Installing ISA Server 2004 in Windows Small Business Server 2003 R2

Updated: May 27, 2009

Applies To: Windows SBS 2003

In this document:

  • Before You Begin

  • Procedures

  • Installing Firewall Client

Note

The information in this document applies to Windows SBS 2003 R2 Premium Edition.

Important

If you have, or plan to have, any client computers running the Windows Vista™ operating system, install the “Update for Windows Small Business Server 2003: Vista and Outlook 2007 compatibility (KB 926505)” and some additional updates. You can download all of the necessary updates from the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkId=78386). Install the updates after you finish setting up the Windows SBS Premium Technologies.

After completing Windows SBS 2003 R2 Setup, you can use the Premium Technologies discs to install Internet Security and Acceleration (ISA) Server 2004 with Service Pack 1 (SP1) as your firewall, which requires that your server have at least two network adapters (one to connect to the Internet and one to connect to the local network). You should then install Firewall Client on each client computer.

Before You Begin

Before you begin to install ISA Server 2004 with SP1, Standard Edition, you should review the following important points:

  • It is important that you install Service Pack 2 (SP2) for ISA Server 2004 if you are also installing the Windows SBS 2003 R2 Technologies. SP2 for ISA Server 2004 resolves a known compatibility issue with Microsoft Management Console (MMC) 3.0, which is included in the R2 Technologies. To obtain SP2 for ISA Server 2004, see the downloads page for ISA Server 2004 at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=22657).

Note

After you install SP2 for ISA Server 2004, you also need to install an update that resolves known HTTP issues in SP2. To obtain the update, see Article 916106 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=67767).

  • To maintain the current authentication experience for your users, it is highly recommended that you save your existing certificate by exporting it before you begin to set up ISA Server 2004.

  • During the ISA Server installation process, you need to indicate that you are creating a new certificate. Later, you will import your saved certificate in order to maintain your current authentication experience for your users.

  • Disable any real-time antivirus software that you are running, because it might cause problems while you are running Setup. Remember to restart your antivirus software after Setup is complete.

Procedures

To export a certificate

  1. Click Start, click Run, and then type MMC.

  2. Click File, and then click Add/Remove Snap-in.

  3. Click Add.

  4. From the list that appears, select Certificates, and then click Add.

  5. Click Computer Account, and then click Next.

  6. Accept the default of Local Computer, and then click Finish.

  7. Click Close, and then click OK.

  8. Expand Certificates (Local Computer).

  9. Expand Personal.

  10. Expand Certificates.

  11. Maximize the snap-in window, and then write down the expiration date of the certificate that corresponds to your external domain. You will use this date to identify the certificate when you configure ISA Server later.

  12. Right-click the certificate corresponding to your external domain, point to All Tasks, then click Export.

  13. When the Certificate Export Wizard begins, click Next.

  14. Select Yes, export the private key, and then click Next.

  15. Accept the defaults on the Export File Format page, and then click Next.

  16. Enter a password, confirm the password, and then click Next.

  17. Enter a file name for the export file (it will have the extension .pfx), and then click Next.

  18. Write down the entire path and file name of the export file, and then click Finish.

  19. Click OK.

  20. Click File, and then click Exit to close the console.

  21. Click No to not save the console.

To install ISA Server 2004

  1. From the Autorun page of the Premium Technologies disc (D:\Setup.exe, where D is the letter of your CD drive), click Install Microsoft Internet Security and Acceleration (ISA) Server 2004.

Note

If Windows Small Business Server 2003 with Service Pack 1 came preinstalled on your server, your original equipment manufacturer (OEM) might have created a shortcut on the desktop for installing the Premium Technologies.

  2. On the Welcome page, click Next.

  3. When the End User License Agreement (EULA) page appears, review the licensing agreement. To continue, you must accept the agreement and click Next.

  4. When the Installation Path page appears, click Next to accept the default installation path.

  5. Click Finish to install and configure ISA Server 2004.

  6. After ISA Server Setup is complete, the Configure E-mail and Internet Connection Wizard appears. You must complete the wizard to properly configure your server to use ISA Server as your firewall. Click Next to begin.

  7. On the Connection Type page, even if you have previously run the wizard, you must select your connection type, and then continue through the wizard to the Firewall page.

  8. On the Firewall page, even if you have previously run the wizard, you must select Enable Firewall.

  9. On the Services Configuration page, select those services that you want to allow through the firewall. If you previously ran the wizard and defined custom services, you can open ICWdetails.htm from \Program Files\Microsoft Windows Small Business Server\Networking\ICW. Search for the section "Enable Basic Firewall and Remote Access" to see the list of firewall settings that were configured.

  10. On the Web Service Configuration page, select any services that you want to allow through the firewall.

  11. If you allowed access to Web services, the Web Server Certificate page appears.

    • If you have not previously run the wizard, select the type of certificate that you want to use.

    • If you have previously run the wizard, select Create a new Web server certificate, and then enter the same Web server name that was used in your previously existing certificate. Later, you will replace this new certificate with the one that you previously exported.

  12. On the Internet E-mail page, if you previously ran the wizard, select Do not change Internet e-mail configuration, and then complete the wizard.

  13. Your server restarts after the wizard finishes.

Important

Before you proceed, you should install the most recent service packs and updates for ISA Server 2004. You can download the most recent service packs and updates at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=22657).

Important

It is important that you install SP2 for ISA Server 2004 if you are also installing the Windows SBS 2003 R2 Technologies. SP2 for ISA Server 2004 resolves a known compatibility issue with Microsoft Management Console (MMC) 3.0, which is included in the R2 Technologies. To obtain SP2 for ISA Server 2004, see the downloads page for ISA Server 2004 at the Microsoft Web site (https://go.microsoft.com/fwlink/?LinkID=22657).

Note

After you install SP2 for ISA Server 2004, you also need to install an update that resolves known HTTP issues with SP2. To obtain the update, see Article 916106 in the Microsoft Knowledge Base (https://go.microsoft.com/fwlink/?LinkId=67767).

If you previously exported your existing certificate, you must now import it and then configure ISA Server Management to use it. To do this, complete the following two procedures.

To import a certificate

  1. Click Start, click Run, and then type MMC.

  2. Click File, and then click Add/Remove Snap-in.

  3. Click Add.

  4. From the list that appears, select Certificates, and then click Add.

  5. Click Computer Account, and then click Next.

  6. Accept the default Local Computer, and then click Finish.

  7. Click Close, and then click OK.

  8. Expand Certificates (Local Computer).

  9. Right-click the Personal folder, point to All Tasks, and then click Import.

  10. When the Certificate Import Wizard appears, click Next.

  11. On the File to Import page, click Browse.

  12. In the Files of Type drop-down box, select Personal Information Exchange (*.pfx,*.p12).

  13. Browse to or type the filename of the .pfx file that you exported previously, and then click Next.

  14. Enter the password you used to export the .pfx file, and then click Next.

  15. Verify that Place all certificates in the following store is selected, verify that the default store is Personal, and then click Next.

  16. Click Finish.
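
After the import, the Personal store can hold several certificates with the same name, and the expiration date is the only identifier this document records. The following added example (not part of the original Microsoft procedure) reads the thumbprint from the exported .pfx file and marks the matching entry in the Local Computer Personal store, so you can confirm which certificate is the imported one and that its private key arrived with it. It assumes Windows PowerShell is installed on the server; the file path is a hypothetical placeholder for the path you wrote down during the export.

```powershell
# Added example: identify the imported certificate by thumbprint.
# Assumption: $pfxPath is the export file path you wrote down earlier.
$pfxPath  = 'C:\export\sbs-external.pfx'   # hypothetical path; replace with your own
$password = Read-Host -AsSecureString 'Password used to export the .pfx file'

# Load the .pfx in memory only to read its identity; nothing is added to a store.
$fromFile = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($pfxPath, $password)

Write-Host 'Certificate in the export file:'
$fromFile | Format-List Subject, NotAfter, Thumbprint

# List every certificate in Certificates (Local Computer) > Personal and
# flag the one whose thumbprint equals the thumbprint of the export file.
$store = @(Get-ChildItem Cert:\LocalMachine\My)
$store |
    Sort-Object NotAfter |
    Select-Object @{Name = 'Imported'; Expression = { $_.Thumbprint -eq $fromFile.Thumbprint }},
                  NotAfter, HasPrivateKey, Thumbprint, Subject |
    Format-Table -AutoSize

$match = @($store | Where-Object { $_.Thumbprint -eq $fromFile.Thumbprint })

if ($match.Count -eq 0) {
    Write-Warning 'The exported certificate is not in the Personal store. Run the import procedure again.'
}
elseif (-not $match[0].HasPrivateKey) {
    # A Web listener cannot use a certificate that has no private key.
    Write-Warning 'The certificate was imported without its private key. Export it again with "Yes, export the private key" selected.'
}
else {
    Write-Host "Imported certificate found. Expires: $($match[0].NotAfter)  Thumbprint: $($match[0].Thumbprint)"
}

# Release the temporary copy of the private key that loading the .pfx created.
$fromFile.Reset()

# The .pfx file contains the private key. Keep it only where access is
# restricted, and remove working copies once the listener uses the certificate.
```

The expiration date printed for the matching entry is the same date you wrote down during the export, so it can still be used to pick the certificate in the next procedure.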

To specify the certificate using ISA Server Management

  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. Expand the console tree and click Firewall Policy.

  3. Click the Toolbox tab in the details pane.

  4. Click the Web Listeners folder.

  5. Right-click SBS Web listener, and then click Properties.

  6. On the SBS Web listener Properties page, click the Preferences tab.

  7. Verify that the Enable SSL check box is selected.

  8. Click the Select button next to the certificate text box.

  9. You will see multiple certificates with the same name. Select the certificate that you just imported, and then click OK.

Note

You can identify the correct certificate by the expiration date that you wrote down when you exported it.

Note

Do not select the publishing.yourdomain.local certificate.

  10. Click OK to close the SBS Web listener Properties page.

  11. Click Apply to save your changes and to update the configuration.

  12. Repeat this procedure for SBS CompanyWeb listener, if it exists in the Web Listeners folder.

Under normal circumstances, ISA Server 2004 is installed from the Premium Technologies disc by clicking the "Install Microsoft Internet Security and Acceleration Server 2004" link.

However, there are two reasons why you might need to start the ISA Server 2004 installation wizard from the command prompt:

  1. You receive the following error message while installing ISA Server 2004:

    "The system cannot validate the product key for Windows Small Business Server 2003. To proceed, you must enter the product key manually. For more information about how to manually enter the product key, see Premiuminstallsteps.htm, which is on the Premium Technologies disc. Look for the section titled 'To install ISA Server 2004 via the command line.'"

    In this instance, the installation of ISA Server 2004 does not complete because it cannot confirm the validity of the product key used for Windows SBS 2003 R2. ISA Server 2004 Setup requires the product key in order to finish successfully.

    You can start the ISA Server 2004 installation wizard by typing the following syntax at the command prompt:

    Sbsisa2k4setup /PID AAAAA-BBBBB-CCCCC-DDDDD-EEEEE
    

    where AAAAA-BBBBB-CCCCC-DDDDD-EEEEE (with or without dashes) represents your product key for Windows SBS R2.

  2. You want to reinstall ISA Server 2004 by using a configuration file that you saved previously. To do so, type the following syntax at the command prompt:

    Sbsisa2k4launch.exe /IMPORTFILE "C:\importfile.xml"
    

    where C:\importfile.xml represents the name of the configuration file. Make sure you use quotation marks around the name of the configuration file.

You can find Sbsisa2k4setup.exe on Premium Technologies Disc 1, in the ISASetup folder.

Installing Firewall Client

After you install ISA Server 2004, you must install Firewall Client on each client computer in order to access the Internet.

To install Firewall Client, it is recommended that you create a shared folder for the Firewall Client installation files, and then follow the instructions later in this document to use the Set Up Client Applications Wizard to deploy Firewall Client to each client computer. After completing the installation of all Premium Technologies on your server, create a full backup.

To add Firewall Client for deployment to client computers

  1. Click Start, and then click Server Management.

  2. In the console tree, double-click Client Computers, and then in the details pane, click Set Up Client Applications.

  3. On the Available applications page, click Add. The Application Information dialog box appears.

  4. In the Application Name box, type Firewall Client, and then in the Location of setup executable for this application box, type \\ServerName\Mspclnt\Setup.exe /v"SERVER_NAME_OR_IP=ServerName ENABLE_AUTO_DETECT=0 REFRESH_WEB_PROXY=1 /qn" where ServerName is the name of your server. There are no spaces within the command except before /v, ENABLE, REFRESH, and /qn.

  5. Follow the instructions to complete the wizard.

  6. When prompted to assign the new application to client computers, click Yes. The Assign Applications Wizard appears.

  7. Follow the instructions to complete the wizard.

Note

The Set Up Client Applications Wizard only works with client computers running Microsoft Windows 2000 Professional or Microsoft Windows XP Professional. If you have a client computer running a different operating system, you must manually connect to the shared folder from the client computer. From the client computer, click Start, click Run, and then type \\ServerName\Mspclnt\Setup.exe, where ServerName is the name of your server.

To check the name of your server, click Start, right-click My Computer, and then click Properties. The computer name is the first label, before the first period, in the Full computer name (for example, ServerName in ServerName.smallbusiness.local).

To deploy Firewall Client to the client computer

  1. Have the users log off and then log back on to the client computers. A shortcut to install Firewall Client appears on the desktop.

  2. Double-click the shortcut, and then complete the Firewall Client Wizard. Firewall Client will be automatically configured to connect to ISA Server on the computer running Windows Small Business Server R2.

Important


After completing Setup for the Premium Technologies, it is highly recommended that you back up your server. To do so, use the Backup Configuration Wizard (click Start, click Server Management, and then click Backup).

The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This White Paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

© 2007 Microsoft Corporation. All rights reserved.

Microsoft and Windows are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.

All other trademarks are property of their respective owners.