CHAPTER 2
INSTALLING MICROSOFT INTERNET
SECURITY AND ACCELERATION
SERVER 2000
Lesson 1:
Planning for an ISA Server Installation
When you install ISA Server, you will be asked to provide information that you should have
gathered in advance.
Planning your ISA Server installation requires you to weigh your network needs against the
practical limitations of cost and maintenance.
ISA Server needs:
Microsoft Windows 2000 Server, Advanced Server, or Datacenter Server (Service Pack 1 or later).
A network adapter connected to the internal network.
A network adapter, modem, or ISDN adapter for communicating with the Internet.
Remote Administration Requirements
For remote ISA Server administration, you need only install ISA Management, which runs on
Windows 2000 Professional or any edition of Windows 2000 Server.
=======================================================================
winisa2.html PAGE 2 2002/05/14
Firewall Requirements
ISA Server can be installed as a dedicated firewall that acts as the secure gateway to the Internet for
internal clients.
Forward Caching Requirements
ISA Server can be installed as a forward Web and File Transfer Protocol (FTP) caching server
that maintains a centralized cache of frequently requested Internet objects.
Memory and Disk Requirements (caching)
====================================================================
Users            ISA Server computer                       RAM (MB)        Cache disk size
--------------------------------------------------------------------
Up to 250        Single ISA server, Pentium II 300 MHz     256             2 to 4 GB
Up to 2,000      Single ISA server, Pentium III 500 MHz    256             10 GB
More than 2,000  One ISA server, Pentium III 550 MHz,      256 per         10 GB per
                 for each 2,000 users                      2,000 users     2,000 users
====================================================================
If necessary, you can use Performance Monitor to identify bottlenecks and
determine whether to add servers to the array.
The ISA Server cache must be stored on an NTFS volume. If your current server disk volume uses
file allocation table (FAT) partitions, you can convert these partitions to NTFS by using
convert.exe, which is included with Windows 2000 Server.
Publishing and Reverse Caching Requirements
ISA Server can be deployed in front of an organization’s Web server that is hosting a commercial
Web business or providing access to business partners.
Hardware Requirements for Various Hit Rates
========================================================================
Hits/second      ISA Server computer                                   RAM (MB)
------------------------------------------------------------------------
Less than 500    Single ISA server, Pentium II 300 MHz                 256
500 to 900       Single ISA server, Pentium III 500 MHz                256
More than 900    One ISA server, Pentium III 500 MHz, for each         256 per server
                 800 hits/second increment
========================================================================
Array Considerations
If you determine that you will need multiple computers to handle your network load, consider setting
up an array of ISA Server computers.
A unique array policy can be applied to each array in the enterprise.
An array installation also means improved performance with less hardware. Because load is distributed
across the servers in the array, you can achieve good performance even with moderate hardware.
If you choose not to install ISA Server as an array member, you can install ISA Server as a standalone
server. If you perform a standalone server installation, the computer does not have to belong to a
Windows 2000 domain.
Standalone Servers and Single-Server Arrays
Even if you are installing just one ISA Server computer, you should consider installing it as an
array member. When ISA Server Enterprise Edition is installed as an array member, enterprise
policy can be applied to the array.
See the chart on page 52.
ISA Server Mode
ISA Server installs in one of three modes: Firewall, Cache, or Integrated. When you use Firewall
or Integrated mode, you can secure network communications by configuring rules that control
communications between your corporate network and the Internet. Cache mode provides forward
and reverse Web caching only, without the firewall features.
Internet Connectivity Considerations
The business of providing connectivity to the Internet is quite competitive, and many access
methods are now available, including Digital Subscriber Line (DSL), cable modems, satellite,
bundled phone lines, and T-1 service. When deciding which of these options is best for you,
consider price, data throughput, and reliability.
You can connect ISA Server to the Internet with either a direct link or a dial-up link. If you
connect using a direct link, DSL, or a cable modem, you must set up an external network
adapter. That external adapter is the ISA Server computer's connection to the Internet; its
address range belongs to the external network and must not be included in the local address
table (LAT).
Publishing and Connectivity
When you publish internal servers, you must obtain IP addresses with which to associate the
domain or server name. When external clients access your Web site or domain, the ISP’s
DNS server will find the IP address associated with the requested Web site name, usually an
IP address on your ISA Server computer or on a perimeter network (DMZ).
ISA Server in the Network
ISA Server secures and connects an existing network of services, which may be centralized
on a single server or dispersed across many servers.
Windows NT 4.0 Domain. ISA Server can be installed as a standalone server in a Windows
NT 4.0 domain. Arrays can also be used to connect and secure Windows NT 4.0 domain
users and clients to the Internet. However, because an array stores its configuration in Active
Directory, the array of ISA Server computers must be set up in a separate Windows 2000 domain.
ISA Server Configuration Data. If you install ISA Server on a standalone server, all
configuration information is saved to the registry; array members save it to Active Directory.
Internet Connection Sharing. Before ISA Server was available, you may have used Internet
Connection Sharing (ICS) to access the Internet.
WARNING: Do not install or enable ICS on a computer running ISA Server. If you previously
installed and enabled ICS, remove it before installing ISA Server.
Remote Access Server. ISA Server provides the remote connectivity of the Windows 2000 remote
access server together with more extensive and flexible security. ISA Server packet filtering
replaces the remote access server's packet filtering.
ISA Server Network Topology Scenarios
ISA Server can be deployed in various network topologies. While your actual network
configuration may differ from those described here, the basic concepts and configuration logic
will help you plan your network topology.
Small Office Scenario
In the small office network configuration, the ISA Server computer is placed between the
corporate local area network (LAN) or wide area network (WAN) and the Internet. A small office
network might have fewer than 250 clients on a single LAN segment, use the IP network protocol,
and use demand-dial connectivity to an ISP.
See the scenario on page 56.
Web Publishing Topologies
The Web publishing functions of ISA Server benefit organizations that want to publish Web
content securely from within their protected intranet. ISA Server impersonates the Web server
to the outside world, while the Web server keeps its access to internal network services.
If IIS runs on the ISA Server computer itself, you might set IIS to listen on 127.0.0.1, thereby
accepting requests only from the ISA Server computer; the loopback address is not reachable
from any other host, so this does not work when the Web server is on a separate computer.
Exchange Server Publishing Topologies
A common ISA Server scenario involves securing the Simple Mail Transfer Protocol (SMTP)
communications of mail servers. For example, ISA Server can protect a Microsoft Exchange
Server. The Exchange Server that you are publishing can be co-located on the ISA Server
computer or it can be located on the local network or on the perimeter network (DMZ).
Perimeter Network (DMZ) Scenarios
A perimeter network, or DMZ, is a small network that is set up separately from an organization's
private network and the Internet. The perimeter network allows external users access to the
specific servers located in the perimeter network while preventing access to the internal corporate
network.
A perimeter network, also known as a screened subnet, is commonly used for deploying the
company's e-mail and Web servers. The perimeter network can be set up in one of the
following configurations:
Back-to-back perimeter network configuration, with two ISA Server computers, one on each side
of the perimeter network.
Three-homed ISA Server, with the perimeter network and the local network protected by the
same ISA Server computer.
The perimeter network may include the company's Web server, so that Web content can be
served to the Internet. However, the perimeter network does not allow access to any other
company data that may be available on computers in the local network.
Back-to-Back Perimeter Network Configuration
In a back-to-back perimeter network configuration, two ISA Server computers are used, one on
each side of the perimeter network: the external ISA Server sits between the Internet and the
perimeter network, and the internal ISA Server sits between the perimeter network and the
local network.
Three-Homed Perimeter Network (DMZ) Configuration
In a three-homed perimeter network, a single ISA Server computer (or an array of
ISA Server computers) is set up with three network adapters: one for the Internet, one for the
perimeter network, and one for the local network.
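The access relationships of the three-homed configuration, as an added example (not from the page and not ISA Server's own rule engine): a small Python policy check that maps an address to the adapter it is reached through and then applies the perimeter rules the section describes: external hosts reach only the published servers in the DMZ, nothing from the Internet or the DMZ reaches the local network, and internal clients reach both. The subnets, the published servers and their ports are assumptions.

```python
import ipaddress

# Constructed addressing for a three-homed ISA Server computer (assumptions,
# not from the page). Anything outside these two segments is on the Internet
# side, reached through the external adapter.
ADAPTER_NETWORKS = {
    "internal": ipaddress.ip_network("10.1.0.0/16"),
    "dmz":      ipaddress.ip_network("192.168.100.0/24"),
}

# Servers in the perimeter network that are published to the Internet
# (hypothetical addresses): (server, TCP port) pairs.
PUBLISHED = {
    ("192.168.100.10", 80),   # company Web server
    ("192.168.100.20", 25),   # inbound SMTP for the mail relay
}


def zone_of(addr):
    """Map an address to the adapter (zone) it is reached through."""
    ip = ipaddress.ip_address(addr)
    for zone, net in ADAPTER_NETWORKS.items():
        if ip in net:
            return zone
    return "external"


def allowed(src, dst, dport):
    """Three-homed perimeter policy for one new TCP connection src -> dst:dport.
      same zone            -> never crosses ISA Server, not filtered here
      internal -> any      -> allowed (internal clients reach DMZ and Internet)
      external -> dmz      -> only the published (server, port) pairs
      external -> internal -> denied
      dmz -> internal      -> denied: a compromised DMZ host must not reach
                              data on the local network
      dmz -> external      -> allowed (the mail relay delivers outbound mail)"""
    s, d = zone_of(src), zone_of(dst)
    if s == d or s == "internal":
        return True
    if s == "external" and d == "dmz":
        return (dst, dport) in PUBLISHED
    if s == "dmz" and d == "external":
        return True
    return False


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.5", "192.168.100.10", 80),
                           ("203.0.113.5", "192.168.100.10", 22),
                           ("203.0.113.5", "10.1.2.3", 80),
                           ("192.168.100.10", "10.1.2.3", 445),
                           ("10.1.2.3", "192.168.100.10", 80)]:
        print(f"{src} -> {dst}:{port}  {'allow' if allowed(src, dst, port) else 'deny'}")
```

In a back-to-back configuration the same decisions are split across two computers: the external ISA Server only sees the external/DMZ rows, and the internal ISA Server only the DMZ/internal rows.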
Lesson Summary:
ISA Server acts as the secure gateway for internal clients when they access the Internet.
If one computer cannot handle the network load, you should set up an array of ISA Server
computers instead of one standalone server.
A perimeter network (DMZ) can be protected with one (three-homed) or more (back-to-back)
ISA Server computers installed.
A published Web or Exchange server can be located either on the same computer as the ISA
Server or on a different computer.
Lesson 2:
Performing an ISA Server Installation
If you will be using array or enterprise policies, you must also initialize the enterprise, which installs
array schema information into the Active Directory store. During the actual ISA Server installation
process, you will need to construct a local address table (LAT) that lists your internal network
address ranges.
Remember that you will need two network adapters, one internal and one external, each with its
own IP address on a different subnet.
Before you Install ISA Server:
TCP/IP Settings
When setting TCP/IP properties for the internal network adapter, you should enter a permanently
reserved (static) IP address for the ISA Server computer and an appropriate subnet mask for your
local network. The external adapter's address, however, can be either DHCP-assigned or statically
defined, along with the default gateway and the DNS settings.
You can run the ipconfig /all command to get the media access control (MAC) addresses of both
network adapters on your ISA Server computer and to make sure you are configuring the correct
settings on each adapter.
Use the ping utility to verify that both adapters can reach their respective networks.
Setting up a Modem or ISDN Adapter
Depending on the ISDN adapter, you may not be able to view the two ISDN channels in Windows 2000.
Windows 2000 Routing Table
Before installing ISA Server, configure the routing table on the ISA Server computer to include all
of the IP address ranges in your internal network. You can use the Windows 2000 route utility to
view and configure the routing table.
Then, during installation, ISA can construct the LAT based on your Windows 2000 routing table.
A correctly configured LAT ensures that ISA Server knows which network adapter to use in order
to access different portions of your internal network.
Initializing the Enterprise
With ISA Server Enterprise Edition, an ISA Server computer can be set up as a member of an
array. Before you can set up an ISA Server computer as a member of an array, the ISA Server
schema updates must be installed to the Active Directory schema on the domain controller.
NOTE: In order to install the ISA Server schema updates, you must be a member of the
Enterprise Admins group.
The array creation process takes place for the first computer in the array. The information
added to the Active Directory store may take some time to replicate. It is therefore recommended
that you wait for replication before creating another array.
Installation Procedure on Warren's Machine:
Local Address Table (LAT)
If you install ISA Server in Firewall mode or in Integrated mode, as part of the setup process,
you must specify the local address table, or LAT. The LAT is a table of internal IP address
ranges used by the internal network behind the ISA Server computer. ISA Server uses the
LAT to decide which addresses are internal and therefore how machines on the internal network
communicate with external networks.
The default LAT includes the addresses known as private IP addresses (10.0.0.0/8,
172.16.0.0/12, and 192.168.0.0/16).
The LAT is maintained centrally on the ISA Server computer. Firewall clients automatically
download and receive LAT updates at preset intervals. When a Firewall client requests an
object, the client checks its copy of the LAT: if the destination address is in the LAT, the client
connects to it directly; otherwise the request is sent through the Firewall service.
Secure network address translation (SecureNAT) clients do not have a local copy of the LAT;
their traffic reaches ISA Server because it is their default gateway (directly or via a router).
Windows 2000 Routing Table
If you fail to set the routing table correctly, the ISA Server LAT may not be built correctly.
This can result in a client request for an internal IP address being routed to the Internet or
being needlessly redirected through the Firewall service. The opposite error, an external
address range in the LAT, is worse: clients then connect to those addresses directly and
bypass the firewall rules.
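The routing-table-to-LAT relationship described above (this lesson's Windows 2000 Routing Table and Local Address Table sections), as an added example that is not from the page or from Microsoft: a Python script that rebuilds a LAT from a constructed Windows 2000 `route print` listing the way Setup's construct-from-routing-table option does, shows the Firewall client's LAT check, and flags the two misconfigurations the text warns about: an internal segment missing from the routing table (so it never reaches the LAT) and an external range that ended up in the LAT. The adapter addresses, the segment 198.51.100.0/24, the planned-segment list and the function names are assumptions.

```python
import ipaddress

# Constructed sample of the active-routes block of Windows 2000 `route print`
# on a dual-homed ISA Server computer (not from the page). Internal adapter
# 10.1.1.1/24, external adapter 203.0.113.10/24. The 198.51.100.0/24 line is a
# second internal segment that uses registered (non-private) addresses, reached
# through the router 10.1.1.254 and added with `route -p add`.
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1    203.0.113.10       1
         10.1.1.0    255.255.255.0         10.1.1.1        10.1.1.1       1
         10.1.1.1  255.255.255.255        127.0.0.1       127.0.0.1       1
   10.255.255.255  255.255.255.255         10.1.1.1        10.1.1.1       1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
     198.51.100.0    255.255.255.0       10.1.1.254        10.1.1.1       1
      203.0.113.0    255.255.255.0     203.0.113.10    203.0.113.10       1
     203.0.113.10  255.255.255.255        127.0.0.1       127.0.0.1       1
        224.0.0.0        224.0.0.0         10.1.1.1        10.1.1.1       1
  255.255.255.255  255.255.255.255         10.1.1.1        10.1.1.1       1
Default Gateway:       203.0.113.1
"""

INTERNAL_IF = ipaddress.ip_address("10.1.1.1")      # assumption
EXTERNAL_IF = ipaddress.ip_address("203.0.113.10")  # assumption

# The private ranges Setup offers to add to the LAT.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Internal segments from the network plan (assumption), used to audit the LAT.
PLANNED_INTERNAL = [ipaddress.ip_network(n) for n in ("10.1.1.0/24", "198.51.100.0/24")]


def parse_route_print(text):
    """Parse `route print` rows into (network, gateway, interface) tuples;
    header and 'Default Gateway' lines do not have five IP/metric fields and are skipped."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        try:
            dest, mask, gateway, iface = (ipaddress.ip_address(p) for p in parts[:4])
        except ValueError:
            continue
        routes.append((ipaddress.ip_network(f"{dest}/{mask}", strict=False), gateway, iface))
    return routes


def _is_network_route(net):
    """Drop the default route, host/broadcast (/32) routes and the multicast route."""
    return 0 < net.prefixlen < 32 and not net.network_address.is_multicast


def build_lat(routes, internal_if, add_private=True):
    """Rebuild the LAT the way Setup does: every network route that leaves
    through the internal adapter, optionally plus the private ranges, merged."""
    ranges = [net for net, _gw, iface in routes
              if iface == internal_if and _is_network_route(net)]
    if add_private:
        ranges += PRIVATE_RANGES
    return list(ipaddress.collapse_addresses(ranges))


def add_lat_entry(lat, cidr):
    """Add a range by hand, as an administrator would in ISA Management."""
    return list(ipaddress.collapse_addresses(lat + [ipaddress.ip_network(cidr)]))


def is_local(lat, addr):
    return any(ipaddress.ip_address(addr) in net for net in lat)


def client_path(lat, dest):
    """Firewall client decision with its downloaded LAT copy: a LAT hit is
    connected to directly, a miss is handed to the Firewall service."""
    return "direct" if is_local(lat, dest) else "via ISA Server"


def lat_problems(lat, routes, planned_internal, external_if):
    """Checks to run before accepting a generated LAT: every planned internal
    segment must be covered, and no LAT entry may overlap a route that leaves
    through the external adapter (such traffic would bypass the firewall)."""
    problems = []
    for seg in planned_internal:
        if not any(seg.subnet_of(entry) for entry in lat):
            problems.append(f"internal segment {seg} not covered by LAT")
    for net, _gw, iface in routes:
        if iface == external_if and _is_network_route(net):
            for entry in lat:
                if entry.overlaps(net):
                    problems.append(f"LAT entry {entry} overlaps external route {net}")
    return problems


if __name__ == "__main__":
    routes = parse_route_print(ROUTE_PRINT)
    lat = build_lat(routes, INTERNAL_IF)
    print("LAT:", [str(n) for n in lat])
    print("198.51.100.7 ->", client_path(lat, "198.51.100.7"))
    # Same computer, but the static route for the second segment was never added.
    broken = [r for r in routes if str(r[0]) != "198.51.100.0/24"]
    lat2 = build_lat(broken, INTERNAL_IF)
    print("198.51.100.7 with missing route ->", client_path(lat2, "198.51.100.7"))
    print(lat_problems(lat2, broken, PLANNED_INTERNAL, EXTERNAL_IF))
    print(lat_problems(add_lat_entry(lat, "203.0.113.0/24"), routes, PLANNED_INTERNAL, EXTERNAL_IF))
```

The private-range checkbox hides the first failure when the internal network uses only RFC 1918 addresses, which is why the sample uses a registered segment: with the static route absent, 198.51.100.7 is treated as an Internet host and every request for it goes through the Firewall service. SecureNAT clients carry no LAT, so for them the same mistake shows up as ISA Server routing the packet out the external adapter instead.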
Troubleshooting ISA Server Installation
If you can rule out hardware problems and are still experiencing installation errors, check
your network configuration for errors by viewing the logs in Event Viewer.
Also, when initializing the enterprise, verify that you are a member of the Enterprise Admins
group: this group has permission to write to the Active Directory schema.
NOTE: ISA Server requires Windows 2000 Service Pack 1 or later.
Lesson Summary:
Before installing, verify the TCP/IP settings, the routing table, and the
network connectivity of the computer that will run ISA Server.
Before installing an array member, an Enterprise Admin must install
the ISA Server schema updates to the Active Directory schema on the domain controller.
Lesson 3:
Migrating from Proxy Server 2.0
Compared to Proxy Server 2.0, ISA Server offers significantly improved features in Internet security,
Web caching, management, and extensibility.
In addition, ISA Server continues to support the Winsock Proxy client software, together with its
own Firewall Client software, in a heterogeneous client base.
IMPORTANT: Make sure to perform a full backup of the current Proxy Server 2.0 settings prior to
the upgrade. To back up a Proxy Server configuration, open Internet Services Manager, right-click
the server icon of the server you want to back up, and select Backup/Restore Configuration.
Rmisa removes the ISA Server package from the command prompt. It works well and leaves no
loose ends behind.
ISASUPGRADE.LOG is the log file that the upgrade creates.
Migrating Proxy Server 2.0 Configuration
Most Proxy Server rules, network settings, monitoring configuration, and cache configuration will
be migrated to ISA Server.
Proxy Chains. Mixed chains of Proxy 2.0 and ISA Servers are supported.
Web Proxy Client Requests. Whereas Proxy 2.0 listens for client HTTP requests
on port 80, ISA Server is configured upon installation to listen on port 8080.
Publishing. ISA Server allows you to publish internal servers, without requiring any special
configuration or software installation on the publishing server.
Cache. Proxy 2.0 cache content will not be migrated due to the vastly different
cache storage engine in ISA Server.
SOCKS. ISA Server includes a SOCKS application filter, which allows client
SOCKS applications to communicate with the network, using the applicable array
or enterprise policy to determine if the client request is allowed. Migration of Proxy
2.0 SOCKS rules to ISA Server policy is not supported.
Lesson Summary:
Compared to Proxy Server 2.0, ISA Server offers improved
security, caching, management and extensibility features.
Proxy Server 2.0 configuration information is migrated to the ISA Server array in different ways,
depending on the ISA Server array's default enterprise settings. Policy elements
are created, as necessary, for the new rules.