In this article we’ll focus on best practices specific to Microsoft
Internet Security and Acceleration (ISA) Server.
Let’s start by looking at some recommendations for configuring the
Microsoft ISA firewall so that it provides the best possible level of
security, reliability and performance. There are too many items to
describe all of them in this article, so we’ll focus on the most
important ones that you should pay attention to. The list is not in any
particular order, so items higher in the list are not necessarily more
important.
- ISA Server comes with a Firewall client and a Web Proxy client.
You should deploy these clients to get performance superior to what a
hardware firewall provides. The combination of the ISA server and its
clients provides a more intelligent security solution than an appliance
without clients can offer.
- The ISA firewall should
have only one DNS server
configured on its interfaces, and that DNS server address must be
configured on its internal interface (or whatever interface is closest
to an internal DNS server that can resolve Internet host names). Never
put an external DNS server on any of the ISA firewall’s
interfaces, and never enter a DNS server address on more than one ISA
firewall interface.
- When investigating a
possible attack, use www.arin.net
and do a Whois search on the IP address. This should be the first thing
you do when you detect unusual activity in your firewall logs.
- Use DMZ networks connected to the ISA firewall to limit access
between the different security zones within your organization. Put ISA
firewalls between security zones to make sure you are protected against
attacks originating in another zone.
- Do not consolidate other server functions (file server, web server,
etc.) on the ISA server. The ISA firewall is just that: a firewall.
- Harden the server
using the ISA firewall hardening guides located at
http://www.microsoft.com/isaserver/techinfo/guidance/2004/planning.mspx
- Typically there is no reason to enable NetBT (NetBIOS over TCP/IP)
on the external interface of the ISA firewall. If you don’t need
it, disable it.
- There typically isn’t a reason to enable the Server service on
the external interface of the ISA firewall either, since its only
purpose is to provide access to shared resources on the ISA firewall. In
general, the Server service should be disabled on all interfaces of the
ISA firewall, but there can be side effects, such as being unable to
reach the Firewall client share if you installed it on the ISA firewall.
It is best to place the client installation files on a network share
hosted by a file server. You shouldn’t run into any issues if the
Server service is unbound only from the external interface.
- On Windows 2000, the Alerter and Messenger
services should be disabled on the ISA firewall.
Windows Server 2003 turns off these services by default, or they are
turned off as part of running the Security Configuration Wizard on a
Windows Server 2003 Service Pack 1 ISA firewall.
- Install Network Monitor for troubleshooting issues. Microsoft Network
Monitor comes with Windows, and you can install it either before or after
the ISA firewall software is installed.
- The ISA firewall shouldn’t be used as a workstation; it is a
network firewall and an important component of your network security
infrastructure. Don’t use client applications, such as Internet
Explorer, on the ISA firewall, and don’t disable the Internet
Explorer Enhanced Security Configuration that is part of Windows Server
2003.
- If users complain about slow web browsing, configure the clients as
Web Proxy clients and configure the web browsers to use HTTP 1.1.
- Make sure to patch the base operating system before installing ISA.
Install the base operating system on a protected network, so that you
can safely install and then update the operating system before
installing the ISA firewall software. Connect the ISA firewall device to
the Internet only after the operating system is patched and the ISA
firewall software is installed.
- You can rename the network
interfaces installed on the
ISA firewall from Local Area Connection 1 and Local Area Connection 2
to something more meaningful, such as WAN, LAN, and DMZ. This is
helpful when you have a lot of interfaces installed on the ISA firewall
device.
- The ISA firewall can mitigate worms and other automated attacks by
enforcing connection limits. You can configure them by going to the
General node in the ISA firewall console and clicking Define Connection
Limits.
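As an added example (not part of the original article or of the ISA product), the following PowerShell script audits a Windows-based ISA host against three of the recommendations above: a DNS server on exactly one interface and not the external one, NetBT disabled on the external interface, and the state of the Server service. It assumes the external interface has been renamed "WAN" (a placeholder; adjust to your own naming) and that it runs locally on the firewall with administrative rights.

```powershell
# Added audit script (assumption: external NIC is named 'WAN'); run on the ISA host.
$ExternalName = 'WAN'
$Findings = @()

# Join adapter friendly names to their IP configuration via the shared Index value.
$Adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }
$Configs  = Get-WmiObject Win32_NetworkAdapterConfiguration | Where-Object { $_.IPEnabled }

$WithDns = @()
foreach ($cfg in $Configs) {
    $name = ($Adapters | Where-Object { $_.Index -eq $cfg.Index }).NetConnectionID
    if ($cfg.DNSServerSearchOrder) {
        $WithDns += $name
        if ($cfg.DNSServerSearchOrder.Count -gt 1) {
            $Findings += "$name lists $($cfg.DNSServerSearchOrder.Count) DNS servers; the recommendation is exactly one."
        }
    }
    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled
    if ($name -eq $ExternalName -and $cfg.TcpipNetbiosOptions -ne 2) {
        $Findings += "NetBT is not disabled on the external interface ($name)."
    }
}
if ($WithDns.Count -gt 1) {
    $Findings += "DNS servers are configured on more than one interface: $($WithDns -join ', ')."
} elseif ($WithDns.Count -eq 1 -and $WithDns[0] -eq $ExternalName) {
    $Findings += "The only DNS server is on the external interface; it belongs on the internal interface."
}

# Server service (LanmanServer): disabled everywhere is the strictest setting;
# at minimum it should be unbound from the external interface.
$Srv = Get-Service -Name LanmanServer
if ($Srv.Status -eq 'Running') {
    $Findings += "Server service (LanmanServer) is running; confirm it is unbound from $ExternalName or disabled."
}

if ($Findings.Count -eq 0) { 'No findings.' } else { $Findings | ForEach-Object { "FINDING: $_" } }
```

The script only reports; it changes nothing, so it is safe to run repeatedly as a post-build check.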
The above list represents only some of the recommendations for
configuring your ISA firewall and is certainly not exhaustive. If you
want to analyze your implementation of ISA Server, it is a good idea to
download the Microsoft Best Practice Analyzer Tool from the Microsoft
website and run it against your ISA Server. The tool is compatible with
ISA Server 2004, 2006, and Forefront TMG:
http://www.microsoft.com/download/en/details.aspx?id=811.
The Microsoft TechNet website is a great resource that offers a lot of
information about how to configure your ISA server for your
environment, including performance best practices
(http://technet.microsoft.com/en-us/library/cc302518.aspx) and
troubleshooting performance issues
(http://technet.microsoft.com/en-us/library/cc302601.aspx).