STEP 1: Configuring the Network Interfaces

The ISA Server 2004 firewall computer must have at least one internal network interface and one external network interface. The internal network interface is the network interface directly connected to the internal network. The external network interface can be an Ethernet card, a cable modem, a DSL modem, or a dial-up analog modem. The external network interface allows the ISA Server 2004 firewall to connect to the Internet.

You must carry out the following procedures to correctly configure the network interfaces on the ISA Server 2004 firewall computer:

  • Assign IP addresses to the internal and external network interfaces
  • Assign a DNS server address to the internal interface of the ISA Server 2004 computer
  • Arrange the network interface order
  • Set up the Dial-up Networking connectoid if you use a dial-up connection to the Internet

IP Address and DNS Server Assignment

You must assign IP addresses to the internal and external interfaces of the ISA Server 2004 firewall computer. The ISA Server 2004 firewall computer also requires a DNS server address so that it can translate names used to connect to Internet servers to IP addresses.

In this section, we discuss the following:

  • Configuring the internal network interface
  • Configuring the external network interface

Configuring the Internal Network Interface

The internal network interface must have an IP address that is on the same network ID as other computers on the directly attached network. This address must be in the private network address range and the address must not already be in use on the network.

You should configure the ISA Server 2004 firewall to use the internal interface address as its DNS server address. This Quick Start Guide assumes that your internal network computers use DHCP to obtain IP addressing information and that the ISA Server 2004 computer will be their DHCP Server.

The ISA Server 2004 firewall must have a static IP address bound to its internal interface. Perform the following steps on the Windows 2000 Server or Windows Server 2003 computer that will become the ISA Server 2004 firewall computer:

  1. Right click the My Network Places icon on the desktop and click the Properties option.
  2. In the Network Connections window, right click the internal network interface and click the Properties option.
  3. In the network interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
  4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option. Enter the IP address for the internal interface in the IP address text box. Enter the subnet mask for the internal interface in the Subnet mask text box. Do not enter a default gateway for the internal interface.
  5. Select the Use the following DNS server addresses option. Enter the IP address of the internal interface of the ISA Server 2004 computer in the Preferred DNS server text box. This is the same number you entered in step 4. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
  6. Click OK on the internal interface’s Properties dialog box.

Warning

Never enter a default gateway address on the internal interface.

External Network Interface

The external interface configuration varies depending on the type of interface you use to connect to the Internet. There are two primary types of external interfaces:

  • An external interface using a statically assigned or permanent IP address
  • An external interface using a dynamic or non-permanent IP address

Many Internet Service Providers (ISPs) offer “business accounts” that provide permanent, statically assigned IP addresses. Hobbyist or home-user accounts are usually assigned a non-permanent address. Dial-up modem connections (with the exception of ISDN dial-up connections) are usually assigned non-permanent IP addresses. In this section, you’ll find out how to configure each connection type.

Note

Cable, DSL and T1 connections, among others, can have either a permanent or non-permanent IP address assigned to the external interface.

External Interface with a Permanent IP Address

There are four common situations in which you would use an Ethernet card on the external interface of the ISA Server 2004 firewall computer:

  • You have a DSL connection using a DSL modem (note: some DSL modems install as network interface cards inside the ISA Server 2004 firewall computer; in that case, the internal DSL modem plugs into the DSL filtered wall jack)
  • You have a cable Internet connection using a cable modem. The Ethernet card plugs into the cable modem’s Ethernet connection
  • You have a T1, fractional T1 or similar dedicated connection to the Internet and there is a router in front of the ISA Server 2004 firewall computer
  • You have a broadband DSL or cable Internet connection and you are using a broadband router in front of the ISA Server 2004 firewall.

Figure 2 shows the relationship between the ISA Server 2004 firewall computer and the broadband router.

Note

Throughout this ISA Server 2004 Quick Start Guide, we use the terms “in front of” and “behind” the ISA Server 2004 firewall computer. Devices “in front of” the ISA Server 2004 firewall computer are between the ISA Server 2004 firewall and the Internet. From the internal network, you must go through the ISA Server 2004 firewall computer to connect to machines in front of the ISA Server 2004 firewall. Devices “behind” the ISA Server 2004 computer are on the internal network; these devices are protected by the ISA Server 2004 firewall computer.

Figure 2: Diagram shows the relationship between the ISA Server 2004 firewall, the internal network and the router in front of the ISA Server 2004 computer

Perform the following procedures if your external interface uses an Ethernet card and has a permanent IP address assigned to it:

  1. Right click the My Network Places icon on the desktop and click the Properties option.
  2. In the Network Connections window, right click the external network interface and click the Properties option.
  3. In the network interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
  4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option. Enter the IP address for the external interface in the IP address text box. Enter the subnet mask for the external interface in the Subnet mask text box. Enter a default gateway for the external interface. Check with your ISP to obtain the proper IP address, subnet mask and default gateway addresses.

Warning

Do not guess at what your external IP address should be. If your ISP assigns you a permanent IP address, ask your ISP to confirm the numbers used for your IP address, Subnet mask, Default gateway and Preferred DNS server. If you use a broadband router in front of the ISA Server 2004 firewall computer, use the IP address, subnet mask and default gateway recommended by the ISP that provided the router.

  5. Select the Use the following DNS server addresses option. Enter the IP address of the internal interface in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
  6. Click OK in the internal interface’s Properties dialog box.

Note

Dial-up connections represent a special case and are discussed in the Setting up a Dial-up Connection section. Do not perform the following steps for configuring the external interface with a dynamic IP address if you use a dial-up connection to connect to the Internet.

External Interface with a Dynamic IP Address

The most common situation in which an Ethernet card is used on the external interface with a non-permanent IP address is when the Ethernet card is a cable or DSL modem, or it connects to a DSL or cable modem. Your DSL or cable provider can tell you whether you have a permanent or non-permanent address.

Perform the following steps if your external interface uses a non-permanent (dynamic or DHCP assigned) IP address:

  1. Right click the My Network Places icon on the desktop and click the Properties option.
  2. In the Network Connections window, right click the external network interface and click the Properties option.
  3. In the network interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
  4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP address automatically option.
  5. Select the Use the following DNS server addresses option. Enter the IP address of the internal interface of the ISA Server 2004 computer in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
  6. Click OK in the internal interface’s Properties dialog box.
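
A check of the finished configuration against the rules in the internal and external interface procedures above, as an added example that is not part of the original guide: it parses `ipconfig /all`-style text and reports a non-private or non-static internal address, a default gateway on the internal interface, and a DNS server that is not the internal address. The adapter names `Internal` and `External`, all addresses, and the trimmed sample output are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of `ipconfig /all`; adapter names and all
# addresses are assumptions. It breaks two of the guide's rules on purpose.
SAMPLE = """\
Ethernet adapter Internal:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 10.0.0.254
   DNS Servers . . . . . . . . . . . : 10.0.0.1

Ethernet adapter External:
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 192.0.2.10
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.0.2.1
   DNS Servers . . . . . . . . . . . : 198.51.100.53
"""
# RFC 1918 private ranges, used for the "private network address range" rule.
PRIVATE = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_adapters(text):
    """Return {adapter name: {field label: value}} from ipconfig-style text."""
    adapters, current = {}, None
    for line in text.splitlines():
        header = re.match(r"^\S.*adapter (.+):\s*$", line)
        field = re.match(r"^\s+([A-Za-z][A-Za-z ]*?)[ .]*:\s*(.*)$", line)
        if header:
            current = adapters.setdefault(header.group(1), {})
        elif field and current is not None:
            current[field.group(1)] = field.group(2).strip()
    return adapters

def check(adapters, internal="Internal", external="External"):
    """Return deviations from the guide's internal/external interface rules."""
    inside, outside, findings = adapters[internal], adapters[external], []
    ip = ipaddress.ip_address(inside["IP Address"])
    if not any(ip in net for net in PRIVATE):
        findings.append("internal address is not in a private range")
    if inside.get("DHCP Enabled") != "No":
        findings.append("internal interface does not use a static address")
    if inside.get("Default Gateway"):
        findings.append("internal interface has a default gateway")
    for name, cfg in ((internal, inside), (external, outside)):
        if cfg.get("DNS Servers") != str(ip):
            findings.append(f"{name} DNS server is not the internal address")
    return findings
```

Calling `check(parse_adapters(SAMPLE))` returns one finding for the gateway on the internal interface and one for the external DNS server; an empty list means the adapters match the procedures.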

Network Interface Order

The internal interface of the ISA Server 2004 computer should be placed at the top of the network interface list to ensure the best performance for name resolution. The procedure is the same on Windows 2000 Server and Windows Server 2003 computers.

Warning

Do not change the interface order if you are using a Dial-up connection to connect to the Internet. This procedure applies only to situations in which you use non-dialup connections to connect to the Internet.

Perform the following steps to change the network interface order:

  1. Right click the My Network Places icon on the desktop and click the Properties option.
  2. In the Network and Dial-up Connections window, click the Advanced menu, then click the Advanced Settings option.
  3. In the Advanced Settings dialog box, click the internal interface in the list of Connections on the Adapters and Bindings tab. After the internal interface is highlighted, click the up-arrow to move the internal interface to the top of the list of interfaces.
  4. Click OK in the Advanced Settings dialog box.

Setting up a Dial-up Connection

ISA Server 2004 firewall computers can use Dial-up Networking connections, which are configured in the Network and Dial-up Connections window in Windows 2000 Server and the Network Connections window in Windows Server 2003, to connect to the Internet. These dial-up connection entries are named connectoids. You’ll create Dial-up Networking connectoids and then use these to configure Dial-up Preferences in the ISA Server 2004 management console later in this Quick Start Guide.

We will assume your dial-up hardware is already installed and is working properly. The next step is to create the Dial-up Networking connectoid you’ll use to connect the ISA Server 2004 firewall computer to your ISP. We will cover procedures for creating the connectoid in Windows 2000 Server and Windows Server 2003 computers separately.

Note

These steps are performed differently in Windows 2000 Server and Windows Server 2003. Go to the section applying to the operating system onto which you’re installing ISA Server 2004 and follow those steps.

Creating the Dial-up Connectoid on a Windows 2000 Server Computer

Perform the following steps on the Windows 2000 Server computer to create the dial-up connectoid:

  1. Right click the My Network Places icon on the desktop and click the Properties option.
  2. In the Network and Dial-up Connections window, double click the Make New Connection icon.
  3. In the Location Information dialog box, enter your area code and access number if required. Click OK.
  4. Click OK in the Phone and Modem Options dialog box.
  5. Click Next on the Welcome to the Network Connection Wizard page.
  6. Select the Dial-up to the Internet option on the Network Connection Type page and click Next.
  7. On the Welcome to the Internet Connection Wizard page, select the I want to set up my Internet connection manually, or I want to connect through a local area network (LAN) option and click Next.
  8. Select the I connect through a phone line and a modem option on the Setting up your Internet connection page and click Next.
  9. On the Step 1 of 3: Internet account connection information page, enter the correct Area code and Telephone number for your ISP Internet connection. Click Next.
  10. On the Step 2 of 3: Internet account logon information page, enter the User name and Password provided to you by your ISP and click Next.
  11. On the Step 3 of 3: Configuring your computer page, enter a Connection name. For example, name the connection ISP Internet Link. Click Next.
  12. Select No on the Set Up Your Internet Mail Account page and click Next.
  13. Click Finish on the Completing the Internet Connection Wizard page.
  14. The ISP Internet Link entry now appears in the Network and Dial-up Connections window and it has a telephone icon associated with it.
  15. Right click the ISP Internet Link and click the Properties option. In the ISP Internet Link Properties dialog box, click the Options tab. If you want the link to automatically redial if the connection is dropped, put a checkmark in the Redial if line is dropped checkbox. You can then configure the Redial attempts and Time between redial attempts to meet your preferences. The default Idle time before hanging up value is set to never. If you want the modem to drop a connection after an idle period, change this value.

Note

Modern networks and applications require frequent connections to the Internet. You should anticipate that the dial-up connection will remain connected most of the time, as internal network hosts connect to the Internet at any time of day for a variety of reasons. You can prevent connections from internal network clients by limiting connections based on schedules. Please refer to the ISA Server 2004 Help for more information on creating schedules.

Creating the Dial-up Connectoid on a Windows Server 2003 Computer

Perform the following steps on the Windows Server 2003 computer to create the dial-up connectoid that connects the machine to the Internet:

  1. Right click the My Network Places icon on the desktop and click the Properties option.
  2. In the Network Connections window, double click the New Connection Wizard icon.
  3. Click Next on the Welcome to the New Connection Wizard page.
  4. On the Network Connection Type page, select the Connect to the Internet option and click Next.
  5. On the Internet Connection page, select the Connect using a dial-up modem option and click Next.
  6. On the Connection Name page, enter ISP Internet Link in the ISP Name text box and click Next.
  7. On the Phone Number to Dial page, enter the area code and phone number you use to connect to the ISP in the Phone number text box and click Next.
  8. On the Connection Availability page, select the Anyone’s use option and click Next.
  9. On the Internet Account Information page, enter the User name and Password provided to you by your ISP. Confirm the password in the Confirm password text box. Place checkmarks in the Use this account name and password when anyone connects to the Internet from this computer and Make this the default Internet connection checkboxes. Remove the checkmark from the Turn on Internet Connection Firewall for this connection checkbox. Click Next.
  10. Click Finish on the Completing the New Connection Wizard page.
  11. The Connect ISP Internet Link dialog box appears. Click the Properties button.
  12. On the ISP Internet Link Properties dialog box, click the Options tab. If you want the connection to automatically redial if the link is dropped, put a checkmark in the Redial if line is dropped checkbox. You can configure custom Redial attempts and Time between redial attempts values if you select this option. If you want the connection to drop after a period of idleness, change the value in the Idle time before hanging up list box. If you do not want the link to drop, select the never option in the idle time drop down list. Click OK after making the changes.
  13. Close the Connect ISP Internet Link dialog box.

Note

Modern networks and applications require frequent connections to the Internet. You should anticipate that the dial-up connection will remain connected most of the time as internal network hosts connect to the Internet at any time of day for a variety of reasons. You can prevent connections from internal network clients by creating schedules. Please refer to the ISA Server 2004 Help for more information on creating schedules.

[Topic Last Modified: 02/26/2008]