely store public and private keys, passwords, and other types of personal information. A smart card reader is required to use the card. Smart cards can be used for access control to a physical site or for logon authentication to a computer network. Windows 2000 supports smart card authentication, using certificate-based cryptography. This feature provides for stronger security than a username/password logon alone because, in order to log on to the network, a user must have access to the card itself in addition to entering the correct user credentials. (In this case, the user enters a personal identification number, or PIN, instead of the username and password.) Smart cards can be an important part of a public key infrastructure (PKI) that provides security for Windows 2000 networks. Q: How does IPSec protect data as it travels over the network? A: IPSec is a set of protocols that are implemented at the Network layer (Layer 3) to encapsulate and encrypt data to prevent it from being read if it is intercepted while it travels across the network. Packet sniffers can be used to capture data in transit, and if the data is not encrypted, the contents of the packets can be read. The implementation of IPSec at the Network layer means that applications do not have to be IPSec-aware. (Security mechanisms implemented at higher layers, such as SSL, require that applications support the security method.) Unlike security that is implemented at a lower level, such as Link layer encryption, all links along the data path are protected, resulting in end-to-end security. All applications and services that utilize IP for transport can be secured with IPSec. Other protocols can be protected if the packets are encapsulated by IP. Both computers in a transaction must support IPSec. IPSec uses ISAKMP to initiate security negotiations, and the two computers perform a key exchange and establish an ISAKMP security association, using a shared secret key. They can they negotiate the level of security that will be used for the data transmission. The IPSec driver on the sending computer signs outgoing packets for integrity and encrypts the packets for confidentiality. When the destination computer receives the packets, its IPSec driver checks the signature and decrypts the packets. Windows 2000 IPSec uses the Authentication Header (AH) and the Encapsulating Security Payload (ESP) protocols to provide authentication, integrity, and confidentiality for the IPSec communication. Chapter 4 ISA Server Deployment Planning and Design Solutions in this chapter: ISA Deployment: Planning and Designing Issues Active Directory Implementation Mission-Critical Considerations Planning the Appropriate Installation Mode Introduction To this point, we’ve talked about general concepts as they relate to network security and enterprise design considerations. In this chapter, we start getting into the specifics of planning and implementing an ISA Server solution for your network. Planning your ISA Server installation before actually performing it is absolutely critical. As with Windows 2000, the amount of thought and analysis you put into your design will help optimize ISA performance and will minimize the chance of making a substantial error that will adversely affect your security or access schemes. ISA Deployment: Planning and Designing Issues When you decide to put together an ISA Server solution for your organization, you should plan ahead. ISA Server is an integral part of your security configuration scheme, and you do not want to merely install the server and hope that everything works out right. Carpenters have an old saying: “Measure twice, cut once.” If you thoroughly map out your design, you’ll avoid pitfalls in your deployment and further down the line. In this section, we focus on planning and design issues as they relate to the installation of ISA Server. The primary issues of concern are: · Network and hardware specifications · The edition of ISA Server to be installed · The mode in which ISA Server will be installed · Standalone versus array configurations · Client configuration requirements · ISA Server Internet connectivity You should make firm decisions about each of these ISA Server design issues before you begin your installation. The conclusions you reach at this point will determine your choices when it comes time to install ISA Server. Assessing Network and Hardware Requirements Prior to installing ISA Server, you need to assess hardware requirements to meet the needs of your organization’s ISA Server deployment plan. An organization that has 50 network clients and chooses to utilize only the Web proxy service will have very different requirements than an organization with 30,000 network clients that wants to avail itself of all the networking services ISA Server has to offer. System Requirements Whether you choose to install one or 100 ISA servers, each server must meet minimum hardware and software requirements. The minimum requirements for any ISA server— regardless of the role the machine might play on the network—are: · Windows 2000 Server family operating system with Service Pack 1 or later installed · A Pentium II or K7 (Athlon) Processor running at 300MHz or faster · A minimum of 256 MB of RAM (Microsoft recommended) · A minimum of 20 MB for the program files · A minimum of 2 GB for the Web