ISA Server 2004 Enterprise Edition in a Workgroup

A workgroup is a simple grouping of computers that does not offer the centralized user accounts and authentication offered by domains.

You may want to install your ISA Server firewall servers in a workgroup because the workgroup is separated from your domain. You may have specific reasons for wanting to isolate a small portion of your corporate network from the domain.

For example, you may want to install an ISA Server array in a workgroup for:

  • Web publishing
  • Microsoft Outlook® Web Access publishing
  • Handling of virtual private network (VPN) connections

About This Document

Three scenarios are described in this document. There are many procedures that are common to all of the scenarios. Therefore, the solution for each scenario is presented in a walk-through, as a concise series of steps, and the detailed procedures for the steps are provided in Appendix A: Procedures in this document.

This document focuses on the configuration of workgroup scenarios. The scenarios described are based on the assumed connectivity of the workgroup ISA Server array to a Configuration Storage server, as in the case where the workgroup array is in the main office of an enterprise. If your scenario requires the establishment of a VPN site-to-site connection, in addition to this document, see the procedures provided in Appendix B of the document Introduction to Branch Deployment of ISA Server 2004 Enterprise Edition (https://www.microsoft.com).

This document also provides troubleshooting information in Appendix B: Troubleshooting.

Workgroup Authentication Issues

When you install ISA Server in a workgroup, consider these configuration issues:

  • When you set up an ISA Server array in a workgroup, you must create mirrored user accounts on all of the computers in the array. Mirrored accounts are identical local users (same user name and password) that you create on each computer in the array. You will use the credentials of this user when you open ISA Server Management and want to connect to the workgroup array. Similarly, any other workgroup arrays should have the same local user as in the other workgroups, created on each computer, so that you can manage them all from a single ISA Server Management instance. Note that intra-array communication, used for the monitoring and reporting functionalities of ISA Server, also depends on the mirrored user account. These user accounts do not have to be local administrators.
  • In a scenario where the Configuration Storage server is in a domain, ISA Server roles will be dependent on Windows authentication. To simplify logon and connection procedures, you may want to create a local user on each workgroup array member, paralleling a domain user with the required ISA Server role. This way, when you log on to the workgroup array, you can connect to the Configuration Storage server using your logon credentials, rather than providing different credentials. This is described in Assigning Roles in this document.
  • In a scenario where the Configuration Storage server is in a workgroup, ISA Server roles will be dependent on recognition by the Configuration Storage server. Users that are defined on the Configuration Storage server can be assigned ISA Server roles. In this case, you may want to create a local user on each workgroup array member, paralleling the user defined on the Configuration Storage computer with the required ISA Server role. This way, when you log on to the workgroup array, you can connect to the Configuration Storage server using your logon credentials, rather than providing different credentials.
  • Because the workgroup cannot access domain user accounts, workgroup clients cannot be authenticated using Windows authentication. You can use Remote Authentication Dial-In User Service (RADIUS) authentication or RSA SecurID® authentication to authenticate clients. For more information about client authentication, see ISA Server 2004 Enterprise Edition Help.
  • User mapping of VPN clients is supported only for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) in a workgroup scenario. If you are using a different authentication method, make sure that the Enable User Mapping check box is cleared (its default condition), on the User Mapping tab of the VPN Clients properties page. If you do use user mapping, the user to which you are mapping has to be a local user on the workgroup array member, and should be mirrored on every member of the ISA Server workgroup array.
  • Firewall Client software depends on access to domain user accounts. Therefore, Firewall Client software will not work in a workgroup setting.
  • Client requests through a workgroup array will fail with a 502 error in this situation: an ISA Server array in a workgroup, a second array in the domain, a Web chaining rule on the workgroup array that points to the domain array and provides credentials, and a domain array that requires all users to authenticate.

Scenarios

Three scenarios are presented in this document:

  • A simple installation of an Internet Security and Acceleration (ISA) Server array in a workgroup, where the Configuration Storage server is in a domain. This is described in the Workgroup Solution—Walk-through in this document.
  • Installation of both the Configuration Storage server and the ISA Server array in a workgroup, creating an isolated enterprise. This is described in the Workgroup Enterprise Solution—Walk-through in this document.
  • A back-to-back installation of two ISA Server arrays, where the back array is part of a corporate domain, and the front (edge) array is in a workgroup. This is described in the Back-to-Back Solution—Walk-through in this document.

This document also describes how to reconfigure your Configuration Storage server to allow workgroup arrays, even if during the initial installation of the Configuration Storage server you planned on having only the same domain or trusted-domain arrays. This is described in Changing Your Configuration to Allow Workgroup Arrays—Walk-through in this document.

Notes

  • A Configuration Storage server that is installed in a workgroup will be unable to communicate with other Configuration Storage servers (precluding the creation of Configuration Storage server replicates), and must be installed as a complete, independent enterprise, rather than as part of a larger enterprise.
  • When you install ISA Server in a workgroup, you must create an identical (mirrored) local user account on each of the ISA Server firewall computers. This account will later be used by ISA Server Management to communicate with the firewall computers, particularly for monitoring and reporting purposes. You must provide the credentials of that local user each time you connect ISA Server Management to a workgroup array. Remember this requirement when considering whether to install a firewall array in a workgroup, and in determining the size of the deployment. For more information, see Assigning Roles in this document.

Solutions

A solution is provided for each of the scenarios, and a solution is provided for changing your configuration to allow workgroup arrays:

  • Workgroup Solution—Walk-through
  • Workgroup Enterprise Solution—Walk-through
  • Back-to-Back Solution—Walk-through
  • Changing Your Configuration to Allow Workgroup Arrays—Walk-through

For detailed procedures that are common to all solutions, see Appendix A: Procedures in this document.

Workgroup Solution—Walk-through

In this walk-through, an ISA Server array is installed in a workgroup, protecting a specific resource, such as a group of computers publishing a Web site or Outlook Web Access. The Configuration Storage server for the workgroup is located in a domain, as shown in the following figure.

This walk-through provides information that is specific to the workgroup scenario, with hyperlinks to procedures in Appendix A in this document.

To configure the workgroup solution, follow these steps:

  1. Create and export a server authentication certificate, and ensure that the certificate export file is accessible to the computer that will be the Configuration Storage server, as described in Installing a Certificate for Workgroup Authentication.

  2. Install the main office Configuration Storage server, following the procedure in Installing the Configuration Storage Server. During the installation, on the Enterprise Deployment Environment page, choose to use certificate authentication, and provide the location of the server certificate.

  3. Install the first array in the main office following the procedure in Creating an ISA Server Array.

  4. Install the root certificate (matching the server certificate you installed in step 1) on the workgroup computers that will host ISA Server services, following the procedure in Installing a root certificate.

  5. Optional. Before you install ISA Server services on the workgroup computers, you can check LDAPS connectivity between the workgroup computers and the Configuration Storage server, using the Ldp.exe tool. To do so, follow the procedure in Testing LDAPS Connectivity.

  6. Install the firewall on the workgroup computer that will be the first server in the ISA Server array, following the procedure in Creating an ISA Server Array. You will create a new array. For credentials, you must use a user that is recognized by the main Configuration Storage server as an enterprise administrator. You must also be an administrator on the local workgroup computer. On the Configuration Storage Server Authentication Options page, select Authentication over SSL encrypted channel and Use an existing trusted root CA certificate.

  7. Install additional computers running ISA Server services, as described in Adding Servers to the ISA Server Array.

  8. Because the workgroup array does not have access to domain user information, intra-array communication will require use of a mirrored account, a user account that is defined on all array members. Follow the procedures in Configuring Intra-Array Credentials for a Workgroup Array.

  9. Assign administrative roles, using mirrored administrative credentials, as described in Assigning Roles.

  10. Establish intra-array communication, as described in Configuring Intra-Array Credentials for a Workgroup Array.

  11. Connect ISA Server Management to the Configuration Storage server and the array, following the procedure in Connecting ISA Server Management.

    Important

    Because the workgroup does not have access to the Active Directory® directory service, it cannot depend on Windows authentication. This has important configuration implications, described in Workgroup Authentication Issues.
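As an added example that is not part of the original document, the following PowerShell script performs the connectivity check that step 5 describes for Ldp.exe: it opens a TLS session from a workgroup computer to the Configuration Storage server on the LDAPS port (2172, the port this document uses for the LDAPS server protocol definition) and accepts the session only if the server certificate carries the server's name and chains to exactly the root CA that was exported for workgroup authentication. The server name css01.corp.example.com and the certificate path C:\Certs\RootCA.cer are placeholders for your own values.

```powershell
# Added example, not from the ISA Server documentation.
# Checks LDAPS (TCP 2172) reachability of the Configuration Storage server from a
# workgroup computer and validates the server certificate against the exported
# root CA, which is what a successful Ldp.exe connection with SSL enabled implies.
# Placeholders: $CssFqdn and $RootCaPath must be changed for your environment.
param(
    [string]$CssFqdn    = "css01.corp.example.com",   # placeholder FQDN of the CSS
    [int]   $Port       = 2172,                        # LDAPS port used by ISA Server
    [string]$RootCaPath = "C:\Certs\RootCA.cer"        # placeholder path to the exported root CA
)

$rootCa = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($RootCaPath)

# Custom validation: the presented certificate must match the name we connected
# to, and its chain must end at the root CA we exported (compared by thumbprint).
$validate = {
    param($sender, $cert, $chain, $policyErrors)
    $nameMismatch = [System.Net.Security.SslPolicyErrors]::RemoteCertificateNameMismatch
    if (($policyErrors -band $nameMismatch) -eq $nameMismatch) {
        Write-Warning "Certificate name does not match $CssFqdn"
        return $false
    }
    $c = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $c.ChainPolicy.ExtraStore.Add($rootCa) | Out-Null
    # The exported root is usually not in the local trusted store yet, so allow the
    # chain to terminate at a root we supply and then check it is the expected one.
    $c.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::AllowUnknownCertificateAuthority
    $c.ChainPolicy.RevocationMode    = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $built = $c.Build([System.Security.Cryptography.X509Certificates.X509Certificate2]$cert)
    $top   = $c.ChainElements[$c.ChainElements.Count - 1].Certificate
    if (-not $built -or $top.Thumbprint -ne $rootCa.Thumbprint) {
        Write-Warning "Certificate chain does not end at the exported root CA ($($rootCa.Subject))"
        return $false
    }
    return $true
}

$tcp = New-Object System.Net.Sockets.TcpClient
try {
    $tcp.Connect($CssFqdn, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    $ssl.AuthenticateAsClient($CssFqdn)    # handshake; $validate decides acceptance
    $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    "LDAPS handshake succeeded with {0}:{1}" -f $CssFqdn, $Port
    "  Subject : {0}" -f $remote.Subject
    "  Issuer  : {0}" -f $remote.Issuer
    "  Expires : {0}" -f $remote.NotAfter
    $ssl.Dispose()
} catch {
    "LDAPS check FAILED for {0}:{1} - {2}" -f $CssFqdn, $Port, $_.Exception.Message
} finally {
    $tcp.Close()
}
```

A failure here before ISA Server services are installed points at one of three things: the name you typed does not match the certificate subject (use the FQDN the certificate was issued for, and make sure the workgroup computer can resolve it), the chain does not end at the root you exported (the wrong root certificate was copied), or TCP 2172 is not reachable (a firewall between the workgroup and the Configuration Storage server, which the back-to-back walk-through addresses with publishing or access rules).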

Workgroup Enterprise Solution—Walk-through

In this walk-through, an ISA Server Configuration Storage server and an ISA Server array are installed in a workgroup, as shown in the following figure.

You will install the Configuration Storage server on one computer, and ISA Server services on one or more other computers. The Configuration Storage server will not be able to communicate with any other Configuration Storage server outside of the workgroup, so this installation will represent an independent ISA Server enterprise located in the workgroup. Also, you cannot install more than one Configuration Storage server in a workgroup, so there will be no replicate Configuration Storage server.

This walk-through provides information that is specific to the workgroup enterprise scenario, with links to procedures in Appendix A in this document. To configure the workgroup enterprise solution, follow these steps:

  1. Create and export a server authentication certificate, and ensure that the certificate export file is accessible to the computer that will be the Configuration Storage server, as described in Installing a Certificate for Workgroup Authentication.

  2. Install the Configuration Storage server in the workgroup, following the procedure in Installing the Configuration Storage Server. During the installation, on the Enterprise Deployment Environment page, choose to use certificate authentication, and provide the location of the server certificate.

  3. Install the root certificate (matching the server certificate you installed in step 1) on the workgroup computers that will host ISA Server services, following the procedure in Installing a root certificate.

  4. Optional. Before you install ISA Server services on the workgroup computers, you can check LDAPS connectivity between the workgroup computers and the Configuration Storage server, using the Ldp.exe tool. To do so, follow the procedure in Testing LDAPS Connectivity.

  5. Install the firewall on the workgroup computer that will be the first server in the ISA Server array, following the procedure in Creating an ISA Server Array. You will create a new array. For credentials, you must use a user that is recognized by the main Configuration Storage server as an enterprise administrator. On the Configuration Storage Server Authentication Options page, select Authentication over SSL encrypted channel and Use an existing trusted root CA certificate.

  6. Install additional computers running ISA Server services, as described in Adding Servers to the ISA Server Array.

  7. Because the workgroup array does not have access to domain user information, intra-array communication will require use of a mirrored account, a user account that is defined on all array members. Follow the procedures in Configuring Intra-Array Credentials for a Workgroup Array.

  8. Assign administrative roles, using mirrored administrative credentials, as described in Assigning Roles.

  9. Establish intra-array communication, as described in Configuring Intra-Array Credentials for a Workgroup Array.

  10. Connect ISA Server Management to the Configuration Storage server and the array following the procedure in Connecting ISA Server Management.

    Important

    Because the workgroup does not have access to Active Directory, it cannot depend on Windows authentication. This has important configuration implications, described in Workgroup Authentication Issues.

Back-to-Back Solution—Walk-through

In this walk-through, you want to protect a perimeter network by putting it behind an ISA Server firewall array hosted in a workgroup, and further protect your corporate network by having a second ISA Server firewall array behind the perimeter network, as shown in the following figure.

This walk-through provides information that is specific to the back-to-back scenario, with links to procedures in Appendix A in this document. To configure the back-to-back scenario, follow these steps:

  1. Create and export a server authentication certificate, and ensure that the certificate export file is accessible to the computer that will be the Configuration Storage server, as described in Installing a Certificate for Workgroup Authentication.

  2. Install the main office Configuration Storage server, following the procedure in Installing the Configuration Storage Server.

  3. Install the first array in the main office, following the procedure in Creating an ISA Server Array.

  4. On the main array, create a network that contains the IP addresses of the ISA Server workgroup array, for example, 206.73.118.1–206.73.118.2, following the procedure in Creating a Network.

  5. Create the perimeter network on the main array, following the procedure in Creating a Network. An example IP range for the perimeter network is 131.107.1.1–137.107.1.255, as shown in the preceding figure.

  6. Use a network rule to create a relationship between the Internal and perimeter networks, following the procedure in Creating a Network Rule:

    • If you plan to use server publishing to allow access to the Configuration Storage server (recommended), you can create a network address translation (NAT) relationship between the Internal and perimeter networks.
    • If you plan on creating an access rule to allow access to the Configuration Storage server, you should create a route relationship between the Internal and perimeter networks.
  7. Set the default gateway on the internal adapter of the front array to be the external network adapter of the back array, or add a static route so that the internal IP range of the main office can be accessed from the external adapter of the back ISA Server array.

  8. Allow access to the Configuration Storage server. This can be done in two ways:

    • Server publish the Configuration Storage server. Create three server publishing rules, one publishing LDAPS server, one publishing LDAP, and another publishing DNS. To do this, you must define an LDAPS server protocol (inbound port 2172), following the procedure Creating a Protocol Definition. Create server publishing rules, following the procedure Creating a Server Publishing Rule. Change the DNS server on the front end to be the external IP address of the back-end ISA Server array. Ensure that the DNS server resolves the name of the Configuration Storage server to the external network adapter of the back server. Alternatively to configuring DNS, you can make a Hosts file entry to point NameofConfigurationStorageServer to ExternalIPofISAServerComputer.
    • Create an access rule allowing LDAPS, LDAP, and DNS traffic from the front array to the back array and vice versa, following the procedure Creating an Access Rule.
  9. Install the root certificate (matching the server certificate you installed in step 1) on the workgroup computers that will host ISA Server services, following the procedure in Installing a root certificate.

  10. Optional. Before you install ISA Server services on the workgroup computers, you can check LDAPS connectivity between the workgroup computers and the Configuration Storage server, using the Ldp.exe tool. To do so, follow the procedure in Testing LDAPS Connectivity.

  11. Install the firewall on the workgroup computer that will be the first server in the front ISA Server array, following the procedure in Creating an ISA Server Array. You will be creating a new array. For credentials, you must use a user that is recognized by the main Configuration Storage server as an enterprise administrator. On the Configuration Storage Server Authentication Options page, select Authentication over SSL encrypted channel and Use an existing trusted root CA certificate.

  12. Install additional computers running ISA Server services, as described in Adding Servers to the ISA Server Array.

  13. Because the workgroup array does not have access to domain user information, intra-array communication will require use of a mirrored account, a user account that is defined on all array members. Follow the procedure in Configuring Intra-Array Credentials for a Workgroup Array.

  14. Assign administrative roles, using mirrored administrative credentials, as described in Assigning Roles.

  15. Establish intra-array communication, as described in Configuring Intra-Array Credentials for a Workgroup Array.

  16. Connect ISA Server Management to the Configuration Storage server and the array, following the procedure in Connecting ISA Server Management.

    Important

    Because the workgroup does not have access to Active Directory, it cannot depend on Windows authentication. This has important configuration implications, described in Workgroup Authentication Issues.

    Note

    This solution is based on the availability of a physical connection between all of the networks. Configuration of site-to-site VPN connections is described in the document Site-to-Site VPN in ISA Server 2004 Enterprise Edition on the ISA Server Guidance page (www.microsoft.com).

Changing Your Configuration to Allow Workgroup Arrays—Walk-through

If you initially installed your Configuration Storage server without a certificate, so that only same-domain or trusted-domain arrays can communicate with it, and now want to allow workgroup arrays, follow these steps:

  1. Create and export a server authentication certificate, and ensure that the certificate export file is accessible to the computer that will be the Configuration Storage server, as described in Installing a Certificate for Workgroup Authentication.

  2. Have ISA Server associate the certificate with the appropriate service. You can do this in one of two ways:

    • Run ISA Server Setup. On the Program Maintenance page, select Repair. On the Enterprise Deployment Environment page, select I plan to deploy in a workgroup or in domains without trust relationship. Under Server certificate, provide the location and name of the certificate you created and exported in Installing a Certificate for Workgroup Authentication, or use the Browse button to locate the file. Provide a password if the certificate is password protected. Click Next. On the Ready to Repair the Program page, click Install.

    Note

    We recommend that you run ISACertTool, rather than using ISA Server Setup Repair.

    • Run ISACertTool, available on the ISA Server Downloads page (https://www.microsoft.com). To use ISACertTool, follow these steps:

    1. Copy the ISACertTool program to the directory \Program Files\Microsoft ISA Server on the Configuration Storage server.
    2. From a command prompt in the \Program Files\Microsoft ISA Server directory, run ISACertTool, using this syntax:
      ISACertTool (/st file_name [/pswd password]) | /fw file_name
      /st file_name     Install a server authentication certificate to the Configuration Storage service store.
      /pswd password    Specify the password to use when installing a server authentication certificate.
      /keepcerts        Do not delete existing certificates installed in the Configuration Storage service store.
    3. Perform the same steps on each member of a workgroup array that will use this Configuration Storage server. Copy the ISACertTool program to the directory \Program Files\Microsoft ISA Server on the array member.
    4. From a command prompt in the \Program Files\Microsoft ISA Server directory, run ISACertTool, using this syntax:
      ISACertTool (/st file_name [/pswd password]) | /fw file_name
      /fw file_name     Install a root Certification Authority (CA) certificate to the local computer store.

If you have an ISA Server array that is using Windows authentication, and you want to change it to use certificate authentication (for example, if you want to move the array to a workgroup), follow these steps:

  3. Install a root certificate on each member of the ISA Server array, as described in Installing a root certificate.

  4. In ISA Server Management, right-click the array node and select Properties.

  5. On the Configuration Storage tab, click Select to open the Select Authentication Type dialog box.

  6. Select Authentication over SSL encrypted channel, and click OK. Click OK to close the array properties.

  7. In the details pane, click Apply to apply the changes.

Appendix A: Procedures

This appendix includes the following procedures:

  • Installing the Configuration Storage Server
  • Assigning Roles
  • Creating Enterprise Networks
  • Installing a Combined Server
  • Creating a Network
  • Creating a Network Rule
  • Creating an ISA Server Array
  • Adding Servers to the ISA Server Array
  • Creating an Access Rule
  • Connecting ISA Server Management
  • Creating a Protocol Definition
  • Creating a Server Publishing Rule
  • Changing the Configuration Storage Server for an Array
  • Configuring Intra-Array Credentials for a Workgroup Array
  • Testing LDAPS Connectivity
  • Installing a Certificate for Workgroup Authentication
  • Creating and Restoring a Backup File

Installing the Configuration Storage Server

The Configuration Storage server stores the configuration information for all of the arrays in the enterprise. This procedure describes how to install the Configuration Storage server. Perform this procedure on the computer that you have designated as a Configuration Storage server.

To install a Configuration Storage server, follow these steps:

  1. Log on to the Configuration Storage server. If the computer is in a domain, log on as a domain user. The user that installs the Configuration Storage server will automatically become an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install Configuration Storage Server, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Note that you cannot create a replica of a Configuration Storage server that is installed in a workgroup. Click Next. Do one of the following:

    • If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    • If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server you want to replicate, or click Browse to locate the server on the network. Click Next.
    • If you are creating a replicate Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File. Click Next.
  10. On the Enterprise Deployment Environment page, select I plan to deploy in a workgroup or in domains without trust relationship. Under Server certificate, provide the location and name of the certificate you created and exported in Installing a Certificate for Workgroup Authentication, or use the Browse button to locate the file. Provide a password if the certificate is password protected. Click Next.

    Note

    A network service account is a predefined local account with limited privileges that is used to start a service and provide the security context for that service. Using an account with limited privileges for the Configuration Storage server is an important security measure. If you want the Configuration Storage server to run using an account you specify, be sure to create an account with limited privileges for this purpose.

  11. On the Ready to Install the Program page, click Install to begin the installation.

  12. After the installation is complete, click Finish.

Assigning Roles

In addition to the typical ISA Server roles that you assign for your enterprise and array administrators, you must create a mirrored user account on each member of the ISA Server array in the workgroup. The mirrored user account is an identical account on each computer. It has the same user name and password. This account is critical for enabling management of the array.

Scenario 1: Array in a workgroup, Configuration Storage server in a domain

If the computer running ISA Server 2004 services belongs to a workgroup, and the Configuration Storage server belongs to a domain, user accounts configured on the domain should be used to access the Configuration Storage server. When you create the array and indicate the Configuration Storage server it will point to, you must provide credentials for connection to the Configuration Storage server.

You should then create mirrored accounts on each array member. Create identical user accounts—same user name and same password—on each array member. We recommend that you use the same user name that you used for the domain-based account.

Then, you must assign roles to each of these users: a domain-based role for management of ISA Server, and the workgroup-based role for monitoring the ISA Server array.

For example, suppose that the Configuration Storage server belongs to the microsoft.com domain. Two computers running ISA Server services each belong to a workgroup. Amaya is the enterprise administrator, and Bourne is the array administrator. Both Amaya and Bourne have domain user accounts. For this example, the following actions are required:

  1. Create mirrored accounts for Amaya on both computers running ISA Server services. The accounts for Amaya must have identical credentials, but will not be the same as the domain user Amaya. In this example, call the mirrored account credentials Amaya2.
  2. Create mirrored accounts for Bourne on both computers running ISA Server services. The accounts for Bourne must have identical credentials, but will not be the same as the domain user Bourne. In this example, call the mirrored account credentials Bourne2.
  3. Assign roles on the enterprise level:
    1. In ISA Server Management, right-click the Enterprise node, and select Properties.
    2. On the Assign Roles tab, below the top frame, click Add, to open the Administration Delegation dialog box. Provide the domain user name (DomainName\Amaya) and from the Role drop-down menu, select a role, such as ISA Server Enterprise Administrator. Click OK.
    3. On the Assign Roles tab, below the bottom frame, click Add, to open the Administration Delegation dialog box. Provide the mirrored account user name (Amaya2) and from the Role drop-down menu, select a role, such as ISA Server Enterprise Administrator. Do not use the computer name before the user name Amaya2. Click OK, and then click OK again.
  4. Assign roles on the array level:
    1. In ISA Server Management, expand Arrays, right-click the applicable array, and then select Properties.

    2. On the Assign Roles tab, below the top frame, click Add, to open the Administration Delegation dialog box. Provide the domain user name (DomainName\Bourne) and from the Role drop-down menu, select a role, such as ISA Server Array Administrator. Click OK.

    3. On the Assign Roles tab, below the bottom frame, click Add, to open the Administration Delegation dialog box. Provide the mirrored account user name (Bourne2) and from the Role drop-down menu, select a role, such as ISA Server Array Administrator. Do not use the computer name before the user name Bourne2. Click OK.

      Note

      When you are connecting ISA Server Management in a workgroup scenario, the user you use to connect to the Configuration Storage server will be the domain user (either Bourne or Amaya).

      The user you use to connect to the array on the Array Connection Credentials Details page of the Enterprise Connection Wizard will be the mirrored account (Amaya2, or Bourne2). For details, see Connecting ISA Server Management.

Scenario 2: Array and Configuration Storage server in a workgroup

If you installed both the Configuration Storage server and the ISA Server array in a workgroup, you will assign roles just as you did in the scenario where the Configuration Storage server is in a domain. However, the user account for connecting to the Configuration Storage server and the mirrored account on the array members can be identical, because there are no domain user accounts in this scenario.
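The mirrored account only works if it really is identical on every array member: same user name, same password, and entered in the Administration Delegation dialog box without a computer prefix. As an added example that is not part of the original document, the following PowerShell script checks those properties from an administrator's workstation for each array member. The member names ISAWG01 and ISAWG02 are placeholders; the script assumes the members can be reached over SMB (the IPC$ share) and uses the WinNT ADSI provider and the net use command, both of which are present on the Windows versions ISA Server 2004 runs on.

```powershell
# Added example, not from the ISA Server documentation.
# Checks that the mirrored account is present on every workgroup array member,
# that every member accepts the same password (identical credentials are what
# makes the account "mirrored"), and whether it is a local administrator (this
# document notes that the mirrored account does not have to be one).
# Placeholders: $members are example computer names for your array.
$members = @("ISAWG01", "ISAWG02")   # placeholder array member names

# Prompt for the mirrored account. Enter the bare user name (for example Amaya2),
# with no computer prefix, exactly as it is entered when assigning roles.
$cred = Get-Credential
$user = $cred.UserName
$pass = $cred.GetNetworkCredential().Password

foreach ($m in $members) {
    # 1. Does a local user with this name exist on the member? (WinNT ADSI provider)
    $exists = [bool](([ADSI]"WinNT://$m,computer").Children |
        Where-Object { $_.SchemaClassName -eq "user" -and $_.Name -eq $user })

    # 2. Does the member accept the password? A short IPC$ session authenticated as
    #    <member>\<user> succeeds only if this member's copy has the same password.
    $null = net use "\\$m\IPC$" $pass /user:"$m\$user" 2>&1
    $authOk = ($LASTEXITCODE -eq 0)
    if ($authOk) { $null = net use "\\$m\IPC$" /delete /y 2>&1 }

    # 3. Is the account in the local Administrators group? Informational only;
    #    monitoring and reporting do not need a local administrator.
    $isAdmin = $false
    if ($exists) {
        $grp   = [ADSI]"WinNT://$m/Administrators,group"
        $names = @($grp.psbase.Invoke("Members") | ForEach-Object {
            $_.GetType().InvokeMember("Name", "GetProperty", $null, $_, $null) })
        $isAdmin = $names -contains $user
    }

    "{0,-10} exists={1,-5} passwordAccepted={2,-5} localAdmin={3}" -f $m, $exists, $authOk, $isAdmin
}
```

A member that reports exists=True but passwordAccepted=False is the classic mirrored-account mistake (the account was created with a different password on that member), and it shows up in ISA Server Management as monitoring and reporting failures for that server only. Each failed check counts as a failed logon against the member's account lockout policy, so correct the password rather than re-running the script repeatedly.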

Creating Enterprise Networks

As enterprise administrator, you should define enterprise networks. Enterprise networks let you create access rules on the enterprise level that refer to them, and they let your array administrators define array networks in terms of those enterprise networks, so that rules for networks throughout the enterprise are easy to create. Properly defined networks also assist spoof detection.

In this procedure, you will create a corporate network, which will include all of the IP addresses of the main and branch Internal networks.

To create an enterprise network, follow these steps:

  1. On the Configuration Storage server, expand the Enterprise node, and click Enterprise Networks.

  2. In the task pane, on the Tasks tab, select Create a New Network to start the New Network Wizard.

  3. In Network name, provide a name for the new network, such as Internal, and then click Next.

  4. On the Network Addresses page, click Add Range to open the IP Address Range Properties dialog box. In the Start address, type the low end of the IP address range, such as 10.1.0.0 and in the End address, type the high end of the IP address range, such as 10.2.255.255, and then click OK. This range of addresses will cover all of the internal IP addresses for the Main and Branch arrays. On the Network Addresses page, click Next.

  5. On the summary page, review the properties of the enterprise network you are creating, and then click Finish.

Installing a Configuration Storage Server and ISA Server Services on a Single Computer

You can install the Configuration Storage server and ISA Server services on a single computer. Follow these steps:

  1. On the computer, log on to the domain as an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install both ISA Server services and Configuration Storage server, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise, and then click Next.

  10. On the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning.

  11. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Click Next. Then, do one of the following:

    1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server you want to replicate, or click Browse to locate the server on the network. Click Next.
  12. On the Service Account Selection page, select whether the Configuration Storage server will run using the network service account (recommended), or a specific account that you supply, and then click Next.

  13. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. Select Add, and then click Add Adapter to define the Internal network with the IP addresses associated with the Internal network adapter. Click Next.

  14. On the Firewall Client Connection Settings page, you can select which firewall clients will be allowed to connect. Click Next.

  15. On the Services Warning page, read the warning, and then click Next.

  16. On the Ready to Install the Program page, click Install to begin the installation.

  17. After the installation is complete, select Invoke ISA Management when the wizard closes, and then click Finish.

  18. You will be prompted to restart the computer. Click Yes to restart the computer.

    Note

    If you want to create an ISA Server array in a workgroup and have it use this Configuration Storage server, you must reconfigure the server after you complete the installation. Follow the procedure in Changing Your Configuration to Allow Workgroup Arrays: Walk-through in this document.

Creating a Network

This procedure describes how to create a new network:

  1. Open Microsoft ISA Server Management, expand the ISA Server array node, expand Configuration, and then click Networks.

  2. In the details pane, select the Networks tab.

  3. In the task pane, on the Tasks tab, click Create a New Network.

  4. On the Welcome page, type a name for the network, and click Next.

  5. On the Network Type page, select a network type, and click Next.

  6. On the Network Addresses page, click Add Adapter to open the Select Network Adapters dialog box. Select the network adapter that connects the ISA Server computer to the appropriate network. Click OK, and click Next. Or, you can click Add Network to configure the network relative to enterprise networks.

  7. On the Completing the New Network Wizard page, review the settings, and click Finish.

Creating a Network Rule

This procedure describes how to create a new network rule:

  1. Open Microsoft ISA Server Management, expand the ISA Server array node, expand Configuration, and then click Networks.

  2. In the details pane, click the Network Rules tab. In the task pane, on the Tasks tab, select Create a Network Rule to start the New Network Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the network rule, and then click Next.

  4. On the Network Traffic Sources page, click Add to open the Add Network Entities dialog box. Expand Networks, select the specific source network, click Add, and then click Close. On the Network Traffic Sources page, click Next.

  5. On the Network Traffic Destinations page, click Add to open the Add Network Entities dialog box. Expand Networks, select the destination network, click Add, and then click Close. On the Network Traffic Destinations page, click Next.

  6. On the Network Relationship page, select either a Network Address Translation (NAT) relationship, or a Route relationship, and then click Next.

  7. Review the information on the wizard summary page, and then click Finish.

  8. In the ISA Server details pane, click Apply to apply the new network rule.

Creating an ISA Server Array

You can create an ISA Server array on the Configuration Storage server. This will be an empty array, for which you can configure enterprise policy. The enterprise or array administrator can then add servers to the array. Alternatively, the array can be created on the first array server, and other servers can then be added. Follow these steps:

  1. On the Configuration Storage server, open ISA Server Management.
  2. Click Arrays. In the task pane, on the Tasks tab, click Create New Array to start the New Array Wizard.
  3. On the Welcome page, provide a name for the new array, such as Main, and then click Next.
  4. On the Array DNS Name page, provide the Domain Name System (DNS) name of the array. This is the name that Firewall clients and Web clients will use to connect to the array. Click Next.
  5. On the Array Enterprise Policy page, from the drop-down menu, select the enterprise policy that will be applied to the new array, and then click Next.
  6. On the Array Policy Rule Types page, select the types of rules the array administrator is allowed to make, and then click Next.
  7. On the summary page, review the array configuration, and then click Finish. When the progress bar indicates that the array has been created, click OK.
  8. After the array has been created, you can assign array administrator privileges to the Main array. In ISA Server Management, right-click the name of the array and select Properties.
  9. On the Assign Roles tab, click Add. Add the appropriate user or group. From the drop-down Role menu, select ISA Server Array Administrator, and then click OK.
  10. Click OK to close the properties page.
  11. In the Firewall Policy details pane, click Apply to apply the changes.

Adding Servers to the ISA Server Array

Now that you created an array, you can add ISA Server computers to the array. Perform this procedure for each computer you want to add to the array:

  1. Log on to the domain using the credentials of the array administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Firewall Server Components, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Locate Configuration Storage Server page, specify the Configuration Storage server to which this computer will connect. You can click Browse to locate the Configuration Storage server. Note that the name you use to refer to the Configuration Storage server is its name on the network, and not the enterprise name. On this page, you must provide the credentials of an enterprise or array administrator, to connect to the Configuration Storage server. This user must be recognized by the Configuration Storage server, either as a domain user, or a local user on the Configuration Storage server. Click Next.

  10. On the Array Membership page, select Join an Existing Array, and then click Next.

  11. On the Join an Existing Array page, provide the name of the array. You can also click Browse to open the Arrays to join dialog box, and select the array from the list. Click Next.

  12. On the Configuration Storage Server Authentication Options page, select the authentication type that will be used for connections between the ISA Server computer and the Configuration Storage server. For the back array in the back-to-back scenario, select Windows authentication. For the front array in the back-to-back scenario, or for the workgroup scenario, select Authentication over SSL encrypted channel. Click Next.

    Note

    If you want to use authentication over an SSL encrypted channel, the root certificate of the certification authority must be installed on the computers running ISA Server services, as described in Installing a root certificate in this document.

  13. This step only takes place on the first server you install in the array. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. You can map your Internal network to an enterprise network:

    1. Click Add to open the Addresses dialog box.
    2. Click Add Network to open the Select Enterprise Networks dialog box.
    3. Select Internal, and then click OK.
    4. In the Addresses dialog box, click OK.
    5. On the Internal Network page, click Next.

    Alternatively, you can select Add Adapter and define the Internal network with the IP addresses associated with the internal network adapter, rather than mapping to an enterprise network.

  14. On the Firewall Client Connection Settings page, you can select which firewall clients will be allowed to connect. Click Next.

  15. On the Services Warning page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.

  16. Click Install.

  17. After the installation is complete, click Finish.

  18. You will be prompted to restart the computer. Click Yes to restart the computer.

Repeat this procedure for the other servers that you want to add to the array.

Creating an Access Rule

This procedure describes the New Access Rule Wizard in general terms:

  1. In the Microsoft ISA Server Management console tree, click Firewall Policy.

  2. In the task pane, on the Tasks tab, select Create Array Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Internet access for staff during work hours, and then click Next.

  4. On the Rule Action page, select Allow if you are allowing access, or Deny if you are denying access, and then click Next.

  5. On the Protocols page, the default setting of This rule applies to is All outbound traffic. You may want to select Selected protocols and use the Add button to add the specific protocols from the Add Protocols dialog box. When you have made these selections, click Next.

  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, click the category for which you are creating access, select the specific object, click Add (repeat to add additional network objects), and then click Close. On the Access Rule Sources page, click Next.

  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select the specific object, click Add, and then click Close. On the Access Rule Destinations page, click Next.

  8. On the User Sets page, if your rule applies to all users, you can leave the user set All Users in place and proceed to the next page of the wizard. If the rule applies to specific users, select All Users and click Remove. Then, use the Add button to open the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. When you have completed the user set selection, click Next.

  9. Review the information on the wizard summary page, and then click Finish.

  10. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Order your access rules to match your Internet access policy. If you change the order, you will need to click Apply to apply the changes.

Connecting ISA Server Management

When your ISA Server Management console is not connected to the Configuration Storage server, you cannot view the ISA Server policy or status in the console. Follow these steps to connect to the Configuration Storage server:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and click ISA Server Management.

  2. In the task pane, on the Tasks tab, click Connect to Configuration Storage Server to open the Connection Wizard. On the Welcome page, click Next.

  3. On the Configuration Storage Server Location page, verify that On remote computer is selected. Provide or browse to the fully qualified domain name of the Configuration Storage server, such as storage1.east.fabrikam.com. Click Next.

  4. On the Configuration Storage Server Credentials page, you can select to connect to the Configuration Storage server using the credentials of the current user on the management computer, or provide other credentials. If you are logged on with the credentials of a user with permissions to connect to the Configuration Storage server, you can select Credentials of the logged-on user. Otherwise, select Credentials of the following user, and provide appropriate credentials. Click Next. The following figure shows the use of the credentials of Bourne, who is in the EAST domain. These credentials were established in Assigning Roles in this document.

  5. On the Array Connection Credentials page, you can select to connect to the array using the same credentials with which you connected to the Configuration Storage server or to provide different credentials. Because the array is in a workgroup, you must select Different credentials. Click Next.

  6. On the Array Connection Credentials Details page, provide credentials that are recognized locally by the array. These credentials are for the mirrored account that you established to have rights on the array in Assigning Roles (such as Bourne2). Click Next.

  7. On the summary page, click Finish.

    Note

    You can only be connected to one Configuration Storage server at a time. If you run the Enterprise Connection Wizard again and connect to a different Configuration Storage server, you will be disconnected from the first Configuration Storage server.

Creating a Protocol Definition

This procedure describes how to create a protocol definition:

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management to open ISA Server Management.

  2. In the ISA Server Management console, select Firewall Policy.

  3. In the task pane, select the Toolbox tab, and click Protocols.

  4. Under Protocols, click New, and then click Protocol to open the New Protocol Definition Wizard.

  5. On the New Protocol Definition Wizard Welcome page, in the Protocol definition name box, type LDAPS Server, and then click Next.

  6. On the Primary Connection Information page, click New.

  7. In the New/Edit Protocol Connection dialog box, in the Protocol type list, select the protocol type. For LDAPS server, this would be TCP.

  8. In Direction, select the direction. For LDAPS server, this would be Inbound.

  9. In From and To, type the port range. For LDAPS server, both From and To would be 2172. For LDAP, the port would be 2171. These are ports that are specific to LDAPS and LDAP in ISA Server 2004 Enterprise Edition.

  10. Click OK to close the New/Edit Protocol Connection dialog box.

  11. On the Primary Connection Information page, click Next.

  12. On the Secondary Connections page, in Do you want to use secondary connections, select No, and then click Next. If the protocol requires secondary connections, select Yes, and click New to define the secondary connection.

  13. Click Finish to close the New Protocol Definition Wizard. Notice that the LDAPS server protocol definition is listed in the User-Defined folder under the Protocols menu.

Creating a Server Publishing Rule

To create a server publishing rule, follow these steps:

  1. In ISA Server Management, select Firewall Policy.

  2. In the task pane, on the Tasks tab, click Create New Server Publishing Rule to open the New Server Publishing Rule Wizard.

  3. On the New Server Publishing Rule Wizard Welcome page, provide a name for the rule, and then click Next.

  4. On the Select Server page, in Server IP address, type the IP address of the computer that you want to publish, such as the Configuration Storage server, and then click Next.

  5. On the Select Protocol page, from the Selected protocol drop-down list, select the protocol on which you want to publish the server, and then click Next.

  6. On the IP Addresses page, under Listen for requests from these networks, select the networks on which you want to listen for requests. For example, in a back-to-back perimeter network scenario, the front-end ISA Server computer will be communicating with the external network adapter of the back-end ISA Server computer, so select External.

    Note

    You can select specific IP addresses that ISA Server will listen on. To do this, click the Address button, and then for the selected network, specify the IP addresses that ISA Server will listen on.

  7. Click Next.

  8. Click Finish to close the New Server Publishing Rule Wizard. Notice that in the ISA Server Management console, in the details pane, on the Firewall Policy tab, the new rule is listed.

  9. In the details pane, click the Apply button to apply the publishing rule to incoming traffic.

Changing the Configuration Storage Server for an Array

If you want to change the Configuration Storage server that an ISA Server array refers to, follow these steps:

  1. In ISA Server Management, expand Arrays, right-click the array you want to configure, and select Properties.

  2. On the Configuration Storage tab, enter the new storage location. Click OK, and then click Apply in the details pane to apply your changes.

Configuring Intra-Array Credentials for a Workgroup Array

Because the workgroup array does not have access to domain user information, intra-array communication will require use of the mirrored account, the user that is defined on all array members.

To configure intra-array credentials for a workgroup array, follow these steps:

  1. On each member of the ISA Server array, create a mirrored account—a user with the identical name and password. There is no need to create this account on the Configuration Storage server.

  2. In ISA Server Management, expand Arrays, right-click the array you want to configure, and select Properties.

  3. On the Intra-Array Credentials tab, select Authenticate using this account (for workgroup configuration only) and click Set Account to provide the mirrored user account information.

  4. Click OK, and then click Apply in the details pane to apply your changes.

Testing LDAPS Connectivity

You can use the Ldp.exe tool to check the LDAPS connectivity between a computer on which you will install ISA Server services and the Configuration Storage server. LDAPS is the protocol on which the two computers will communicate, using the server authentication certificate for authentication.

To test LDAPS connectivity, follow these steps:

  1. From the computer on which you will install ISA Server services, run ADAMSetup.exe, located in the \FPC\adam\ folder of the ISA Server CD. This will install the Ldp.exe tool to the %windir%\ADAM folder.

  2. In the %windir%\ADAM folder, run the Ldp.exe tool.

  3. From the menu, select Connection, and then click Connect.

  4. Provide the fully qualified domain name of the Configuration Storage server, such as ISAStorage.detroit.fabrikam.com.

  5. Under port, provide the LDAPS port number 2172. (This is the LDAPS port specific to ISA Server 2004 Enterprise Edition.)

  6. Select SSL, and then click OK. If you do not receive an error message, an LDAPS connection with the Configuration Storage server was successfully created.
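The same check as the Ldp.exe walk-through above, done from a script so it can be repeated on each server before installation (an added example, not part of the original document or of ISA Server). It makes the TLS handshake to port 2172, trusting only the CA root certificate exported to a PEM file, and then reports the two certificate problems this document warns about in the certificate procedures: a common name that does not match the Configuration Storage server's fully qualified domain name, and an expired or nearly expired certificate. The host names, the CA file path and the sample certificate dictionary are constructed.

```python
"""LDAPS connectivity and certificate check for an ISA Server 2004 EE
Configuration Storage server. Added example; not from the original document.
Assumes the CA root certificate is available as a PEM file (path constructed)."""
import socket
import ssl
import time

ISA_LDAPS_PORT = 2172   # LDAPS port specific to ISA Server 2004 EE (LDAP uses 2171)


def gmt(cert_time):
    """Convert a certificate timestamp such as 'Dec 31 23:59:59 2024 GMT' to epoch seconds."""
    return ssl.cert_time_to_seconds(cert_time)


def subject_cn(cert):
    """Return the commonName from a certificate dict shaped like ssl.getpeercert()."""
    for rdn in cert.get("subject", ()):
        for attr_type, value in rdn:
            if attr_type == "commonName":
                return value
    return None


def seconds_until_expiry(cert, now=None):
    """Seconds until notAfter; negative or zero once the certificate has expired."""
    now = time.time() if now is None else now
    return gmt(cert["notAfter"]) - now


def assess_certificate(cert, expected_fqdn, now=None, warn_days=30):
    """Return a list of findings; an empty list means the certificate looks usable."""
    findings = []
    cn = subject_cn(cert)
    if cn is None:
        findings.append("certificate has no commonName")
    elif cn.lower() != expected_fqdn.lower():
        # The CN must match the server name or clients fail to connect.
        findings.append(f"commonName {cn!r} does not match expected FQDN {expected_fqdn!r}")
    remaining = seconds_until_expiry(cert, now)
    if remaining <= 0:
        findings.append(f"certificate expired {int(-remaining // 86400)} day(s) ago")
    elif remaining < warn_days * 86400:
        findings.append(f"certificate expires in {int(remaining // 86400)} day(s); "
                        "renew it before ISA Server stops working")
    return findings


def probe_ldaps(fqdn, cafile, port=ISA_LDAPS_PORT, timeout=10):
    """Perform the TLS handshake Ldp.exe performs and return the server's certificate dict.

    Only the root certificate in `cafile` is trusted, which is the same trust
    relationship the workgroup array members rely on. Raises ssl.SSLError if
    the certificate does not chain to that root, or OSError if TCP fails.
    """
    context = ssl.create_default_context(cafile=cafile)
    # Certificates from the CA Web form carry only a CN, so the name is
    # compared in assess_certificate rather than by the SAN-based check here.
    context.check_hostname = False
    with socket.create_connection((fqdn, port), timeout=timeout) as sock:
        with context.wrap_socket(sock, server_hostname=fqdn) as tls:
            return tls.getpeercert()


# Constructed sample in the shape ssl.getpeercert() returns, so the assessment
# logic can be exercised without a live Configuration Storage server.
SAMPLE_CERT = {
    "subject": ((("commonName", "ISAStorage.detroit.fabrikam.com"),),),
    "issuer": ((("commonName", "Fabrikam Stand-alone Root CA"),),),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2024 GMT",
}


if __name__ == "__main__":
    import sys
    if len(sys.argv) == 3:   # usage: script.py <storage-server-fqdn> <root-ca.pem>
        host, ca = sys.argv[1], sys.argv[2]
        problems = assess_certificate(probe_ldaps(host, ca), host)
        print("LDAPS handshake OK;", problems or "no certificate problems")
    else:
        print(assess_certificate(SAMPLE_CERT, "ISAStorage.detroit.fabrikam.com",
                                 now=gmt("Dec 15 00:00:00 2024 GMT")))
```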

Installing a Certificate for Workgroup Authentication

These procedures walk you through the creation of a certification authority (CA) and the installation of the server certificate and root certificate. These certificates are needed for the authentication of a workgroup computer running ISA Server services when it communicates with a Configuration Storage server.

This procedure is based on the use of a stand-alone CA, and describes how to install that CA.

Important

Certificates typically have an expiration period, usually no more than one year. ISA Server cannot use an expired certificate. Be sure to renew your certificates before they expire, so that ISA Server can continue to function.

Setting up the certification authority

You need a certification authority (CA) if you want to issue digital certificates. When the certificates are for internal use, we recommend that you create a local CA, negating the need to purchase a commercial certificate.

This procedure is performed on a computer running Microsoft Windows Server™ 2003 or Windows® 2000 Server. Because you will install a stand-alone root CA, this can be any computer. If you use Internet Information Services (IIS) in this procedure, we recommend that you not perform this on the Configuration Storage server. We recommend that IIS not run on the Configuration Storage server or on computers running ISA Server services.

This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the IIS and Active Server Pages installations described in this procedure.

To set up the certification authority, follow these steps:

  1. Open Control Panel.

  2. Double-click Add or Remove Programs.

  3. Click Add/Remove Windows Components.

  4. Double-click Application Server.

  5. Double-click Internet Information Services (IIS).

  6. Double-click World Wide Web Service.

  7. Select Active Server Pages.

  8. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  9. Select Certificate Services. Review the warning regarding the computer name and domain membership. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.

  10. On the CA Type page, select Stand-alone root CA, and then click Next. A stand-alone root CA requires that the administrator issue each requested certificate, unless you follow the procedure in Configuring a stand-alone root CA to issue certificates automatically (optional) in this document.

  11. On the CA Identifying Information page, provide a common name for the CA, check the distinguished name suffix, select a validity period, and then click Next.

  12. On the Certificate Database Settings page, review the default settings. You may revise the database locations. Click Next.

  13. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

    Note

    To allow access to a CA Web site that is behind an array of computers running ISA Server services, you must publish it. To limit access to the Web site, you can publish only the specific folders needed from the Web site to a specific set of users, rather than publishing a complete server to all users. For more information about Web publishing, see the document Publishing Web Servers Using ISA Server 2004 on the ISA Server 2004 Guidance page (https://www.microsoft.com).

Configuring a stand-alone root CA to issue certificates automatically (optional)

You can configure a stand-alone root CA to issue certificates automatically. Follow these steps:

  1. From the Start menu, click Run. Type MMC, and then click OK.

  2. In MMC, click File, and then click Add/Remove Snap-in.

  3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certification Authority, and then click Add.

  4. In Certification Authority, select Local computer, and then click Finish. Click Close, and then click OK.

  5. Right-click the CAName certificates node, where CAName is the name of your certification authority, and select Properties.

  6. On the Policy Module tab, click Properties.

  7. On the Request Handling tab, select Follow the settings in the certificate template, if applicable. Otherwise, automatically issue the certificate.

  8. Click OK to close the Policy Module properties, and then click OK to close the CA properties.

  9. You will receive a message that you must restart Certificate Services. Right-click the name of your CA, point to All Tasks, and select Stop Service. After the service has stopped, right-click the name of your CA, point to All Tasks, and select Start Service.

Obtaining a server certificate

This procedure is performed on any computer that can access the CA computer, or on the CA computer itself. If you perform this procedure on a computer in the same network as the CA computer, you will not have to publish the CA computer to another network or to the Internet. Do not perform this procedure on the computer that will be the Configuration Storage server, because ISA Server Setup uses an exported certificate file to ensure that the certificate is installed in the correct location and associated with the correct service.

After you obtain the certificate, you will export it to a file, which you can then move to the computer that will be the Configuration Storage server. To obtain a server certificate, follow these steps:

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and in Select a Web content zone to specify its security settings, click Trusted sites.

  4. Click the Sites button to open the Trusted sites dialog box.

  5. In Add this Web site to the zone, provide the certificate server Web site name (https://IP address of certification authority server/certsrv) and click Add.

  6. Click Close to close the Trusted sites dialog box, and then click OK to close Internet Options.

  7. Browse to: https://IP address of certification authority server/certsrv.

  8. Click Request a certificate.

  9. Select Advanced Certificate Request.

  10. Select Create and submit a request to this CA (Windows Server 2003 CA), or Submit a certificate request to this CA using a form (Windows 2000 Server CA).

  11. Under Name, provide a name for the certificate. To avoid the client receiving an error when trying to connect, it is critical that the common name you provide for the certificate matches the server name. In common name, type the fully qualified host name for the Configuration Storage server on which the certificate will be installed, such as server01.east.fabrikam.com.

  12. Complete the form and select Server Authentication Certificate from the Type drop-down list.

  13. Select Mark keys as exportable.

    Note

    For an explanation of the options available on the Advanced Certificate Request page, see one of the following articles for Windows Server 2003 or Windows 2000 Server:

  14. Select Store Certificate in the local computer certificate store (Windows Server 2003 CA) or Use local machine store (Windows 2000 Server CA) and submit the request by clicking Submit. Review the warning dialog box that appears, and then click Yes.

  15. If you installed a stand-alone root CA and did not configure it to automatically issue certificates, perform the following steps on the certification authority computer.

    a. From the Start menu, click Run. Type MMC, and then click OK. If you created the certification authority MMC console previously, open that console and skip to step f.
    b. In MMC, click File, and then click Add/Remove Snap-in.
    c. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certification Authority, and then click Add.
    d. In Certification Authority, select Local computer, and then click Finish. Click Close, and then click OK.
    e. Go to the Microsoft Management Console (MMC) Certification Authority snap-in (click Start, point to All Programs, point to Administrative Tools, and then select Certification Authority).
    f. Expand the CAName certificates node, where CAName is the name of your certification authority.
    g. Click the Pending requests node, right-click your request, select All Tasks, and then select Issue.
  16. On the computer where you requested the certificate, return to the Web page https://IP address of certification authority server/certsrv, and then click View status of a pending request.

  17. Click your request and choose Install this certificate.

Exporting the server certificate

ISA Server installation makes use of the exported certificate file (.pfx), so you must export the server certificate. This procedure takes place on the computer on which the certificate was installed.

To export the server certificate, follow these steps:

  1. From the Start menu, click Run. Type MMC, and then click OK.

  2. In MMC, click File, and then click Add/Remove Snap-in.

  3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. From the list of snap-ins, select Certificates, and then click Add.

  4. In Certificates snap-in, select Computer account, and then click Next. In Select Computer, verify that Local computer (the default) is selected, and then click Finish. Click Close, and then click OK.

  5. In the MMC console, expand Certificates (Local Computer), expand Personal, and click Certificates.

  6. In the details pane, right-click the certificate you just created (it shows the fully qualified domain name of the Configuration Storage server), point to All Tasks, and select Export.

  7. On the Welcome page of the Certificate Export Wizard, click Next.

  8. On the Export Private Key page, select Yes, export the private key, and then click Next.

  9. On the Export File Format page, select Include all certificates in the certification path if possible, leave the other default settings, and then click Next.

  10. On the Password page, you may provide and confirm a password, and then click Next.

  11. On the File to Export page, click Browse and browse to a location where you want to store the exported certificate file. This can be a floppy disk, a network share, or any location from which the file can be easily retrieved by ISA Server Setup when installing the Configuration Storage server. Click Next.

  12. On the summary page, click Finish.

  13. Close MMC. Save the console settings with a descriptive name, such as LocalCertificates.
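Before handing the .pfx file to ISA Server Setup, you can confirm that it matches steps 8 and 9 above (private key exported, certification path included). The script below is an added example, not part of this document or of ISA Server; it assumes Windows PowerShell is available on the computer, and the file path is a placeholder.

```powershell
# Added example, not from the ISA Server documentation: inspect an exported .pfx
# and report whether it carries the private key and the chain up to the root CA.
param(
    [string]$PfxPath  = 'A:\css-cert.pfx',             # placeholder: where the wizard saved the file
    [string]$Password = (Read-Host 'PFX password')     # the password entered on the Password page
)

# X509Certificate2Collection.Import loads every certificate in the PKCS#12 file,
# not only the end-entity one, so the chain can be checked as well.
$flags  = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$bundle = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$bundle.Import($PfxPath, $Password, $flags)

$withKey = @($bundle | Where-Object { $_.HasPrivateKey })
$roots   = @($bundle | Where-Object { $_.Subject -eq $_.Issuer })

if ($withKey.Count -ne 1) {
    throw "Expected exactly one certificate with a private key, found $($withKey.Count). Re-export and select 'Yes, export the private key' (step 8)."
}
if ($roots.Count -eq 0) {
    Write-Warning "No root certificate in the file: the certification path was not included (step 9). Array members will need the root certificate installed separately."
}

$server = $withKey[0]
Write-Host "Server certificate   : $($server.Subject)"
Write-Host "Issued by            : $($server.Issuer)"
Write-Host "Valid until          : $($server.NotAfter)"
Write-Host "Certificates in file : $($bundle.Count)"
if ($server.NotAfter -lt (Get-Date)) { Write-Warning 'The server certificate has already expired.' }
```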

Installing a root certificate

For a client computer to trust server certificates issued by a local CA, the root certificate of that CA must be installed on the client. Follow this procedure on the computer on which you are going to install ISA Server services in an array.

  1. Open Internet Explorer.

  2. From the menu, select Tools, and then select Internet Options.

  3. Select the Security tab, and click Custom Level to open the Security Settings dialog box. Set the value in the Reset custom settings drop-down menu to Medium, click OK to close the Security Settings dialog box, and then click OK to close the Internet Options dialog box.

    Note

    Certificate installation is not possible when the security setting is set to High.

  4. Browse to: https://IP address of certification authority server/certsrv.

  5. Click Download a CA certificate, certificate chain, or CRL.

  6. Click Install this CA certificate chain. Read the warning, and if you want to proceed, click Yes.

    Note

    Alternatively, you can select Download CA certificate chain. In the File Download dialog box, click Save and save the file to a known location that you can refer to during the installation of ISA Server services in an array.

  7. Verify that the root certificate was properly installed. Open MMC, and go to the Certificates snap-in. Open Certificates (Local Computer), expand the Trusted Root Certification Authorities node, click Certificates, and verify that the root certificate is in place.

Creating and Restoring a Backup File

The Configuration Storage server is based on Active Directory Application Mode (ADAM). These procedures walk you through the creation of a Windows backup file for ADAM data that can be used in the replication of a Configuration Storage server.

Backing up the ADAM data files

To back up the ADAM data files, on the Configuration Storage server from which you want to replicate, follow these steps:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. If the Welcome page appears, click Advanced Mode.

  3. On the Backup tab, select the ADAMData folder, located under the installation folder (by default, Program files\Microsoft ISA Server).

  4. In Backup media or file name, type the name of the backup file (with a .bkf extension).

  5. Click Start Backup. In the Backup Job Information dialog box, click Start Backup.

  6. When the backup is complete, copy the backup files to the computer on which you want to replicate the Configuration Storage server.

Restoring the backup files

On the computer to which you want to replicate the Configuration Storage server, do the following:

  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. If the Welcome page appears, click Advanced Mode.

  3. On the Restore and Manage Media tab, right-click File, and then click Catalog File. Provide or browse to the backup file (.bkf) you copied to the local computer. Then click OK.

  4. Expand the tree nodes to navigate to the ADAMData folder. Click to select the folder.

  5. In Restore files to, select Alternate location.

  6. Specify the folder to which you want to restore the backup data files.

    Note

    The folder you specify must be on an NTFS drive, and located on a local computer, because a network location is not supported.

  7. Click Start Restore.

  8. In the Confirm Restore dialog box, click OK.

    Note

    After running restore, do not rename the folder you have specified for the restore data or copy the contents of the folder to a different location.

Appendix B: Troubleshooting

This document contains the following troubleshooting topics:

  • Connectivity Issues
  • Error Messages
  • Monitoring
  • Application Filter Registration

Connectivity Issues

If array members cannot authenticate with the Configuration Storage server, there may be a certificate authentication problem. The certification authority (CA) certificate may not be installed on the array member, or it may have expired.

To solve this problem, make sure that there is a current certificate installed on the Configuration Storage server, and that the associated root certificate is installed on each member of the ISA Server array in the workgroup.
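The following script is an added check, not part of this document or of ISA Server. It verifies both conditions named above: on any array member, that the CA root certificate is present and unexpired in the Trusted Root store (the same verification as step 7 of Installing a root certificate); and, when run on the Configuration Storage server with -CssFqdn, that its own server certificate is current. The CA name and FQDN are placeholders, and Windows PowerShell is assumed to be installed.

```powershell
# Added example, not from the ISA Server documentation: certificate checks for
# array members and for the Configuration Storage server.
param(
    [string]$CaName  = 'CAName',   # placeholder: the name of your certification authority
    [string]$CssFqdn = '',         # placeholder: FQDN of the Configuration Storage server; set only when run on it
    [int]$WarnDays   = 30          # warn when fewer than this many days of validity remain
)

function Test-StoreCert {
    param([string]$StorePath, [string]$SubjectMatch, [string]$Role)
    $certs = @(Get-ChildItem $StorePath | Where-Object { $_.Subject -like "*$SubjectMatch*" })
    if ($certs.Count -eq 0) {
        Write-Warning "$Role : no certificate matching '$SubjectMatch' in $StorePath"
        return $false
    }
    $ok = $false
    foreach ($c in $certs) {
        $daysLeft = ($c.NotAfter - (Get-Date)).Days
        if ($daysLeft -lt 0) {
            Write-Warning "$Role : $($c.Subject) expired on $($c.NotAfter); reissue and reinstall it"
        } else {
            if ($daysLeft -lt $WarnDays) { Write-Warning "$Role : $($c.Subject) expires in $daysLeft days" }
            Write-Host "$Role : $($c.Subject) valid until $($c.NotAfter) (thumbprint $($c.Thumbprint))"
            $ok = $true
        }
    }
    return $ok
}

# Every array member needs the root of the CA that issued the CSS certificate.
$rootOk = Test-StoreCert 'Cert:\LocalMachine\Root' $CaName 'Root CA'

# The Configuration Storage server additionally needs a current server certificate
# in its Personal store, issued to its fully qualified domain name.
$cssOk = $true
if ($CssFqdn) { $cssOk = Test-StoreCert 'Cert:\LocalMachine\My' $CssFqdn 'CSS certificate' }

if ($rootOk -and $cssOk) { Write-Host 'Certificate checks passed.' }
else { Write-Warning 'Certificate checks failed; see the warnings above.' }
```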

Error Messages

When you install ISA Server in a workgroup, you may receive this error message related to the Microsoft SQL Server™ 2000 Desktop Engine (MSDE 2000) database:

"The description for Event ID ( 19011 ) in Source ( MSSQL$MSFW ) cannot be found. The local computer may not have the necessary registry information or message DLL files to display messages from a remote computer. You may be able to use the /AUXSOURCE= flag to retrieve this description; see Help and Support for details. The following information is part of the event: (SpnRegister) : Error 1355."

You can safely ignore this message. Note that the text of the message may vary slightly depending on what service pack for MSDE you have installed.

Monitoring

If you cannot monitor the workgroup array, you may not have configured appropriate administrative roles and mirrored accounts. For information about roles and mirrored accounts, see Assigning Roles in this document.

Application Filter Registration

If an enterprise administrator wants to register an application filter in the enterprise configuration from a workgroup computer, the Cmdkey command-line utility (Cmdkey.exe) or the Stored User Names and Passwords program must be used to create stored credentials for accessing the Configuration Storage server before launching the registration process. After completing the registration process, the user should run Cmdkey or open Stored User Names and Passwords again to delete the credentials.
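The create, use, delete sequence with Cmdkey, as an added example that is not part of this document or of ISA Server: the server name, the account and the registration command are placeholders you supply, and Windows PowerShell 2.0 or later is assumed for try/finally.

```powershell
# Added example, not from the ISA Server documentation: keep the stored credential
# for the Configuration Storage server only for the duration of the registration
# step, then remove it as the text above requires.
param(
    [string]$CssServer = 'css01.example.local',            # placeholder: Configuration Storage server
    [string]$User      = 'css01.example.local\EntAdmin',   # placeholder: enterprise administrator account
    [Parameter(Mandatory=$true)][scriptblock]$Register     # the application filter registration command
)

# /pass with no value makes cmdkey prompt, so the password never appears in the command line or history.
cmdkey "/add:$CssServer" "/user:$User" /pass
if ($LASTEXITCODE -ne 0) { throw "cmdkey could not store a credential for $CssServer" }

try {
    # Confirm the entry exists before starting; cmdkey /list prints one Target: line per entry.
    if (-not (cmdkey /list | Select-String -SimpleMatch $CssServer)) {
        throw "No stored credential found for $CssServer"
    }
    & $Register
}
finally {
    # Remove the stored credential whether or not registration succeeded.
    cmdkey "/delete:$CssServer"
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "Could not delete the credential for $CssServer; remove it in Stored User Names and Passwords."
    }
}
```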

Additional Information

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page (https://www.microsoft.com).
