INSTALLATION DECISIONS
Network Considerations
2 |
NETWORK CONSIDERATIONS
You can install SurfControl on a single ISA Server or in
DEPLOYMENT RECOMMENDATIONS
SurfControl recommends the following when deploying Web Filter for ISA Server:
•If Web Filter for ISA Server is used as a proxy, it does not need to be installed in a specific location in the LAN. However, if it is used as a firewall, consult the Microsoft ISA templates for network placement recommendations.
•Use a firewall to deny HTTP traffic from all IP addresses except for the ISA server.
•Firewall clients should be configured so that the browser uses a proxy service.
DMZ RECOMMENDATIONS
In a perimeter network (DMZ) installation, Web Filter is installed on one or more ISA Servers located between a perimeter firewall and an internal firewall. SurfControl recommends the following when deploying Web Filter for ISA Server in the DMZ:
•If the ISA Server is part of the DMZ domain, Web Filter for ISA Server should be a member of the domain that users log into.
•Is there a
•Are there multiple domain controllers? The ports required to query the domain controllers should already be open via System Policy LDAP to localhost. If not, check to see which ports if any, must be opened for this purpose.
When Web Filter for ISA is deployed in a DMZ, it may be unable to query the domain controllers for a variety of reasons:
•It cannot resolve the IP addresses of the domain controllers.
•It is unable to authenticate to the domain controllers.
•Access is blocked by a firewall, preventing Web Filter from enumerating groups using NT objects.
To Resolve a domain controller name resolution issue:
•Add an entry to the LMHosts file on the Web Filter server(s) for the domain controllers. See the following Microsoft KB article for more information: http://support.microsoft.com/ Default.aspx?kbid=180094
•Enable NETBIOS over IP on the Web Filter server(s).
SurfControl Web Filter for ISA v5.5 | Starter Guide | 9 |
