How to Securely Publish a Configuration Storage Server in ISA Server 2006

Microsoft® Internet Security and Acceleration (ISA) Server 2006 Enterprise Edition supports connecting to an alternate securely published Configuration Storage server. If the connection between the ISA Server array and the Configuration Storage server is through a site-to-site virtual private network (VPN) connection, you can define another method to connect to the Configuration Storage server in the event the VPN connection is unavailable. You publish the Configuration Storage server using ISA Server server publishing over the Secure Configuration Storage Server Publishing protocol, which makes use of LDAPS. The array can then connect to a securely published Configuration Storage server over the Internet. This enables you to correct the array configuration issues, and enables the array to continue to get configuration updates from the Configuration Storage server. When the site-to-site VPN connection has been restored, the array switches back and connects to the primary Configuration Storage server through the site-to-site VPN connection.

Note

You can only publish a Configuration Storage server when it is in a network that has a network address translation (NAT) relationship with the External network.

Usage Conditions

The array only uses the securely published Configuration Storage server when all of the following criteria exist:

  • The primary Configuration Storage server is unavailable for 30 minutes.
  • The alternate Configuration Storage server is unavailable. This is true only if the alternate Configuration Storage server has been configured on the Configuration Storage page. In the case where an alternate server has been configured, the primary and alternate servers must be unavailable for a total of 30 minutes before the published server is used.
  • The option Over a VPN site-to-site connection is selected on the Published Configuration Storage page.
  • The fully qualified domain name (FQDN) of the securely published Configuration Storage server is entered in the Alternate securely published Configuration Storage server field.

Domain and Workgroup Considerations

Note the following domain and workgroup considerations for publishing a Configuration Storage server:

  • When your ISA Server arrays and your Configuration Storage server are in a domain, you can publish the primary Configuration Storage server. Although you can publish a replicate, we recommend that you publish the primary Configuration Storage server, because ISA Server will recognize that this is the same server when it connects using publishing. This is a more efficient connection scenario because of the ISA Server architecture.
  • When the Configuration Storage server is in a domain, and the ISA Server array is in a workgroup, you must publish a replicate Configuration Storage server. Because the replicate Configuration Storage server must have a certificate installed, and the name on the certificate must match the name that resolves to the external IP address of the ISA Server array through which you are publishing the server, you may require a new replicate with an appropriately named certificate.
  • When both the array and the Configuration Storage server are in a workgroup, publishing the Configuration Storage server is not possible.

When to Use the Securely Published Configuration Storage Server

Although the configuration and use of a published Configuration Storage server can be accomplished securely, we recommend that you connect to a published Configuration Storage server only when your ISA Server array has lost connectivity with its primary Configuration Storage server due to a configuration issue. Enable the connection only until the configuration issue can be corrected. After connectivity to the primary Configuration Storage server has been restored, disable the Configuration Storage server publishing rule.

Some examples of causes of tunnel failure in a VPN scenario are:

  • The preshared key for the tunnel is changed.
  • The certificate for the tunnel is replaced.
  • The password has expired for the user associated with the connection.

Note

When the branch office is connected to the published Configuration Storage server, you will not be able to monitor the branch ISA Server array from headquarters.

Configuration Procedures

To publish the Configuration Storage server, you must perform the following procedures:

  • Install a certificate on the Configuration Storage server.
  • Configure the default gateway.
  • Create a new computer set in ISA Server.
  • Create a server publishing rule in ISA Server.
  • Configure the ISA Server array to use the alternate server.
  • Ensure that the name of the published server is resolvable.

These procedures are described in detail in this document.

Note

To have the alternate access available, you must configure ISA Server to publish the Configuration Storage server before a loss of connectivity occurs. Specifically, you cannot configure the array to use the alternate server after the VPN tunnel is unavailable.

Install a Certificate on the Configuration Storage Server

Because you will publish the Configuration Storage server over LDAPS, you will have to install a certificate on the server, and associate that certificate with the Configuration Storage server service.

Note

The supported format for the certificate is .pfx. The name on the certificate should match the name that resolves to the external IP address of the ISA Server array through which you are publishing the server. This name is provided to the Configuration Storage server when the branch ISA Server array attempts a connection, and will be compared to the name on the certificate. If the names do not match, the connection attempt will be rejected.

If you are using a server certificate issued by a private certification authority, you must install the root certificate on the ISA Server array members. This document does not provide the details of certification authority installation or issuing of certificates, which are described in "Digital Certificates for ISA Server 2004" at the ISA Server TechCenter.

After you have installed the certificate on the Configuration Storage server computer, you must associate it with the Configuration Storage server service.

Use one of the following two procedures (ISACertTool, or the ISA Server Repair functionality) to associate the certificate with the Configuration Storage server. Both procedures require that the Configuration Storage server has already been installed.

To install a certificate on the Configuration Storage server using ISACertTool

  1. Download ISACertTool, available at the ISA Server Downloads page.

  2. Copy the ISACertTool program to the directory \Program Files\Microsoft ISA Server on the Configuration Storage server.

  3. From a command prompt in the \Program Files\Microsoft ISA Server directory, type ISACertTool, using this syntax:

    ISACertTool /st file_name [/pswd password] [/keepcerts]

Where:

  • /st file_name installs the exported certificate on the Configuration Storage server. file_name specifies the path and name of the exported .pfx certificate file.
  • /pswd password specifies the password that may be required when installing the server certificate. It is only required if a password was specified during export of the certificate file.
  • /keepcerts specifies that existing certificates should not be deleted. By default, when you run ISACertTool.exe, all certificates in the Active Directory® Application Mode (ADAM) ISSTGCTRL local store are erased; specify /keepcerts to preserve them.

To install a certificate on the Configuration Storage server using Repair

  1. On the server that you are going to publish, insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  2. In Microsoft ISA Server Setup, click Install ISA Server 2006 to start the installation wizard.

  3. On the Program Maintenance page, select Repair, and then click Next.

  4. On the Enterprise Deployment Environment page, select I am deploying in a workgroup or a domain without trust relationships. Provide or browse to the certificate name, provide the certificate password, and then click Next.

  5. On the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you are going to publish, and then click Next.

  6. On the Configuration Storage Server Authentication Options page, select Authentication SSL encrypted channel. Select Install a trusted root certificate, and provide or browse to the name of the root certificate.

  7. Review the Services Warning page, and then click Next.

  8. Click Install to install the changes.

  9. When the changes have been made, click Finish to close the wizard.

Configure the Default Gateway

ISA Server must be configured as the default gateway on the Configuration Storage server. Set the default gateway to be the IP address of the ISA Server computer network adapter through which the Configuration Storage server connects to the ISA Server computer, for example, the internal network adapter. If you are using Network Load Balancing (NLB) on the internal adapters on an ISA Server array, specify the virtual IP address.

Note

You can skip this step if you configure the server publishing rule to use the option Requests appear to come from the ISA Server computer. This is described in the procedure in "Create a Server Publishing Rule."

Create a New Computer Set

We recommend that you limit the new rule to apply only to the ISA Server computers in the branches that require access to the securely published Configuration Storage server. This improves the security configuration of your publishing rule. To do this, you will require a computer set.

To create a new computer set

  1. In ISA Server Management, click the Firewall Policy node.

  2. On the Toolbox tab, under Network Objects, click New, and select Computer Set.

  3. In the New Computer Set Rule Element dialog box, provide a name for the computer set. Then click Add as necessary to add the computers, IP address ranges, or subnets, so that the set includes only the ISA Server computers in the branches that require access to the published Configuration Storage server.

  4. Click OK to close the New Computer Set Rule Element dialog box.

Create a Server Publishing Rule

To publish the Configuration Storage server, create a server publishing rule.

To create a server publishing rule

  1. In ISA Server Management, select Firewall Policy.

  2. In the task pane, on the Tasks tab, click Publish Non-Web Server Protocols to open the New Server Publishing Rule Wizard.

  3. On the Welcome page, provide a name for the rule, such as Secure Configuration Storage Server Publishing, and then click Next.

  4. On the Select Server page, in Server IP address, type the IP address of the Configuration Storage server, and then click Next.

  5. On the Select Protocol page, from the drop-down menu, select MS Firewall Secure Storage Server. Click Ports, and under Firewall Ports, select Publish on this port instead of the default port, and provide the port number 2174.

  6. Click OK, and then click Next.

  7. On the Network Listener IP Addresses page, under Listen for requests from these networks, select the networks on which you want to listen for connection requests. For a branch office that will be connecting over the Internet, select External. Click Next.

    Note

    You can select specific IP addresses that ISA Server will listen on. To do this, click the Address button, and then for the selected network, specify the IP addresses that ISA Server will listen on. The address that the name of the Configuration Storage server resolves to must be one of the listening addresses of ISA Server.

  8. Click Finish to close the New Server Publishing Rule Wizard.

  9. In the details pane, on the Firewall Policy tab, under the Name column, double-click the new rule to open its properties.

  10. On the From tab, under This rule applies to traffic from these sources, select Anywhere, and then click Remove.

  11. Click Add. From the Add Network Entities dialog box, add the computer set that you created containing the ISA Server array members. Click OK to close the rule properties.

    Note

    On the To tab of the publishing rule, under Requests for the published server, there is an option Requests appear to come from the ISA Server computer. This option can be used when you have not configured ISA Server as the default gateway on the published server.

  12. In the details pane, right-click the rule and select Disable. Leave the rule disabled until it is needed. When the rule is needed, it can be enabled from a location other than the branch array (which will not have connectivity when the rule is needed).

  13. In the details pane, click the Apply button to apply your changes.

Configure the ISA Server Array to Use the Alternate Server

Follow this procedure to configure ISA Server to use the alternate Configuration Storage server.

To configure the ISA Server array to use the alternate server

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, and then click the name of the applicable array.

  2. On the Tasks tab, click Configure Array Properties.

  3. On the Published Configuration Storage tab, select Over a VPN site-to-site connection.

  4. In Alternate securely published Configuration Storage server, provide the name or IP address of the published server. Click OK to close the property page.

  5. In the details pane, click the Apply button to apply your changes.

Note

You can also configure this when setting up the branch office ISA Server array by using the Branch Office VPN Connectivity Wizard. This is described in the document "Branch Office VPN Connectivity Wizard" at the Microsoft ISA Server TechCenter.

Ensure that the Name of the Published Server Is Resolvable

You will connect to the published Configuration Storage server by requesting a name that resolves to the external IP address of the ISA Server array that is publishing the server. For this reason, you must ensure that the name can be resolved, for example by a public Domain Name System (DNS) server, a local DNS server, or a Hosts file entry. That name must match the name on the Configuration Storage server certificate.
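The naming requirements in this section, the certificate note under "Install a Certificate on the Configuration Storage Server", and the listener-address note in the server publishing rule procedure can be checked together before the rule is ever needed. The following Python script is an added example, not part of this document or of ISA Server; the names, addresses and certificate fields it uses are constructed sample data, and the resolver dictionary stands in for a real DNS or Hosts file lookup.

```python
"""Pre-flight check for a securely published Configuration Storage server.

Added example (not part of the Microsoft document). It models the naming
requirements the document states for the published server:
  1. the published name must resolve (public DNS, local DNS, or Hosts file),
  2. it must resolve to an address the ISA Server publishing rule listens on,
  3. it must match the name on the Configuration Storage server certificate,
     otherwise the connection attempt is rejected.
All names, addresses and certificate fields below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class PublishedCssCheck:
    published_name: str                 # FQDN entered in "Alternate securely published Configuration Storage server"
    resolver: Dict[str, str]            # constructed stand-in for DNS / Hosts lookups (name -> IP)
    isa_listener_addresses: List[str]   # addresses selected under "Listen for requests from these networks"
    cert_names: List[str]               # CN plus any subjectAltName DNS entries on the .pfx certificate


def _name_matches(name: str, cert_name: str) -> bool:
    """Case-insensitive match; a leftmost '*' label matches exactly one label."""
    name, cert_name = name.lower().rstrip("."), cert_name.lower().rstrip(".")
    if cert_name.startswith("*."):
        head, _, rest = name.partition(".")
        return bool(head) and rest == cert_name[2:]
    return name == cert_name


def check_published_css(cfg: PublishedCssCheck) -> List[str]:
    """Return a list of problems; an empty list means the naming setup is consistent."""
    problems = []
    ip = cfg.resolver.get(cfg.published_name.lower().rstrip("."))
    if ip is None:
        problems.append(f"{cfg.published_name} does not resolve; add a DNS or Hosts file entry")
    elif ip not in cfg.isa_listener_addresses:
        problems.append(f"{cfg.published_name} resolves to {ip}, which is not a listener address of the publishing rule")
    if not any(_name_matches(cfg.published_name, n) for n in cfg.cert_names):
        problems.append(f"certificate names {cfg.cert_names} do not match {cfg.published_name}; the connection would be rejected")
    return problems


# Constructed sample: the name resolves to the array's external listener and the certificate matches.
GOOD = PublishedCssCheck(
    published_name="css.hq.example.com",
    resolver={"css.hq.example.com": "198.51.100.10"},   # RFC 5737 documentation address, constructed
    isa_listener_addresses=["198.51.100.10"],
    cert_names=["css.hq.example.com"],
)

# Constructed sample: the certificate was issued to the server's internal name, not the published name.
BAD = PublishedCssCheck(
    published_name="css.hq.example.com",
    resolver={"css.hq.example.com": "198.51.100.10"},
    isa_listener_addresses=["198.51.100.10"],
    cert_names=["cssserver.hq.local"],
)

if __name__ == "__main__":
    for label, cfg in (("good", GOOD), ("bad", BAD)):
        print(label, check_published_css(cfg) or "OK")
```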

Testing the Configuration

You should test the access to the published Configuration Storage server before it becomes necessary for operations. Perform this procedure from an ISA Server Management console in the branch office (or connect to that console using Terminal Server). If you are testing access in an Internet Protocol security (IPsec) tunnel VPN scenario, follow the second procedure.

To test the published Configuration Storage server configuration

  1. From an ISA Server Management console in the branch office, click the top node of ISA Server Management, Microsoft Internet Security and Acceleration Server 2006.

  2. On the Tasks tab, select Connect to Configuration Storage Server. On the Welcome page, click Next.

  3. On the Configuration Storage Server Location page, select On a securely published computer. Provide the name that resolves to the external IP address of the ISA Server array through which you are publishing the server.

  4. On the Configuration Storage Server Credentials page, provide the credentials needed to connect, and then click Next.

  5. On the Array Connection Credentials page, select whether to use the same credentials as you are using to connect to the Configuration Storage server, or different credentials, and then click Next. If you select different credentials, the next wizard page will be Array Connection Credential Details, where you can provide the credentials for connecting to an array.

  6. Click Finish.

  7. If you receive an error message stating that the connection failed, check your configuration and try this procedure again.

  8. If you connect successfully, in the Monitoring node, on the Configuration tab, check whether the servers are synchronized with the Configuration Storage server.

  9. Make a minor change in the headquarters array configuration, such as a change in the description of a rule. After the configuration synchronizes, from ISA Server Management in the branch, check if the change is visible.

To test the published Configuration Storage server configuration in an IPsec tunnel VPN scenario

  1. Remove the branch ISA Server IP address from the VPN network as defined on the headquarters array. Detailed procedures are provided in Configure IPsec Tunnel Mode IP Addresses. This will break the VPN tunnel between the branch office array and headquarters. Before testing, consider that this may also affect the tunnel between some branch client computers and headquarters.

  2. From an ISA Server Management console in the branch office, click the top node of ISA Server Management, Microsoft Internet Security and Acceleration Server 2006.

  3. On the Tasks tab, select Connect to Configuration Storage Server. On the Welcome page, click Next.

  4. On the Configuration Storage Server Location page, select On a securely published computer. Provide the name that resolves to the external IP address of the ISA Server array through which you are publishing the server.

  5. On the Configuration Storage Server Credentials page, provide the credentials needed to connect, and then click Next.

  6. On the Array Connection Credentials page, select whether to use the same credentials as you are using to connect to the Configuration Storage server, or different credentials, and then click Next. If you select different credentials, the next wizard page will be Array Connection Credential Details, where you can provide the credentials for connecting to an array.

  7. Click Finish.

  8. If you receive an error message stating that the connection failed, check your configuration and try this procedure again.

  9. If you connect successfully, in the Monitoring node, on the Configuration tab, check whether the servers are synchronized with the Configuration Storage server.

  10. Make a minor change in the headquarters array configuration, such as a change in the description of a rule. After the configuration synchronizes, from ISA Server Management in the branch, check if the change is visible.

  11. Return the branch ISA Server IP address to the VPN network definition.

Required Actions When a VPN Tunnel Failure Occurs

When a VPN tunnel failure occurs in a production scenario, take the following steps.

To troubleshoot a VPN tunnel failure

  1. For an IPsec VPN tunnel, configure the network IP addresses as described in Configure IPsec Tunnel Mode IP Addresses.

  2. Enable the server publishing rule.

  3. After the VPN tunnel has been reestablished, revert the IP address change you made in Step 1 (in an IPsec VPN scenario).

  4. Disable the rule.

Note

The ISA Server array will revert to the primary Configuration Storage server approximately 15 seconds after connectivity is reestablished.

Configure IPsec Tunnel Mode IP Addresses

This procedure is required only if you use IPsec tunnel mode to establish the VPN tunnel between the branch and the primary Configuration Storage server. When you access the published Configuration Storage server, ISA Server will accept the connection from an external IP address. For a branch that connects using VPN tunnel mode, ISA Server will determine that the packet is from a VPN network, and will try to establish a VPN tunnel. Because the tunnel cannot be established, the packet will be dropped.

Perform this procedure only when you require connectivity to the alternate published Configuration Storage server.

Note

After the connection to the published Configuration Storage server has been established, you should return the IP address to the range of tunnel addresses. This will ensure that the VPN tunnel can be reestablished after you correct the configuration issues.

To configure IPsec tunnel mode IP addresses

  1. In the console tree of ISA Server Management, expand Microsoft Internet Security and Acceleration Server 2006, expand Arrays, and expand the applicable array (the headquarters array).

  2. In the console tree, select the Virtual Private Networks (VPN) node. On the Remote Sites tab, in the details pane, double-click the IPsec VPN network to open its properties.

  3. On the Addresses tab, select the branch ISA Server external IP address and click Remove.

  4. Click OK to close the VPN network properties.

  5. In the details pane, click the Apply button to apply your changes.

Other Resources

Microsoft ISA Server TechCenter Web site