cache · At least two network interfaces—one to the internal network and a second to an external network, such as the Internet or corporate backbone (the exception is an internal caching-only server) · Partitions formatted as NTFS to store the program, log, and cache files · A Windows 2000 Domain if Enterprise Policies will be implemented Each of these components requires thoughtful consideration before implementing the ISA server on your network. Let’s look at each one of them in more detail. Software Requirements ISA Server must be installed on a Windows 2000 Server family computer. It will not install on Windows NT 4.0 or Windows 2000 Professional. If you try to install ISA Server on a Windows 2000 Server machine that does not have Service Pack 1 installed, you will get an error message during the installation, informing you that you must first install the service pack before the installation routine can continue. If you do not have Windows 2000 Service Pack 2 installed, you must install a pre- Service Pack 2 hotfix that is included on the CD-ROM. The file, q27586_w2k_sp2_x86_en.exe, is contained in a folder named HotFix. The hotfix will update several system files. Although doing so is not required, you should restart your machine after installing the hotfix. ISA Server Standard Edition can be installed on any member of the Windows 2000 Server family. The Enterprise Edition of ISA Server must be installed on either Windows 2000 Advanced Server or Datacenter Server. Therefore, if you organization has only the “ Server” version of Windows 2000, not the Advanced or Datacenter versions, you need to upgrade before installing ISA Enterprise Edition. Processor Requirements Processor requirements are somewhat flexible. It is rather unusual to see a production server in a corporate environment running at 300MHz or less; such a server would be rather long in the tooth at this point. If your servers are even a year old, it’s unlikely that they are slower than 500MHz. Because the address translation and rule processing performed by ISA Server is processor intensive, you will benefit from a more powerful processor or multiple processors. If you configure a large number of packet filters or content and site rules, you’ll want to maximize the processor configuration on your server. If you don’t plan to implement a lot of rules on the server and will use it primarily for Web caching, a 300MHz machine should present no problems. Table 4.1 will help you assess your processor requirements. TIP The rate-limiting factor when it comes to processor requirements can be boiled down to the number of rules per second that ISA Server needs to evaluate. An ISA server with a few rules but high throughput could have roughly the same requirements as a machine that has many rules but little throughput through its external interface. Note that we cannot make a decision based on throughput on the internal interface, because it is assumed that other types of traffic that are not processed by any ISA services could flow through this interface. Therefore, you can use the speed of the external interface as a guideline for the level of processor support your ISA server requires. T able 4.1 ISA Server Processor Requirements We have included AMD processor offerings along with the Intel specifications that Microsoft includes in its documentation. Microsoft still doesn’t like to talk too much about A MD because of Microsoft’s long association with Intel. However, AMD has closed the gap, a nd its K7/Athlon processors provide superior performance at lower cost. The only reservation you might have regarding the K7 series is its multiprocessor support. At this j uncture, it might be wise to go with Intel when designing a multiprocessor solution. Multiprocessor Support Keep in mind that ISA Server and Windows 2000 support multiprocessor system setups. I f you are configuring the server as an integrated firewall and Web cache server, and if t he server is performing any other duties (such as acting as a domain controller for a d edicated ISA Server domain), you’ll want to strongly consider a multiprocessor machine. I SA Server has been certified as Windows 2000 compliant, and part of the certification process included its ability to take advantage of symmetric multiprocessing. Windows 2000 Server supports up to 4 processors. Windows 2000 Advanced Server supports up to 8 processor, and Windows 2000 Datacenter Server supports up to 32 processors. The number of processors determines how much you’ll pay for ISA Server, because t he licensing fees are based on the number of processors on the server. Since the costs c an increment outrageously for a multiprocessor machine, you should consider installing I SA Server on a system with a single processor, then carry out performance monitoring to a id you in making a cost/benefit analysis of a multiple-processor solution. Table 4.2 contains the pricing structure for ISA Server at the time of this book’s publication. T able 4.2 ISA Server Price Estimates for Full and Up g rade Versions N ote: All prices are in U.S. currency. If you do not qualify for the upgrade, you should consider the cost of buying Proxy External Interface Data Rate Processor Requirement Type of Connection Less than 10 Mb/second Pentium II or K6-2 300MHz ISDN, cable, or DSL 10–50 Mb/second Pentium III or K7 500MHz T3 or comparable More than 50 Mb/second Pentium III or K7 500MHz; add a processor for each increment of 50 Mb/second Very Fast ISA Server Version Estimated Price Upgrade Information ISA Standard Version $1499.00 per CPU See below ISA Enterprise Version $5999.00 per CPU See below ISA Standard Version— Upgrade $749.00 per CPU The following products qualify for upgrade: · Proxy Server 2.0 · Netscape Proxy Server · Novell Border Manager · Checkpoint Firewall-1 and VPN-1 · Axent Raptor · Inktomi Traffic Server · IBM Secure Way Firewall and Websphere cache · Cobalt cache, Cobalt Cube · Network Appliance NetCache ISA Enterprise Version— Upgrade $2999.00 per CPU [...]