ISA is an application that sits on top of the Windows OS and consumes many OS features and functionalities. Many administrators are still confused about what is and what is not an ISA-related issue. I decided to enumerate the top five common questions (or misconceptions, if you will) about ISA in four core areas: Encryption, VPN, Load Balance and Authentication.
Encryption
1) I want to force ISA Server to use SSL V3. How do I do this?
This is not an ISA question. ISA Server consumes the cryptography system from the OS, more precisely from the SCHANNEL security provider. If you want to play with the SSL version, ciphers and hashes, use the KB article below:
How to Restrict the Use of Certain Cryptographic Algorithms and Protocols in Schannel.dll
Whatever is used by the OS will be respected by ISA.
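Because the protocol selection lives in the OS, it can be checked on the ISA machine itself under the Schannel `Protocols` registry key. The PowerShell below is an added example, not part of the original post or of the KB article; the function names `Get-SchannelProtocolState` and `Disable-SchannelProtocol` are hypothetical helpers, and the protocol list is an assumption about what is relevant on an ISA 2006 era server.

```powershell
# Added example: audit the Schannel protocol settings that ISA Server inherits from Windows.
$SchannelProtocols = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    param(
        [string[]]$Protocol = @('PCT 1.0', 'SSL 2.0', 'SSL 3.0', 'TLS 1.0'),
        [ValidateSet('Server', 'Client')]
        [string]$Role = 'Server'   # listeners accept connections, so the Server subkey applies
    )
    foreach ($name in $Protocol) {
        $path  = Join-Path (Join-Path $SchannelProtocols $name) $Role
        $props = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
        # A missing key or a missing Enabled value means Schannel uses the OS default.
        $state = 'OS default'
        if ($props -and $null -ne $props.Enabled) {
            if ($props.Enabled -eq 0) { $state = 'Disabled' } else { $state = 'Enabled' }
        }
        New-Object PSObject -Property @{
            Protocol = $name
            Role     = $Role
            State    = $state
            Path     = $path
        }
    }
}

function Disable-SchannelProtocol {
    param(
        [Parameter(Mandatory = $true)][string]$Protocol,
        [ValidateSet('Server', 'Client')]
        [string]$Role = 'Server'
    )
    $path = Join-Path (Join-Path $SchannelProtocols $Protocol) $Role
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Enabled = 0 switches the protocol off for this role; restart the server afterwards.
    Set-ItemProperty -Path $path -Name 'Enabled' -Value 0 -Type DWord
}

# Report what the OS, and therefore ISA, will negotiate on the server side.
Get-SchannelProtocolState | Format-Table Protocol, Role, State -AutoSize

# To turn off an older protocol (run elevated, in a maintenance window):
# Disable-SchannelProtocol -Protocol 'SSL 2.0'
```

Run the audit before and after any change so the rows that moved from "OS default" to an explicit setting are on record.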
VPN
2) Does ISA 2006 RADIUS authentication support the RADIUS Access-Challenge message?
RRAS, not ISA, is responsible for that. ISA Server just consumes RRAS functionalities and features. For this particular question, the answer can be found at http://technet.microsoft.com/en-us/library/cc728366(WS.10).aspx, where it says that Access-Challenge is an attribute supported by the MS implementation of RADIUS.
3) Can ISA Server assign a specific IP address to my VPN Client?
RRAS, not ISA, is responsible for handling this. For this particular case, you can use the Active Directory feature that allows you to assign a static IP address to one specific user. See http://technet.microsoft.com/ru-ru/library/cc759712(WS.10).aspx for more information.
Load Balance
4) Does ISA Server NLB support a switch operating at Layer 3?
ISA Server uses Windows NLB capabilities, hence the supportability statement that applies to Windows NLB on this matter also applies to ISA. In this case, refer to the following NLB Q&A:
Switch is operating in Layer-3 mode
NLB is not supported when the hosts are homed to a switch operating at Layer-3. Instead, create a VLAN for all the nodes in the NLB cluster, and configure that VLAN to operate in Layer-2 mode.
Authentication
5) Why does ISA Server need a bi-directional (two-way) trust between domains in order to use Kerberos Constrained Delegation?
Windows, not ISA, imposes this. For a more detailed explanation, read http://technet.microsoft.com/en-us/library/cc752953.aspx
Have a good day and keep in mind that it's not always an ISA issue, nor is it always an ISA question :)