Microsoft Internet Security & Acceleration Server (ISA) 2000 - Glossary

A

access control list (ACL) : A level of Windows NT permission that can be set on a file or a directory allowing specified users access within an NTFS directory. An access control entry (ACE) is an entry in the list. For details, see the Windows NT documentation.

access policy : A set of protocol rules and site and content rules that determines the behaviour of an enterprise or array.

active caching : An ISA Server feature that automatically initiates new requests to update cached file objects without user intervention. Requests can be activated based on the length of time an object has been cached or was last retrieved from the object's source location. This type of caching can be used to assure the validity of specified data in the cache.

Active Directory : The directory service that is included with Windows 2000 Server.

address resolution : The mapping of an IP address to a hardware address.

address resolution protocol (ARP) : A protocol in the TCP/IP suite that provides IP address-to-MAC address resolution for IP packets.

alerting : A feature that warns administrators about suspicious network events, such as rejected packets and protocol violations. Alerting is made available when packet filtering is turned on and is recorded in the packet filtering log. A message generated as the result of an alert can be sent to a user account by e-mail.

anonymous logon : A feature that allows a user remote access to a computer on the Internet without supplying a user name or password, but only with the guest permissions assigned to that account. Commonly used in FTP requests.

application filter : Software that can perform protocol-specific or system-specific tasks, such as authentication. An application filter provides an extra layer of security for the Firewall service.

array : A group of ISA Server computers grouped together to provide distributed caching, load balancing, and fault tolerance. Arrays allow a group of ISA Server computers to be treated and managed as a single, logical enterprise.

array member : An ISA Server computer that is part of an array.

authentication : Validation of a user's logon information to determine permission to access a resource or perform an operation.

automatic discovery : A feature that allows clients to be configured so that they automatically find the appropriate ISA Server computer.

B

bandwidth control : An ISA Server mechanism which informs the Windows 2000 QoS packet scheduling service how to prioritize connections which pass through ISA Server.

bandwidth priority : A priority level set with bandwidth rules to define priority for connections passing through ISA Server.

bandwidth rules : A mechanism used to determine which connection gets priority over another.

basic authentication : A method of authentication that encodes the user name and password. Basic authentication is called plaintext because the encoding (base-64) can be decoded by anyone with a common decoding utility. Note that encoding is not the same as encryption.

broadcasting : The delivery of data packets to all computers on a network.

C

cache : A store of frequently retrieved objects and URLs located on the cache drive of an ISA Server computer. Instead of being retrieved directly from an Internet Web server each time, the object is stored in and served from the cache. Caches improve network performance by reducing the number of objects which need to be retrieved from the Internet. This means faster client access to popular objects and less bandwidth overhead.

Cache Array Routing Protocol (CARP) : A routing algorithm used to provide efficiency and prevent duplication of cache contents when multiple ISA Server computers are arrayed as a single logical cache.

cache drive : The amount of space reserved on a selected server disk drive for use in storing cached files.

cache mode : One of the selections available during the setup process to define features available for ISA Server. If caching mode is chosen, caching features will be available.

cache filtering : The ability to either cache or not cache objects retrieved from World Wide Web, FTP, or Gopher sites.

cache policy : A set of rules and configuration parameters which determine the behaviour of the ISA Server cache.

CARP : See Cache Array Routing Protocol.

chaining : A method of linking multiple ISA Server computers together. Individual ISA Server and proxy computers and arrays or any combination can be chained. Communication is in an upstream, hierarchical order.

chained authentication : The authentication that an ISA Server computer provides when routing requests to an upstream server.

client certificate : Used when the SSL protocol provides authentication by checking the contents of an encrypted digital identification submitted by the client's Web browser during the logon process. This certificate contains information about the client and about the organization that issued the certificate.

client set : A group of one or more local client computers, joined together for the purpose of applying rules and policies to the set.

.cdat : The .cdat file is created when a cache drive is configured. The size of the .cdat file will be the size of the cache drive specified.

D

datagram : See packet.

database logging : A feature that logs events that are generated by ISA Server services to a database instead of a text file.

default gateway : In TCP/IP, the intermediate network device on the local network that has knowledge of the network IDs of the other networks in the Internet, so it can forward the packets to other gateways until they are delivered to the one connected to the specified destination.

destination set : A group of one or more computers, or folders on specific computers, grouped together for the purpose of applying rules and policies.

