Chapter 1: How to Use the Guide

This chapter of the ISA Server 2004 Configuration Guide will:

  • Help you learn about ISA Server 2004 features
  • Provide advice on how to use the Guide to configure the ISA Server 2004 firewall
  • Describe the details of the ISA Server 2004 Configuration Guide Lab Configuration

Learn about ISA Server 2004 features

ISA Server 2004 is designed to protect your network from intruders located on the inside of your network and those outside of your network. The ISA Server 2004 firewall does this by controlling what communications can pass through the firewall. The basic concept is simple: if the firewall has a rule that allows the communication through the firewall, then it is passed through. If there is no rule that allows the communication, or if there is a rule that explicitly denies the connection, then the communication is stopped by the firewall.

The ISA Server 2004 firewall contains dozens of features you can use to provide secure access to the Internet and secure access to resources on your network from machines located on the Internet. While this Guide can’t provide comprehensive step-by-step instructions for every feature included with ISA Server 2004, we have provided a number of step-by-step walkthroughs that will allow you to learn how the most common, and most popular, features of ISA Server 2004 work.

Firewalls do not work in a vacuum. A number of networking services are required to assist the firewall in protecting your network. This guide provides you with detailed information on how to install and configure these services. It’s critical that the network is set up properly before you install and configure the firewall. Proper network service support will help you avoid the most common problems seen in ISA Server 2004 firewall deployments.

This guide will walk you through setup and configuration of the following network services and ISA Server 2004 firewall features:

  • Install and configure Microsoft Certificate Services
  • Install and configure Microsoft Internet Authentication Services (RADIUS)
  • Install and configure the Microsoft DHCP and WINS Services
  • Configure WPAD entries in DNS to support autodiscovery and autoconfiguration of Web Proxy and Firewall clients
  • Install the Microsoft DNS server on a perimeter network server
  • Install the ISA Server 2004 firewall software
  • Back up and restore the ISA Server 2004 firewall configuration
  • Use ISA Server 2004 Network Templates to configure the firewall
  • Configure ISA Server 2004 clients
  • Create Access Policy on the ISA Server 2004 firewall
  • Publish a Web Server on a Perimeter network
  • Use the ISA Server 2004 firewall as a spam filtering SMTP relay
  • Publish Microsoft Exchange Server services
  • Make the ISA Server 2004 firewall into a VPN server
  • Create a site to site VPN connection between two networks

Practice configuring the ISA Server 2004 firewall

The firewall is your first line of defense against Internet attackers. A misconfigured firewall can potentially allow Internet attackers access to your network. For this reason, it’s very important that you understand how to configure the firewall for secure Internet access.

By default, the ISA Server 2004 firewall prevents all traffic from moving through it. This is a secure configuration because the firewall must be explicitly configured to allow network traffic through it. However, this level of security can be frustrating when you want to get connected to the Internet as quickly as possible.

We strongly encourage you to create a test lab and perform each of the walkthroughs in this guide. You will learn how to configure the ISA Server 2004 firewall correctly and become familiar with the ISA Server 2004’s configuration interface. You can make mistakes in the practice lab and not worry about attackers taking control of machines on your network. On the lab network, you’ll be able to learn from your mistakes instead of suffering from them.

The ISA Server 2004 Configuration Guide Lab Configuration

We will use a lab network configuration to demonstrate the capabilities and features of ISA Server 2004 in this ISA Server 2004 Configuration Guide. We recommend that you set up a test lab with a similar configuration. If you do not have the resources to create a physical test lab, you can use operating system virtualization software to create the test lab. We recommend that you use the Microsoft Virtual PC software to create your test lab. You can find more information about Virtual PC at https://www.microsoft.com/windowsxp/virtualpc/.

In this section, we will review the following:

  • The ISA Server 2004 Configuration Guide network
  • Installing Windows Server 2003 on the domain controller machine and then promoting the machine to a domain controller
  • Installing Exchange Server 2003 on the domain controller and configuring the Outlook Web Access site to use Basic authentication

ISA Server 2004 Configuration Guide Network Diagram

The following figure depicts the lab network. There are seven computers on the lab network. However, none of the scenarios we will work with in this ISA Server 2004 Configuration Guide requires all the machines to be running at the same time. This will make it easier for you to use operating system virtualization software to run your lab network.

The network has a local network and a remote network. There is an ISA Server 2004 firewall at the edge of the local and remote networks. All the machines on the local network are members of the msfirewall.org domain, including the ISA Server 2004 firewall machine. No other machines on the lab network are members of the domain.

On our lab network, the external interfaces of the ISA Server 2004 firewalls connect to the production network, which allows them access to the Internet. You should create a similar configuration so that you can test actual Internet connectivity for the clients behind the ISA Server 2004 firewalls.

If you are using operating system virtualization software, then you should note that there are three virtual networks in this lab setup. The Internal network (which contains the domain controller) is on a virtual network, the TRIHOMELAN1 machine on a perimeter network is on another virtual network, and the REMOTECLIENT machine is on a third virtual network. Make sure you separate these virtual networks by placing the machines on different virtual switches to prevent Ethernet broadcast traffic from causing unusual results.

[Figure: ISA Server 2004 Configuration Guide lab network diagram]

Table 1: Details of the Lab Network Configuration

EXCHANGE2003BE
  • IP Address: 10.0.0.2
  • Default Gateway: 10.0.0.1
  • DNS: 10.0.0.2
  • WINS: 10.0.0.2
  • OS: Windows Server 2003
  • Services: DC, DNS, WINS, DHCP, RADIUS, Enterprise CA, IIS (WWW, SMTP, NNTP, FTP)

EXTCLIENT
  • IP Address: 10.0.0.3
  • Default Gateway: 10.0.0.1
  • DNS: 10.0.0.2
  • WINS: 10.0.0.2
  • OS: Windows 2000
  • Services: none listed

LOCALVPNISA
  • IP Address: Int: 10.0.0.1; Ext: 192.168.1.70
  • Default Gateway: 192.168.1.60
  • DNS: 10.0.0.2
  • WINS: 10.0.0.2
  • OS: Windows Server 2003
  • Services: ISA Server 2004

REMOTEVPN
  • IP Address: Int: 10.0.1.1; Ext: 192.168.1.71
  • Default Gateway: 192.168.1.60
  • DNS: NONE
  • WINS: NONE
  • OS: Windows Server 2003
  • Services: ISA Server 2004

REMOTECLIENT
  • IP Address: 10.0.1.2
  • Default Gateway: 10.0.1.1
  • DNS: NONE
  • WINS: none listed
  • OS: Windows 2000
  • Services: IIS (WWW, SMTP, NNTP, FTP)

TRIHOMELAN1
  • IP Address: 172.16.0.2
  • Default Gateway: 10.0.0.1
  • DNS: 10.0.0.2
  • WINS: 10.0.0.2
  • OS: Windows Server 2003
  • Services: DC, DNS, WINS, DHCP, RADIUS, Enterprise CA, IIS (WWW, SMTP, NNTP, FTP)

CLIENT
  • IP Address: 10.0.0.3
  • Default Gateway: 10.0.0.1
  • DNS: 10.0.0.2
  • WINS: 10.0.0.2
  • OS: Windows 2000
  • Services: none listed

Installing and Configuring the Internal Network Domain Controller

After the ISA Server 2004 firewall computer itself, the most influential machine used in the scenarios discussed in the ISA Server 2004 Configuration Guide is the domain controller. The domain controller computer will also be used to support a number of network services that are used in the variety of ISA Server 2004 scenarios discussed in this guide. For this reason, we will walk through the installation and configuration of the domain controller together.

You will perform the following steps to install and configure the Windows Server 2003 domain controller:

  • Install Windows Server 2003
  • Install and Configure DNS
  • Promote the machine to a domain controller

The machine will be a functioning domain controller by the time you have completed these steps and will be ready for you to install Microsoft Exchange Server 2003.

Installing Windows Server 2003

Perform the following steps on the machine that acts as your domain controller computer:

  1. Insert the CD into the CD-ROM tray and restart the computer. Allow the machine to boot from the CD.
  2. Windows setup begins loading files required for installation. Press ENTER when you see the Welcome to Setup screen.
  3. Read the Windows Licensing Agreement by pressing the PAGE DOWN key on the keyboard. Then press F8 on the keyboard.
  4. On the Windows Server 2003, Standard Edition Setup screen you will create a partition for the operating system. In the lab, the entire disk can be formatted as a single partition. Press ENTER.
  5. On the Windows Server 2003, Standard Edition Setup screen, select the Format the partition using the NTFS file system option by using the up and down arrows on the keyboard. Then press ENTER.
  6. Windows Setup formats the hard disk. This can take quite some time if the disk is large. Setup will copy files to the hard disk after formatting is complete.
  7. The machine will automatically restart itself after the file copy process is complete.
  8. The machine will restart in graphic interface mode. Click Next on the Regional and Language Options page.
  9. On the Personalize Your Software page, enter your Name and Organization and click Next.
  10. On the Your Product Key page, enter your 25-digit Product Key and click Next.
  11. On the Licensing Modes page, select the option that applies to the version of Windows Server 2003 you have. If you have per server licensing, enter the value for the number of connections you have licensed. Click Next.
  12. On the Computer Name and Administrator Password page, enter the name of the computer in the Computer Name text box. In the walkthroughs in this Guide, the domain controller/Exchange Server machine is named EXCHANGE2003BE, so we will enter that into the text box. Enter an Administrator password and Confirm password in the text boxes. Be sure to write down this password so that you will remember it later. Click Next.
  13. On the Date and Time Settings page, set the correct date, time and time zone. Click Next.
  14. On the Networking Settings page, select the Custom settings option.
  15. On the Network Components page, select the Internet Protocol (TCP/IP) entry in the Components checked are used by this connection list and click Properties.
  16. On the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option. In the IP address text box, enter 10.0.0.2. In the Subnet mask text box enter 255.255.255.0. In the Default gateway text box enter 10.0.0.1. In the Preferred DNS server text box, enter 10.0.0.2.
  17. Click the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box. In the Advanced TCP/IP Settings dialog box, click the WINS tab. On the WINS tab, click the Add button. In the TCP/IP WINS Server dialog box, enter 10.0.0.2 and click Add.
  18. Click OK in the Advanced TCP/IP Settings dialog box.
  19. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
  20. Click Next on the Networking Components page.
  21. Accept the default selection on the Workgroup or Computer Domain page. We will later make this machine a domain controller and the machine will be a member of the domain we create at that time. Click Next.
  22. Installation continues and when it finishes, the computer will restart automatically.
  23. Log on to the Windows Server 2003 using the password you created for the Administrator account.
  24. On the Manage Your Server page, put a check mark in the Don’t display this page at logon check box and close the window.
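The following is an added example, not part of the ISA Server 2004 Configuration Guide, that performs steps 16 and 17 from the command line instead of the Setup dialog boxes. It is useful when you rebuild the lab machine repeatedly, and it ends with a check that the addressing matches the EXCHANGE2003BE column of Table 1. It assumes Windows PowerShell is installed on the Windows Server 2003 machine (it is not included with the operating system) and that the network adapter is named Local Area Connection (the default name, assumed here).

```powershell
# Added example: scripted equivalent of steps 16 and 17 for the EXCHANGE2003BE
# machine, using the netsh syntax shipped with Windows Server 2003.
# Assumptions: Windows PowerShell is installed; the adapter is named
# "Local Area Connection" (run "netsh interface show interface" to confirm).
$adapter = "Local Area Connection"

# Step 16: static IP address, subnet mask and default gateway from Table 1.
netsh interface ip set address "name=$adapter" source=static addr=10.0.0.2 mask=255.255.255.0 gateway=10.0.0.1 gwmetric=1

# Step 16: the preferred DNS server is this machine, which will host the
# msfirewall.org zone once the DNS server is installed.
netsh interface ip set dns "name=$adapter" source=static addr=10.0.0.2

# Step 17: the WINS server is also this machine.
netsh interface ip set wins "name=$adapter" source=static addr=10.0.0.2

# Check: the effective configuration must show 10.0.0.2 / 255.255.255.0,
# gateway 10.0.0.1, DNS 10.0.0.2 and WINS 10.0.0.2 before you install DNS
# and promote the machine; a wrong DNS entry here is the usual cause of
# dcpromo reporting DNS registration problems later.
netsh interface ip show config "name=$adapter"
```

Running the three set commands on a machine that already has a duplicate of one of these addresses on the lab switch produces an IP address conflict warning in the System event log; that is worth checking before going on, because a duplicated 10.0.0.2 makes every later DNS and WINS step behave unpredictably.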

Install and Configure DNS

The next step is to install the Domain Name System (DNS) server on the machine that will be the domain controller. This is required because Active Directory requires a DNS server into which it registers domain-related DNS records. We will install the DNS server and then create the zone for the domain into which we will promote the machine.

Perform the following steps to install the DNS server on the domain controller machine:

  1. Click Start and point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
  3. In the Windows Components dialog box, scroll through the list of Components and click the Networking Services entry. Click Details.
  4. Place a check mark in the Domain Name System (DNS) check box and click OK.
  5. Click Next in the Windows Components page.
  6. Click Finish on the Completing the Windows Components Wizard page.
  7. Close the Add or Remove Programs window.

Now that the DNS server is installed, we can add forward and reverse lookup zones to support our network configuration. Perform the following steps to configure the DNS server:

  1. Click Start and then click Administrative Tools. Click DNS.
  2. In the DNS console, expand the server name and then click the Reverse Lookup Zones node. Right-click the Reverse Lookup Zones and click New Zone.
  3. Click Next on the Welcome to the New Zone Wizard page.
  4. On the Zone Type page, select the Primary zone option and click Next.
  5. On the Reverse Lookup Zone Name page, select the Network ID option and then enter 10.0.0 in the text box below it. Click Next.
  6. Accept the default selection on the Zone File page, and click Next.
  7. On the Dynamic Update page, select the Allow both nonsecure and secure dynamic updates option. Click Next.
  8. Click Finish on the Completing the New Zone Wizard page.

Now we can create the forward lookup zone for the domain that this machine will be promoted into. Perform the following steps to create the forward lookup zone:

  1. Right-click the Forward Lookup Zone entry in the left pane of the console and click New Zone.
  2. Click Next on the Welcome to the New Zone Wizard page.
  3. On the Zone Type page, select the Primary zone option and click Next.
  4. On the Zone Name page, enter the name of the forward lookup zone in the Zone name text box. In this example, the name of the zone is msfirewall.org. We will enter msfirewall.org into the text box. Click Next.
  5. Accept the default settings on the Zone File page and click Next.
  6. On the Dynamic Update page, select the Allow both nonsecure and secure dynamic updates option. Click Next.
  7. Click Finish on the Completing the New Zone Wizard page.
  8. Expand the Forward Lookup Zones node and click the msfirewall.org zone. Right-click the msfirewall.org and click New Host (A).
  9. In the New Host dialog box, enter the value EXCHANGE2003BE in the Name (uses parent domain name if blank) text box. In the IP address text box, enter the value 10.0.0.2. Place a check mark in the Create associated pointer (PTR) record check box. Click Add Host. Click OK in the DNS dialog box informing you that the record was created. Click Done in the New Host dialog box.
  10. Right-click the msfirewall.org forward lookup zone and click Properties. Click the Name Servers tab. On the Name Servers tab, click the exchange2003be entry and click Edit.
  11. In the Server fully qualified domain name (FQDN) text box, enter the fully qualified domain name of the domain controller computer, exchange2003be.msfirewall.org. Click Resolve. The IP address of the machine appears in the IP address list. Click OK.
  12. Click Apply and then click OK on the msfirewall.org Properties dialog box.
  13. Right-click the server name in the left pane of the console and point to All Tasks. Click Restart.
  14. Close the DNS console.
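The following is an added example, not part of the ISA Server 2004 Configuration Guide, that carries out the DNS installation and the reverse and forward zone procedures above from the command line on EXCHANGE2003BE, using the same zone names, zone file names, dynamic update setting and records the wizard pages produce, and then checks that forward and reverse lookups answer. It assumes Windows PowerShell is installed and that dnscmd.exe from the Windows Server 2003 Support Tools is installed; both are assumptions, neither ships with the base operating system.

```powershell
# Added example (not from the Guide): command-line equivalent of installing the
# DNS server and creating the zones and records described above on EXCHANGE2003BE.
# Assumptions: Windows PowerShell is installed; dnscmd.exe from the Windows
# Server 2003 Support Tools is installed; the machine already has the static
# address 10.0.0.2 from Table 1.

# 1. Install the DNS server component (Add/Remove Windows Components, steps 1-7).
#    sysocmgr reads a components answer file; the Windows Server 2003 CD (or
#    its i386 folder) must be reachable, as in the wizard.
$answer = Join-Path $env:TEMP "dns-component.txt"
"[NetOptionalComponents]`r`nDNS=1" | Set-Content -Path $answer -Encoding ASCII
sysocmgr "/i:$env:windir\inf\sysoc.inf" "/u:$answer" /q
Remove-Item $answer

# 2. Reverse lookup zone for network ID 10.0.0 (reverse zone steps 2-8).
#    "/AllowUpdate 1" is the "Allow both nonsecure and secure dynamic updates"
#    setting; 2 would be secure only and 0 none.
dnscmd /ZoneAdd 0.0.10.in-addr.arpa /Primary /file 0.0.10.in-addr.arpa.dns
dnscmd /Config 0.0.10.in-addr.arpa /AllowUpdate 1

# 3. Forward lookup zone for the domain (forward zone steps 1-7).
dnscmd /ZoneAdd msfirewall.org /Primary /file msfirewall.org.dns
dnscmd /Config msfirewall.org /AllowUpdate 1

# 4. Host (A) record for the domain controller and its PTR record (step 9).
dnscmd /RecordAdd msfirewall.org EXCHANGE2003BE A 10.0.0.2
dnscmd /RecordAdd 0.0.10.in-addr.arpa 2 PTR exchange2003be.msfirewall.org.

# 5. Name server (NS) record for the zone, pointing at this machine's FQDN
#    (steps 10-12). "@" is the zone root.
dnscmd /RecordAdd msfirewall.org "@" NS exchange2003be.msfirewall.org.

# 6. Restart the DNS server (step 13).
Restart-Service DNS

# 7. Checks: both lookups must answer from 10.0.0.2 before dcpromo is run;
#    if either fails, the Active Directory Installation Wizard will report
#    DNS registration problems on its diagnostics page.
nslookup exchange2003be.msfirewall.org 10.0.0.2
nslookup 10.0.0.2 10.0.0.2
dnscmd /EnumRecords msfirewall.org "@"
```

Allowing nonsecure dynamic updates, as the wizard pages above do, means any host on the 10.0.0.0/24 network can register or overwrite records in these zones; that is acceptable on an isolated lab switch, which is one more reason to keep the lab's virtual networks separated as described earlier in this chapter.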

The machine is now ready to be promoted to a domain controller in the msfirewall.org domain. Perform the following steps to promote the machine to a domain controller:

  1. Click Start and click the Run command.
  2. In the Run dialog box, enter dcpromo in the Open text box and click OK.
  3. Click Next on the Welcome to the Active Directory Installation Wizard page.
  4. Click Next on the Operating System Compatibility page.
  5. On the Domain Controller Type page, select the Domain controller for a new domain option and click Next.
  6. On the Create New Domain page, select the Domain in a new forest option and click Next.
  7. On the New Domain Name page, enter the name of the domain in the Full DNS name for new domain text box. Enter msfirewall.org in the text box and click Next.
  8. On the NetBIOS Domain Name page, accept the default NetBIOS name for the domain, which is in this example MSFIREWALL. Click Next.
  9. Accept the default settings on the Database and Log Folders page and click Next.
  10. On the Shared System Volume page, accept the default location and click Next.
  11. On the DNS Registration Diagnostics page, select the I will correct the problem later by configuring DNS manually (Advanced) option. Click Next.
  12. On the Permissions page, select the Permissions compatible only with Windows 2000 or Windows Server 2003 operating system option. Click Next.
  13. On the Directory Services Restore Mode Administrator Password page, enter a Restore Mode Password and then Confirm password. Click Next.
  14. On the Summary page, click Next.
  15. The machine now starts to configure itself as a domain controller.
  16. Click Finish on the Completing the Active Directory Installation Wizard page.
  17. Click Restart Now on the Active Directory Installation Wizard page.
  18. Log on as Administrator after the machine restarts.
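The following is an added example, not part of the ISA Server 2004 Configuration Guide, showing the same promotion done unattended with a dcpromo answer file. Each answer-file key is mapped to the wizard step it replaces, so the block doubles as a record of the choices made above. It assumes Windows PowerShell is installed on the Windows Server 2003 machine; the Directory Services Restore Mode password is a placeholder you must replace.

```powershell
# Added example (not from the Guide): unattended equivalent of the Active
# Directory Installation Wizard steps above, using the [DCInstall] answer-file
# keys accepted by Windows Server 2003 dcpromo. Assumption: Windows PowerShell
# is installed. The restore-mode password is a placeholder; replace it.
$restorePassword = "REPLACE-WITH-RESTORE-MODE-PASSWORD"   # step 13 (placeholder)

$answer = Join-Path $env:TEMP "dcpromo-msfirewall.txt"
@"
[DCInstall]
ReplicaOrNewDomain=Domain
TreeOrChild=Tree
CreateOrJoin=Create
NewDomainDNSName=msfirewall.org
DomainNetBiosName=MSFIREWALL
DatabasePath=$env:windir\NTDS
LogPath=$env:windir\NTDS
SYSVOLPath=$env:windir\SYSVOL
AutoConfigDNS=No
AllowAnonymousAccess=No
SafeModeAdminPassword=$restorePassword
RebootOnSuccess=No
"@ | Set-Content -Path $answer -Encoding ASCII
# Key-to-step mapping:
#   ReplicaOrNewDomain/TreeOrChild/CreateOrJoin  steps 5-6: new domain in a new forest
#   NewDomainDNSName / DomainNetBiosName         steps 7-8: msfirewall.org / MSFIREWALL
#   DatabasePath / LogPath / SYSVOLPath          steps 9-10: wizard defaults
#   AutoConfigDNS=No                             step 11: DNS was configured by hand
#   AllowAnonymousAccess=No                      step 12: Windows 2000 / 2003 only permissions
#   SafeModeAdminPassword                        step 13: restore mode password

# Run the wizard unattended (steps 14-16).
dcpromo /answer:$answer

# The answer file holds the restore-mode password in clear text, so it is
# removed before the restart rather than left behind by RebootOnSuccess=Yes.
Remove-Item $answer

# Step 17: restart so the machine comes up as a domain controller.
shutdown /r /t 0
```

After the restart and logon (step 18), nltest /dsgetdc:msfirewall.org from the Support Tools should return EXCHANGE2003BE as the domain controller; if it does not, the DNS checks from the previous procedure are the first thing to repeat.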

Installing and Configuring Microsoft Exchange on the Domain Controller

The machine is ready for installing Microsoft Exchange. In this section we will perform the following steps:

  • Install the IIS World Wide Web, SMTP and NNTP services
  • Install Microsoft Exchange Server 2003
  • Configure the Outlook Web Access Web Site

Perform the following steps to install the World Wide Web, SMTP and NNTP services:

  1. Click Start and point to Control Panel. Click Add or Remove Programs.
  2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
  3. On the Windows Components page, select the Application Server entry in the Components page. Click the Details button.
  4. In the Application Server dialog box, put a check mark in the ASP.NET check box. Select the Internet Information Services (IIS) entry and click Details.
  5. In the Internet Information Services (IIS) dialog box, put a check mark in the NNTP Service check box. Put a check mark in the SMTP Service check box. Click OK.
  6. Click OK in the Application Server dialog box.
  7. Click Next on the Windows Components page.
  8. Click OK in the Insert Disk dialog box.
  9. In the Files Needed dialog box, enter the path to the i386 folder for the Windows Server 2003 CD in the Copy file from text box. Click OK.
  10. Click Finish on the Completing the Windows Components Wizard page.
  11. Close the Add or Remove Programs window.
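The following is an added example, not part of the ISA Server 2004 Configuration Guide, that installs the same IIS components and ASP.NET unattended and then confirms the three services Exchange setup depends on are present and running. It assumes Windows PowerShell is installed on the machine and that the Windows Server 2003 CD is inserted, as in steps 8 and 9; the component identifiers are those listed in the system's sysoc.inf.

```powershell
# Added example (not from the Guide): unattended equivalent of steps 1-11,
# adding ASP.NET and the IIS World Wide Web, SMTP and NNTP services.
# Assumptions: Windows PowerShell is installed; the Windows Server 2003 CD is
# in the drive so sysocmgr can copy files (steps 8-9).
$answer = Join-Path $env:TEMP "iis-components.txt"
@"
[Components]
iis_common=on
iis_inetmgr=on
iis_www=on
iis_smtp=on
iis_nntp=on
aspnet=on
"@ | Set-Content -Path $answer -Encoding ASCII
sysocmgr "/i:$env:windir\inf\sysoc.inf" "/u:$answer" /q
Remove-Item $answer

# Check: W3SVC (World Wide Web), SMTPSVC and NntpSvc must all exist and be
# Running before the Exchange Server 2003 setup is started.
Get-Service W3SVC, SMTPSVC, NntpSvc | Format-Table Name, Status, DisplayName -AutoSize
```

Note that FTP (iis_ftp) is deliberately not in the list: the procedure above installs only WWW, SMTP and NNTP, and every additional listening service on the domain controller is one more surface the firewall later has to account for.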

Perform the following steps to install Microsoft Exchange:

  1. Insert the Exchange Server 2003 CD into the machine. On the initial autorun page, click the Exchange Deployment Tools link under the Deployment heading.
  2. On the Welcome to the Exchange Server Deployment Tools page, click the Deploy the first Exchange 2003 server link.
  3. On the Deploy the First Exchange 2003 Server page, click the New Exchange 2003 Installation link.
  4. On the New Exchange 2003 Installation page, scroll down to the bottom of the page. Under step 8, click the Run Setup now link.
  5. On the Welcome to the Microsoft Exchange Installation Wizard page, click Next.
  6. On the License Agreement page, select the I agree option and click Next.
  7. Accept the default settings on the Component Selection page and click Next.
  8. Select the Create a New Exchange Organization option on the Installation Type page and click Next.
  9. Accept the default name in the Organization Name text box on the Organization Name page, and click Next.
  10. On the Licensing Agreement page, select the I agree that I have read and will be bound by the license agreement for this product and click Next.
  11. On the Installation Summary page, click Next.
  12. In the Microsoft Exchange Installation Wizard dialog box, click OK.
  13. Click Finish on the Completing the Microsoft Exchange Wizard page when installation is complete.
  14. Close all open windows.

The Exchange Server is now installed and you can create user mailboxes at this point. The next step is to configure the Outlook Web Access site to use Basic authentication only. This is a critical configuration option when you want to enable remote access to the OWA site. Later, we will request a Web site certificate for the OWA site and publish the site using a Web Publishing Rule, which will allow remote users to access the OWA site.

Perform the following steps to configure the OWA site to use Basic authentication only:

  1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
  2. In the Internet Information Services (IIS) Manager console, expand the server name and then expand the Web Sites node. Expand the Default Web Site node.
  3. Click the Public node and then right-click it. Click Properties.
  4. In the Public Properties dialog box, click the Directory Security tab.
  5. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
  6. In the Authentication Methods dialog box, remove the check mark from the Integrated Windows authentication check box. Click OK.
  7. Click Apply and then click OK.
  8. Click the Exchange node in the left pane of the console and right-click it. Click Properties.
  9. On the Exchange Properties dialog box, click the Directory Security tab.
  10. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
  11. In the Authentication Methods dialog box, remove the check mark from the Integrated Windows authentication check box. Click OK.
  12. Click Apply and then click OK in the Exchange Properties dialog box.
  13. Click the ExchWeb node in the left pane of the console, and then right-click it. Click Properties.
  14. In the ExchWeb Properties dialog box, click the Directory Security tab.
  15. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
  16. In the Authentication Methods dialog box, remove the check mark from the Enable anonymous access check box. Place a check mark in the Basic authentication (password is sent in clear text) check box. Click Yes in the IIS Manager dialog box informing you that the password is sent in the clear. In the Default domain text box, enter the name of the Internal network domain, which is MSFIREWALL. Click OK.
  17. Click Apply in the ExchWeb Properties dialog box. Click OK in the Inheritance Overrides dialog box. Click OK in the ExchWeb Properties dialog box.
  18. Right-click the Default Web Site and click Stop. Right-click the Default Web Site again and click Start.
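The following is an added example, not part of the ISA Server 2004 Configuration Guide, that makes the same OWA authentication changes as steps 1-18 through the IIS 6 metabase using the ADSI provider, so the configuration is repeatable and can be read back and audited after Exchange or IIS maintenance. It assumes Windows PowerShell is installed on EXCHANGE2003BE and that the Default Web Site is site number 1 (the default identifier, assumed here).

```powershell
# Added example (not from the Guide): the OWA authentication settings from
# steps 1-18, applied through the IIS 6 metabase with the ADSI provider.
# Assumptions: Windows PowerShell is installed on EXCHANGE2003BE; the Default
# Web Site is W3SVC/1 (the default site identifier).
$root = "IIS://localhost/W3SVC/1/Root"

# Steps 3-12: Public and Exchange lose Integrated Windows authentication
# (metabase property AuthNTLM) and keep whatever else is already set.
foreach ($name in "Public", "Exchange") {
    $vdir = [ADSI]"$root/$name"
    $vdir.Put("AuthNTLM", $false)
    $vdir.SetInfo()
}

# Steps 13-17: ExchWeb switches from anonymous access to Basic authentication
# with the Internal network domain as the default logon domain. Child nodes
# that carry their own explicit settings are not touched by this call; the
# Inheritance Overrides dialog box in step 17 is where the console offers to
# push the change down to them.
$exchweb = [ADSI]"$root/ExchWeb"
$exchweb.Put("AuthAnonymous", $false)
$exchweb.Put("AuthBasic", $true)
$exchweb.Put("DefaultLogonDomain", "MSFIREWALL")
$exchweb.SetInfo()

# Step 18: stop and start the Default Web Site so the new settings take effect.
$site = [ADSI]"IIS://localhost/W3SVC/1"
$site.Invoke("Stop")
$site.Invoke("Start")

# Check: read back the authentication switches for each directory. For this
# procedure, Integrated must be False on all three and Anonymous must be
# False on ExchWeb; anything else means a step was skipped or overridden.
foreach ($name in "Public", "Exchange", "ExchWeb") {
    $vdir = [ADSI]"$root/$name"
    "{0,-8} Anonymous={1} Basic={2} Integrated={3} DefaultDomain={4}" -f $name, $vdir.AuthAnonymous, $vdir.AuthBasic, $vdir.AuthNTLM, $vdir.DefaultLogonDomain
}
```

Basic authentication only encodes the credentials, it does not protect them, which is why the site must only be reached over SSL once it is exposed: the Web site certificate and the Web Publishing Rule mentioned above are what provide that protection, and the read-back loop here is a convenient way to confirm the authentication settings have not drifted before the site is published.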

Conclusion

In this ISA Server 2004 Configuration Guide document we discussed the goals of this guide and suggested methods you can use to get the most out of it. The remainder of this chapter provided detailed step-by-step instructions on how to install and configure the domain controller computer on the internal network. In the next chapter of this guide, we will go over the procedures required to install Microsoft Certificate Services on the ISA Server 2004 firewall machine.