Microsoft Serves Up ISA - Software Review - Evaluation

ENT, Sept 20, 2000 by Mark Mcfadden

Microsoft Corp.'s Proxy Server has long needed an update -- an overhaul, really -- that minor version upgrades could never provide. This summer, a replacement appeared on the horizon: Microsoft's Internet Security and Acceleration (ISA) Server. Actually, calling ISA Server an update of Proxy Server is a little like calling a 747 an update to the Wright brothers' flier.

ISA Server is available for download in beta form. The version we tested, Beta 3, is an impressive collection of Internet border services. In addition to a traditional firewall and forward and reverse proxy servers, ISA makes it possible to do network address translation (NAT) and advanced caching, and to extend its basic administrative toolset.

We tried the beta software twice. First we inserted ISA Server as a gateway between a public Internet connection and a 100 Mb Ethernet LAN, then we used ISA as a simple NAT server. We ran ISA Server on an HP E800 server with 512 MB of RAM and running Windows 2000 Advanced Server. The beta software installation tool is nicely designed, linking preinstallation and configuration tools with the server setup application. In our case, the first time we ran the installation utility, setup failed because we had improperly uninstalled IIS. We expect the final product release will do a better job of identifying dependencies and finding problems with the underlying server prior to attempting the install. We uninstalled, rebooted, and then successfully had a running copy of ISA Server.

The heart of any proxy tool is cache management. ISA Server supports most of the techniques we've come to expect on enterprise caches. For instance, in traditional forward proxy services ISA Server supports both the usual passive caching -- entering pages in the cache as a result of direct user requests -- and the far more effective active cache. We set up ISA Server to rank the most commonly visited Web sites, determine how often those sites update their content, and then automatically obtain and cache new content when the pages in the cache had expired. In our tests, turning on active cache management increased the hit rate from 31 percent to 39 percent. Turning on active caching was as simple as writing a program to set the ActiveCachingEnable property of the cache configuration object to "True" and then saving the configuration.

Microsoft calls reverse proxy caching "secure Web publishing." That's an accurate description of a service that reverse proxy can provide, but it's curious that the beta version of the software uses some unusual terms for some pretty common services.

If the proxy server gives ISA Server its ability to produce better performance for users, the firewall service provides the foundation for secure networking. The firewall service is built from a combination of a firewall client and a service running on ISA Server. This strategy is wonderful for Windows-based networks where a custom winsock.dll can communicate with the firewall service. This makes any Winsock-compatible application -- like mail, news, chat, or RealAudio -- seem like it's directly connected to the Internet. That feature eliminates the need for individual protocol gateways.

Unfortunately, in our mixed network there was no way to extend these benefits to our Linux-based workstations.

One of the best features of ISA Server is that the entire management suite is exposed for programming and scripting. ISA Server exposes a family of COM objects that allow you to use and extend ISA Server's administration tools. This means anything that can be done through traditional administration tools can be automated via Visual Basic or C++. This extensibility lets third-party vendors extend ISA Server's functionality using the supplied PCVendorParametersSet object.

Another impressive feature of ISA Server is its improvement over Windows 2000's native NAT capabilities. Some networks use NATs as a mechanism to conserve scarce IPv4 allocations. In our testbed, we merely used NAT as a mechanism to hide internal network structure from devices on the public side of the ISA server. While Windows 2000 has a NAT driver, ISA Server improves upon it by supporting a wider range of protocols, including FTP, Internet Control Message Protocol, H.32., and Point-to-Point Tunneling Protocol.

We tried this by pointing an internal client's default gateway at the IP address of the ISA Server. We got this working fairly quickly, and the ISA Server began making requests on behalf of the internal client while continuing to support the private address space on the internal network. When we tried this we noticed some immediate limitations -- for example, only IP-address/application policies worked. This is because no identity information is passed from client to server -- a limitation of the NAT architecture and not a defect in the ISA Server.

One feature that was especially useful was the ability to reroute HTTP requests through the NAT. We were able to establish a default policy for ISA Server NAT clients that sent all HTTP requests to a separate cache server. Another rule let us set aside a group of IP addresses that were never rerouted to the cache. On our 1,500-node network, the NAT server passed a peak of 3.8 HTTP requests per second to the cache -- which returned a cache hit rate of 31 percent. ISA Server's flexibility, along with its caching strength, translated into measurably better performance for the clients behind the NAT and bandwidth savings on our upstream ISP connection.

 