... “Optimizing ISA Server. ” Server Fault Tolerance There are several ways to ensure fault tolerance for ISA servers in the event of a server crash or the necessity of taking a server offline for maintenance or upgrade The best way to provide for server fault tolerance is to take advantage of arrays of ISA servers when you deploy the Enterprise Edition An ISA Server array is a collection of ISA servers that... Network (DMZ) sits between two ISA Servers ISA In Firewall Mode Perimeter Network (DMZ) Public Network ID Mail Web FTP ISA Server Integrated Mode Private Network Private Network IDs The ISA server that acts only as a Web-caching server can get by with a single internal network interface Network clients send their requests to the ISA Server s internal interface, and the ISA server forwards those requests... on a Windows NT 4.0 server? A: No ISA Server can be installed only on a Windows 2000 Server family computer that has Service Pack 1 or later installed Q: Can I install ISA Server on a Windows 2000 server that is a member of a Windows NT 4.0 domain? A: Yes ISA Server can be installed on a Windows 2000 Server family computer that is a member of a Windows NT 4.0 domain However, ISA Server must be installed... network, one that will host your Web server and a second that will host your mail server You have registered your domain name, isaserver.net You have one external IP address: 222.222.222.222 In the DNS, you enter a Host (A) address record for www.isaserver.net and mail.isaserver.net Both of these Host (A) records will point to 222.222.222.222 When a user types www.isaserver.net into his or her browser... all the networking services ISA Server has to offer Whether you choose to install one or 100 ISA servers, each server must meet minimum hardware and software requirements ISA Server must be installed on a Windows 2000 Server family computer If you do not have Windows 2000 Service Pack 2 installed, you must install a pre-Service Pack 2 hotfix that is included on the CD-ROM ISA Server and Windows 2000 support... Internet servers are returned to the single-homed Web-caching server, which in turn returns data to the ISA clients Figure 4 .3 shows what such a single-homed network configuration might look like Figure 4 .3 A Single-Homed Web-Caching-Only Server Single Homed Caching Server ISA Server with single interface receives requests and forwards them to its default gateway to the Internet Internet Default Gateway ISA. .. example, if you have a root domain of isacorp.net and subdomains of west.isacorp.net and east.isacorp.net, and you then configure an external trust (also known as an explicit trust) from the ISA Server domain to the isacorp.net domain, you will run into problems with the lack of transitivity The security accounts in the isacorp.net domain will be respected by the ISA Server domain, but the subdomains’... tacteam.net domain The entries would look something like this: isaserver.tacteam.net isaserver.tacteam.net isaserver.tacteam.net A A A 222.222.222.222 222.222.222.2 23 222.222.222.224 We also set the time-out for these records so that the DNS clients wash the entries from their DNS caches after 1 minute If a client makes a request for isaserver.tacteam.net and receives the IP address 222.222.222.222... with an untrusted network In the context of ISA Server, that untrusted network is typically the Internet Planning the Appropriate Installation Mode n n n n There are three types, or modes, of ISA Server installation: Firewall mode, cache mode, integrated mode ISA servers support virtually all ISA Server features, with the exception of the Web cache A cache mode server is best placed on the internal network,... type of ISA client to set up, because virtually no configuration is required n ISA Server supports Web publishing and server publishing By publishing servers, you are able to offer Internet clients services on your internal network ISA Server Publishing allows you to publish services such as HTTP, NNTP, SMTP, and POP mail to users on the Internet in a secure context FAQs Q: Can I install ISA Server . detailed instructions on configuring SSL tunneling and bridging in ISA Server, see Chapter 7, Configuring ISA Server for Outbound Access Control,” and Chapter 8, Configuring ISA Firewall Functionality.” . HTTPS, ISA Server creates a new SSL connection with the Web server and sends the request to port 4 43, acting as an SSL client to the Web server. 5. The Web server must respond with a server- side. a Web object on the internal Web server. 2. ISA Server decrypts the request and terminates the SSL connection. 3. ISA Server sends the request to the Web server using HTTP, FTP, or SSL, depending