INSTALLATION DECISIONS

NETWORK CONSIDERATIONS

You can install SurfControl on a single ISA Server or in multi-server arrays. In an ISA Standard Edition installation, Web Filter is installed on a single ISA Server. In an ISA Enterprise Edition environment, Web Filter is installed on multiple servers.

DEPLOYMENT RECOMMENDATIONS

SurfControl recommends the following when deploying Web Filter for ISA Server:

If Web Filter for ISA Server is used as a proxy, it does not need to be installed in a specific location in the LAN. However, if it is used as a firewall, consult the Microsoft ISA templates for network placement recommendations.

Use a firewall to deny HTTP traffic from all IP addresses except for the ISA server.

Firewall clients should be configured so that the browser uses a proxy service.

DMZ RECOMMENDATIONS

In a perimeter network (DMZ) installation, Web Filter is installed on one or more ISA Servers located between a perimeter firewall and an internal firewall. SurfControl recommends the following when deploying Web Filter for ISA Server in the DMZ:

If the ISA Server is part of the DMZ domain, Web Filter for ISA Server should be a member of the domain that users log into.

Is there a one-way or two-way trust relationship between the Web Filter ISA Server and the corporate domains? Two-way trust relationships are very reliable. One-way trusts will cause problems if configured to trust the wrong way.

Are there multiple domain controllers? The ports required to query the domain controllers should already be open via System Policy LDAP to localhost. If not, check which ports, if any, must be opened for this purpose.

When Web Filter for ISA is deployed in a DMZ, it may be unable to query the domain controllers for a variety of reasons:

It cannot resolve the IP addresses of the domain controllers.

It is unable to authenticate to the domain controllers.

Access is blocked by a firewall, preventing Web Filter from enumerating groups using NT objects.

To resolve a domain controller name resolution issue:

Add an entry to the LMHosts file on the Web Filter server(s) for the domain controllers. See the following Microsoft KB article for more information: http://support.microsoft.com/Default.aspx?kbid=180094

Enable NETBIOS over IP on the Web Filter server(s).
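
The following Python script is an added example, not part of the SurfControl guide or of Microsoft's documentation. It checks an LMHOSTS file for a usable entry for each domain controller, using the standard #PRE and #DOM: keywords; the host names, addresses and the CORP domain are constructed, and only unquoted names are handled.

```python
import ipaddress

# Constructed sample LMHOSTS content: names, addresses and domain are made up.
SAMPLE_LMHOSTS = """\
# LMHOSTS on the Web Filter server
10.10.1.5    DC01    #PRE #DOM:CORP
10.10.1.6    DC02    #DOM:CORP
10.10.1.300  DC03    #PRE #DOM:CORP
"""


def parse_lmhosts(text):
    """Map NAME -> (ip, keywords). Handles unquoted NetBIOS names only."""
    entries = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blanks, comments and directive lines such as #INCLUDE.
        if len(parts) < 2 or parts[0].startswith("#"):
            continue
        keywords = [p for p in parts[2:] if p == "#PRE" or p.startswith("#DOM:")]
        entries[parts[1].upper()] = (parts[0], keywords)
    return entries


def check_dc_entries(text, domain, controllers):
    """Return {controller: [problems]}; an empty list means the entry looks usable."""
    entries = parse_lmhosts(text)
    report = {}
    for dc in controllers:
        if dc.upper() not in entries:
            report[dc] = ["no entry"]
            continue
        ip, keywords = entries[dc.upper()]
        problems = []
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append("invalid IPv4 address " + ip)
        if len(dc) > 15:
            problems.append("NetBIOS name longer than 15 characters")
        if "#PRE" not in keywords:
            problems.append("missing #PRE, entry is not preloaded")
        if not any(k[5:].upper() == domain.upper() for k in keywords if k.startswith("#DOM:")):
            problems.append("missing #DOM:" + domain)
        report[dc] = problems
    return report


if __name__ == "__main__":
    for name, problems in check_dc_entries(SAMPLE_LMHOSTS, "CORP", ["DC01", "DC02", "DC03", "DC04"]).items():
        print(name, "OK" if not problems else "; ".join(problems))
```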

SurfControl Web Filter for ISA v5.5

Starter Guide