DHCP : See Dynamic Host Configuration Protocol.

dial-up connection : A connection that uses a telephone device, such as a modem.

digest authentication : A means of passing credentials in hashed form rather than in the clear, so that the credentials cannot be deciphered by an unauthorized person. It can only be used in Windows 2000 domains.

distributed caching : A means by which the cache is distributed across an array of ISA Server computers and set up as a single, logical entity, preventing duplication and increasing efficiency.

domain controller : A computer that manages user access to a network, including logging on, authentication and access to shared resources.

DMZ : See perimeter network.

DNS : See Domain Name System (DNS).

DNS server : The server containing information for name resolution involved in mapping computer IP addresses to their domain name.

domain name : The computer name that substitutes for a network IP address. For example, you may use http://www.microsoft.com instead of the IP address 157.45.60.81.

Domain Name System (DNS) : A protocol and computer-naming hierarchy used throughout the Internet to map computer IP addresses to their domain name.

Dynamic Host Configuration Protocol (DHCP) : A protocol that offers dynamic assignment of IP addresses and related information for temporarily connected network users. DHCP provides safe, reliable, and simple TCP/IP network configuration, prevents address conflicts, and helps conserve the use of IP addresses through centralized management of address allocation.

dynamic IP filtering : A method of controlling the flow of IP packets to and from ISA Server, by means of access policy or publishing rules. A dynamic packet filter will be applied as rule conditions are met.

E

encryption : The process of making information indecipherable to protect it from unauthorized viewing or use, especially during network transmission or when it is stored on a transportable magnetic medium.

endpoint : The originating or destination location of a call request. Each person participating in a conference call is an endpoint.

enterprise : A collection of one or more ISA Server arrays that share common enterprise policy settings.

enterprise policy : A configuration which enables centralized management of arrays in a corporate network, allowing common rules to be applied to arrays within the enterprise.

event message : A text message generated during the operation of Microsoft ISA Server. These messages appear in the Event Viewer, which can be used to monitor and troubleshoot events.

F

File Transfer Protocol (FTP) : The Internet standard protocol for transferring files between computers. FTP uses the Telnet and TCP protocols. The server requires a client to supply a logon user name and password before honoring requests.

firewall : A system or combination of systems that enforces a boundary between two or more networks and keeps intruders out of internal networks. Firewalls serve as barriers for packets passing from one network to another.

firewall chaining : A setting that configures how requests from Firewall clients should be routed, either directly to the Internet (with or without a dial-up connection), or to an upstream proxy server (with or without a dial-up connection).

Firewall client : A computer with Firewall client software installed and enabled.

firewall mode : One of the selections available during the setup process to define features available for ISA Server. If Firewall mode is chosen, features are available that will secure network communication between the corporate network and the Internet.

Firewall service : The Firewall service (fwsrv) is a Windows 2000 service that supports requests from Firewall and SecureNAT clients.

forward caching : Caching that is implemented for clients on the internal network accessing servers on the Internet.

FTP : See File Transfer Protocol.

G

gatekeeper : A program that supplies call control services for registration, address translation and bandwidth management. Gatekeepers are not required in an H.323 network, but if a gatekeeper is present, endpoints must use the gatekeeper service.

gateway : A device that connects networks that use different communication protocols. A gateway translates different transmission formats and protocols so that information can be passed from one to another.

Gopher : A hierarchical system for finding and retrieving information from the Internet or an intranet. An enhanced version, Gopher Plus, returns more information about an item, such as file size, last date of modification, and the administrator's name.

H

H.323 client : A client who has registered with H.323 Gatekeeper and who uses computer applications that support H.225 registration admission and status (RAS) protocol.

H.323 Gatekeeper : H.323 is a communications standard for audio, video and data communication across IP-based networks, including the Internet. In ISA Server, H.323 Gatekeeper works together with the H.323 protocol filter to provide full communications capabilities to H.323 registered clients using applications that are compliant with H.323 Gatekeeper. Any client who wants to be available through a well-known alias, such as someone@microsoft.com, must register with H.323 Gatekeeper. Any client using translation services when placing outbound calls must also register with H.323 Gatekeeper.

