Step 2: Installing and Configuring ISA-SRV

Applies To: Windows Server 2008, Windows Server 2008 R2

ISA Server 2006 Standard Edition is an integrated edge security gateway that can be used with AD RMS to restrict Internet access to the AD RMS cluster. The ISA server terminates every request from the Internet to the AD RMS extranet cluster URLs and forwards only the permitted ones to the AD RMS cluster.

To install and configure ISA Server 2006 Standard Edition to work with AD RMS, you must complete the following steps:

  • Configure the ISA Server (ISA-SRV)

  • Publish AD RMS cluster to extranet

Configure the ISA Server (ISA-SRV)

First, install Windows Server 2003 on a stand-alone server. ISA Server 2006 is supported only on Windows Server 2003, so ISA-SRV runs Windows Server 2003 even though the other servers in this guide run Windows Server 2008.

To install Windows Server 2003, Standard Edition

  1. Start your computer by using the Windows Server 2003 product CD.

  2. Follow the instructions that appear on your computer screen, and when prompted for a computer name, type ISA-SRV.

Next, configure TCP/IP properties so that ISA-SRV has a static IP address of 10.0.0.5 and a preferred DNS server of 10.0.0.1 on the first network adapter. This adapter faces the internal network and becomes the ISA Internal network. On the second network adapter, which faces the Internet and becomes the ISA External network, use 10.0.100.1 as the IP address and configure no DNS server.

To configure TCP/IP properties on ISA-SRV

  1. Log on to ISA-SRV as a member of the local Administrators group.

  2. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection, and then click Properties.

  3. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  4. Click the Use the following IP address option. In the IP address box, type 10.0.0.5. In the Subnet mask box, type 255.255.255.0. In the Preferred DNS server box, type 10.0.0.1.

  5. Click OK, and then click Close to close the Local Area Connection Properties dialog box.

  6. Click Start, point to Control Panel, point to Network Connections, click Local Area Connection 2, and then click Properties.

  7. On the General tab, click Internet Protocol (TCP/IP), and then click Properties.

  8. Click the Use the following IP address option. In the IP address box, type 10.0.100.1. In the Subnet mask box, type 255.255.255.0.

  9. Click OK, and then click Close to close the Local Area Connection 2 Properties dialog box.

Next, join ISA-SRV to the cpandl.com domain.

To join ISA-SRV to the cpandl.com domain

  1. Click Start, right-click My Computer, and then click Properties.

  2. Click the Computer Name tab, and then click Change.

  3. In the Computer Name Changes dialog box, select the Domain option, and then type cpandl.com.

  4. Click More, and type cpandl.com in Primary DNS suffix of this computer box.

  5. Click OK, and then click OK again.

  6. When a Computer Name Changes dialog box appears prompting you for administrative credentials, provide the credentials for CPANDL\Administrator, and then click OK.

  7. When a Computer Name Changes dialog box appears welcoming you to the cpandl.com domain, click OK.

  8. When a Computer Name Changes dialog box appears telling you that the computer must be restarted, click OK, and then click Close.

  9. Click Restart Now.

Next, import the server authentication certificate that contains the private key into the Personal certificate store of the local computer on ISA-SRV. The Web listener that you create later terminates the SSL connections from Internet clients, so the private key must be available on ISA-SRV.

To import the server authentication certificate to the ISA-SRV computer

  1. Log on to ISA-SRV as a member of the local Administrators group.

  2. Click Start, click Run, type mmc.exe, and then press ENTER.

  3. Click File, and then click Add/Remove Snap-in.

  4. Click Add, select Certificates, and then click Add.

  5. Select the Computer Account option, click Next, and then click Finish.

  6. Click Close, and then click OK.

  7. Expand Certificates, and then expand Personal.

  8. Right-click Certificates in the console tree, point to All Tasks, and then click Import.

  9. On the Welcome to the Certificate Import wizard page, click Next.

  10. In the File name box, type \\adrms-db\public\adrms-srv_with_key.pfx, click OK, and then click Next.

  11. Type the password used to export the certificate, and then click Next.

  12. Click Next, and then click Finish.

  13. Click OK confirming that the import was successful.

  14. Close the Certificates console.

Finally, install ISA Server 2006 Standard Edition.

To install ISA Server 2006 Standard Edition

  1. Log on to ISA-SRV as a member of the local Administrators group.

  2. Insert the ISA Server 2006 Standard Edition product CD.

  3. Click Install ISA Server 2006.

  4. On the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page, click Next.

  5. Select the I accept the terms in the license agreement option, and then click Next.

  6. Type your ISA Server product key in the Product Serial Number box, and then click Next.

  7. Select the Typical option, and then click Next.

  8. On the Internal Network page, click Add, click Add Adapter, select the Local Area Connection check box, click OK, and then click OK again. This defines the ISA Internal network as the address range of the adapter that has the 10.0.0.5 address.

  9. Click Next three times, and then click Install.

  10. When the installation is complete, click Finish.

  11. Click OK. Read the information if desired, and then close Internet Explorer.

  12. Click Exit to close Microsoft ISA Server 2006 Setup.
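The preparation of ISA-SRV described above (static addressing, import of the server authentication certificate with its private key, and the domain join) can also be done from a command line. The following script is an added example and is not part of the original guide. It assumes that PowerShell and the Windows Server 2003 Support Tools (for netdom.exe) are installed on ISA-SRV, and it reuses the adapter names, addresses, domain and PFX path from the procedures above. ISA Server Setup itself is still run from the product CD.

```powershell
# Added example (not from the original guide): command-line equivalent of the
# ISA-SRV preparation steps. Assumes PowerShell and the Windows Server 2003
# Support Tools (netdom.exe) are present; adapter names, addresses and the PFX
# path are the ones used in the guide.
$ErrorActionPreference = 'Stop'

# --- 1. Static addressing ---------------------------------------------------
# "Local Area Connection" faces the internal network and points DNS at the
# domain controller. "Local Area Connection 2" is the external interface and
# deliberately gets no DNS server, so ISA-SRV never resolves names externally.
netsh interface ip set address name="Local Area Connection"   source=static addr=10.0.0.5   mask=255.255.255.0
netsh interface ip set dns     name="Local Area Connection"   source=static addr=10.0.0.1
netsh interface ip set address name="Local Area Connection 2" source=static addr=10.0.100.1 mask=255.255.255.0

# --- 2. Import the server authentication certificate with its private key ---
# The Web listener terminates SSL for Internet clients, so the private key has
# to end up in the local computer's Personal (My) store. The export password is
# read at the prompt instead of being passed on the command line, where
# "certutil -p <password>" would leave it in the console history.
$pfxPath     = '\\adrms-db\public\adrms-srv_with_key.pfx'
$pfxPassword = Read-Host -AsSecureString 'Password used when the PFX was exported'
$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags] 'MachineKeySet, PersistKeySet'
$cert  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($pfxPath, $pfxPassword, $flags)
if (-not $cert.HasPrivateKey) {
    throw 'The PFX did not contain a private key; the ISA Web listener cannot use this certificate.'
}
$my = New-Object System.Security.Cryptography.X509Certificates.X509Store ('My', 'LocalMachine')
$my.Open('ReadWrite')
$my.Add($cert)
$my.Close()
'Imported {0} (thumbprint {1}) into LocalMachine\My' -f $cert.Subject, $cert.Thumbprint

# --- 3. Join cpandl.com and restart ----------------------------------------
# /passwordd:* makes netdom prompt for the CPANDL\Administrator password;
# /reboot:30 restarts the computer 30 seconds after the join, as the GUI
# procedure requires.
netdom join ISA-SRV /domain:cpandl.com /userd:CPANDL\Administrator /passwordd:* /reboot:30
```

Run the script in an elevated console on ISA-SRV before installing ISA Server. The PFX is imported before the domain join so that the whole script completes before the restart; the order does not matter to the certificate store, which is local to the computer.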

Publish AD RMS cluster to extranet

ISA Server 2006 Standard Edition requires that a Web listener be configured for a specified port. In this guide, you use TCP port 443 (SSL) so that traffic between the clients and the ISA server is encrypted. In this section, you publish the AD RMS Web site through the ISA server. This involves publishing the AD RMS extranet cluster URL on this ISA server and configuring the rule so that clients authenticate directly to the AD RMS server rather than to ISA (no credential delegation). Because a self-signed certificate is used for the AD RMS cluster in this guide, ISA-SRV does not trust the certificate that the AD RMS server presents on the bridged SSL connection to 10.0.0.2. You must therefore also place a copy of that certificate in the Trusted Root Certification Authorities store of the local computer. Copy it rather than move it: the Web listener loads its certificate and private key from the Personal store.

First, publish the AD RMS cluster on ISA-SRV.

To publish AD RMS in ISA Server 2006 Standard Edition

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. Expand ISA-SRV, and then click Firewall Policy.

  3. Click the Tasks tab, and then click Publish Web Sites.

  4. In the Web publishing rule name box, type AD RMS Extranet, and then click Next.

  5. Click Next twice, accepting the default selections (rule action Allow; publish a single Web site or load balancer).

  6. Select the Use SSL to connect to the published Web server or server farm option, and then click Next.

  7. In the Internal Site Name box, type adrms-srv.cpandl.com.

  8. Select the Use a computer name or IP address to connect to the published server check box, type 10.0.0.2 in the Computer name or IP address box, and then click Next.

  9. In the Path (optional) box, type /*, select the Forward the original host header instead of the actual one specified in the Internal site name field on the previous page check box, and then click Next.

  10. In the Public name box, type adrms-srv.cpandl.com, and then click Next.

  11. Click New to create a new Web listener.

  12. In the Web listener name box, type HTTPS Port 443, and then click Next.

  13. Select the Require SSL secured connections with clients option, and then click Next.

  14. Select the External check box, and then click Next.

  15. Select the Use a single certificate for this Web listener option, and then click Select Certificate.

  16. Click the ADRMS-SRV.cpandl.com certificate, click Select, and then click Next.

  17. In the Select how clients will provide credentials to ISA Server box, select No Authentication, click Next, and then click Next again.

  18. Click Finish to close the New Web Listener Wizard.

  19. Click Next.

  20. Click No delegation, but client may authenticate directly, and then click Next.

  21. Click Next to apply this Web publishing rule to all users.

  22. Click Finish.

  23. Click Apply to save changes and update your configuration, and then click OK.

Finally, copy the ADRMS-SRV server authentication certificate from the Personal certificate store to the Trusted Root Certification Authorities store, leaving the original in the Personal store for the Web listener:

To copy the ADRMS-SRV server authentication certificate

  1. Click Start, and then click Run.

  2. Type mmc.exe, and then click OK.

  3. Click File, and then click Add/Remove Snap-in.

  4. Click Add, click Certificates, click Add, select the Computer account option, and then click Next.

  5. Click Finish, click Close, and then click OK.

  6. Expand Certificates (Local computer), expand Personal, and then expand Trusted Root Certification Authorities.

  7. Click Certificates under Personal in the console tree.

  8. Right-click the ADRMS-SRV.cpandl.com certificate in the details pane, and then click Copy. Right-click the Certificates folder under Trusted Root Certification Authorities, and then click Paste. Confirm that the certificate is now listed under both Personal and Trusted Root Certification Authorities.

  9. Close the Certificates console.
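The trust-store step and the resulting configuration can be verified from a command line. The following script is an added example and is not part of the original guide. It assumes that the ADRMS-SRV.cpandl.com certificate is already in the local computer's Personal store with its private key (as imported earlier in this step), that it is run on ISA-SRV or on a machine with the same certificate in its Personal store, and that adrms-srv.cpandl.com resolves to the Web listener's external address from where the script runs. It copies only the public part of the certificate into the Trusted Root store, then connects to the listener and checks that the certificate presented is the expected one and that a request is forwarded to the published server.

```powershell
# Added example (not from the original guide): copy the public certificate into
# LocalMachine\Root and verify the ISA Web listener. Assumes the certificate is
# in LocalMachine\My with its private key and that adrms-srv.cpandl.com resolves
# to the listener from this machine.
$ErrorActionPreference = 'Stop'
$publicName = 'adrms-srv.cpandl.com'

function Get-ListenerCertificate {
    param([string]$Subject)
    $my = New-Object System.Security.Cryptography.X509Certificates.X509Store ('My', 'LocalMachine')
    $my.Open('ReadOnly')
    # The listener certificate must still be in the Personal store and still
    # have its private key; without it ISA cannot terminate SSL.
    $cert = $my.Certificates |
        Where-Object { $_.Subject -match [regex]::Escape($Subject) -and $_.HasPrivateKey } |
        Select-Object -First 1
    $my.Close()
    if (-not $cert) { throw "No certificate for $Subject with a private key in LocalMachine\My." }
    return $cert
}

function Add-ToTrustedRoot {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Certificate)
    # Trust only needs the public certificate. RawData is the DER-encoded
    # certificate without any private-key association, so the Root store never
    # references the key container.
    $publicOnly = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$Certificate.RawData)
    $root = New-Object System.Security.Cryptography.X509Certificates.X509Store ('Root', 'LocalMachine')
    $root.Open('ReadWrite')
    $root.Add($publicOnly)      # no-op if the certificate is already present
    $found = $root.Certificates.Find('FindByThumbprint', $Certificate.Thumbprint, $false)
    $root.Close()
    return ($found.Count -eq 1)
}

function Test-Listener {
    param([string]$HostName, [string]$ExpectedThumbprint)
    $client = New-Object System.Net.Sockets.TcpClient ($HostName, 443)
    # Accept any certificate in the callback: a self-signed certificate fails
    # chain validation, so the thumbprint is compared explicitly below instead.
    $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream ($client.GetStream(), $false, $acceptAny)
    try {
        $ssl.AuthenticateAsClient($HostName)
        $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 ($ssl.RemoteCertificate)
        if ($presented.Thumbprint -ne $ExpectedThumbprint) {
            throw "Listener presented $($presented.Subject) ($($presented.Thumbprint)); expected $ExpectedThumbprint."
        }
        # One request through the listener. A status line from the published
        # AD RMS Web site (rather than a connection failure or an ISA error
        # page) shows that the rule forwards /* to the internal server.
        $request = [System.Text.Encoding]::ASCII.GetBytes("HEAD / HTTP/1.1`r`nHost: $HostName`r`nConnection: close`r`n`r`n")
        $ssl.Write($request, 0, $request.Length)
        $reader = New-Object System.IO.StreamReader ($ssl)
        return $reader.ReadLine()
    }
    finally {
        $ssl.Close()
        $client.Close()
    }
}

$cert = Get-ListenerCertificate -Subject "CN=$publicName"
if (-not (Add-ToTrustedRoot -Certificate $cert)) { throw 'Certificate not found in LocalMachine\Root after copy.' }
"Listener certificate : $($cert.Subject) [$($cert.Thumbprint)]"
"Status line via ISA  : $(Test-Listener -HostName $publicName -ExpectedThumbprint $cert.Thumbprint)"
```

Placing a self-signed server certificate in the Trusted Root store is acceptable for this lab, because the same certificate is used on both the ISA listener and the AD RMS server. In a production deployment, issue the AD RMS server certificate from a CA whose root ISA-SRV already trusts, so that the Root store only ever contains CA certificates.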