The enterprise and arrays

Microsoft Internet Security and Acceleration (ISA) Server can be installed as a stand-alone server or as an array member. Array members share the same configuration, easing management and administration. When you modify the array configuration, all the ISA Server computers in the array are also modified, including all the access policies and cache policies.

The centralized administration can also mean greater security. All the administrative tasks can be performed from one computer and the configuration is applied to all, ensuring that all the servers have the same access policies configured. This is particularly useful in large organizations, where arrays can include many ISA Server computers.

You can create site and content rules, protocol rules, Internet Protocol (IP) packet filters, Web publishing rules, and server publishing rules at the array level. Together, these rules compose an array policy. The array policy determines how the ISA Server clients communicate with the Internet and what communication is permitted. As the name implies, the array policy applies only to the ISA Server computers in the array.

The enterprise takes this centralized management one step further, allowing you to implement one or more enterprise policies, which can be applied to the arrays in your corporate network. The enterprise policy includes site and content rules and protocol rules. The enterprise policy can be applied to any array, and can be augmented by the array's own policy. This enables administrators at branch and departmental levels to adopt governing enterprise policies, while allowing them to further restrict access, if necessary.

You can create one or more enterprise policies and a single set of policy elements. The enterprise-level policy elements can be used when configuring rules for any enterprise policy and when creating array-level rules.

For more information on administering arrays and the enterprise, see Administering stand-alone servers, arrays, and the enterprise.

Applying enterprise policy

You can determine how the enterprise policy should be used by the array administrators in the organization. The enterprise administrator might decide on a very restrictive policy. In this case, no array policies will be configurable. Alternatively, the enterprise administrator might decide on a very liberal policy, allowing the array administrators to define any rules. In this case, no enterprise policy will be applied to the array.

A mixed approach might be to allow array policies while still applying an enterprise policy. In this case, the array administrator can define array policy rules, which restrict the enterprise policy rules.

Consider the figure below, which assumes a hypothetical network topology, with the headquarters in the United States and branch offices in France and the United Kingdom.

At the array level, all the ISA Server computers in the United States array have the same configuration, as do each of the computers in France and in the United Kingdom.

At the enterprise level, you can configure all the arrays in the enterprise to use the enterprise policy. As an alternative, you can allow some arrays to create a more restrictive access policy. At the enterprise level, you can also decide which arrays are allowed to publish servers.

By allowing both enterprise and array policies, you ensure that a corporate policy is implemented throughout the organization. At the same time, you can allow for nuances at the department or branch level, creating extra rules as necessary. For more information, see Applying enterprise policy.

For example, an enterprise policy might only allow access to Hypertext Transfer Protocol (HTTP) addresses and deny communication using all other protocol definitions. An array that uses this enterprise policy can add a rule that limits who can use the HTTP protocol. But the array policy cannot allow communication using other protocols.
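The following added example (not part of the ISA Server documentation and not ISA Server's own rule engine) is a simplified Python model of the three approaches described above, using the HTTP case as sample data. The names `ArrayPolicy`, `rejected_rules`, `is_allowed`, and the users and array shown are assumptions made for illustration.

```python
from dataclasses import dataclass, field

# The three ways the page says enterprise policy can be applied to an array.
ENTERPRISE_ONLY, ARRAY_ONLY, MIXED = "enterprise_only", "array_only", "mixed"

@dataclass
class ArrayPolicy:
    """Hypothetical, simplified array policy (not an ISA Server object)."""
    allows: set = field(default_factory=set)         # protocols the array tries to allow
    user_limits: dict = field(default_factory=dict)  # protocol -> users still permitted

def rejected_rules(mode, enterprise_allows, array):
    """Return the array-level rules that the chosen mode does not honour."""
    if mode == ENTERPRISE_ONLY:   # restrictive: no array policy is configurable
        return sorted(array.allows | set(array.user_limits))
    if mode == MIXED:             # array may restrict, never broaden
        return sorted(array.allows - enterprise_allows)
    return []                     # liberal: the array administrator decides

def is_allowed(mode, enterprise_allows, array, user, protocol):
    """Effective decision for one user/protocol pair under the chosen mode."""
    if mode == ENTERPRISE_ONLY:
        return protocol in enterprise_allows
    if mode == ARRAY_ONLY:
        permitted = protocol in array.allows
    else:                         # MIXED: the enterprise policy is the ceiling
        permitted = protocol in enterprise_allows
    limit = array.user_limits.get(protocol)
    return permitted and (limit is None or user in limit)

# Constructed sample data: the enterprise policy allows only HTTP; the branch
# array limits HTTP to one user and also tries to allow FTP.
ENTERPRISE = {"HTTP"}
BRANCH = ArrayPolicy(allows={"HTTP", "FTP"}, user_limits={"HTTP": {"alice"}})

if __name__ == "__main__":
    for mode in (ENTERPRISE_ONLY, ARRAY_ONLY, MIXED):
        print(mode, "rejected array rules:", rejected_rules(mode, ENTERPRISE, BRANCH))
        for user, proto in [("alice", "HTTP"), ("bob", "HTTP"), ("alice", "FTP")]:
            print("  ", user, proto, is_allowed(mode, ENTERPRISE, BRANCH, user, proto))
```

In the mixed case the FTP allow rule is reported as rejected and FTP stays blocked, while the HTTP user limit is honoured.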