H.323 gateway : A gateway translates different transmission formats and protocols so that information can be passed from one network to another. Gateways commonly provide translation for communications between H.323 terminals and public switched telephone devices. H.323 gateways provide H.323 clients with services so that they are able to communicate with endpoints that are not H.323 compliant.

header : In data packet communications, a specified number of bytes that precedes the actual data being transmitted. It identifies control information used to deliver, route, and process the data contents of a packet.

hierarchical caching : The forwarding of a client HTTP request from an ISA Server computer to another proxy upstream. The downstream (source) proxy forwards client requests that it cannot service from its own cache.

hit rate : The percentage of client requests fulfilled through previously cached data, in contrast to the total of all client requests that have been processed by the caching service.

host name : The name of a device on a network. For a device on a Windows NT 4.0 or Windows 2000 network, this can be the same as the computer name, but it does not have to be.

HTTPS : See Secure HTTP.

I

ICMP : See Internet Control Message Protocol.

inbound bandwidth : Bandwidth allocated for requests from external clients for objects on the local network.

integrated authentication : A secure form of authentication, where user name and password are not sent across the network.

integrated mode : One of the selections available during the setup process to define features available for Microsoft ISA Server. If integrated mode is chosen, both caching and firewall features will be available.

Internet Control Message Protocol (ICMP) : An extension to Internet Protocol that supports packets containing error, control and informational messages. For example, PING uses ICMP to test an Internet connection.

Internet Protocol (IP) : Specifies the format of data in packets, also known as datagrams, and the addressing scheme for these packets. Most networks combine IP with a higher-level protocol, TCP, to establish a virtual connection between a destination and a source.

Internet Service Provider (ISP) : A company that provides access to the Internet.

intra-array addressing : The address used when sending a request to another server in the same array. This address must be in the local address table (LAT).

intrusion detection : A mechanism to detect when an attack is attempted against a network protected by ISA Server.

IP : See Internet Protocol.

IP address : An identifier for a computer or device on a TCP/IP network, including the Internet.

IP fragment : A single IP datagram can be broken up into multiple datagrams of a smaller size, known as IP fragments. These fragments can be filtered by ISA Server, since one method of intrusion is to send fragmented packets that, once reassembled, cause harm to the system.

ISA Management : The interface tool used to manage ISA Server enterprise, arrays and stand-alone servers.

ISA Server schema : ISA Server stores information in multiple containers within the Active Directory. This information is known as the ISA Server schema. For an ISA Server to be an array member, this ISA Server schema must be installed to Active Directory. This only needs to be done once.

ISA Server Control service : The ISA Server Control service (mspadmin) is a Windows 2000 service that is responsible for various services and functions within ISA Server.

ISP : See Internet Service Provider.

J

K

Kerberos : A network authentication protocol supporting authentication services. Windows 2000 implements Kerberos V5 in its security schema.

L

L2TP : See Layer Two Tunneling Protocol.

Layer Two Tunneling Protocol (L2TP) : An extension to the PPP protocol that enables ISPs to operate VPNs.

LAT : See local address table.

LDT : See local domain table.

load factor : A number which determines the proportionate amount of the cache load on each member server in an array. Different member servers can be configured to have different loads.

local address table : A table of all internal IP address ranges used by the local network behind the ISA Server computer.

local domain table : A table of all the computer names in the local network served by the ISA Server computer.

M

MCU : See Multiple control units.

MIME : See Multipurpose Internet Mail Extensions.

Multiple control units (MCU) : The central connection or hub that provides support for conferencing between three or more terminals. An MCU may also manage the media stream and audio-video negotiations between endpoints. Sometimes called Multipoint Conferencing Server (MCS).

Multipurpose Internet Mail Extensions (MIME) : A way of configuring browsers to view files that are in multiple formats. MIME makes it possible to exchange objects, different character sets, and multimedia in e-mail between different computer systems.

N

NAT : See network address translation.

NAT editor : NAT provides translation of the IP, TCP, and UDP headers. A NAT editor is used to make modifications to the IP packet beyond the translation of these headers.

network address translation (NAT) : An Internet standard that enables a local network to use one set of IP addresses for internal traffic and a second set for external traffic. In effect it hides internal IP addresses and enables a company to use more internal IP addresses, which, since they are only used internally, will not conflict with IP addresses used by other organizations.

Network News Transfer Protocol (NNTP) : The Internet standard protocol for posting, distributing, and reading network news messages posted among news groups on the Internet. Messages are posted to NNTP servers and are accessed by NNTP clients (newsreaders).

negative caching : The caching of HTTP error conditions associated with accessing a particular URL. If the URL is unavailable, the error response message can be cached and returned to subsequent clients that request the same URL.

NIC : Network interface card.

NNTP : See Network News Transfer Protocol.

