SurfControl Web Filter for ISA v5.5 Starter Guide
INSTALLATION DECISIONS
NETWORK CONSIDERATIONS
You can install SurfControl on a single ISA Server or in multi-server arrays. In an ISA Standard Edition
installation, Web Filter is installed on a single ISA Server. In an ISA Enterprise Edition environment, Web
Filter is installed on multiple servers.
DEPLOYMENT RECOMMENDATIONS
SurfControl recommends the following when deploying Web Filter for ISA Server:
• If Web Filter for ISA Server is used as a proxy, it does not need to be installed in a specific location in
the LAN. However, if it is used as a firewall, consult the Microsoft ISA templates for network placement
recommendations.
• Use a firewall to deny HTTP traffic from all IP addresses except the ISA Server, so that browsing cannot bypass Web Filter.
• Firewall clients should be configured so that the browser uses a proxy service.
DMZ RECOMMENDATIONS
In a perimeter network (DMZ) installation, Web Filter is installed on one or more ISA Servers located
between a perimeter firewall and an internal firewall. SurfControl recommends the following when
deploying Web Filter for ISA Server in the DMZ:
• If the ISA Server is part of the DMZ domain, Web Filter for ISA Server should be a member of the
domain that users log into.
• Is there a one-way or two-way trust relationship between the Web Filter ISA Server and the corporate
domains? Two-way trust relationships are very reliable. One-way trusts will cause problems if
configured to trust the wrong way.
• Are there multiple domain controllers? The ports required to query the domain controllers should
already be open via System Policy LDAP to localhost. If not, check which ports, if any, must be
opened for this purpose.
When Web Filter for ISA is deployed in a DMZ, it may be unable to query the domain controllers for a
variety of reasons:
• It cannot resolve the IP addresses of the domain controllers.
• It is unable to authenticate to the domain controllers.
• Access is blocked by a firewall, preventing Web Filter from enumerating groups using NT objects.
To resolve a domain controller name resolution issue:
• Add an entry to the LMHosts file on the Web Filter server(s) for the domain controllers. See the
following Microsoft KB article for more information:
http://support.microsoft.com/Default.aspx?kbid=180094
• Enable NETBIOS over IP on the Web Filter server(s).
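A way to check the LMHosts step before relying on it, as an added example that is not part of the SurfControl guide or of any Microsoft tool: the script below parses LMHOSTS text and reports domain controller entries that are missing or malformed. The host names, the domain CORP and the addresses are constructed sample values, and only plain `IP NAME #PRE #DOM:domain` entries are handled (quoted special-name entries are skipped).

```python
import ipaddress

# Constructed sample LMHOSTS content; names, domain and addresses are made up.
SAMPLE_LMHOSTS = """\
# LMHOSTS on the Web Filter server
192.0.2.10   DC01               #PRE #DOM:CORP
192.0.2.11   DC02               #DOM:CORP
192.0.2.300  DC03               #PRE #DOM:CORP
192.0.2.13   DOMAINCONTROLLER04 #PRE #DOM:CORP
"""

def parse_lmhosts(text):
    """Yield (line_no, ip, name, tags) for each plain mapping line."""
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split()
        # Skip blank lines, comment/directive lines and quoted special names.
        if len(fields) < 2 or fields[0].startswith("#") or fields[1].startswith('"'):
            continue
        yield no, fields[0], fields[1], [f.upper() for f in fields[2:]]

def check_dc_entries(text, domain, expected_dcs):
    """Return a list of problems with the DC entries for `domain`."""
    problems, seen = [], set()
    want = f"#DOM:{domain}".upper()
    for no, ip, name, tags in parse_lmhosts(text):
        if want not in tags:
            continue  # not a domain controller entry for this domain
        try:
            ipaddress.IPv4Address(ip)
        except ValueError:
            problems.append(f"line {no}: {ip!r} is not a valid IPv4 address")
            continue
        if len(name) > 15:  # NetBIOS names are limited to 15 characters
            problems.append(f"line {no}: name {name!r} exceeds 15 characters")
            continue
        if "#PRE" not in tags:  # without #PRE the entry is not preloaded
            problems.append(f"line {no}: {name} has #DOM without #PRE")
        seen.add(name.upper())
    for dc in expected_dcs:
        if dc.upper() not in seen:
            problems.append(f"no usable entry for domain controller {dc}")
    return problems

if __name__ == "__main__":
    for p in check_dc_entries(SAMPLE_LMHOSTS, "CORP", ["DC01", "DC02", "DC03", "DC04"]):
        print(p)
```

After editing the real file, the name cache has to be reloaded (for example with `nbtstat -R`) before `#PRE` entries take effect.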