Build and Deploy the ISA Configuration Storage Server, ISACS01


To prepare ISACS01, you first install Microsoft Windows Server 2003 R2 and join it to the Fabrikam domain. You then make ISACS01 a stand-alone root certification authority (CA), which creates the self-signed root certificate, and issue and install a server certificate for ISACS01. These certificates are used to authenticate a workgroup computer running ISA Server services when it communicates with a Configuration Storage server.

Tasks

  1. Prepare the Configuration Storage Server, ISACS01
  2. Join the Fabrikam Domain
  3. Set Up the Certification Authority on ISACS01
  4. Create and Install a Server Certificate on ISACS01
  5. Export the ISACS01.fabrikam.com Server Certificate
  6. Configure the Default Gateway for ISACS01

Prepare the Configuration Storage Server, ISACS01

Perform a default installation of Windows Server 2003 R2 on ISACS01. This requires you to first install Windows Server 2003 with SP1, and then install the Windows Server 2003 R2 components from Disc 2.

Procedure DWISA.1: To install Windows Server 2003 R2 on ISACS01

  1. Perform a default installation of Windows Server 2003, Standard Edition (with Service Pack 1 integrated), by using the CD boot method. Install the Support Tools from the Windows Server 2003 CD. Use appropriate naming conventions for your environment.
  2. After Setup for Windows Server 2003 with SP1 is complete, log on to the computer as an administrator. Insert Disc 2 into your CD-ROM drive. Setup for Disc 2 should start automatically. If it does not start automatically, browse to Disc 2 (or the shared folder that contains the Setup files) and, in the \Cmpnents\R2 folder, click Setup2.exe. Follow the instructions on your screen to upgrade to R2.

Prepare this server by enabling Remote Desktop, installing Microsoft .NET Framework 2.0, installing the Windows Server 2003 Support Tools, and then installing the latest updates from Microsoft.

Procedure DWISA.2: To prepare ISACS01

  1. Enable Remote Desktop. Click Start, point to Control Panel, click System, and then, on the Remote tab, select Enable Remote Desktop on this computer.
  2. Install the Microsoft .NET Framework 2.0.
  3. Install Support Tools from the Support Tools directory on the Windows Server 2003 CD.
  4. Apply any released updates to Windows Server 2003 by using Microsoft Update.

Join the Fabrikam Domain

After you have finished building and preparing ISACS01, add the server to the Fabrikam domain and log on as Administrator@fabrikam.com.

Procedure DWISA.3: To add ISACS01 to the Fabrikam domain and log on as the domain administrator

Note

Joining the domain requires a restart of the server. Complete the domain join before installing Certificate Services: once the CA is installed, the computer name and domain membership of ISACS01 cannot be changed.

  1. Configure the local network interface to use the IP addresses of AD01 and AD02 as the preferred and alternate DNS servers.
  2. Join the server to the Fabrikam domain.
  3. Log on to the domain as Administrator@fabrikam.com.
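The same three steps, as an added command-line example that is not part of the original page: a batch script run on ISACS01 that sets the DNS servers with netsh, checks that the domain controller locator record resolves before attempting the join, and joins the domain with netdom from the Windows Server 2003 Support Tools installed in Procedure DWISA.2. The adapter name "Local Area Connection" and the addresses assigned to AD01 and AD02 are assumptions; substitute the values for your environment.

```batch
@echo off
REM Added example (not from the original page): point ISACS01 at the Fabrikam
REM domain controllers for DNS, confirm the DC locator record resolves, then
REM join the domain with netdom from the Windows Server 2003 Support Tools.
REM The adapter name and the AD01/AD02 addresses below are assumptions.
setlocal
set NIC=Local Area Connection
set AD01=10.0.0.11
set AD02=10.0.0.12
set DOMAIN=fabrikam.com

REM Preferred (index 1) and alternate (index 2) DNS servers, statically assigned.
netsh interface ip set dns name="%NIC%" source=static addr=%AD01%
netsh interface ip add dns name="%NIC%" addr=%AD02% index=2

REM Sanity check before joining: the domain join depends on the _ldap SRV
REM record of a domain controller being resolvable through AD01/AD02.
nslookup -type=SRV _ldap._tcp.dc._msdcs.%DOMAIN% %AD01% | find /i "_ldap._tcp.dc._msdcs.%DOMAIN%" >nul
if errorlevel 1 (
    echo DNS on %AD01% does not return a DC SRV record for %DOMAIN%; fix DNS before joining.
    exit /b 1
)

REM Join the domain. /passwordd:* prompts for the password instead of leaving it
REM in this script or the command history; /reboot restarts the server in 30 s.
netdom join %COMPUTERNAME% /domain:%DOMAIN% /userd:FABRIKAM\Administrator /passwordd:* /reboot:30
endlocal
```

After the restart, log on as Administrator@fabrikam.com as described in step 3; the script only performs the DNS configuration and the join.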

Set Up the Certification Authority on ISACS01

You need a certification authority (CA) if you want to issue digital certificates. When the certificates are for internal use, we recommend that you create a local CA, avoiding the need to purchase a commercial certificate.

Set up a certification authority on a computer running Microsoft Windows Server 2003. For your stand-alone root CA, this can be any computer.

This procedure also installs the services that will enable computers to obtain the certificates through a Web page. If you prefer a different approach for obtaining the certificates for computers, you do not have to perform the Internet Information Services (IIS) and Active Server Pages (ASP) installations described in this procedure.

Procedure DWISA.4: To set up the certification authority on ISACS01

  1. On ISACS01, in the Control Panel, select Add or Remove Programs, and then click Add/Remove Windows Components.

  2. Double-click Application Server.

  3. Double-click Internet Information Services (IIS).

  4. Double-click World Wide Web Service.

  5. Select Active Server Pages.

  6. Click OK to close the World Wide Web Service dialog box, click OK to close the Internet Information Services (IIS) dialog box, and then click OK to close the Application Server dialog box.

  7. Select Certificate Services. Review the warning regarding the computer name and domain membership: after Certificate Services is installed, ISACS01 cannot be renamed or moved to another domain, which is why the domain join precedes this step. Click Yes in the warning dialog box if you want to continue, and then click Next in the Windows components dialog box.

  8. On the CA Type page, select Stand-alone root CA, and then click Next.

  9. On the CA Identifying Information page, provide a common name for the CA such as ISACS01, and then click Next.

  10. On the Certificate Database Settings page, review the default settings. You may revise the database locations. A shared folder is also created on the CA computer; from this share, other servers in the deployment can import the root certificate. Click Next.

  11. On the Completing the Windows Components Wizard page, review the summary, and then click Finish.

    Note

    If you receive the following prompt, click Yes:

    "Active Server Pages (ASPs) must be enabled in Internet Information Services (IIS) in order to allow Certificate Services to provide Web enrollment services. Enabling ASPs is a potential security risk and must be carefully evaluated. You can enable ASPs later if you choose not to do it now. IIS must be manually reconfigured later to enable this functionality. Do you want to enable Active Server Pages now?"
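A check a practitioner would run before moving on, as an added example that is not part of the original page: confirm that the CA service answers, that it was installed as a stand-alone root CA, and export its self-signed root certificate to the shared configuration folder so the other servers can import it. The share name CertConfig and the folder C:\CAConfig are the defaults offered by the wizard but are assumptions here; adjust them if you changed the locations in step 10.

```batch
@echo off
REM Added example (not from the original page): verify the CA installed by
REM Procedure DWISA.4 and export its self-signed root certificate to the CA's
REM shared configuration folder, from which other servers can import it.
REM The share name CertConfig and the output path are assumptions.
setlocal
set ROOTCER=C:\CAConfig\ISACS01-root.cer

REM The CA service must answer before anything else is checked.
certutil -ping || (echo Certificate Services is not running on this computer & exit /b 1)

REM Confirm the CA type chosen in the wizard; this deployment expects a stand-alone root.
certutil -cainfo type | find /i "Stand-alone Root CA" >nul
if errorlevel 1 (
    echo CA type is not Stand-alone Root CA; re-run the Certificate Services setup.
    exit /b 1
)

REM Export the current CA certificate to a file.
certutil -ca.cert "%ROOTCER%" >nul || (echo Could not export the CA certificate & exit /b 1)

REM A root CA certificate is self-signed; its Subject and Issuer carry the CA common name.
certutil -dump "%ROOTCER%" | find /i "CN=ISACS01" >nul
if errorlevel 1 (echo Exported certificate does not carry the expected CA name & exit /b 1)

REM Confirm the share the wizard created exists so the array members can reach the file.
net share | find /i "CertConfig" >nul || echo Warning: CertConfig share not found; copy %ROOTCER% to the array members manually.
echo Root certificate exported to %ROOTCER%
endlocal
```

Only the root certificate (no private key) is exported here; the CA's private key stays in the local machine key store of ISACS01 and is never copied to the array members.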

Create and Install a Server Certificate on ISACS01

In this procedure you create the certificate that will be used for intra-array communication.

Procedure DWISA.5: To create and install a server certificate on ISACS01

  1. Log on to ISACS01 using an account that is a member of the Domain Admins group.

  2. Open Internet Explorer and browse to https://ISACS01/certsrv/. If no server certificate is yet bound to the Web site in IIS on ISACS01, the HTTPS address will not connect; use http://ISACS01/certsrv/ instead. Because the request is submitted on the CA computer itself, it does not cross the network.

    Note

    If you have Internet Explorer Enhanced Security Configuration enabled, you will receive a warning that the content is being blocked. If this happens, click Add, click Add again, and then click Close.

  3. Click Request a certificate.

  4. Select Advanced Certificate Request.

  5. Select Create and submit a request to this CA.

  6. Under Name, specify the fully qualified domain name (FQDN) of this server: ISACS01.fabrikam.com. In the Type of Certificate Needed drop-down list, click Server Authentication Certificate. Select Mark keys as exportable and Store certificate in the local computer certificate store. Accept all other defaults. Click Submit.

  7. Review the warning dialog box that appears, and then click Yes.

  8. On the Start menu, click All programs, click Administrative Tools, and then click Certification Authority.

  9. In the Certification Authority Microsoft Management Console (MMC), expand ISACS01, click the Pending Requests node, right-click the request, click All Tasks, and then click Issue. A stand-alone CA holds every request as pending until an administrator issues it.

  10. Return to the https://ISACS01/certsrv/ Web page, and then click View status of a pending certificate request.

  11. Click the pending certificate, and then click Install this certificate.

  12. Review the warning dialog box that appears, and then click Yes.

Export the ISACS01.fabrikam.com Server Certificate

Next, you export the server certificate to a file. The file is used during the ISA Configuration Storage Server installation procedure.

Procedure DWISA.6: To export the ISACS01.fabrikam.com server certificate

  1. On the Start menu, click Run. Type MMC, and then click OK.
  2. In MMC, click File, and then click Add/Remove Snap-in.
  3. In Add/Remove Snap-in, click Add to open the Add Standalone Snap-in dialog box. In the list of snap-ins, click Certificates, and then click Add.
  4. In Certificates snap-in, click Computer account, and then click Next. In Select Computer, verify that Local computer is selected, and then click Finish. Click Close, and then click OK.
  5. In the MMC console, expand Certificates (Local Computer), expand Personal, and then click Certificates.
  6. In the details pane, right-click the certificate you just created (it bears the FQDN of the Configuration Storage server, ISACS01.fabrikam.com), point to All Tasks, and then click Export.
  7. On the Welcome page of the export wizard, click Next.
  8. On the Export Private Key page, select Yes, export the private key, and then click Next.
  9. On the Export File Format page, leave the default settings (Personal Information Exchange - PKCS #12 (.PFX)), and then click Next.
  10. On the Password page, enter a strong password, and then click Next. This password is the only protection on the private key inside the file.
  11. On the File to Export page, click Browse, and then browse to a location where you want to store the exported certificate file. This can be a floppy disk, a network share, or any location from which the file can be easily retrieved by ISA Server Setup when installing the Configuration Storage server. Because the file contains the private key of the server certificate, restrict access to that location and delete the file after ISA Server Setup has imported it. Name the file ISA.PFX, and then click Save. Click Next.
  12. On the summary page, click Finish, then click OK.
  13. Close the MMC console. Save the console settings with a descriptive name, such as LocalCertificate.
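The command-line equivalent of Procedures DWISA.5 and DWISA.6, as an added example that is not part of the original page: a batch script that requests the ISACS01.fabrikam.com server certificate with certreq, issues the pending request on the stand-alone CA with certutil (the same action as All Tasks > Issue), installs it into the local computer store, verifies the chain and the presence of the private key, and exports certificate and key as ISA.PFX. It uses no Web enrollment, so with this approach the IIS and ASP components of Procedure DWISA.4 are not required. The request INF contents, the 2048-bit key length, the CA configuration string ISACS01\ISACS01 and the working folder C:\CertWork are assumptions.

```batch
@echo off
REM Added example (not from the original page): request, issue, install and
REM export the ISACS01.fabrikam.com server certificate with certreq/certutil,
REM the command-line equivalent of Procedures DWISA.5 and DWISA.6. It does not
REM use the certsrv Web pages, so the IIS/ASP parts of DWISA.4 are not required.
REM The request INF contents, key length, CA config string and paths are assumptions.
setlocal
set CACONFIG=ISACS01\ISACS01
set FQDN=ISACS01.fabrikam.com
set WORK=C:\CertWork
set PFXOUT=C:\CertWork\ISA.PFX
if not exist "%WORK%" mkdir "%WORK%"

REM Request definition: machine key, exportable (ISA Server Setup needs the key
REM in the PFX), key usage for signing and key encipherment, Server Authentication EKU.
> "%WORK%\request.inf" (
    echo [Version]
    echo Signature="$Windows NT$"
    echo [NewRequest]
    echo Subject="CN=%FQDN%"
    echo KeyLength=2048
    echo Exportable=TRUE
    echo MachineKeySet=TRUE
    echo KeySpec=1
    echo KeyUsage=0xA0
    echo ProviderName="Microsoft RSA SChannel Cryptographic Provider"
    echo RequestType=PKCS10
    echo [EnhancedKeyUsageExtension]
    echo OID=1.3.6.1.5.5.7.3.1
)

REM Generate the key pair in the local computer store and write the PKCS#10 request.
certreq -new "%WORK%\request.inf" "%WORK%\request.req" || exit /b 1

REM A stand-alone CA holds every request as pending; certreq prints the RequestId.
certreq -submit -config "%CACONFIG%" "%WORK%\request.req" "%WORK%\cert.cer"
set /p REQID=Enter the RequestId printed above: 

REM Issue the pending request, then retrieve the certificate and bind it to the key.
certutil -config "%CACONFIG%" -resubmit %REQID% || exit /b 1
certreq -retrieve -config "%CACONFIG%" %REQID% "%WORK%\cert.cer" || exit /b 1
certreq -accept "%WORK%\cert.cer" || exit /b 1

REM Checks: the certificate chains to a trusted root, and the store entry has a private key.
certutil -verify "%WORK%\cert.cer" >nul || (echo Certificate does not chain to a trusted root & exit /b 1)
certutil -store My %FQDN% | find /i "Key Container" >nul || (echo No private key found for %FQDN% & exit /b 1)

REM Export certificate plus private key as PKCS#12 for ISA Server Setup; certutil prompts for the password.
certutil -exportPFX My %FQDN% "%PFXOUT%" || exit /b 1
echo Exported %PFXOUT% - delete it once the Configuration Storage server has been installed.
endlocal
```

The request and the export both run on ISACS01 itself, so the private key never leaves the computer except inside the password-protected ISA.PFX that ISA Server Setup consumes.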

Configure the Default Gateway for ISACS01

If you have not yet enabled a Zone 2 network interface card (NIC) on ISACS01, do so at this time. This NIC will be used for communications between the Configuration Storage server and the ISA firewall array.

Note

The Configuration Storage server must be configured to use the internal (or associated) network adapter card of the ISA Server computer (or the virtual IP address of the ISA Server firewall array, if network load balancing is configured) as a default gateway.

Procedure DWISA.7: To configure ISACS01 to use the virtual IP address of the ISA Server firewall array as its default gateway

  1. Log on to ISACS01 using an account that is a member of the Domain Admins group.
  2. Open the properties of the network adapter that is on the Zone 2 network segment.
  3. Set the default gateway to the virtual IP address (VIP) that you plan to use for the ISA firewall array. Configure a default gateway on this adapter only; a multihomed server with default gateways on more than one adapter routes outbound traffic unpredictably.
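The same configuration from the command line, as an added example that is not part of the original page: a batch script that assigns the Zone 2 adapter a static address with the array VIP as its default gateway and then checks the routing table for exactly one default route pointing at that VIP. The adapter name "Zone 2", the addresses and the subnet mask are assumptions.

```batch
@echo off
REM Added example (not from the original page): set the default gateway of the
REM Zone 2 adapter on ISACS01 to the planned VIP of the ISA firewall array and
REM confirm the resulting route table. Adapter name, addresses and mask are assumptions.
setlocal
set NIC=Zone 2
set IP=192.168.2.10
set MASK=255.255.255.0
set VIP=192.168.2.1

REM Static address with the array VIP as default gateway. A multihomed server
REM should carry a default gateway on one adapter only; two 0.0.0.0 routes make
REM outbound traffic alternate between paths.
netsh interface ip set address name="%NIC%" source=static addr=%IP% mask=%MASK% gateway=%VIP% gwmetric=1

REM Check: exactly one 0.0.0.0 route, and it points at the VIP.
for /f %%c in ('route print ^| find /c " 0.0.0.0 "') do set DEFAULTS=%%c
route print | find " 0.0.0.0 " | find "%VIP%" >nul
if errorlevel 1 (echo Default route does not point at %VIP% & exit /b 1)
if not "%DEFAULTS%"=="1" echo Warning: %DEFAULTS% default routes present; remove the gateway from the other adapters.

REM Reachability of the gateway itself; it only answers once the array VIP is up.
ping -n 2 %VIP% >nul && echo %VIP% reachable || echo %VIP% not yet reachable; expected until the array is deployed
endlocal
```

The ping check fails until the ISA firewall array is deployed and its VIP is live, which is the order this guide follows; the route check, however, must pass immediately.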