Blog du Tristank

So terrific that 3 of 4 readers rated it "soporific"


ISA 2004 FAQ: What Happened To Cache-Only Mode?


[Update 20050210 - emphasis added] Well, it's not called that any more, and we use Network Templates to repurpose an existing ISA box without reinstallation now. Much nicer, don't you think?

If you have a single network adapter ISA 2004 installation sitting behind a firewall (i.e., the box is only ever going to have one NIC), you should use the Single Network Adapter template.

From the Help, here's the breakdown on how that affects general operation:

Single Network Adapter network template
 
You can install ISA Server on computers with a single network adapter. Typically, you will do so when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server typically functions as a cache server, caching content from the Internet, for use by clients on the corporate network.
...
 
Single adapter mode functionality
When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:
 
  • Firewall clients
  • Virtual private networking
  • IP packet filtering
  • Multi-network firewall policy
  • Server publishing
  • Application level filtering

The following protocols are supported: HTTP, HTTPS, and FTP over HTTP.
 
This results in a limited security role for ISA Server in your network.

So, basically the equivalent of ISA 2000's Cache-Only mode.

One other point of interest - the Internal network is defined as being basically everything when you use this template. That's mentioned on the same page, but I thought I'd call it out anyway, as it tends to surprise and delight:

Internal network
One of the fundamental features of ISA Server is its ability to connect multiple networks. When ISA Server is installed on a single adapter computer, however, it recognizes only one network—the Internal network. The Internal network comprises all IP addresses, with the following exceptions: 0.0.0.0, 255.255.255.255, and the address range 127.0.0.0–127.255.255.255.

If you're using multiple NICs, you can still do the caching thing, but you also retain all the other bits listed above that aren't available with only one NIC.
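To see what "basically everything" means for any rule that names Internal as its source or destination, here is an added example (not from the ISA Help or the product) that derives the Internal address ranges from the three exclusions quoted above and classifies a few constructed sample addresses. The function names are hypothetical.

```python
import ipaddress

# Exclusions quoted in the Help text above, as inclusive (start, end) pairs.
EXCLUDED = [
    ("0.0.0.0", "0.0.0.0"),
    ("127.0.0.0", "127.255.255.255"),
    ("255.255.255.255", "255.255.255.255"),
]

def internal_ranges(excluded=EXCLUDED):
    """Subtract the excluded ranges from all of IPv4; return inclusive (start, end) pairs."""
    holes = sorted((int(ipaddress.IPv4Address(a)), int(ipaddress.IPv4Address(b)))
                   for a, b in excluded)
    ranges, cursor = [], 0
    for lo, hi in holes:
        if lo > cursor:  # gap before this hole belongs to Internal
            ranges.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(lo - 1)))
        cursor = max(cursor, hi + 1)
    if cursor <= 0xFFFFFFFF:  # anything left after the last hole
        ranges.append((ipaddress.IPv4Address(cursor), ipaddress.IPv4Address(0xFFFFFFFF)))
    return ranges

def is_internal(addr, ranges=None):
    """True if addr falls inside the single-adapter Internal network."""
    ip = ipaddress.IPv4Address(addr)
    return any(lo <= ip <= hi for lo, hi in (ranges or internal_ranges()))

def internal_cidrs():
    """The same ranges as CIDR blocks, e.g. for comparison with the edge firewall's ACLs."""
    return [net for lo, hi in internal_ranges()
            for net in ipaddress.summarize_address_range(lo, hi)]

if __name__ == "__main__":
    for lo, hi in internal_ranges():
        print(f"{lo} - {hi}")
    # Constructed sample addresses: private, public (documentation range), loopback, broadcast.
    for sample in ("10.1.2.3", "203.0.113.7", "127.0.0.1", "255.255.255.255"):
        print(sample, "Internal" if is_internal(sample) else "not Internal")
```

Public addresses come out as Internal, so with this template the Internal network object cannot be used to tell corporate clients apart from Internet hosts; that separation has to come from the firewall in front of the ISA box.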

Comments
  • I was really trying to work an Animal Farm joke in here, but I can't make it work.
    Susan brings up a...