Install ISA Server Firewall Servers and Add Them to the Array

Now that you have created an array, you can add Microsoft Internet Security and Acceleration (ISA) Server computers to the array. Perform this procedure for each computer you want to add to the array.

In a workgroup configuration, ensure that there are mirrored local accounts (same user name and password) for the accounts that will be used to manage the array.

Tasks

  1. Prepare the Firewall Array Servers, ISA01 and ISA02
  2. Ensure Name Resolution on ISA Firewall Servers
  3. Copy the Trusted Root CA Certificate from ISACS01
  4. Add Servers to the ISA Server Array
  5. Set Up Intra-Array Credentials
  6. Reconnect Using the Intra-Array Credentials
  7. Configure Network Load Balancing on the ISA Firewall Servers
  8. Verify the Network Load Balancing Configuration

Prepare the Firewall Array Servers, ISA01 and ISA02

Perform a default installation of Microsoft Windows Server 2003 R2 on ISA01 and ISA02. This is a two-stage process: first install Windows Server 2003 with SP1, and then install the Windows Server 2003 R2 components on top of it.

Procedure DWISA.11: To install Windows Server 2003 R2 on ISA01 and ISA02

  1. Perform a default installation of Windows Server 2003, Standard Edition (with Service Pack 1 integrated), by using the CD boot method. Install the Support Tools from the Windows Server 2003 CD. Use appropriate naming conventions for your environment.
  2. After Setup for Windows Server 2003 with SP1 is complete, log on to the computer as an administrator. Insert Disc 2 into your CD-ROM drive. Setup for Disc 2 should start automatically. If it does not, browse to Disc 2 (or the shared folder that contains the Setup files) and, in the \Cmpnents\R2 folder, click Setup2.exe. Follow the instructions on your screen to upgrade to R2.

Prepare ISA01 and ISA02 by enabling Remote Desktop, installing Microsoft .NET Framework 2.0, installing the Windows Server 2003 Support Tools, and installing the latest updates from Microsoft.

Procedure DWISA.12: To prepare ISA01 and ISA02

  1. Enable Remote Desktop. Click Start, point to Control Panel, click System, and then, on the Remote tab, select Enable Remote Desktop on this computer.
  2. Install the Microsoft .NET Framework 2.0.
  3. Install Support Tools from the Support Tools directory on the Windows Server 2003 CD.
  4. Apply any released updates to Windows Server 2003 by using Microsoft Update.

Ensure Name Resolution on ISA Firewall Servers

You will not be able to join the ISA servers into the array unless they can resolve the fully qualified domain name (FQDN) of the ISA configuration server. You will need to edit the Hosts file on ISA01 and ISA02, adding a record for the FQDN of the ISA configuration server.

Procedure DWISA.13: To ensure name resolution on ISA firewall servers

  1. Log on to ISA01 as a member of the local Administrators group.

  2. Open a command prompt.

  3. Type cd c:\windows\system32\drivers\etc, and then press ENTER.

  4. Edit the Hosts file in Notepad by typing notepad.exe hosts, and then pressing ENTER.

  5. In the Hosts file, create a new entry with the FQDN and IP address of ISACS01:

     172.16.40.10 isacs01.fabrikam.com

    Note

    The IP address shown above is simply an example. Be sure to enter the correct IP address for the FQDN of the ISA Configuration Server in your environment.

  6. Make sure to add a carriage return at the end of the line, and then save and close the Hosts file.

  7. At the command prompt, ping the FQDN of the ISA Configuration Server to verify that you can now resolve the name:

     ping isacs01.fabrikam.com

  8. Repeat this procedure on ISA02.
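Steps 3 to 7 of this procedure, scripted for one firewall server as an added example (not part of the original TechNet page). It uses the sample address and FQDN shown above, assumes Windows is in %SystemRoot%, and must be run from a command prompt opened by a member of the local Administrators group so the Hosts file is writable.

```batch
@echo off
rem Added example, not part of the original TechNet procedure: performs steps 3
rem to 7 of Procedure DWISA.13 on one firewall server. The IP address and FQDN
rem are the page's sample values; replace them with those of ISACS01 in your
rem environment. Run from a command prompt as a member of local Administrators.
setlocal
set CSS_IP=172.16.40.10
set CSS_FQDN=isacs01.fabrikam.com
set HOSTS=%SystemRoot%\system32\drivers\etc\hosts

rem If the Hosts file already mentions the FQDN, show the line instead of
rem adding a duplicate, so a stale or commented-out entry can be fixed by hand.
findstr /I /C:"%CSS_FQDN%" "%HOSTS%" >nul
if %errorlevel%==0 (
    echo Hosts file already contains an entry for %CSS_FQDN%:
    findstr /I /C:"%CSS_FQDN%" "%HOSTS%"
) else (
    rem echo. appends an empty line first, so the new entry starts on its own
    rem line even if the file did not end with a line break. Each echo ends its
    rem output with CR LF, which is the carriage return that step 6 requires.
    >>"%HOSTS%" echo.
    >>"%HOSTS%" echo %CSS_IP% %CSS_FQDN%
    echo Added "%CSS_IP% %CSS_FQDN%" to %HOSTS%
)

rem Step 7: resolve the name and reach the Configuration Storage server with a
rem single echo request. ping returns a non-zero exit code when no reply arrives.
ping -n 1 %CSS_FQDN% >nul
if errorlevel 1 (
    echo FAILED: %CSS_FQDN% did not reply. Check the address in the Hosts file
    echo and that ISACS01 is reachable from this server.
    exit /b 1
)
echo OK: %CSS_FQDN% resolved and replied to ping.
endlocal
```

Run the script once on ISA01 and once on ISA02; a non-zero exit code means the array join in the next procedures will also fail until the entry is corrected.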

Copy the Trusted Root CA Certificate from ISACS01

In this procedure you will copy the trusted root CA certificate from ISACS01 to the ISA firewall servers, ISA01 and ISA02.

Procedure DWISA.14: To copy the trusted root CA certificate from ISACS01

  1. Log on to ISA01 as a member of the local Administrators group.
  2. Map a drive to \\ISACS01\certEnroll using the fabrikam\administrator credentials.
  3. Copy the .CRT file (for example, ISACS01.fabrikam.com_ISACS01.crt) from the share to C:\ on ISA01.
  4. Repeat this procedure on ISA02.

Add Servers to the ISA Server Array

Procedure DWISA.15: To add servers to the ISA Server array

  1. Log on to ISA01 using the local Administrator account.

  2. Insert the ISA Server CD into the CD drive, or run ISAautorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Enter your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install ISA Server Services, and then click Next.

  8. On the Component Selection page, review the settings, and then click Next.

  9. On the Locate Configuration Storage Server page, specify ISACS01.fabrikam.com. On this page, you will have to provide the credentials of an enterprise or array administrator, in order to connect to the Configuration Storage server. Select Connect using this account, enter fabrikam\Administrator, specify the correct password, and then click Next.

  10. On the Array Membership page, select Join an Existing Array, and then click Next.

  11. On the Join an Existing Array page, click Browse to open the Arrays to join dialog box, and then select the array from the list. Click Next.

  12. On the Configuration Storage Server Authentication Options page, select Authentication over SSL encrypted channel.

  13. Select Install a trusted Root CA certificate, browse to the location of the root certificate which you copied locally in the previous procedure (for example, C:\ISACS01.fabrikam.com_ISACS01.crt) and then click Open.

  14. Click Next.

  15. This step will only take place on the first server you install in the array. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. You can map your internal network to an enterprise network:

    1. Click Add to open the Addresses dialog box.
    2. Click Add Network.
    3. Select Internal (the name of the enterprise network you created earlier), and then click OK.
    4. In the Addresses dialog box, click OK.
  16. On the Services Warning page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.

    Note

    On the first server you install in the array, you may see a System Policy Configuration screen. If this occurs, click Next.

  17. Click Install.

  18. After the installation is complete, click Finish.

    Note

    If you are using Remote Desktop Protocol (RDP) to connect to the ISA server, you will be disconnected once the firewall service starts. You will need to log on at the terminal in order to finish the installation.

  19. You may be prompted to restart the computer. Even if you are not prompted, reboot ISA01.

  20. Repeat this procedure on ISA02.

Set Up Intra-Array Credentials

In order for the servers in the firewall array to communicate with each other, intra-array credentials must be configured on the Configuration Server. You will set the intra-array credentials to use mirrored local Administrator accounts on each firewall computer.

Note

Do not set up intra-array credentials until all of the firewall servers have joined the array. Also, ensure the local Administrator accounts on ISA01 and ISA02 are configured with the same password.

Procedure DWISA.16: To set up intra-array credentials

  1. On ISACS01, in the ISA Server 2006 Management Console, expand Arrays in the left pane, and then right-click the array you created earlier.
  2. Select Properties, and then click the Intra-Array Credentials tab.
  3. Select Authenticate using this account (for workgroup configuration only).
  4. Click Set Account and enter the Administrator account and password for the mirrored Administrator accounts on the firewall computers.
  5. Click OK to close the Properties dialog box.
  6. Click Apply in the upper pane of the Management Console to apply the changes. Do not close the ISA Server 2006 Management Console; you will continue to use it in the next procedure.

Reconnect Using the Intra-Array Credentials

Note

You will not be able to view the status of the ISA firewall computers until you reconnect, specifying the intra-array credentials.

Procedure DWISA.17: To reconnect specifying intra-array credentials

  1. Right-click the top level Microsoft Internet Security and Acceleration Server 2006 node in the left navigation pane, and then click Connect to Configuration Storage Server.
  2. The Enterprise Connection Wizard will launch. Click Next.
  3. On the Configuration Storage Server Location page, select On local computer, and then click Next.
  4. On the Array Connection Credentials page, select Different Credentials, and then click Next.
  5. On the Array Connection Credentials Details page, select Credentials of the following user, and specify the mirrored local Administrator account for the two ISA firewall servers. Leave the Domain field empty, click Next, and then click Finish.
  6. Expand Arrays, expand the array name, expand the Configuration node, and then click Servers.
  7. Verify that you can see the two ISA firewalls, ISA01 and ISA02.

Configure Network Load Balancing on the ISA Firewall Servers

ISA Server 2006 Enterprise Edition supports Network Load Balancing (NLB) in integrated mode, which lets you configure and manage NLB settings from within the ISA Server Management Console. In addition, ISA Server 2006 Enterprise Edition supports:

Multiple NLB instances working in tandem: you can run NLB on both the inward-facing (internal) NICs and the outward-facing (external) NICs.

Bi-directional affinity: ensures that the traffic belonging to a connection routed through one ISA Server in the array is load balanced back to that same server.

Procedure DWISA.18: To configure load balancing on the ISA firewall servers

  1. Log on to ISACS01 using an account that has ISA Server Array Administrator permissions.

  2. Run the ISA Server Management Console.

  3. Expand Arrays, expand the name of the array, expand Configuration, and then click Networks.

  4. In the far right pane, click the Tasks tab.

  5. In the Related Tasks list, click Enable Network Load Balancing Integration.

  6. The Network Load Balancing Wizard will start. Click Next.

  7. In the list of available networks, select the External check box. Click External, and then click Set Virtual IP. Enter the new virtual IP address and subnet mask. Click OK.

    Note

    The new virtual IP address must be on the same TCP/IP subnet as the dedicated external IP addresses of the ISA firewalls.

  8. In the list of available networks, select the Internal check box. Click Internal, and then click Set Virtual IP. Enter the new virtual IP address and subnet mask. Click OK then click Next.

    Note

    The new virtual IP address must be on the same TCP/IP subnet as the dedicated internal IP addresses of the ISA firewalls.

  9. In the Completing the Network Load Balancing Wizard dialog box, click Finish.

  10. In the top-center pane, click Apply. A warning will appear indicating that changes will be applied only after one or more services are restarted. Select Save the changes and restart the services, then click OK to dismiss the dialog box.

  11. Restart ISA01 and ISA02.

    Important

    Network Load Balancing will not function correctly until you reboot both firewall nodes (ISA01 and ISA02).

Verify the Network Load Balancing Configuration

Finally, verify that load balancing is working by reviewing system log entries for Event IDs 28 or 29.

Procedure DWISA.19: To verify the network load balancing configuration

  1. After ISA01 and ISA02 have been rebooted, log on to ISA01 using the local Administrator account.

  2. Open the Event Viewer, and then click the System event log.

  3. Look for Event ID 28 or 29, Source WLBS. The description for the event should tell you that the hosts have successfully converged into the NLB cluster.

    Note

    If you enable NLB integration (using the process just described), do not make any NLB configuration changes using the NLB-provided tools. ISA Server monitors the NLB configuration and will override any changes that you make. If you want to temporarily stop NLB, do so from the Services tab of the Monitoring node in the ISA Server Management Console.
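The check in step 3, scripted as an added example that is not part of the original TechNet page: it lists the WLBS convergence events from the System log with WMIC, then confirms the host state with the read-only wlbs query command, which is assumed to be installed with the NLB component on Windows Server 2003. Neither command changes the NLB configuration, so the note above still holds.

```batch
@echo off
rem Added example, not part of the original TechNet procedure: verifies on one
rem ISA firewall node that NLB has converged, first from the System event log
rem as in step 3 of Procedure DWISA.19, then with the read-only "wlbs query"
rem command. Run it on ISA01 and again on ISA02 after both have been rebooted.
setlocal

echo === WLBS Event ID 28 or 29 entries in the System log ===
rem WMIC queries the Win32_NTLogEvent class; EventCode is the Event ID shown in
rem Event Viewer and SourceName is the Source column. No rows means NLB has not
rem converged on this host, or the service has not started since the reboot.
wmic ntevent where "Logfile='System' and SourceName='WLBS' and (EventCode=28 or EventCode=29)" get EventCode,TimeGenerated,Message

echo.
echo === Current NLB state reported by wlbs query ===
rem wlbs query only reads cluster state; it makes no configuration change, so it
rem does not conflict with the integrated-mode rule in the note above.
wlbs query

rem The status line contains "converged" once this host is part of the cluster;
rem "converging" or "stopped" means it is not there yet.
wlbs query | find /I "converged" >nul
if errorlevel 1 (
    echo RESULT: this host has NOT converged into the NLB cluster.
    exit /b 1
)
echo RESULT: this host has converged into the NLB cluster.
endlocal
```

If the event query returns rows on ISA01 but not on ISA02, reboot ISA02 again and re-run the script there before changing anything in the console.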