Installation Process (ISA Server 2004 Getting Started Guide)

Before installing this software, refer to the release notes provided with the CD.

Before you install ISA Server, you must set up the hardware and configure the software of the computer that will run ISA Server.

3.1 Installation requirements

To use ISA Server, you need:

  • A personal computer with a 550 megahertz (MHz) or higher CPU.

  • Microsoft Windows Server™ 2003 or Windows® 2000 Server operating system.

    Note

    If you install ISA Server on a computer running Windows 2000 Server, note the following additional requirements:

      • Windows 2000 Service Pack 4 or later must be installed.
      • Internet Explorer 6 or later must be installed.
      • If you are using the Windows 2000 SP4 slipstream, you must also install the hotfix specified in article 821887, “Events for Authorization Roles Are Not Logged in the Security Log When You Configure Auditing for Windows 2000 Authorization Manager Runtime,” in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=22792).

    For more up-to-date information about setup and system requirements for ISA Server 2004, see ISA Server Setup and System Requirements (https://go.microsoft.com/fwlink/?LinkId=20538).

  • 256 megabytes (MB) of memory.

  • 150 MB of available hard disk space. This is exclusive of hard disk space you want to use for caching.

  • One network adapter that is compatible with the computer’s operating system, for communication with the Internal network.

  • An additional network adapter for each network connected to the ISA Server computer.

  • One local hard disk partition that is formatted with the NTFS file system.

    Note

    You can use ISA Server on a computer that has only one network adapter. Typically, you will do so when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server typically functions to provide an additional layer of application filtering protection to published servers, or to cache content from the Internet. For more information, see 3.6 ISA Server computers with a single network adapter.

    Warning

    Do not install ISA Server on a multi-processor computer with more than four processors.

3.2 Network requirements

ISA Server requires both a Domain Name System (DNS) server and Dynamic Host Configuration Protocol (DHCP) server. We recommend that you have both a DHCP and DNS server installed on a computer running Windows Server 2003 or Windows 2000 Server in your Internal network. If necessary, you can host the DNS and DHCP servers on the ISA Server computer.

3.2.1 DNS server

DNS is the name resolution protocol for TCP/IP networks, such as the Internet. A DNS server hosts the information that enables client computers to resolve memorable, alphanumeric DNS names to the IP addresses that computers use to communicate with each other.

3.2.2 DHCP server

DHCP servers centrally manage IP addresses and related information and provide it to clients automatically. This allows you to configure client network settings at a server, instead of configuring them on each client computer.

3.2.3 Configuring the DNS and DHCP servers

To open the Configure Your Server Wizard, click Start, point to All Programs, point to Administrative Tools, and then click Configure Your Server Wizard. You will have to run the wizard twice: once to configure the DNS server, and once to configure the DHCP server.

When you configure your server to include a DNS server, the Configure a DNS Server Wizard appears after the Configure Your Server Wizard completes. Review the DNS checklists by clicking DNS Checklists, and then follow the wizard instructions to configure the DNS server.

When you configure your server to include a DHCP server, the Configure Your Server Wizard launches the New Scope Wizard. Follow the instructions of the New Scope Wizard to define the scope for the DHCP server.

3.3 Installation procedure

To install the ISA Server software, follow these steps:

  1. Insert the ISA Server CD into the CD drive, or run ISAautorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server.

  3. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  4. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  5. Type your customer details, and then click Next.

  6. Click Typical Installation, Full Installation or Custom Installation.

    There are four components that can be installed:

    • ISA Server Services. The services that comprise ISA Server.
    • ISA Server Management. The ISA Server Management user interface.
    • Firewall Client Installation Share. A location from which client computers can install the Firewall Client software. This is typically installed on a computer other than the ISA Server computer, so it is not part of the Typical Installation option. The Firewall Client Share can be installed on computers running Windows Server 2003, Windows 2000 Server, or Windows XP.
    • Message Screener. A component that you configure to screen e-mail messages for keywords and attachments. This component must be installed on a Simple Mail Transfer Protocol (SMTP) server, which is typically not your ISA Server computer.

    Typical Installation installs ISA Server Services and ISA Server Management. Full Installation installs all four components. Custom Installation enables you to select which components you will install.

  7. Click Next.

  8. Configure the Internal network. Follow these steps:

    1. Click Add.
    2. Click Select Network Adapter.
    3. Select Add address ranges based on the Windows Routing Table.
    4. Select one or more of the adapters that are connected to the Internal network. These addresses will be included in the Internal network that is defined by default for ISA Server.
    5. Clear the selection of Add the following private IP ranges, unless you want to add those ranges to your Internal network.
    6. Click OK. Read the Setup Message, click OK, click OK again to finish the Internal network configuration, and then click Next.

  9. On the Firewall Client Connection Settings page, select whether you want to allow nonencrypted connections between Firewall clients and the ISA Server computer. The ISA Server 2004 Firewall Client software uses encryption, but older versions do not. Also, some versions of Windows do not support encryption. You can choose to allow computers running earlier versions of the Firewall Client software to connect.

  10. On the Services page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.

  11. Click Install.

  12. After the installation is complete, if you want to invoke ISA Server Management immediately, select the Invoke ISA Management check box, and then click Finish.

3.4 Default settings

After installation, ISA Server uses the default settings that are listed in the following table.

Feature: User permissions
Default setting: Members of the Administrators group on the local computer can configure firewall policy.

Feature: Network settings
Default setting: The following network rules are created:

  • Local Host Access. Defines a routed network relationship between the Local Host network and All Networks. This defines a network relationship to other networks, needed by services running on the ISA Server computer.
  • Internet Access. Defines a NAT network relationship from the Internal network, the Quarantined VPN Clients network, and the VPN Clients network, to the External network. Access will be allowed only if you configure the appropriate access policy.
  • VPN Clients to Internal Network. Defines a routed network relationship between the VPN Clients network and the Internal network. Access will be allowed only if you enable VPN client access.

Feature: Access rules
Default setting: The following default rules are created:

  • Default rule. This rule denies all traffic between all networks.
  • System policy rules. A series of rules that allow the ISA Server computer to interact with other network resources.

Feature: Publishing
Default setting: No internal servers are accessible to external clients.

Feature: Web chaining
Default setting: Default Rule. This rule specifies that all Web Proxy client requests are retrieved directly from the Internet.

Feature: Caching
Default setting: The cache size is set to 0. All caching is therefore disabled.

3.5 New ways to do familiar tasks

The following table lists common tasks you can perform using ISA Server 2004 and compares these tasks to how they were performed using ISA Server 2000.

If you want to: Publish co-located servers.
In ISA Server 2000: Create a static packet filter allowing access to the specific server located on the ISA Server computer.
In ISA Server 2004: Create a server publishing rule.

If you want to: Enable an application on the ISA Server computer to access the Internet.
In ISA Server 2000: Create a static packet filter allowing access to the specific port on the ISA Server computer.
In ISA Server 2004: Verify that the default network rule, which is created upon installation, accurately defines a relationship between the Local Host network and the External network. Then, create an access rule that allows access to the specific protocol.

If you want to: Configure the local address table (LAT).
In ISA Server 2000: Click Local Address Table on any service’s properties.
In ISA Server 2004: The Internal network replaces the local address table, and is configured as part of the setup process. You can subsequently reconfigure the Internal network.

If you want to: Configure IP-based protocol support.
In ISA Server 2000: IP-based protocols were supported in a limited fashion.
In ISA Server 2004: Create a protocol definition, specifying any of the following protocols: TCP, UDP, ICMP, or IP-level. If you select IP-level, you can specify any low-level protocol.

If you want to: Configure virtual private networking.
In ISA Server 2000: Use the VPN wizards to configure client-to-router or router-to-router VPN.
In ISA Server 2004: Configure and enable VPN properties and monitor VPN connections.

If you want to: Configure outgoing Web request properties.
In ISA Server 2000: On the array properties, click the Outgoing Web requests tab and configure listener properties.
In ISA Server 2004: Each network has its own listener, the network adapter that is responsible for listening for requests bound for that network.

If you want to: Configure incoming Web request properties.
In ISA Server 2000: On the array properties, click the Incoming Web requests tab and configure listener properties.
In ISA Server 2004: Web listeners are used as part of each Web publishing rule. When you configure a Web publishing rule, you specify which Web listener to use for that rule.

3.6 ISA Server computers with a single network adapter

You can install ISA Server on computers with a single network adapter. Typically, you will do so when another firewall is located on the edge of the network, connecting your corporate resources to the Internet. In this single adapter scenario, ISA Server is typically used to cache content from the Internet for use by clients on the corporate network.

3.6.1 Internal network

One of the fundamental features of ISA Server is its ability to connect multiple networks. When ISA Server is installed on a single adapter computer, however, it recognizes only one network: the Internal network. The Internal network comprises all IP addresses, with the following exceptions: 0.0.0.0, 255.255.255.255, and the address range 127.0.0.0-127.255.255.255.

3.6.2 Installing ISA Server on a single adapter computer

As part of the setup process, you specify the addresses in the Internal network. When you install ISA Server on a computer with one network adapter, be sure to include all addresses except 0.0.0.0, 255.255.255.255, and the address range 127.0.0.0-127.255.255.255.
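The following added example (not part of the original guide or of ISA Server) derives the address ranges that remain once the exclusions described in 3.6.1 and 3.6.2 are removed, and checks a proposed Internal network definition against them. The function names and the (start, end) input format are assumptions made for this illustration.

```python
import ipaddress

# Addresses the guide excludes from the single-adapter Internal network.
EXCLUDED = [("0.0.0.0", "0.0.0.0"),
            ("127.0.0.0", "127.255.255.255"),
            ("255.255.255.255", "255.255.255.255")]
ALL_IPV4 = [(0, 2**32 - 1)]

def _to_int(pair):
    lo, hi = (int(ipaddress.IPv4Address(a)) for a in pair)
    if lo > hi:
        raise ValueError(f"range start after end: {pair}")
    return lo, hi

def _merge(pairs):
    """Convert (start, end) strings to integers; sort and merge overlaps."""
    merged = []
    for lo, hi in sorted(map(_to_int, pairs)):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1][1] = max(merged[-1][1], hi)
        else:
            merged.append([lo, hi])
    return merged

def _subtract(keep, remove):
    """Parts of `keep` not covered by `remove` (both sorted and disjoint)."""
    out = []
    for lo, hi in keep:
        cur = lo
        for rlo, rhi in remove:
            if rhi < cur or rlo > hi:
                continue
            if rlo > cur:
                out.append((cur, rlo - 1))
            cur = max(cur, rhi + 1)
        if cur <= hi:
            out.append((cur, hi))
    return out

def _fmt(ranges):
    return [f"{ipaddress.IPv4Address(a)}-{ipaddress.IPv4Address(b)}" for a, b in ranges]

def required_ranges():
    """Ranges the Internal network must contain in single-adapter mode."""
    return _fmt(_subtract(ALL_IPV4, _merge(EXCLUDED)))

def check_internal(configured):
    """Return (missing, forbidden) ranges for configured (start, end) pairs."""
    have, want = _merge(configured), _subtract(ALL_IPV4, _merge(EXCLUDED))
    return _fmt(_subtract(want, have)), _fmt(_subtract(have, want))
```

An empty pair of lists from check_internal means the configured ranges match the rule exactly; a definition limited to private ranges, for example, is reported with everything else listed as missing.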

You can use the Single Network Adapter network template to configure your single adapter ISA Server computer. To use the template, in ISA Server Management, expand the Configuration node, and select Networks. In the task pane, on the Templates tab, select Single Network Adapter to start the Network Template Wizard. Follow the wizard steps to complete the configuration. We recommend that you use the default settings provided by the Network Template Wizard.

3.6.3 Caching

You can deploy ISA Server on a single adapter computer as a forward proxy and caching server, which provides clients with optimized access to the Internet. In this scenario, you can configure ISA Server to maintain a centralized cache of frequently requested Internet objects that can be accessed by any Web browser client, and use cache rules to manage the cache.

In this scenario, you will modify the default firewall policy to allow internal clients access to the Internet. Although all IP addresses are considered to be on the same Internal network, ISA Server will deny Web traffic because of the default Deny All rule. You therefore need to create a rule that allows Web traffic to pass between the networks.

To enable this caching scenario, you must create an access rule that allows all clients to use HTTP (and HTTPS and FTP, as appropriate). Because the Internal network is uniquely defined to include all addresses, the source and destination networks for this rule should both be the Internal network.

3.6.4 Single adapter mode functionality

When you install ISA Server on a computer with a single adapter, the following ISA Server features cannot be used:

  • Firewall clients
  • Virtual private networking
  • IP packet filtering
  • Multi-network firewall policy
  • Server publishing
  • Application level filtering

This results in a limited security role for ISA Server in your network.

[Topic Last Modified: 02/27/2008]