Chapter 7: Installing ISA Server 2004 on Windows Server 2003

In this ISA Server 2004 Configuration Guide document we will install the ISA Server 2004 software onto the Windows Server 2003 computer we installed and configured in Chapter 1. Installing ISA Server 2004 is straightforward as there are only a few decisions that need to be made during installation.

The most important configuration made during installation is the Internal network IP address range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to define trusted and untrusted networks. Instead, the ISA Server 2004 firewall asks for the IP addresses defining a network entity known as the Internal network. The internal network contains important network servers and services such as Active Directory domain controllers, DNS, WINS, RADIUS, DHCP, firewall management stations, and others. These are services the ISA Server 2004 firewall needs to communicate with immediately after installation is complete.

Communications between the Internal network and the ISA Server 2004 firewall are controlled by the firewall’s System Policy. The System Policy is a collection of predefined Access Rules that determine the type of traffic allowed inbound to and outbound from the firewall immediately after installation. The System Policy is configurable, which enables you to tighten or loosen the default System Policy Access Rules.

In this document we will discuss the following procedures:

  • Installing ISA Server 2004 on Windows Server 2003
  • Reviewing the Default System Policy

Installing ISA Server 2004

Installing ISA Server 2004 on Windows Server 2003 is relatively straightforward. The major decision you make during setup is what IP addresses should be part of the Internal network. The Internal network address configuration is important because the firewall’s System Policy uses the Internal network addresses to define a set of Access Rules.

Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:

  1. Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.
  2. On the Microsoft Internet Security and Acceleration Server 2004 page, click the link for Review Release Notes and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the Setup and Feature Guide window. Click the Install ISA Server 2004 link.
  3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
  4. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
  5. On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter Product Serial Number. Click Next.
  6. On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.
  7. On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed. The Message Screener, which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the Firewall Client Installation Share. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. Use the default settings and click Next.
  8. On the Internal Network page, click the Add button. The Internal network is different from the LAT, which was used in ISA Server 2000. In the case of ISA Server 2004, the Internal network contains the trusted network services the ISA Server 2004 firewall must be able to communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy automatically uses the Internal network. We will look at the System Policy later in this document.
  9. In the Internal Network setup page, click the Select Network Adapter button.
  10. In the Select Network Adapter dialog box, remove the check mark from the Add the following private ranges… check box. Leave the check mark in the Add address ranges based on the Windows Routing Table check box. Put a check mark in the check box next to the adapter connected to the Internal network. The reason why we remove the check mark from the add private address ranges check box is that you may want to use these private address ranges for perimeter networks. Click OK.
  11. Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table.
  12. Click OK on the Internal network address ranges dialog box.
  13. Click Next on the Internal Network page.
  14. On the Firewall Client Connection Settings page, place check marks in the Allow non-encrypted Firewall client connections and Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server check boxes. These settings allow you to connect to the ISA Server 2004 firewall from downlevel operating systems and from Windows 2000/Windows XP/Windows Server 2003 operating systems running the ISA Server 2000 version of the Firewall client. Click Next.
  15. On the Services page, click Next.
  16. Click Install on the Ready to Install the Program page.
  17. On the Installation Wizard Completed page, click Finish.
  18. Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.
  19. Log on as Administrator after the machine restarts.
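A model of what the Select Network Adapter dialog in step 10 does when it builds the Internal network from the Windows routing table, added here as an example (not Microsoft's code, and a simplification of the dialog's real logic). The routing table and its addresses are constructed, and the function names are assumed; the point it shows is why leaving the private-ranges check box cleared keeps the whole RFC 1918 space out of the trusted Internal network.

```python
import ipaddress

# Constructed sample routing table: (destination, netmask, interface address),
# modelled on the columns of a Windows 'route print' listing.
SAMPLE_ROUTES = [
    ("0.0.0.0",         "0.0.0.0",         "131.107.1.20"),  # default route via external NIC
    ("10.0.0.0",        "255.255.255.0",   "10.0.0.1"),      # internal NIC subnet
    ("10.0.0.1",        "255.255.255.255", "127.0.0.1"),     # host route for own address
    ("10.1.0.0",        "255.255.0.0",     "10.0.0.1"),      # static route behind an internal router
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1"),     # loopback
    ("131.107.1.0",     "255.255.255.0",   "131.107.1.20"),  # external NIC subnet
    ("224.0.0.0",       "240.0.0.0",       "10.0.0.1"),      # multicast
    ("255.255.255.255", "255.255.255.255", "10.0.0.1"),      # limited broadcast
]

# The three RFC 1918 blocks the "Add the following private ranges" check box adds.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def networks_for_adapter(routes, adapter_ip):
    """Subnets routed through the given adapter. The default, loopback,
    multicast and host (/32) entries describe no LAN hosts and are skipped
    (a simplification assumed by this model)."""
    nets = []
    for dest, mask, iface in routes:
        if iface != adapter_ip:
            continue
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        nets.append(net)
    return nets


def internal_ranges(routes, adapter_ip, add_private_ranges=False):
    """Collapsed (first address, last address) pairs for the Internal network,
    optionally widened by the whole RFC 1918 space."""
    nets = networks_for_adapter(routes, adapter_ip)
    if add_private_ranges:
        nets += PRIVATE_RANGES
    return [(str(n[0]), str(n[-1])) for n in ipaddress.collapse_addresses(nets)]
```

With the private ranges added, the 10.0.0.0/8 block swallows the two real subnets and every 172.16/12 and 192.168/16 host (for example a perimeter network) becomes part of the trusted Internal network.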

Viewing the System Policy

By default, ISA Server 2004 does not allow outbound access to the Internet from any protected network, and it does not allow Internet hosts access to the firewall or to any network protected by the firewall. However, a default firewall System Policy is installed that allows network management tasks to be completed.

Note

A protected network is any network defined by the ISA Server 2004 firewall that is not part of the default External network.

Perform the following steps to see the default firewall System Policy:

  1. Click Start and point to All Programs. Point to Microsoft ISA Server and click ISA Server Management.
  2. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server node in the scope pane (left pane) and click the Firewall Policy node. Right-click the Firewall Policy node, point to View and click Show System Policy Rules.
  3. Click the Show/Hide Console Tree button and then click the Open/Close Task Pane arrow (the little blue arrow on the left edge of the task pane on the right side of the console). Notice that the ISA Server 2004 Access Policy is an ordered list. Policies are processed from top to bottom, which is a significant departure from how ISA Server 2000 processed Access Policy. The System Policy is the default list of rules controlling access to and from the ISA Server 2004 firewall. Note that the System Policy Rules are ordered above any custom Access Policies you create, and therefore are processed before them. Scroll down the list of System Policy Rules. Notice that each rule is defined by:
    • Order number
    • Name
    • Action (Allow or Deny)
    • Protocols
    • From (source network or host)
    • To (destination network or host)
    • Condition (who or what the rule applies to)
    You may want to widen the Name column to get a quick view of the rule descriptions. Notice that not all the rules are enabled. Disabled System Policy Rules have a tiny down-pointing red arrow in their lower right corner. Many of the disabled System Policy Rules are enabled automatically when you make configuration changes to the ISA Server 2004 firewall, such as when you enable VPN access.
    Notice that one of the System Policy Rules allows the firewall to perform DNS queries to DNS servers on all networks.
  4. You can change the settings on a System Policy Rule by double-clicking the rule.
  5. Review the System Policy Rules and then hide the rules by clicking the Show/Hide System Policy Rules button in the console’s button bar. This is the pressed (pushed in) button seen in the following figure.

The following table includes a complete list of the default, built-in System Policy:

Table 1: System Policy Rules

Order | Name | Action | Protocols | From | To | Condition
1 | Allow access to directory services for authentication purposes | Allow | LDAP, LDAP(GC), LDAP(UDP), LDAPS, LDAPS(GC) | Local Host | Internal | All Users
2 | Allow Remote Management using MMC | Allow | Microsoft Firewall Control, RPC(all interfaces), NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Remote Management Computers | Local Host | All Users
3 | Allow Remote Management using Terminal Server | Allow | RDP(Terminal Services) | Remote Management Computers | Local Host | All Users
4 | Allow remote logging to trusted servers using NetBIOS | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Local Host | Internal | All Users
5 | Allow RADIUS authentication from ISA Server to trusted RADIUS servers | Allow | RADIUS, RADIUS Accounting | Local Host | Internal | All Users
6 | Allow Kerberos authentication from ISA Server to trusted servers | Allow | Kerberos-Sec(TCP), Kerberos-Sec(UDP) | Local Host | Internal | All Users
7 | Allow DNS from ISA Server to selected servers | Allow | DNS | Local Host | All Networks | All Users
8 | Allow DHCP requests from ISA Server to all networks | Allow | DHCP(request) | Local Host | Anywhere | All Users
9 | Allow DHCP replies from DHCP servers to ISA Server | Allow | DHCP(reply) | Anywhere | Local Host | All Users
10 | Allow ICMP (PING) requests from selected computers to ISA Server | Allow | Ping | Remote Management Computers | Local Host | All Users
11 | Allow ICMP requests from ISA Server to selected servers | Allow | ICMP Information Request, ICMP Timestamp, Ping | Local Host | All Networks | All Users
12 [1] | Allow VPN client traffic to ISA Server | Allow | PPTP | External | Local Host | All Users
13 [2] | Allow VPN site-to-site to ISA Server | Allow |  | External, IPSec Remote Gateways | Local Host | All Users
14 [2] | Allow VPN site-to-site from ISA Server | Allow |  | Local Host | External, IPSec Remote Gateways | All Users
15 | Allow Microsoft CIFS protocol from ISA Server to trusted servers | Allow | Microsoft CIFS(TCP), Microsoft CIFS(UDP) | Local Host | Internal | All Users
16 [7] | Allow Remote logging using Microsoft SQL protocol from firewall to trusted servers | Allow | Microsoft SQL(TCP), Microsoft SQL(UDP) | Local Host | Internal | All Users
17 | Allow HTTP/HTTPS requests from ISA Server to specified sites | Allow | HTTP, HTTPS | Local Host | System Policy Allowed Sites | All Users
18 [3] | Allow HTTP/HTTPS requests from ISA Server to selected servers for HTTP connectivity verifiers | Allow | HTTP, HTTPS | Local Host | All Networks | All Users
19 [8] | Allow access from trusted computers to the Firewall Client installation share on ISA Server | Allow | Microsoft CIFS(TCP), Microsoft CIFS(UDP), NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Internal | Local Host | All Users
20 [9] | Allow remote performance monitoring of ISA Server from trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Remote Management Computers | Local Host | All Users
21 | Allow NetBIOS from ISA Server to trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session | Local Host | Internal | All Users
22 | Allow RPC from ISA Server to trusted servers | Allow | RPC(all interfaces) | Local Host | Internal | All Users
23 | Allow HTTP/HTTPS from ISA Server to specified Microsoft Error Reporting sites | Allow | HTTP, HTTPS | Local Host | Microsoft Error Reporting sites | All Users
24 [4] | Allow SecurID protocol from ISA Server to trusted servers | Allow | SecurID | Local Host | Internal | All Users
25 [5] | Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent | Allow | Microsoft Operations Manager Agent | Local Host | Internal | All Users
26 [6] | Allow HTTP from ISA Server to all networks for CRL downloads | Allow | HTTP | Local Host | All Networks | All Users
27 | Allow NTP from ISA Server to trusted NTP servers | Allow | NTP(UDP) | Local Host | Internal | All Users
28 | Allow SMTP from ISA Server to trusted servers | Allow | SMTP | Local Host | Internal | All Users
29 | Allow HTTP from ISA Server to selected computers for Content Download Jobs | Allow | HTTP | Local Host | All Networks | System and Network Service

Notes to Table 1:

[1] This policy is disabled until the VPN Server component is activated.
[2] These two policies are disabled until a site-to-site VPN connection is configured.
[3] This policy is disabled until a connectivity verifier that uses HTTP/HTTPS is configured.
[4] This policy is disabled until the SecurID filter is enabled.
[5] This policy must be manually enabled.
[6] This policy is disabled by default.
[7] This policy is disabled by default.
[8] This policy is automatically enabled when the Firewall Client share is installed.
[9] This policy is disabled by default.
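A small model of how the ordered Access Policy in Table 1 is evaluated, added as an example (not Microsoft's code and not the ISA engine itself): System Policy Rules are walked top to bottom before any custom Access Rule, a disabled rule is skipped, and nothing matching falls through to the default deny. Only four rules from Table 1 are encoded, network matching is reduced to name comparison with "All Networks" and "Anywhere" treated as wildcards, and the Rule class and function names are assumptions of this model.

```python
from dataclasses import dataclass

# Networks that this model treats as matching any source or destination
# (an assumption of the model, not a description of the ISA engine).
WILDCARD_NETWORKS = {"All Networks", "Anywhere"}

@dataclass
class Rule:
    order: int
    name: str
    protocols: set
    src: set            # From column of Table 1
    dst: set            # To column of Table 1
    enabled: bool = True
    action: str = "Allow"

    def matches(self, proto, src, dst):
        return (proto in self.protocols
                and (src in self.src or bool(self.src & WILDCARD_NETWORKS))
                and (dst in self.dst or bool(self.dst & WILDCARD_NETWORKS)))

# Subset of the default System Policy from Table 1; rule 12 ships disabled
# until the VPN Server component is activated (note 1).
SYSTEM_POLICY = [
    Rule(1, "Allow access to directory services for authentication purposes",
         {"LDAP", "LDAP(GC)", "LDAP(UDP)", "LDAPS", "LDAPS(GC)"}, {"Local Host"}, {"Internal"}),
    Rule(3, "Allow Remote Management using Terminal Server",
         {"RDP(Terminal Services)"}, {"Remote Management Computers"}, {"Local Host"}),
    Rule(7, "Allow DNS from ISA Server to selected servers",
         {"DNS"}, {"Local Host"}, {"All Networks"}),
    Rule(12, "Allow VPN client traffic to ISA Server",
         {"PPTP"}, {"External"}, {"Local Host"}, enabled=False),
]

def with_rule_enabled(policy, order):
    """Copy of the policy with the rule of the given order number enabled,
    as happens automatically when the matching feature is configured."""
    return [Rule(r.order, r.name, r.protocols, r.src, r.dst, True, r.action)
            if r.order == order else r for r in policy]

def evaluate(proto, src, dst, system_policy=SYSTEM_POLICY, access_rules=()):
    """First-match walk: System Policy rules first, then custom Access Rules,
    each in order; disabled rules are skipped. No match means the default deny."""
    for rule in list(system_policy) + list(access_rules):
        if rule.enabled and rule.matches(proto, src, dst):
            return rule.action, rule.name
    return "Deny", "no matching rule (default deny)"
```

Because the System Policy sits above custom rules, a later Access Rule denying LDAP from Local Host to Internal never gets a chance to match; tightening that traffic means editing System Policy rule 1 itself, as step 4 above describes.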

At this point, the ISA Server 2004 firewall is ready to be configured to allow inbound and outbound access through the firewall. However, before you start creating Access Policies, you should back up the default configuration. This allows you to restore the ISA Server 2004 firewall to its post-installation state. This is useful for future troubleshooting and testing.

Backing Up the Post-Installation Configuration

Perform the following steps to back up the post installation configuration:

  1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and right-click the server name in the left pane of the console. Click the Back Up command.
  2. In the Backup Configuration dialog box, enter a name for the backup file in the File name text box. Be sure to note where you are saving the file by checking the entry in the Save in drop-down list. In this example we will call the backup file backup1. Click the Backup button.
  3. In the Set Password dialog box, enter a password and confirm the password in the Password and Confirm password text boxes. The information in the backup file is encrypted because it can potentially contain passwords and other confidential information that you do not want others to access. Click OK.
  4. Click OK in the Exporting dialog box when you see the "The configuration was successfully backed up" message.

Make sure to copy the backup file to another location on the network after the backup is complete. The backup file should be stored offline on media that supports NTFS formatting so that you can encrypt the file.

Conclusion

In this ISA Server 2004 Configuration Guide document we discussed the procedures required to install the ISA Server 2004 software on a Windows Server 2003 computer. We also examined the firewall System Policy that is created during installation. Finally, we finished up with step by step procedures required to back up the post-installation firewall configuration. In the next document in this ISA Server 2004 Configuration Guide series, we will enable the VPN remote access server.