Moving From Squid to ISA
Company profile
The New York State agency that is the subject of this case study has an environment that consists of over 400 Servers and more than 20,000 workstations across New York State. The agency as a whole consists of over 15,000 personnel and is one of the largest and most prestigious organizations of its type in the country.
In addition, the agency handles approximately 5 million cases each year. There are several aspects of technology involved in an organization this large. Email, antivirus, backup and file sharing are among the most basic but there are several more specific technology systems in place for security and surveillance. But one of the most important is Internet Access and how to ensure access across such a large environment quickly and securely. With multiple Internet access points and several firewall and security concerns, this agency needed an all in one solution that was easy to use and even easier to maintain.
Problem
The agency had recently migrated from a Novell Directory structure to Microsoft Active Directory. Their old method of providing internet access to their employees was via a Linux based SQUID forward proxy server with a utility to authenticate via Novell. However, if the user had been migrated to active directory, they needed to enter their credentials numerous times in order access the internet. There was no way to track internet usage or limit the type of traffic allowed. With more and more users being migrated over time, the old method proved obsolete and a new solution was desperately needed. The agency needed one that would offer a way to control internet access and authenticate through Microsoft Active Directory, providing single sign-on (SSO).
Solution
After listening and understanding the agency’s complex problem, Lucid Solutions Group recommended Microsoft Internet Security & Acceleration Server 2006 (ISA), a firewall & proxy solution for enterprises that provides granular internet access control and centralized management over all internet policies. The agency already had firewall and security appliances in place. The purpose of ISA in their environment was to provide forward proxy services and Active Directory authentication but they were excited about the additional features they now had available. Previously, there was no logging and reporting functions. Now reports were being emailed weekly showing detailed internet usage by protocol, sites and users. It also showed them information by data count and graphic charts. ISA provided them with the ability to create very granular rules based on Active Directory users, user groups, internet protocols, networks and subnets. It even included application layer filtering, giving the agency the ability to allow http traffic but stop streaming over http. A redundant failsafe design was implemented which directed users through a second line in the event the primary connection went down. The solution is highly scalable, making it easy to expand its capabilities in the future. Lastly, the entire UCS was sub divided with group policy to route the traffic between the two internet access points equally. ISA is an extremely reliable solution that is easy to administer and maintain.
Benefits
- Centralized configuration storage with a Configuration Storage Server
- Centralized logging and reporting services
- Redundant forward based proxy servers in Albany and New York City with failover to each other
- Group policy utilized to sub divide the traffic to the 2 ISA servers based on location
- Internet caching
- Easy expansion and load balancing between servers
- Enterprise and Local ISA Server policies including granular control over allow/deny, protocol, user & multi network permissions & traffic
- Authentication via windows, LDAP, radius and more.
Products and Services Used
Lucid Solutions Group implemented Microsoft ISA using the following products and services:
- Microsoft Windows Server 2003 R2 64bit
- Microsoft ISA Server 2006
- Microsoft System Center Operations Manager 2007
- Dell PowerEdge 2950 servers