Downstream ISA/TMG Server Deployment

This option, which uses either a Microsoft Internet Security and Acceleration (ISA) server or a Microsoft Forefront Threat Management Gateway (TMG) server, is based on the Explicit Deployment. This deployment is different in that it includes an ISA/TMG server (and optionally an Active Directory server) between users and the Web Appliance.

  • Allows the Web Appliance to work with an ISA/TMG Server.
  • If the Sophos ISA/TMG plug-in is installed, and an Active Directory server is on the network side of the ISA or TMG server, then clients (users) can be seen as usernames.
  • Allows you to use multiple Web Appliances in a simple load-balancing deployment.
  • If the Sophos ISA/TMG plug-in is not installed, all traffic will be identified as coming from one user: the ISA/TMG server.
  • If the Sophos ISA/TMG plug-in is not installed or an Active Directory server is not on the network side of the ISA/TMG server, then clients (users) will appear as IP addresses only.
  • Does not support individual user opt-out, although with the ISA/TMG plug-in installed custom policy can be applied to an individual user or group.

Operation

  • Users' HTTP and HTTPS requests are passed through an ISA/TMG server that uses NTLM or IWA authentication.
  • The ISA/TMG server passes URL requests to the Web Appliance.
  • The Web Appliance assesses the URL.
  • The Web Appliance blocks disallowed requests, checks if allowed URL requests are currently cached, and passes URL requests that are not cached through to the firewall.
    Note
    Port 80 and 443 requests from users are blocked at the firewall, which retrieves the URL's material from the internet; URLs are only accepted by the firewall if they are from the Web Appliance.
  • The Web Appliance receives new pages or files, caches them, and passes the page or file on to the users.
  • The users receive only safe and allowed pages and files or a notification page.
Note
If the Sophos ISA/TMG plug-in is installed, clients (users) are identified individually; otherwise, all traffic is identified as coming from one user: the ISA/TMG server.
Note
If the Sophos ISA/TMG plug-in is installed, and an Active Directory server is on the network side of the ISA/TMG server, then clients (users) can be seen as usernames; if the Active Directory server is not appropriately located, clients (users) appear only as IP addresses in reports and user activity logs.
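The Note above says the firewall must forward port 80 and 443 traffic only when it comes from the Web Appliance. The following added example (not part of the Sophos documentation) audits a constructed, hypothetical firewall log for forwarded web flows whose source is not a Web Appliance, which would indicate that users or the ISA/TMG server can reach the internet without passing through the appliance; the addresses and log format are placeholders, not values from this page.

```python
import ipaddress
import re

# Placeholder Web Appliance addresses (assumption; the documentation names none).
WEB_APPLIANCES = {ipaddress.ip_address("10.0.1.10"), ipaddress.ip_address("10.0.1.11")}
WEB_PORTS = {80, 443}

# Constructed log format: "src=<ip> dst=<ip> dport=<port> action=<ACCEPT|DROP>".
LINE_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"src": ipaddress.ip_address(m["src"]), "dst": m["dst"],
            "dport": int(m["dport"]), "action": m["action"]}


def is_bypass(rec):
    """A forwarded 80/443 flow not sourced from a Web Appliance means the
    firewall rule described in the Note is not being enforced for that host."""
    return (rec["action"] == "ACCEPT" and rec["dport"] in WEB_PORTS
            and rec["src"] not in WEB_APPLIANCES)


def find_bypass_flows(log_lines):
    """Return (src, dst, dport) tuples for every flow that bypassed the appliance."""
    hits = []
    for line in log_lines:
        rec = parse_line(line)
        if rec and is_bypass(rec):
            hits.append((str(rec["src"]), rec["dst"], rec["dport"]))
    return hits


# Constructed sample: appliance egress, a correctly dropped client, one flow from
# the (assumed) ISA/TMG server address that was wrongly forwarded, and an SSH
# flow that is outside the 80/443 rule's scope.
SAMPLE_LOG = [
    "src=10.0.1.10 dst=203.0.113.7 dport=443 action=ACCEPT",
    "src=10.0.2.25 dst=203.0.113.7 dport=80 action=DROP",
    "src=10.0.1.5 dst=198.51.100.3 dport=443 action=ACCEPT",
    "src=10.0.1.11 dst=198.51.100.3 dport=80 action=ACCEPT",
    "src=10.0.2.25 dst=203.0.113.9 dport=22 action=ACCEPT",
]

if __name__ == "__main__":
    for hit in find_bypass_flows(SAMPLE_LOG):
        print("bypass:", hit)
```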

The ISA/TMG plug-in can be downloaded from the Configuration > Network > Hostname page. The ISA/TMG plug-in is compatible with Microsoft ISA Server 2004 and 2006, and Microsoft Forefront TMG 2010.

Configuration

Important
The Web Appliance may not catch malware stored in the ISA/TMG server's cache. To avoid this risk, be sure to clear the ISA/TMG cache prior to enabling this network deployment.

Follow the configuration instructions for the Explicit Deployment scenario, but with the following differences:

  • Ensure that your ISA/TMG server is between the clients and your Web Appliance.
  • Ensure that your ISA/TMG server is configured to pass traffic through the Web Appliance, which is itself configured as in the Explicit Deployment.
  • Ensure that your Active Directory server, if you are using one, is located on the network side, between your clients (users) and your ISA/TMG server. The ISA/TMG server must also be configured to allow communications between your Web Appliance and your Active Directory server.
    Note
    Web Appliance policy will be applied to users authenticated by the Active Directory server using the pre-Windows 2000 format DOMAIN\username only.
  • If the ISA/TMG plug-in is installed, enter the IP address of the downstream ISA/TMG server in the Accept authentication from downstream ISA/TMG servers section on the Configuration > Network > Hostname page.
Note
A simple way to load balance across multiple Web Appliances is to use a DNS round robin scheme. If you do this, you should disable DNS caching, because Windows DNS caching can mask the round robin effect. To disable Windows DNS caching, see the Microsoft Support article http://support.microsoft.com/kb/318803. You must ensure that you have a firewall with network address translation (NAT), but not an ISA or TMG server in firewall mode, between the Web Appliances and the internet. This firewall must be configured to present a single IP address for the Web Appliances to sites on the internet. The NAT, or IP masquerading, prevents sites that check and record the IP address of visitors in cookies from encountering multiple IP addresses.
Note
Explaining how to configure an ISA/TMG Server is beyond the scope of this documentation. For details on ISA/TMG Server configuration, see the Microsoft ISA Server Deployment page or the Microsoft Forefront TMG Deployment page.