NTFS : An advanced file system designed for use specifically within the Windows 2000 operating system.

O

outbound bandwidth : Bandwidth allocated for requests from internal clients for objects on the Internet.

P

packet : A piece of a message transmitted as a fixed number of bytes over a packet-switching network, which is a network using a protocol that divides messages into packets before sending them. Each packet is transmitted individually, perhaps through different routes, and the original message is reassembled at the destination. A packet will contain the destination address, as well as the data. In an IP network, these packets are often known as datagrams.

packet filtering : A method of controlling the flow of IP packets to and from ISA Server. When packet filtering is enabled, all packets are dropped unless explicitly allowed by a packet filter.

pass-through authentication : A feature of ISA Server that allows a client's authentication information to be passed on to a destination server for both incoming and outgoing Web requests.

performance counter : A tool that tracks ISA Server activity to monitor array performance and usage.

perimeter network (DMZ) : A network set up separately from an organization's private network and the Internet. The advantage of a perimeter network is that it allows external users access to specific servers located in the perimeter network, while preventing access to the internal corporate network.

PING : A TCP/IP utility that verifies connections to one or more remote computers by sending ICMP packets and listening for reply packets.

Point-to-Point Tunneling Protocol (PPTP) : A newer networking protocol that enables remote users to access corporate networks securely across the Internet by dialing into an Internet Service Provider (ISP) or by connecting directly to the Internet. PPTP supports multiprotocol virtual private networks (VPNs). Because PPTP allows multiprotocol encapsulation, users can send any packet type over an IP network.

policy element : A group of properties defined for a rule.

POP : See Post Office Protocol.

Post Office Protocol (POP) : A network protocol that permits a client computer to access e-mail on a server. Usually, this means that a POP3 server is used to allow a client computer to retrieve mail that an SMTP server is holding for it.

port : In TCP/IP networks, a port is an endpoint to a logical connection. Certain services and protocols will often use default port numbers, identifying a certain Internet application with a specific connection.

PPTP : See Point-to-Point Tunneling Protocol.

protocol : Software that allows computers to communicate over a network. The Internet protocol is TCP/IP.

publishing rule : ISA Server uses publishing rules to control the handling of incoming requests for internal network resources. Web publishing rules are configured to decide how incoming requests to internal Web servers are handled, while server publishing rules are used to deal with incoming requests to servers (such as SMTP and FTP) on the internal network.

Q

Q931 address : The combination of the IP address and the port address. Each registered endpoint has a unique Q931 address.

QoS : See Quality of Service.

QoS Admission Control : A Windows 2000 Server feature which can be installed and configured to centrally control how, by whom, and when shared network resources are used.

QoS Packet Scheduling service : A Windows 2000 Server feature used by ISA Server in setting bandwidth priorities. ISA Server bandwidth control does not limit bandwidth used. It informs the Windows 2000 QoS packet scheduling service how to prioritize network connections. If there is no bandwidth rule for a connection, a default priority will apply.

Quality of Service (QoS) : A Windows 2000 Server set of service requirements that the network must meet to assure an adequate service level for data transmission. Implementing QoS enables real-time programs to make the most efficient use of network bandwidth.

R

remote administration : The practice of administering a computer from another computer connected across the network.

reverse caching : Caching implemented for incoming requests to local Web servers from the Internet.

routing : The process of forwarding client requests from one ISA Server to a specified upstream server.

S

scheduled cache : A cache feature that can be customized to download HTTP content directly to the ISA Server cache, upon request or by configuring a schedule. This means that cache content can be updated in anticipation of client requests.

secondary connection : A range of port numbers, protocol and direction used for additional connections or packets that follow the initial connection. One or more secondary connections can be configured.

Secure HTTP (HTTPS) : A proposed extension to HTTP that supports various encryption and authentication measures to keep all transactions secure from end to end.

SecureNAT : See secure network address translation clients.

secure network address translation clients (SecureNAT clients) : Client computers that do not have Firewall client software installed. Requests from SecureNAT clients are essentially handled by the Firewall service and derive the benefits provided by this service.

Secure Sockets Layer (SSL) : A protocol that supplies secure data communication through data encryption and decryption. SSL enables communications privacy over networks.

security template : A snap-in provided with ISA Server that provides a view of the configuration set with the ISA Server security wizard, which is used to apply a full range of predefined system security settings to all the servers in the array.

server certificate : A means of identifying information about the server. When a client requests an SSL object from a server, it requests that the server authenticate itself to the client. A server certificate does this.

server publishing rule : A rule that is configured to specify how incoming requests to internal servers on the local network should be handled.

