STEP 4: Installing and Configuring the ISA Server 2004 Software

The Windows 2000 Server or Windows Server 2003 computer is now ready for the ISA Server 2004 software. The installation procedure is the same for both Windows 2000 Server and Windows Server 2003. However, if you install ISA Server 2004 on Windows 2000 Server, Service Pack 4 or higher must first be installed.

In the following installation example, the machine has two Ethernet cards with static (permanent) addresses assigned to the Internal and External network interfaces. This is the situation you might have with a T1, cable or DSL connection. With DSL and cable connections, a DSL or cable router sits in front of the ISA Server 2004 firewall, and the default gateway on the firewall's External interface is the IP address of the router's LAN-side (internal) interface.

The following steps demonstrate how to install the ISA Server 2004 software on a dual-homed (two Ethernet cards) Windows Server 2003 machine:

  1. Insert the ISA Server 2004 installation media into the CD-ROM drive, or connect to a network share hosting the ISA Server 2004 installation files. If the installation routine does not start automatically, double click the isaautorun.exe file in the root of the installation files tree.
  2. On the Microsoft Internet Security and Acceleration Server 2004 page, click the Review Release Notes link and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, click the Read Setup and Feature Guide link. You do not need to read the entire guide right now, but you may want to print it to read later. Click the Install ISA Server 2004 link.
  3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
  4. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
  5. On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter your serial number in the Product Serial Number text box. Click Next.
  6. On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, click the Change button to change the location of the program files on the hard disk. Click Next.
  7. On the Custom Setup page, you can choose which components to install. By default, the Firewall Services, ISA Server Management and Firewall Client Installation Share are installed. The Message Screener, which is used to control spam and file attachments entering and leaving the network, is not installed by default. You must install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. Use the default settings and click Next.
  8. On the Internal Network page, click the Add button. The Internal network is different from the Local Address Table (LAT) used by ISA Server 2000. In ISA Server 2004, the Internal network contains the trusted network services with which the ISA Server 2004 firewall must communicate, such as Active Directory domain controllers, DNS and DHCP servers, and the management workstations that connect to the firewall through Terminal Services. The firewall System Policy automatically uses the Internal network. We will look at the System Policy later in this document.
  9. On the Internal Network setup page, click the Select Network Adapter button.
  10. In the Configure Internal Network dialog box, remove the checkmark from the Add the following private ranges… checkbox. Do not add the private ranges: in the DSL or cable router scenario described above, the External interface itself typically has a private address, and adding every private range to the Internal network would make the firewall treat the External side as trusted. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next to the adapter connected to the Internal network. In this example we have renamed the network interfaces so that each interface name reflects its location. Click OK.
  11. Click OK in the dialog box informing you that the Internal network was defined based on the Windows routing table.
  12. Click OK on the Internal network address ranges dialog box. Before you do, check that the ranges listed cover only the addresses reachable through the Internal adapter and do not overlap the External network; every address in these ranges is treated as Internal by the firewall policy.
  13. Click Next on the Internal Network page.
  14. Put a checkmark in the Allow computers running earlier versions of Firewall Client software to connect checkbox. This allows you to continue using the ISA Server 2000 Firewall Client software while you migrate to ISA Server 2004. Earlier Firewall Client versions do not encrypt their control channel to the firewall, so clear this setting (Allow non-encrypted Firewall client connections, under Firewall Client Settings in the management console) once all clients run the ISA Server 2004 Firewall Client. Click Next.
  15. On the Services page, note that the SNMP and IIS Admin services will be stopped during installation. If the Internet Connection Firewall (ICF) / Internet Connection Sharing (ICS) and/or IP Network Address Translation services are installed on the ISA Server 2004 machine, they will be disabled, because they conflict with the ISA Server 2004 firewall software.
  16. Click Install on the Ready to Install the Program page.
  17. On the Installation Wizard Completed page, click Finish.
  18. Click Yes on the Microsoft ISA Server dialog box informing you that you must restart the server.
  19. Log on as an Administrator after the machine restarts.
  20. Click Start and point to All Programs. Point to Microsoft ISA Server and click ISA Server Management. The Microsoft Internet Security and Acceleration Server 2004 management console opens and displays the Welcome to Microsoft Internet Security and Acceleration Server 2004 page.

Configuring ISA Server 2004

ISA Server 2004 configuration is the same for both Windows 2000 Server and Windows Server 2003. You need to create four Access Rules and make a change to the firewall’s System Policy if the external interface does not have a permanent IP address.

Tables 1 through 4 show the details of each of these rules.

Table 1 DHCP Request (Server)

    Name:           DHCP Request (Server)
    Action:         Allow
    Protocols:      DHCP (request)
    From:           Anywhere
    To:             Local Host
    Users:          All Users
    Schedule:       Always
    Content Types:  All content types
    Purpose:        Allow DHCP clients to send DHCP requests to the DHCP server on the ISA Server 2004 firewall

Table 2 DHCP Reply (Server)

    Name:           DHCP Reply (Server)
    Action:         Allow
    Protocols:      DHCP (reply)
    From:           Local Host
    To:             Internal
    Users:          All Users
    Schedule:       Always
    Content Types:  All content types
    Purpose:        Allow the DHCP server on the ISA Server 2004 firewall machine to reply to DHCP requests made by Internal network DHCP clients

Table 3 Internal DNS Server to Forwarder

    Name:           Internal DNS Server to Forwarder
    Action:         Allow
    Protocols:      DNS
    From:           DNS Server*
    To:             Local Host
    Users:          All Users
    Schedule:       Always
    Content Types:  All content types
    Purpose:        Allow the Internal network DNS server to forward queries to the DNS forwarder on the ISA Server 2004 firewall machine

* User defined (a Computer object for the Internal network DNS server; 10.0.0.2 in this example)

Table 4 All Open

    Name:           All Open
    Action:         Allow
    Protocols:      All Outbound Traffic
    From:           Internal
    To:             External
    Users:          All Users
    Schedule:       Always
    Content Types:  All content types
    Purpose:        Allow Internal network clients access to all protocols and sites on the Internet

In addition to these Access Rules, if the External interface obtains its address from DHCP you must also change the firewall System Policy to allow DHCP replies from DHCP servers on the External network (see Configuring System Policy to Support Dynamic Addresses on the External Interface, below).

Perform the following steps to create the DHCP Request (Server) rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. In the Firewall Policy node, click the Tasks tab in the Task Pane. On the Task Pane, click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter DHCP Request (Server) in the Access Rule name text box. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and then click the Add button.
  6. In the Add Protocols dialog box, click the Infrastructure folder. Double click the DHCP (request) entry and then click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Computer Sets folder. Double click the Anywhere entry and click Close. The source is Anywhere rather than Internal because a DHCP client that does not yet have an address sends its request from 0.0.0.0, which is not part of the Internal network.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. In the Add Network Entities dialog box, click the Networks folder and then double click the Local Host entry. Click Close.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry, All Users, and click Next.
  15. On the Completing the New Access Rule Wizard page, review the settings and click Finish.

Perform the following steps to create the DHCP Reply (Server) rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. In the Firewall Policy node, click the Tasks tab in the Task Pane. On the Task Pane, click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter DHCP Reply (Server) in the Access Rule name text box. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and then click the Add button.
  6. In the Add Protocols dialog box, click the Infrastructure folder. Double click the DHCP (reply) entry and then click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Networks folder. Double click the Local Host entry and click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal entry. Click Close.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry, All Users, and click Next.
  15. On the Completing the New Access Rule Wizard page, review the settings and click Finish.

Perform the following steps to create the Internal DNS Server to Forwarder rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. In the Firewall Policy node, click the Tasks tab in the Task Pane. On the Task Pane, click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter Internal DNS Server to Forwarder in the Access Rule name text box. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and then click the Add button.
  6. In the Add Protocols dialog box, click the Infrastructure folder. Double click the DNS entry and then click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the New menu, then click Computer.
  10. In the New Computer Rule Element dialog box, enter Internal DNS Server in the Name text box. Enter 10.0.0.2 in the Computer IP Address text box. Click OK.
  11. In the Add Network Entities dialog box, click the Computers folder and then double click the Internal DNS Server entry. Click Close.
  12. Click Next on the Access Rule Sources page.
  13. On the Access Rule Destinations page, click the Add button.
  14. In the Add Network Entities dialog box, click the Networks folder and then double click the Local Host entry. Click Close.
  15. Click Next on the Access Rule Destinations page.
  16. On the User Sets page, accept the default entry, All Users, and click Next.
  17. On the Completing the New Access Rule Wizard page, review the settings and click Finish.

Perform the following steps to create the All Open rule:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then click the Firewall Policy node.
  2. In the Firewall Policy node, click the Tasks tab in the Task Pane. On the Task Pane, click the Create a New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter All Open in the Access Rule name text box. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the All outbound traffic option from the This rule applies to list and then click Next.
  6. On the Access Rule Sources page, click the Add button.
  7. In the Add Network Entities dialog box, click the Networks folder. Double click the Internal entry and click Close.
  8. Click Next on the Access Rule Sources page.
  9. On the Access Rule Destinations page, click the Add button.
  10. In the Add Network Entities dialog box, click the Networks folder and then double click the External entry. Click Close.
  11. Click Next on the Access Rule Destinations page.
  12. On the User Sets page, accept the default entry, All Users, and click Next.
  13. On the Completing the New Access Rule Wizard page, review the settings and click Finish.
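As an added example (not part of the original Quick Start Guide), the four rules from Tables 1 to 4 can also be created from a PowerShell session on the firewall through the ISA Server 2004 administration COM object model, which makes the policy reproducible and reviewable instead of being a sequence of wizard clicks. The object, method and enumeration names used here (FPC.Root, GetContainingArray, ArrayPolicy.PolicyRules.AddAccessRule, SourceSelectionIPs, AccessProperties.DestinationSelectionIPs, RuleElements.Computers and the numeric enumeration values) follow the ISA Server 2004 SDK scripting samples as I recall them and are assumptions to verify against the SDK reference before use; the built-in element names and the 10.0.0.2 DNS server address are the ones the guide uses.

```powershell
# Added example (not from the ISA Server 2004 Quick Start Guide): create the four
# Quick Start Access Rules through the ISA Server 2004 administration COM object
# model (FPC.Root) instead of the New Access Rule Wizard.
# Run from a PowerShell session on the firewall under an ISA Server administrator.
#
# ASSUMPTIONS: object, method and enumeration names follow the ISA Server 2004
# SDK scripting samples; check them against the SDK reference before relying on
# this script. "Internal", "External", "Local Host", "Anywhere", "DHCP (request)",
# "DHCP (reply)" and "DNS" are the built-in ISA Server 2004 rule element names.

# FPC enumeration values (assumed from the SDK).
$fpcPolicyRuleActionPermit = 0   # FpcPolicyRuleActions: Permit (Allow)
$fpcAllProtocols           = 0   # FpcProtocolSelectionType: "All outbound traffic"
$fpcSpecifiedProtocols     = 1   # FpcProtocolSelectionType: "Selected protocols"
$fpcInclude                = 0   # FpcIncludeStatus: include the referenced element
$fpcProtocolItemType       = 0   # item-type argument of SpecifiedProtocols.Add

$root     = New-Object -ComObject 'FPC.Root'
$isaArray = $root.GetContainingArray()
$rules    = $isaArray.ArrayPolicy.PolicyRules

# Computer object used as the source of Table 3. 10.0.0.2 is the address the guide
# uses for the Internal network DNS server; change it to match your network.
$dnsServerIp = '10.0.0.2'
$computers   = $isaArray.RuleElements.Computers
if (-not ($computers | Where-Object { $_.Name -eq 'Internal DNS Server' })) {
    $null = $computers.Add('Internal DNS Server', $dnsServerIp)
    $computers.Save()
}

function New-IsaAccessRule {
    # Creates an Allow rule. An empty $Protocols list means "All outbound traffic".
    # $From and $To map an FPCSelectionIPs collection name (Networks, Computers,
    # ComputerSets, ...) to the element names that the rule includes.
    param(
        [string]$Name,
        [string[]]$Protocols,
        [hashtable]$From,
        [hashtable]$To
    )
    $rule = $rules.AddAccessRule($Name)
    $rule.Action = $fpcPolicyRuleActionPermit
    if ($Protocols.Count -eq 0) {
        $rule.AccessProperties.ProtocolSelectionMethod = $fpcAllProtocols
    } else {
        $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
        foreach ($p in $Protocols) {
            $null = $rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcProtocolItemType)
        }
    }
    foreach ($kind in $From.Keys) {
        foreach ($element in $From[$kind]) {
            $null = $rule.SourceSelectionIPs.$kind.Add($element, $fpcInclude)
        }
    }
    foreach ($kind in $To.Keys) {
        foreach ($element in $To[$kind]) {
            $null = $rule.AccessProperties.DestinationSelectionIPs.$kind.Add($element, $fpcInclude)
        }
    }
    # Users (All Users), Schedule (Always) and Content Types keep the wizard defaults.
    $rule.Save()
    return $rule
}

# Tables 1 to 4, in the order the guide creates them.
$null = New-IsaAccessRule 'DHCP Request (Server)' @('DHCP (request)') `
        @{ ComputerSets = @('Anywhere') }          @{ Networks = @('Local Host') }
$null = New-IsaAccessRule 'DHCP Reply (Server)'   @('DHCP (reply)') `
        @{ Networks = @('Local Host') }            @{ Networks = @('Internal') }
$null = New-IsaAccessRule 'Internal DNS Server to Forwarder' @('DNS') `
        @{ Computers = @('Internal DNS Server') }  @{ Networks = @('Local Host') }
$null = New-IsaAccessRule 'All Open' @() `
        @{ Networks = @('Internal') }              @{ Networks = @('External') }

# Check: print the policy in evaluation order. ISA Server 2004 applies the first
# matching rule, so any Deny rule added later must sit above "All Open".
$position = 0
foreach ($r in $rules) {
    $position++
    '{0,2}. {1,-34} action={2}' -f $position, $r.Name, $r.Action
}
```

The final loop is the check a practitioner wants after scripting policy: it lists the rules in the order the firewall evaluates them. Re-open the ISA Server Management console afterwards and confirm the four rules appear in the Firewall Policy node with the sources, destinations and protocols from Tables 1 to 4.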

Your Access Rules should look like those in the figure below. In this example you do not need to reorder the rules, because none of them overlaps: the first three match only DHCP and DNS traffic to or from the Local Host network, and All Open matches traffic from Internal to External. ISA Server 2004 evaluates Access Rules from top to bottom and applies the first rule that matches, so when you later create more specific rules to control inbound and outbound access (for example, a Deny rule for a protocol you do not want leaving the network), you may need to move them above All Open for them to take effect. Treat All Open as a Quick Start convenience: in production, replace it with rules that allow only the protocols your users need. Click Apply to save the changes and update the firewall policy.

Configuring System Policy to Support Dynamic Addresses on the External Interface

ISA Server 2004 introduces the System Policy, a set of firewall policy rules that control how the ISA Server computer communicates with the network infrastructure elements needed to manage network security and connectivity. ISA Server 2004 is installed with a default System Policy designed to balance security and connectivity.

Some System Policy rules are enabled at installation. These are the most basic rules needed to manage the ISA Server environment. You can later identify the services and tasks you need to manage your network and enable the corresponding System Policy rules. Lock down the ISA Server 2004 System Policy after you have become more familiar with ISA Server 2004 operations; locking down the System Policy is not covered in this ISA Server 2004 Quick Start Guide.

System Policy rules are evaluated before the Access Rules created by the firewall administrator. Because the default DHCP System Policy rule accepts DHCP replies to the firewall only from the Internal network, you must modify that rule to allow the ISA Server 2004 firewall to communicate with DHCP servers on the External network when the External interface uses DHCP to obtain its IP addressing information.

Perform the following steps to configure this System Policy:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name in the left pane of the console and then click the Firewall Policy node. Click the Tasks tab in the Task Pane and then click the Edit System Policy link.
  2. In the System Policy Editor, locate the Network Services node in the Configuration Groups section and then click the DHCP entry.
  3. Click the From tab in the System Policy Editor and then click Add. In the Add Network Entities dialog box, click the Networks folder, double click External and click Close.
  4. In the System Policy Editor, the External network now appears in the This rule applies to traffic from these sources section. Click OK. Make this change only if the External interface actually obtains its address through DHCP; otherwise leave the rule at its default so the firewall accepts DHCP replies only from the Internal network. Click Apply to save the changes and update the firewall policy, and then click OK in the Apply New Configuration dialog box.

Configuring Dial-up Preferences (dial-up connections only)

You must configure Dial-up Preferences for ISA Server 2004 firewalls that use a dial-up connection to the Internet. The dial-up connection (connectoid) must already exist in Network Connections before you configure the Dial-up Preferences.

Perform the following steps to configure the Dial-up Preferences:

  1. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name in the left pane of the console and then expand the Configuration node. Click the General node.
  2. In the General node, click the Specify Dial-up Preferences link.
  3. In the Dialing Configuration dialog box, select the Allow automatic dialing to this network option so that the ISA Server 2004 firewall dials the connection automatically when a request arrives from a host on the Internal network. Select the External network from the list of networks under this option. Put a checkmark in the Configure this dial-up connection as the default gateway checkbox. This enables the ISA Server 2004 firewall to use the dial-up connection to reach the Internet.
  4. Click the Select button. In the Select Network Dial-up Connection dialog box, select the dial-up connection you created to connect to the Internet. Click OK.
  5. In the Dialing Configuration dialog box, click the Set Account button. In the Set Account dialog box, enter the user account that the dial-up connection uses to connect to the Internet. This is the account assigned to you by your ISP; do not use the Browse button to look it up, because it is not a Windows account. Enter the ISP account's password and confirm it in the Password and Confirm password text boxes. Click OK.
  6. Click Apply and then click OK in the Dialing Configuration dialog box.
  7. Click Apply to save the changes and update the firewall policy.
  8. Click OK in the Apply New Configuration dialog box.