Simple Mail Transport Protocol (SMTP) : An Internet standard protocol used for exchanging e-mail between SMTP servers on the Internet.

Simple Network Management Protocol (SNMP) : A standard protocol used for monitoring your network.

SMTP : See Simple Mail Transport Protocol.

SNMP : See Simple Network Management Protocol.

socket : A logical communications channel used by TCP/IP applications. Sockets are data structures created by using a combination of device IP addresses and reserved TCP/UDP port numbers to indicate connection and delivery service information. Winsock is a Windows-based implementation of sockets.

SOCKS filter : The SOCKS filter provided with ISA Server forwards requests from SOCKS applications to the Firewall service.

SSL : See Secure Sockets Layer.

SSL bridging : The ability of ISA Server to encrypt or decrypt client requests and pass on the request to a destination Web server.

SSL tunneling : The ability of ISA Server to allow a client to establish a tunnel through the ISA Server directly to the Web server with the requested HTTPS object. Whenever a client browser requests an HTTPS object through the ISA Server, SSL tunneling is used.

static IP filtering : A type of IP filter that involves configuration of a static, ever-present IP packet filter. In most cases, dynamic IP filtering is preferred, meaning that the creation of access policy rules results in an IP packet filter, which is dynamically applied as policy rule conditions are met.

stand-alone server : A single ISA Server that is not installed as an array member. Stand-alone servers do not require that the computer belong to a Windows 2000 domain, do not require Active Directory, and have no enterprise policy.

subnet mask : A TCP/IP configuration parameter that extracts network and host configuration from an IP address. This 32-bit value enables the recipient of IP packets to distinguish the network ID portion (domain name) of the IP address from the host ID (host name).

T

TCP : See Transmission Control Protocol.

TCP/IP : See Transmission Control Protocol/Internet Protocol.

terminals : Equipment that provides real-time communications. Terminals must support audio communications, but support for video or data communications is optional. A computer running Microsoft NetMeeting 3.0 or higher is an example of an H.323 terminal.

time-to-live : A custom setting that can be set to 0 or to a specified percentage of the age of an HTTP object. This setting determines the expiration policy of HTTP objects held in the ISA Server cache.

Transmission Control Protocol (TCP) : The Internet standard transport protocol that provides the reliable, two-way connected service that allows an application to send a stream of data end-to-end between two computers across a network. The Internet protocol suite is often called TCP/IP.

Transmission Control Protocol/Internet Protocol (TCP/IP) : A family of networking protocols that allows computers with diverse hardware architectures and various operating systems to communicate across interconnected networks and the Internet. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic. Every computer on the Internet supports TCP/IP.

TTL : See time-to-live.

U

UDP : See User Datagram Protocol.

User Datagram Protocol (UDP) : A standard transport protocol in TCP/IP networking that provides connectionless service for unacknowledged delivery of packets. UDP adds port addresses to the service provided by IP.

V

verbose logging : An option that supplies additional or supplemental information for a network event in a log file.

Virtual Private Network (VPN) : A network that is constructed using public systems such as the Internet but uses security mechanisms to ensure privacy and that only authorized users are allowed access.

VPN : See Virtual Private Network.

W

Web Proxy client : A client computer that has a Web browser application, which complies with HTTP 1.1, and is configured to use the Web Proxy service of ISA Server.

Web Proxy service (w3Proxy) : A Windows 2000 service that supports requests from any Web browser. It works at the application level on behalf of a client requesting an Internet object that can be retrieved by one of the Web Proxy supported protocols: FTP, HTTP, HTTPS, and Gopher.

Web publishing rule : A rule that is configured to specify how incoming requests to internal Web servers should be handled.

well-known alias : An alternative name that is used to direct calls or connections to a person at a terminal. An alias can be a phone number, account name, computer name, e-mail address, or other similar name.

well-known port : A well-known port is any port in the range of 1-2048.

Windows NT challenge/response authentication : A method of authentication in which a server uses Windows NT security to allow access to its resources.

Winsock : A Windows implementation of the widely used UC Berkeley Sockets API. Windows Sockets is a networking API used to create TCP/IP-based sockets applications. Windows Sockets provides interfaces between applications and the transport protocol and works as a bidirectional connection for incoming and outgoing data. Also called WinSock.

X

Y

Z
