Branch Deployment of ISA Server 2004 Enterprise Edition

You can install Microsoft Internet Security and Acceleration (ISA) Server 2004 Enterprise Edition in a variety of topologies. When you configure a branch, there are two basic configuration options that you must consider:

  • The nature of the domain relationship between the branch office and the main office. The branch may be in the same domain as the main office, in a child domain, in a separate domain with trust between the domains, or in a workgroup.
  • The kind of connectivity that exists between the branch office and the main office before you install ISA Server in the branch. ISA Server provides secure site-to-site virtual private networking functionality between the branch and main offices. However, that functionality cannot be provided to the branch before ISA Server is installed. Options for providing initial connectivity are discussed in this document.

In deploying ISA Server in a branch, you must consider the general scenario, the topology of your ISA Server deployment, and how to establish connectivity with the main office.

Notes

  • We recommend that wherever possible, the Configuration Storage server and ISA Server services be installed on separate computers, so that the Configuration Storage server can be behind the computer running ISA Server services. General deployment recommendations for ISA Server Enterprise Edition are provided in the document Deployment Guidelines for ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site.
  • When you install Windows Server 2003 Service Pack 1 (SP1) on a Configuration Storage server, it automatically enables the Windows Firewall. Disable the Windows Firewall on your Configuration Storage servers immediately after installing SP1, because it will prevent communication between ISA Server array members and the Configuration Storage servers.
  • Any user who has administrative rights on a computer hosting a Configuration Storage server is able to directly modify ADAM on that computer. Therefore, from a security point of view, that user has the same rights as an ISA Server enterprise administrator. A user who is an ISA Server array administrator is also a local administrator on the computer or computers running ISA Server services. If one of those computers also hosts a Configuration Storage server, that array administrator should be viewed (from a security point of view) as having ISA Server enterprise administrator rights.
  • You may want to install ISA Server in a workgroup. Workgroup scenarios are covered in the document ISA Server 2004 Enterprise Edition in a Workgroup, at the ISA Server 2004 Guidance Web site.
  • You can use Windows authentication for replication of Configuration Storage servers that are in separate domains, as long as there is a trust relationship between the forests of the domains. Otherwise, use certificate authentication, which is described in the document ISA Server 2004 Enterprise Edition in a Workgroup, at the ISA Server 2004 Guidance Web site. If you attempt to use Windows authentication for replication of a Configuration Storage server that is in an untrusted domain, the installation will fail.
  • A detailed description of how to deploy a hub and spoke or mesh virtual private network (VPN) configuration is provided in the document Virtual Private Network Deployment Scenarios in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site.

ISA Server Deployment

A Configuration Storage server is a server on which the configuration for all the arrays in the enterprise is stored. The Configuration Storage server uses Active Directory Application Mode (ADAM) for storage. When you install the Configuration Storage server, you also automatically install ADAM on the computer. When you configure arrays in the enterprise, you are changing the information in the Configuration Storage server. The ISA Server 2004 Enterprise Edition computers then periodically access the Configuration Storage server to check whether there is any configuration change, and update their local (registry-based) storage to reflect the recent changes in the enterprise.

Each enterprise requires at least one Configuration Storage server. Additional replicate Configuration Storage servers provide fault tolerance and preserve connectivity where site-to-site VPN connections are used. We recommend that you install a replicate Configuration Storage server in each branch that is a key data center, and in each branch that connects to other offices using a site-to-site VPN connection. This will allow continued full functioning of ISA Server in the event that connectivity is interrupted.

Note that slow communication links may affect Configuration Storage server replication. For more information about managing Configuration Storage server replication, see the ISA Server Deployment Guidelines at the ISA Server 2004 Guidance Web site (http://www.microsoft.com).

When you install ISA Server services, the installation requires access to a domain controller, so that ISA Server can authenticate itself with the Configuration Storage server, and a DNS server, so that the fully qualified domain name of the Configuration Storage server and the name of the domain controller can be resolved. Because installation of ISA Server services will end an initial Routing and Remote Access VPN connection, a branch installation scenario that relies on such a connection requires a local domain controller and DNS server to enable the installation to succeed.

When you have completed your deployment, branch connectivity can be handled by the VPN site-to-site functionality of ISA Server. However, to install ISA Server in a branch, you require connectivity to the main office. This document describes several means of establishing initial connectivity between the branch and the main office before ISA Server is installed in the branch office.

There are many procedures that are common to the different branch scenarios. Therefore, the solution for each scenario is presented in a walk-through, as a concise series of steps, and the detailed procedures for the steps are provided in Appendix A: Procedures in this document. Similarly, because you may use one of several methods to establish initial branch connectivity, those methods are provided in Appendix B: Branch Connectivity Options in this document.

Four scenarios are presented in this document:

  • Installing Internet Security and Acceleration (ISA) Server in a branch array, where both the main and branch arrays are in the same domain or in a child domain. This is developed in the Single Domain/Child Domain Solution Walk-through in this document.
  • Installing ISA Server in a branch array, where the main and branch arrays are in different domains/forests. This is developed in the Separate Domain Solution Walk-through in this document.
  • Installing ISA Server in a branch where there is one server that functions as the domain controller for the branch, and one other server is available. The domain controller hosts the ISA Server Configuration Storage server and the remaining server runs ISA Server services. This is developed in the Dual Server Solution Walk-through in this document.
  • Installing ISA Server in a branch where there is one server that functions as the domain controller for the branch, and also hosts the ISA Server Configuration Storage server and ISA Server services. This is developed in the Single Server Solution Walk-through in this document.

A solution is provided for each of the scenarios.

For detailed procedures that are common to all solutions, see Appendix A: Procedures in this document.

Single Domain/Child Domain Solution—Walk-through

In the single domain/child domain scenario, the branch domain is a child domain to the domain of the main office. A child domain is a domain located in the namespace tree directly beneath another domain (the parent domain). For example, example.fabrikam.com would be a child domain of the parent domain fabrikam.com.

In this scenario, Internet Security and Acceleration (ISA) Server 2004 is installed in a branch array, where both the main and branch arrays are in the same domain or in a child domain. This walk-through provides information that is specific to the single domain/child domain scenario, with hyperlinks to procedures in Appendix A in this document and to branch connectivity options in Appendix B in this document.

To configure the scenario, follow these steps:
  1. Establish connectivity from the branch to the main office using one of the methods in Appendix B: Branch Connectivity Options.

  2. Create the child domain, following the procedure in Creating a New Child Domain.

  3. Install the main office Configuration Storage server, following the procedure in Installing the Configuration Storage Server.

  4. Install the first array in the main office, following the procedure in Creating an ISA Server Array.

  5. On the main array, create a virtual private network (VPN) representing the branch, following the procedure in Creating a VPN in ISA Server.

  6. Make sure all servers in the branch that must communicate with servers in the main office, such as the domain controller, are able to connect to the main office through the VPN connection. It may be necessary to set the default gateway of the branch to be the internal IP address of the computer or device that is providing the VPN connection.

  7. Install the replicate Configuration Storage server on a computer in the branch network, following the procedure in Installing the Configuration Storage Server. When you connect to the main Configuration Storage server and provide credentials, be sure to provide the domain name and user name of a user with permissions that allow connection to that server, such as the enterprise administrator.

  8. Install the branch ISA Server array as described in Creating an ISA Server Array.

  9. On the branch array, create a VPN representing the main office, following the procedure in Creating a VPN in ISA Server. Ensure that the servers in the branch now use the ISA Server array as their default gateway.

  10. Create enterprise-level access rules that allow the necessary communication between branches, as described in Creating Enterprise Policy for Branch Communication.

Separate Domain Solution—Walk-through

In the separate domain scenario, the branch office is in a different domain from the main office. The two domains are in two forests that are not joined by a forest trust. When you have two Configuration Storage servers in two separate forests, you will have to establish two-way transitive trust between the two forests (not only trust between the two domains). Also, the two forests must be at the Windows Server 2003 functional level, and each domain controller must host the global catalog. These requirements allow the Kerberos authentication required for replication. The procedure for creating forest trust is provided in Establishing External Trust Between Two Forests.

This procedure assumes that the two domains already exist, in two separate forests that are not joined by a forest trust.

To configure the scenario, follow these steps:
  1. Establish connectivity from the branch to the main office using one of the methods in Appendix B: Branch Connectivity Options.

  2. Establish trust between the two forests, following the procedure in Establishing External Trust Between Two Forests.

  3. Ensure that the domain controller in each domain has the global catalog enabled, following the procedure in Enabling the Global Catalog.

  4. Install the main office Configuration Storage server, following the procedure in Installing the Configuration Storage Server.

  5. Install the first array in the main office, following the procedure in Creating an ISA Server Array.

  6. On the main array, create a virtual private network (VPN) representing the branch, following the procedure in Creating a VPN in ISA Server.

  7. Make sure all servers in the branch that must communicate with servers in the main office, such as the domain controller, are able to connect to the main office through the VPN connection. It may be necessary to set the default gateway of the branch to be the internal IP address of the computer or device that is providing the VPN connection.

  8. Install the replicate Configuration Storage server on a computer in the branch network, following the procedure in Installing the Configuration Storage Server. When you connect to the main Configuration Storage server and provide credentials, be sure to provide the domain name and user name of a user with permissions that allow connection to that server, such as the enterprise administrator.

  9. Install the branch ISA Server array as described in Creating an ISA Server Array.

  10. On the branch array, create a VPN representing the main office, following the procedure in Creating a VPN in ISA Server. Ensure that the servers in the branch now use the ISA Server array as their default gateway.

  11. Create enterprise-level access rules that allow the necessary communication between branches, as described in Creating Enterprise Policy for Branch Communication.

Note:
If a Remote Authentication Dial-In User Service (RADIUS) server and the ISA Server computer are in different domains (or if one is in a workgroup), user mapping is supported only for Password Authentication Protocol (PAP) and Shiva Password Authentication Protocol (SPAP) authentication methods. Do not use user mapping if any other authentication method is configured.

Dual Server Solution—Walk-through

In the dual server scenario you have two servers in a branch. One of the servers is the domain controller for the branch. The domain controller will host the Configuration Storage server and the remaining server will run ISA Server services. The dual server scenario has an advantage over the single server scenario, in that it enables you to place the Configuration Storage server on a separate computer, behind the computer running ISA Server services (the firewall).

This procedure guides you through the installation of the Configuration Storage server on a domain controller behind a computer running ISA Server services.

Note:
While you can install a Configuration Storage server on a domain controller, we do not recommend that you promote an existing Configuration Storage server to become a domain controller. Doing so may affect the ability of the Configuration Storage server to authenticate itself to the computer running ISA Server services.

To configure the scenario, follow these steps:
  1. Establish connectivity from the branch to the main office using one of the methods in Appendix B: Branch Connectivity Options.

  2. If the two offices are in the same domain/forest, skip this step. If the branch office is in a separate domain from the main office, establish trust between the two forests, following the procedure in Establishing External Trust Between Two Forests.

  3. If the branch office is in a separate domain from the main office, ensure that the domain controller in each domain has the global catalog enabled, following the procedure in Enabling the Global Catalog.

  4. Install the main office Configuration Storage server, following the procedure in Installing the Configuration Storage Server.

  5. Install the first array in the main office, following the procedure in Creating an ISA Server Array.

  6. On the main array, create a virtual private network (VPN) representing the branch, following the procedure in Creating a VPN in ISA Server.

  7. Make sure that the domain controller is able to connect to the main office through the VPN connection. It may be necessary to set the default gateway of the branch to be the internal IP address of the computer or device that is providing the VPN connection.

  8. Install the replicate Configuration Storage server on the domain controller in the branch, following the procedure in Installing ISA Server on a Domain Controller. When you connect to the main Configuration Storage server and provide credentials, be sure to provide the domain name and user name of a user with permissions that allow connection to that server, such as the enterprise administrator.

  9. On the second computer, the one that will run ISA Server services, create the branch array, following the procedure in Creating an ISA Server Array.

  10. On the branch array, create a VPN representing the main office, following the procedure in Creating a VPN in ISA Server. Ensure that the servers in the branch now use the ISA Server array as their default gateway.

  11. Create enterprise-level access rules that allow the necessary communication between branches, as described in Creating Enterprise Policy for Branch Communication.

Single Server Solution—Walk-through

In the single server scenario, the branch office is in the same domain as the main office. To conserve hardware and management costs, the server that hosts the branch domain controller will also host the ISA Server Configuration Storage server and ISA Server services.

This procedure guides you through the installation of the Configuration Storage server and ISA Server services on an Active Directory domain controller.

To configure the scenario, follow these steps:
  1. Establish connectivity from the branch office to the main office using one of the methods in Appendix B: Branch Connectivity Options. In the single server scenario, it is likely that you will create an initial virtual private network (VPN) connection using Routing and Remote Access, or connect to the main Configuration Storage server through server publishing.

  2. If the two offices are in the same domain, skip this step. If the branch office is in a separate domain from the main office, establish trust between the two forests, following the procedure in Establishing External Trust Between Two Forests.

  3. If the branch office is in a separate domain from the main office, ensure that the domain controller in each domain has the global catalog enabled, following the procedure in Enabling the Global Catalog.

  4. Install the main office Configuration Storage server, following the procedure in Installing the Configuration Storage Server.

  5. Install the first array in the main office, following the procedure in Creating an ISA Server Array.

  6. On the main array, create a VPN representing the branch, following the procedure in Creating a VPN in ISA Server.

  7. Make sure that the domain controller is able to connect to the main office through the VPN connection. It may be necessary to set the default gateway of the branch to be the internal IP address of the computer or device that is providing the VPN connection.

  8. Install the replicate Configuration Storage server on the domain controller in the branch, following the procedure in Installing ISA Server on a Domain Controller. After you have installed the Configuration Storage server, install ISA Server services on the domain controller, following the procedure in Modifying an ISA Server Installation. When you connect to the main Configuration Storage server and provide credentials, be sure to provide the domain name and user name of a user with permissions that allow connection to that server, such as the enterprise administrator.

    Note:
    If you install the Configuration Storage server and ISA Server services simultaneously, the setup process will restart the Routing and Remote Access service. If your initial VPN connection was established using Routing and Remote Access, this will prevent completion of the Configuration Storage server installation. For this reason, we recommend that you first install the Configuration Storage server, and then run setup again to install ISA Server services.

  9. On the branch array, create a VPN representing the main office, following the procedure in Creating a VPN in ISA Server. Ensure that the servers in the branch now use the ISA Server array as their default gateway.

  10. Create enterprise-level access rules that allow the necessary communication between branches, as described in Creating Enterprise Policy for Branch Communication.

Appendix A: Procedures

This appendix contains the procedures used in the solutions provided in this document.

Installing the Configuration Storage Server

The Configuration Storage server stores the configuration information for all of the arrays in the enterprise. This procedure describes how to install the Configuration Storage server. Perform this procedure on the computer that you have designated as a Configuration Storage server.

Note: The Configuration Storage server must be configured to use the internal (or associated) network adapter of the Microsoft Internet Security and Acceleration (ISA) Server computer (or the virtual Internet Protocol (IP) address of the ISA Server firewall array, if Network Load Balancing (NLB) is configured) as a default gateway.

To install a Configuration Storage server, follow these steps:
  1. On the computer on which the Configuration Storage server is to be installed, log on to the domain as an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program reports that it has finished determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install Configuration Storage Server, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Click Next. Do one of the following:

    1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you want to replicate, or click Browse to locate the server on the network. Click Next.
  10. If you are creating a replicate Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File in this document. Click Next.

  11. On the Enterprise Deployment Environment page, you have the option of installing a digital certificate to enable encrypted communication between the Configuration Storage server and the ISA Server firewall computers. All communication between firewall computers and Configuration Storage servers in a single domain is encrypted. We recommend that you use this option when your ISA Server firewall computers are not in the same domain as your Configuration Storage server, or if the firewall computers are in a workgroup. Click Next.

    Note:
    For information about installing digital certificates, see Digital Certificates for ISA Server 2004 (). The server certificate must be installed under the Service account, for the service called ISASTGCTRL. The name on the server has to match the fully qualified domain name of the Configuration Storage server.

  12. On the Ready to Install the Program page, click Install to begin the installation.

  13. After the installation is complete, click Finish.

After you have installed the Configuration Storage server, you may want to create an enterprise network. For instructions, see Creating an Enterprise Network in this document.

Creating an Enterprise Network

As enterprise administrator, you should define enterprise networks. This will enable you to create access rules on the enterprise level. Referring to the enterprise networks will enable your array administrators to define array networks, to easily create rules for networks throughout the enterprise, and to assist spoof detection through the proper definition of networks.

The following procedure will create an enterprise network that will include all of the IP addresses of the main and branch Internal networks.

To create an enterprise network, follow these steps:
  1. On the Configuration Storage server, expand the Enterprise node, and click Enterprise Networks.

  2. In the task pane, on the Tasks tab, click Create a New Network to start the New Network Wizard.

  3. In Network Name, provide a name for the new network, such as Internal, and then click Next.

  4. On the Network Addresses page, click Add Range to open the IP Address Range Properties dialog box. In Start address, type the low end of the IP address range, such as 10.1.0.0, and in End address, type the high end of the IP address range, such as 10.2.255.255, and then click OK. This range of IP addresses will cover all of the internal IP addresses for the main and branch arrays. On the Network Addresses page, click Next.

  5. On the summary page, review the properties of the enterprise network you are creating, and then click Finish.
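As an added illustration (not code from the guidance document, and independent of ISA Server itself), the following Python script checks an address plan for the enterprise network created in this procedure: every array's Internal range must sit inside the enterprise range, and no two arrays may share addresses. The enterprise range is the one used in step 4; the per-array ranges and the function names are assumptions constructed for the example.

```python
"""Address-plan check for the enterprise Internal network described above.

Added example; it is not part of the ISA Server guidance document and does
not call any ISA Server API. The enterprise range 10.1.0.0 to 10.2.255.255
is the one the procedure uses; the per-array Internal ranges below and the
helper names are constructed for illustration.
"""
import ipaddress
from typing import Dict, List, Tuple

# (start address, end address), exactly as typed into the IP Address Range
# Properties dialog box in step 4 of the procedure.
IPRange = Tuple[str, str]


def range_to_networks(start: str, end: str) -> List[ipaddress.IPv4Network]:
    """Split a start/end range into the minimal set of aligned CIDR blocks.

    ValueError is raised when start is above end, which is the same mistake
    the wizard would reject.
    """
    first = ipaddress.IPv4Address(start)
    last = ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"start address {start} is above end address {end}")
    return list(ipaddress.summarize_address_range(first, last))


def covered_by(block: ipaddress.IPv4Network,
               outer: List[ipaddress.IPv4Network]) -> bool:
    """True when every address of `block` lies inside one block of `outer`."""
    return any(block.subnet_of(o) for o in outer)


def check_address_plan(enterprise: IPRange,
                       arrays: Dict[str, IPRange]) -> List[str]:
    """Return the list of problems found (an empty list means the plan is sound).

    Check 1: each array's Internal network must be covered by the enterprise
             network, otherwise enterprise-level rules that refer to the
             enterprise network do not apply to that array's hosts.
    Check 2: no two arrays may share addresses. An address can belong to only
             one ISA Server network, and the site-to-site VPN route to a branch
             is defined by the branch's address range, so an overlap leaves
             traffic with no unambiguous destination.
    """
    problems: List[str] = []
    enterprise_blocks = range_to_networks(*enterprise)
    array_blocks = {name: range_to_networks(*rng) for name, rng in arrays.items()}

    for name, blocks in array_blocks.items():
        for block in blocks:
            if not covered_by(block, enterprise_blocks):
                problems.append(f"{name}: {block} is outside the enterprise network")

    names = sorted(array_blocks)
    for i, left in enumerate(names):
        for right in names[i + 1:]:
            for x in array_blocks[left]:
                for y in array_blocks[right]:
                    if x.overlaps(y):
                        problems.append(f"{left} and {right} overlap: {x} vs {y}")
    return problems


# Constructed sample plan: the enterprise range from the procedure, with the
# main office in 10.1.0.0/16 and the branch in 10.2.0.0/16.
ENTERPRISE_INTERNAL: IPRange = ("10.1.0.0", "10.2.255.255")
SAMPLE_ARRAYS: Dict[str, IPRange] = {
    "Main": ("10.1.0.0", "10.1.255.255"),
    "Branch": ("10.2.0.0", "10.2.255.255"),
}

if __name__ == "__main__":
    report = check_address_plan(ENTERPRISE_INTERNAL, SAMPLE_ARRAYS)
    for line in report or ["plan is consistent"]:
        print(line)
```

Run it against your own ranges before step 4; a non-empty report means the enterprise network or an array's Internal network needs adjusting before rules that refer to them will behave as expected.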

Installing the Configuration Storage Server and ISA Server Services on a Single Computer

You can install the Configuration Storage server and ISA Server services on a single computer.

Important:
If you install the Configuration Storage server and ISA Server services simultaneously, the setup process will restart the Routing and Remote Access service. If your initial VPN connection was established using Routing and Remote Access, this will prevent completion of the Configuration Storage server installation. For this reason, if your initial VPN connection was established using Routing and Remote Access, we recommend that you first install the Configuration Storage server, and then install ISA Server services as described in Modifying an ISA Server Installation.

To install the Configuration Storage server and ISA Server services on a single computer, follow these steps:
  1. On the target computer, log on to the domain as an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program reports that it has finished determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Install both ISA Server services and Configuration Storage server, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replicate Configuration Storage server. Click Next. Do one of the following:

    1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you want to replicate, or click Browse to locate the server on the network. Click Next.
  10. If you are creating a replicate Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File in this document. Click Next.

  11. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. Select Add, and then click Add Adapter to define the Internal network with the IP addresses associated with the internal network adapter. Click Next.

  12. On the Firewall Client Connection Settings page, you can select which Firewall clients will be allowed to connect. Click Next.

  13. On the Services Warning page, read the warning, and then click Next.

  14. On the Ready to Install the Program page, click Install to begin the installation.

  15. After the installation is complete, select Invoke ISA Server Management when the wizard closes, and then click Finish.

  16. You will be prompted to restart the computer. Click Yes to restart the computer.

Note:
If you want to create an ISA Server array in a workgroup and have it use the Configuration Storage server of the combined server, you must install a certificate on the combined server. The name on the server has to match the fully qualified domain name of the Configuration Storage server. The procedures for installing a certificate and configuring ISA Server to use the certificate are provided in the document ISA Server 2004 Enterprise Edition in a Workgroup, at the ISA Server 2004 Guidance Web site.

Installing ISA Server on a Domain Controller

You can install the Configuration Storage server, or both the Configuration Storage server and ISA Server services, on a domain controller.

Note:
You can run the Configuration Storage server using the credentials of a user in the Domain Admins group (a domain administrator). However, for the most secure configuration, we recommend that you provide the credentials of a user who is not a domain administrator. If you do so, you must perform these steps to ensure that the user has the permissions required by the service. All of these steps take place when logged on as a local administrator on the domain controller, who is by default a domain administrator. Running the Configuration Storage server on a domain controller under the Network Service account is not supported.

Important:
If you install the Configuration Storage server and ISA Server services simultaneously, the setup process will restart the Routing and Remote Access service. If your initial VPN connection was established using Routing and Remote Access, this will prevent completion of the Configuration Storage server installation. For this reason, we recommend that you first install the Configuration Storage server as described in this procedure, and then install ISA Server services as described in Modifying an ISA Server Installation.

To install the Configuration Storage server, or both the Configuration Storage server and ISA Server services, on a domain controller, follow these steps:
  1. On the target computer, log on to the domain as an enterprise administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, do one of the following:

    • If you want to install ISA Server services and the Configuration Storage server, select Install both ISA Server services and Configuration Storage server, and then click Next.
    • If you want to install only the Configuration Storage server, select Install Configuration Storage Server, and then click Next.
  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Enterprise Membership page, select Create a New Enterprise if you are creating a new enterprise, or Create a replica of the enterprise configuration if you are creating a replica Configuration Storage server. Click Next. Do one of the following:

    1. If you are creating a new enterprise, on the New Enterprise Warning page, click Next. This page warns you not to install more than one enterprise. Because you are creating a new enterprise, you can ignore the warning. On the Create a New Enterprise page, provide a name for the enterprise. Optional: provide a description of the enterprise. Click Next.
    2. If you are creating a replica of the enterprise configuration, on the Locate Configuration Storage Server page, provide the fully qualified domain name of the Configuration Storage server that you want to replicate, or click Browse to locate the server on the network. Click Next.
  10. If you are creating a replica Configuration Storage server, the next wizard page will be the ISA Server Configuration Replicate Source page. This page provides options for the initial ISA Server replication, which may take a long time over a slow link. If you are replicating over a slow link, you may want to choose to replicate from a Windows backup file. For information about creating a backup file, see Creating and Restoring a Backup File in this document. Click Next.

  11. On the Enterprise Deployment Environment page, you have the option of installing a digital certificate to enable encrypted communication between the Configuration Storage server and the ISA Server firewall computers. All communication between firewall computers and Configuration Storage servers in a single domain is encrypted. We recommend that you use this option when your ISA Server firewall computers are not in the same domain as your Configuration Storage server, or if the firewall computers are in a workgroup. Click Next.

  12. If you are installing ISA Server services, the next page will be the Internal Network page. Specify the IP address range that will constitute the Internal network for this array. Select Add, and then click Add Adapter to define the Internal network with the IP addresses associated with the internal network adapter. Click Next.

  13. If you are installing ISA Server services, the next page will be the Firewall Client Connection Settings page. On this page you can select which Firewall clients will be allowed to connect. Click Next.

  14. If you are installing ISA Server services, the next page will be the Services Warning page. Read the warning, and then click Next.

  15. Because you are installing on a domain controller, you will see the Configuration Storage Server Service Account page. Provide the credentials of the user under whom the service will run (a user who is not a domain administrator, as recommended in the note above).

  16. On the Ready to Install the Program page, click Install to begin the installation.

  17. After the installation is complete, select Invoke ISA Server Management when the wizard closes, and then click Finish.

  18. You will be prompted to restart the computer. Click Yes to restart the computer.

  19. After installation, log on to the Configuration Storage server as a domain administrator.

  20. Open a command prompt: click Start, click Run, and then type cmd.

  21. In the Program Files\Microsoft ISA Server\ADAMData folder, locate the dnsdomain.bat file. dnsdomain is the DNS domain name of the computer on which ADAM is running.

  22. Type dnsdomain to run the file.

Note:
The dnsdomain.bat file appears in the directory approximately one minute after ADAM installation is complete.

Modifying an ISA Server Installation

To modify an ISA Server installation, follow these steps:
  1. On Windows Server 2003 computers, click Start, click Control Panel, and then double-click Add/Remove Programs.

  2. In Microsoft Internet Security and Acceleration Server Setup, click Change/Remove.

  3. On the Welcome page, click Next.

  4. On the Program Maintenance page, select Modify.

  5. On the Component Selection page, in Click on an icon in the list below, choose one or more of the following:

    1. Firewall Services. If you select this option, all the ISA Server services will be installed.
    2. ISA Server Management. If you select this option, the management console used to centrally manage ISA Server will be installed.
    3. Firewall Client Installation Share. If you select this option, a folder with all the files necessary to install the Firewall Client software will be created on the ISA Server computer. The folder will be shared to the Everyone group, thereby allowing anyone access to install the software.
    4. Message Screener. If you select this option, the Message Screener will be installed. This component must be installed on an SMTP server, which is typically not your ISA Server computer.
  6. Click Next. Then, click Install to begin the installation.

Creating a VPN in ISA Server

To create a virtual private network (VPN) in ISA Server using the Point-to-Point Tunneling Protocol (PPTP), follow these steps:
  1. Open ISA Server Management.

  2. Expand the main array node.

  3. In the console tree, select Virtual Private Networks (VPN).

  4. In the details pane, select the Remote Sites tab.

  5. In the task pane, on the Tasks tab, click Add Remote Site Network to start the New Network Wizard.

  6. On the Welcome page, provide a name for the new network, and then click Next.

  7. On the VPN Protocol page, select Point-to-Point Tunneling Protocol (PPTP), and then click Next.

  8. On the Remote Site Gateway page, supply the name or IP address for the remote VPN server, and then click Next.

  9. On the Remote Authentication page, you can select to allow outgoing connections from the local site to the remote site. If you enable this option, you must provide a user name, domain, and password for the connection. If you do not enable this option, you will not be able to establish outgoing connections to the remote VPN site, although you will be able to accept connections from that site. Click Next.

  10. On the Network Addresses page, click Add Range and add the address ranges of the remote network, or click Add Network to select the enterprise networks included in the remote network. You can obtain this information from the administrator of the remote network. After you add the address ranges, on the Network Addresses page, click Next.

  11. On the summary page, review the configuration, and then click Finish.

  12. In the ISA Server details pane, click Apply to apply the changes to ISA Server.

After you create a VPN site-to-site network, you must create the appropriate firewall policy to allow and control access between the branch and main offices. For a description, see the document Site-to-Site VPN in ISA Server 2004 Enterprise Edition, at the ISA Server 2004 Guidance Web site. This document also provides instructions on how to create a VPN using Layer Two Tunneling Protocol (L2TP) and IP Security (IPsec) Tunneling.

Creating a Network

From an ISA Server perspective, a network is a rule element that can contain one or more ranges of Internet Protocol (IP) addresses. Networks include one or more computers, typically corresponding to a physical network. You can apply rules to one or more networks, or to all addresses except those in the specified network.

To create a new network, follow these steps:
  1. Open Microsoft ISA Server Management, expand the ISA Server array node, expand Configuration, and click Networks.

  2. In the details pane, select the Networks tab.

  3. In the task pane, on the Tasks tab, click Create a New Network.

  4. On the Welcome page, type a name for the network, and click Next.

  5. On the Network Type page, select a network type, and click Next.

  6. On the Network Addresses page, click Add Adapter to open the Select Network Adapters dialog box. Select the network adapter that connects the ISA Server computer to the appropriate network. Click OK, and click Next. Or, you can click Add Network to select the enterprise networks to be included in this array network.

  7. On the Completing the New Network Wizard page, review the settings, and click Finish.

Creating a Network Rule

Network rules determine whether there is a relationship between two network entities, and what type of relationship is defined.

To create a new network rule, follow these steps:
  1. In Microsoft ISA Server Management, expand the ISA Server array node, expand Configuration, and then select Networks.

  2. In the details pane, click the Network Rules tab. In the task pane, on the Tasks tab, click Create a Network Rule to start the New Network Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the network rule, and then click Next.

  4. On the Network Traffic Sources page, click Add to open the Add Network Entities dialog box, expand Networks, select the specific source network, click Add, and then click Close. On the Network Traffic Sources page, click Next.

  5. On the Network Traffic Destinations page, click Add to open the Add Network Entities dialog box, expand Networks, select the destination network, click Add, and then click Close. On the Network Traffic Destinations page, click Next.

  6. On the Network Relationship page, select either a Network Address Translation (NAT) relationship, or a Route relationship, and then click Next.

  7. Review the information on the wizard summary page, and then click Finish.

  8. In the ISA Server details pane, click Apply to apply the new network rule.

Creating an ISA Server Array

You can configure an ISA Server array on the Configuration Storage server. This will be an empty array, for which you can configure enterprise policy. The enterprise or array administrator can then add servers to the array. Alternatively, the array can be created on the first array server, and other servers can then be added.

To create an ISA Server array, follow these steps:
  1. On the Configuration Storage server, open ISA Server Management.

  2. In the ISA Server Management console tree, click Arrays. In the task pane, on the Tasks tab, click Create New Array to start the New Array Wizard.

  3. On the Welcome page, provide a name for the new array, such as Main, and then click Next.

  4. On the Array DNS Name page, provide the Domain Name System (DNS) name of the array. This is the name that Firewall clients and Web clients will use to connect to the array. Click Next.

  5. On the Array Enterprise Policy page, from the drop-down menu, select the enterprise policy that will be applied to the new array, and then click Next.

  6. On the Array Policy Rule Types page, select the types of rules that the array administrator is allowed to make, and then click Next.

  7. On the summary page, review the array configuration, and then click Finish. When the progress bar indicates that the array has been created, click OK.

  8. After the array has been created, you can assign array administrator privileges to the Main array. In ISA Server Management, right-click the name of the array and select Properties.

  9. On the Assign Roles tab, click Add. Add the appropriate user or group. From the drop-down Role menu, select ISA Server Array Administrator, and then click OK.

  10. Click OK to close the properties page.

  11. In the Firewall Policy details pane, click Apply to apply the changes.

Adding Servers to the ISA Server Array

Now that you have created an array, you can add ISA Server computers to the array. Perform this procedure for each computer you want to add to the array.

To add servers to the ISA Server array, follow these steps:
  1. Log on to the domain using the credentials of the array administrator.

  2. Insert the ISA Server CD into the CD drive, or run ISAAutorun.exe from the shared network drive.

  3. In Microsoft ISA Server Setup, click Install ISA Server.

  4. After the setup program prompts that it has completed determining the system configuration, on the Welcome page, click Next.

  5. If you accept the terms and conditions stated in the user license agreement, click I accept the terms in the license agreement, and then click Next.

  6. Type your customer details, and then click Next.

  7. On the Setup Scenarios page, select Firewall Server Components, and then click Next.

  8. On the Component Selection page, you can review the settings, and then click Next.

  9. On the Locate Configuration Storage Server page, specify the Configuration Storage server to which this computer will connect. You can click Browse to locate the Configuration Storage server. Note that the name you use to refer to the Configuration Storage server is its name on the network, and not the enterprise name. On this page, you must provide the credentials of an enterprise or array administrator, to connect to the Configuration Storage server. This user must be recognized by the Configuration Storage server, either as a domain user, or a local user on the Configuration Storage server. Click Next.

  10. On the Array Membership page, select Join an Existing Array, and then click Next.

  11. On the Join an Existing Array page, provide the name of the array. You can also click Browse to open the Arrays to join dialog box, and select the array from the list. Click Next.

  12. On the Configuration Storage Server Authentication Options page, select the authentication type that will be used for connections between the ISA Server computer and the Configuration Storage server. Because the firewall array and the Configuration Storage server are in the same domain in this scenario, select Windows authentication, and then click Next.

  13. This step will only take place on the first server you install in the array. On the Internal Network page, specify the IP address range that will constitute the Internal network for this array. You can map your Internal network to an enterprise network:

    1. Click Add to open the Addresses dialog box.
    2. Click Select to open the Select Enterprise Networks dialog box.
    3. Select Internal, and then click OK.
    4. In the Addresses dialog box, click OK.
    5. On the Internal Network page, click Next.

    Alternatively, you can select Add Adapter and define the Internal network with the IP addresses associated with the internal network adapter, rather than mapping to an enterprise network.
  14. On the Firewall Client Connection Settings page, you can select which Firewall clients will be allowed to connect. Click Next.

  15. On the Services Warning page, review the list of services that will be stopped or disabled during installation of ISA Server. To continue the installation, click Next.

    Note:
    If the domain of your server is outside the IP address range that you specified for the Internal network (the IP address range of the Internal enterprise network), you will receive a notice that the system policy of ISA Server will be configured to allow the needed Active Directory connectivity. Click Next to continue the installation.
  16. Click Install.

  17. After the installation is complete, click Finish.

  18. You will be prompted to restart the computer. Click Yes to restart the computer.

Repeat this procedure for the other servers that must be installed.

Creating Enterprise Policy for Branch Communication

ISA Server provides system policy rules that allow appropriate access to computers running ISA Server services that may also host a Configuration Storage server. This topic describes how to configure rules to allow access through computers running ISA Server services to computers that are running a Configuration Storage server or ISA Server Management.

Create access rules on the enterprise level to ensure that critical inter-branch communication is enabled. The properties of each rule are provided here. Instructions on how to create an access rule are provided in Creating an Access Rule.

Allow replication between Configuration Storage servers

There is a system policy rule that allows replication between Configuration Storage servers, but the rule is enabled only when the Configuration Storage server is installed on the same computer with ISA Server services. If you have one or more branches where the Configuration Storage server is installed on a computer that is not running ISA Server services, this rule will not apply. To ensure that the replication can take place, perform the following steps:

  1. Create an enterprise-level computer set containing the IP addresses of all of the Configuration Storage servers in the enterprise, following the procedure in Creating a New Computer Set. Refer to this as the Configuration Storage Servers computer set.
  2. Following the procedure in Creating an Access Rule, create a post-array enterprise-level access rule allowing access from the Configuration Storage Servers computer set, to the Configuration Storage Servers computer set, using these protocols:
    • MS-Firewall Storage-Replication
    • RPC (all interfaces)

Allow centralized remote management and monitoring

There is a system policy rule that allows centralized remote management and monitoring, but the rule is enabled only when the Configuration Storage server is installed on the same computer with ISA Server services. If you have one or more branches where the Configuration Storage server is installed on a computer that is not running ISA Server services, this rule will not apply. To ensure that centralized remote management and monitoring can take place, perform the following steps:

  1. Create an enterprise-level computer set containing the IP addresses of all of the static address pools used in VPNs in the enterprise, following the procedures in Creating a New Computer Set. Refer to this as the Static Address Pools computer set.
  2. Following the procedures in Creating an Access Rule, create a post-array enterprise-level access rule allowing access from the Enterprise Remote Management Computers computer set, to the Enterprise Array Servers computer set and Static Address Pools computer set on these protocols:
    • Microsoft CIFS (TCP)
    • Microsoft CIFS (UDP)
    • MS Firewall Control
    • MS Firewall Storage
    • RDP (Terminal Services)
    • RPC (all interfaces)

Allow authentication services from all branches to the main office

System policy that allows authentication access to the domain controller is designed for the scenario when the domain controller is behind the ISA Server array in the Internal network of the branch. However, you may not have a domain controller in each branch, in which case, authentication access is required from one branch to another, or to the main office. To enable this communication, follow these steps:

  1. If you have not done so, create an enterprise-level computer set containing the IP addresses of all of the static address pools used in VPNs in the enterprise, following the procedure in Creating a New Computer Set. Refer to this as the Static Address Pools computer set.
  2. Following the procedure in Creating a New Network Set, create an enterprise-level network set containing all of the enterprise networks representing the branches (and the main office, in the hub and spoke topology). Refer to this as the Corporate Networks network set.
  3. Following the procedure in Creating an Access Rule, create a post-array enterprise-level access rule allowing access from the Corporate Networks network set, the Static Address Pools computer set, and Local Host, to the Corporate Networks network set on these protocols:
    • DNS
    • Kerberos-Sec (TCP)
    • Kerberos-Sec (UDP)
    • LDAP (UDP)
    • LDAP GC (Global Catalog)
    • LDAP
    • LDAPS
    • LDAPS GC (Global Catalog)
    • Microsoft CIFS (TCP)
    • Microsoft CIFS (UDP)
    • RPC (all interfaces)
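The three enterprise-level rules above can be modelled before they are applied, so that you can confirm the replication, management and authentication flows you intend are permitted and nothing else is. The following script is an added example, not code from the ISA Server documentation; the sets, protocol names and rule order are taken from the three procedures above, while every IP address and the membership of the predefined sets are constructed sample values.

```python
"""Model of the three enterprise-level access rules for branch communication.

Added example (not part of the ISA Server documentation).  ISA Server
evaluates access rules in order and applies the first match; traffic that
matches no rule is denied.  Only the protocol *names* from the page are used,
so no port numbers are assumed here.  All IP addresses are constructed.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class ComputerSet:
    """A named rule element: computers, address ranges or subnets."""
    name: str
    members: list  # list of ipaddress.IPv4Network

    def contains(self, ip):
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.members)


@dataclass
class AccessRule:
    """Allow rule: from any listed source set to any listed destination set."""
    name: str
    sources: list
    destinations: list
    protocols: frozenset

    def matches(self, src, dst, protocol):
        return (protocol in self.protocols
                and any(s.contains(src) for s in self.sources)
                and any(d.contains(dst) for d in self.destinations))


def networks(*cidrs):
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed topology: main office 10.1.0.0/16, branch 10.2.0.0/16,
# VPN static address pools 10.255.1.0/24 and 10.255.2.0/24.
CSS_SERVERS = ComputerSet("Configuration Storage Servers",
                          networks("10.1.0.10/32", "10.2.0.10/32"))
STATIC_POOLS = ComputerSet("Static Address Pools",
                           networks("10.255.1.0/24", "10.255.2.0/24"))
# Predefined ISA Server sets; their membership is assumed for this sample.
REMOTE_MGMT = ComputerSet("Enterprise Remote Management Computers",
                          networks("10.1.0.50/32"))
ARRAY_SERVERS = ComputerSet("Enterprise Array Servers",
                            networks("10.1.0.1/32", "10.2.0.1/32"))
# Local Host is the ISA Server computer itself; modelled as the array servers.
LOCAL_HOST = ComputerSet("Local Host", ARRAY_SERVERS.members)
# Corporate Networks is a network set on the page; modelled here by the
# address ranges of the main-office and branch enterprise networks.
CORPORATE = ComputerSet("Corporate Networks",
                        networks("10.1.0.0/16", "10.2.0.0/16"))

ENTERPRISE_RULES = [
    AccessRule("Allow replication between Configuration Storage servers",
               [CSS_SERVERS], [CSS_SERVERS],
               frozenset({"MS-Firewall Storage-Replication",
                          "RPC (all interfaces)"})),
    AccessRule("Allow centralized remote management and monitoring",
               [REMOTE_MGMT], [ARRAY_SERVERS, STATIC_POOLS],
               frozenset({"Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)",
                          "MS Firewall Control", "MS Firewall Storage",
                          "RDP (Terminal Services)", "RPC (all interfaces)"})),
    AccessRule("Allow authentication services from all branches to the main office",
               [CORPORATE, STATIC_POOLS, LOCAL_HOST], [CORPORATE],
               frozenset({"DNS", "Kerberos-Sec (TCP)", "Kerberos-Sec (UDP)",
                          "LDAP (UDP)", "LDAP GC (Global Catalog)", "LDAP",
                          "LDAPS", "LDAPS GC (Global Catalog)",
                          "Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)",
                          "RPC (all interfaces)"})),
]


def evaluate(src, dst, protocol, rules=ENTERPRISE_RULES):
    """Return the name of the first allow rule that matches, or None (denied)."""
    for rule in rules:
        if rule.matches(src, dst, protocol):
            return rule.name
    return None


if __name__ == "__main__":
    checks = [
        ("10.2.0.10", "10.1.0.10", "MS-Firewall Storage-Replication"),  # CSS to CSS
        ("10.2.0.77", "10.1.0.10", "MS-Firewall Storage-Replication"),  # workstation to CSS
        ("10.1.0.50", "10.2.0.1", "RDP (Terminal Services)"),           # admin to branch firewall
        ("10.2.0.77", "10.2.0.1", "RDP (Terminal Services)"),           # workstation to firewall
        ("10.2.0.77", "10.1.0.5", "Kerberos-Sec (TCP)"),                # branch logon to main DC
        ("10.2.0.77", "10.1.0.5", "HTTP"),                              # not covered by any rule
    ]
    for src, dst, proto in checks:
        verdict = evaluate(src, dst, proto) or "DENIED (no matching rule)"
        print(f"{src} -> {dst} {proto}: {verdict}")
```

Because only the three enterprise rules are modelled, the result for a flow shows whether these rules alone carry it; system policy and array-level rules on the real firewall are not represented.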

Creating an Access Rule

Access rules determine how clients on a source network can access resources on a destination network. This procedure describes the New Access Rule Wizard in general terms.

To create a new access rule, follow these steps:
  1. In the Microsoft ISA Server Management console tree, select Firewall Policy.

  2. In the task pane, on the Tasks tab, click Create Array Access Rule to start the New Access Rule Wizard.

  3. On the Welcome page of the wizard, enter the name for the access rule. Use a descriptive name, such as Internet access for staff during work hours, and then click Next.

  4. On the Rule Action page, select Allow if you are allowing access, or Deny if you are denying access, and then click Next.

  5. On the Protocols page, the default setting of This rule applies to is Selected protocols. Use the Add button to add the specific protocols from the Add Protocols dialog box. Or, you can select All outbound traffic to apply the rule to all defined protocols. When you have made these selections, click Next.

  6. On the Access Rule Sources page, click Add to open the Add Network Entities dialog box, click the category for which you are creating access, select the specific object, click Add (repeat to add additional network objects), and then click Close. On the Access Rule Sources page, click Next.

  7. On the Access Rule Destinations page, click Add to open the Add Network Entities dialog box, click Networks, select the External network (representing the Internet), click Add, and then click Close. On the Access Rule Destinations page, click Next.

  8. On the User Sets page, if your rule applies to all users, you can leave the user set All users in place and proceed to the next page of the wizard. If the rule applies to specific users, select All users and click Remove. Then, use the Add button to open the Add Users dialog box, from which you can add the user set to which the rule applies. The Add Users dialog box also provides access to the New User Sets Wizard through the New menu item. When you have completed the user set selection, click Next.

  9. Review the information on the wizard summary page, and then click Finish.

  10. In the Firewall Policy details pane, click Apply to apply the new access rule. It may take a few moments for the rule to be applied. Order your access rules to match your Internet access policy. If you change the order, you will need to click Apply to apply the changes.

Connecting ISA Server Management

When your ISA Server Management console is not connected to the Configuration Storage server, you cannot view the ISA Server policy or status in the console.

To connect ISA Server Management to the Configuration Storage server, follow these steps:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the ISA Server Management console, select the top node, Microsoft Internet Security and Acceleration Server 2004.

  3. In the task pane, on the Tasks tab, click Connect to Configuration Storage Server to start the Enterprise Connection Wizard. On the Welcome page, click Next.

  4. On the Configuration Storage Server Location page, specify the location of the Configuration Storage server, and then click Next.

  5. On the Array Connection Credentials page, select whether to use the same credentials as you are using to connect to the Configuration Storage server, or different credentials, and then click Next. If you select different credentials, the next wizard page will be Array Connection Credential Details, where you can provide the credentials for connecting to an array.

  6. Review the summary page and click Finish.

Creating a Protocol Definition

If you want a rule to refer to a protocol that is not predefined in ISA Server, you must define that protocol. This procedure describes how to create a protocol definition.

To create a protocol definition, follow these steps:
  1. Click Start, point to All Programs, point to Microsoft ISA Server, and then click ISA Server Management.

  2. In the ISA Server Management console, select Firewall Policy.

  3. In the task pane, on the Toolbox tab, click Protocols.

  4. Under Protocols, click New, and then click Protocol to open the New Protocol Definition Wizard.

  5. On the New Protocol Definition Wizard Welcome page, in the Protocol definition name box, type LDAPS server, and then click Next.

  6. On the Primary Connection Information page, click New.

  7. In the New/Edit Protocol Connection dialog box, in the Protocol type list, select the protocol type. For LDAPS server, this is TCP.

  8. In Direction, select the direction. For LDAPS server, this is Inbound.

  9. In From and To, type the port range. For LDAPS server, both From and To are 2172. For LDAP, the port is 2171. These are ports that are specific to LDAPS and LDAP in ISA Server 2004 Enterprise Edition.

  10. Click OK to close the New/Edit Protocol Connection dialog box.

  11. On the Primary Connection Information page, click Next.

  12. On the Secondary Connections page, in Do you want to use secondary connections, select No, and then click Next. If the protocol requires secondary connections, select Yes, and click New to define the secondary connection.

  13. Click Finish to close the New Protocol Definition Wizard. Notice that the LDAPS server protocol definition is listed in the User-Defined folder under the Protocols menu.

Creating a Server Publishing Rule

ISA Server uses server publishing to process incoming requests to internal servers. Server publishing rules determine how server publishing functions, essentially filtering all incoming and outgoing requests through the ISA Server computer.

To create a server publishing rule, follow these steps:
  1. In ISA Server Management, select Firewall Policy.

  2. In the task pane, on the Tasks tab, click Create New Server Publishing Rule to open the New Server Publishing Rule Wizard.

  3. On the New Server Publishing Rule Wizard Welcome page, provide a name for the rule, and then click Next.

  4. On the Select Server page, in Server IP address, type the IP address of the computer that you want to publish, such as the Configuration Storage server, and then click Next.

  5. On the Select Protocol page, from the Selected protocol drop-down list, select the protocol on which you want to publish the server, and then click Next.

  6. On the IP Addresses page, under Listen for requests from these networks, select the networks on which you want to listen for requests. For example, in a back-to-back perimeter network scenario, the front-end ISA Server computer will be communicating with the external network adapter of the back-end ISA Server computer, so select External.

    Note:
    You can select specific IP addresses that ISA Server will listen on. To do this, click the Address button, and then for the selected network, specify the IP addresses that ISA Server will listen on.
  7. Click Next.

  8. Click Finish to close the New Server Publishing Rule Wizard. Notice that in the ISA Server Management console, in the details pane, on the Firewall Policy tab, the new rule is listed.

  9. In the details pane, click the Apply button to apply the publishing rule that is effective for the incoming traffic.

Creating a New Computer Set

When you create an access rule, you can restrict access to a set of computers, rather than allowing access to an entire network. To do so, you can click New in the Add Network Entities dialog box, and create a new computer set. Alternatively, follow this procedure to create a new computer set:

  1. In the console tree of ISA Server Management, click Enterprise Policies (for enterprise-level computer sets) or Firewall Policy (for array-level computer sets).
  2. In the task pane, on the Toolbox tab, click Network Objects.
  3. On the toolbar beneath Network Objects, click New, and then click Computer Set.
  4. In the New Computer Set Rule Element dialog box, provide a name for the new computer set.
  5. Click Add, and select either Computer, Address Range, or Subnet, and add the appropriate computers, address ranges, or subnets included in the computer set:
    • If you click Computer, you can add a single computer.
    • If you click Address Range, you can add a range of IP addresses, representing a group of computers.
    • If you click Subnet, you can add a subnet.
  6. After you add the computers, address ranges, or subnets, click OK to close the New Computer Set Rule Element dialog box.
  7. In the details pane, click Apply to apply the change.

Creating a New Network Set

You can group one or more networks into network sets. Network sets can include one or more networks, or explicitly exclude one or more networks. Rules can be applied to networks or to network sets.

To create a new network set, follow these steps:
  1. Start the New Network Set wizard:

    For an array-level network set:

    • In the console tree of ISA Server Management, on the array level, click Firewall Policy.
    • In the task pane, on the Toolbox tab, click Network Objects.
    • On the toolbar beneath Network Objects, click New, and then click Network Set.

    For an enterprise-level network set:

    • In the console tree of ISA Server Management, under the Enterprise node, select Enterprise Networks.
    • In the details pane, click the Network Sets tab.
    • In the tasks pane on the Tasks tab, click Create a New Network Set.
  2. On the Welcome page, provide a name for the new network set, and then click Next.

  3. On the Network Selection page, select Includes all selected networks. From the list box, select the networks that will be included in the network set, and then click Next.

    Note:
    You can also select Includes all networks except the selected networks. In that case, all of the networks shown in the list box will be included in the network set, except for the ones you select.
  4. On the summary page, review the network set configuration, and then click Finish.

  5. In the details pane, click Apply to apply the change.

Changing the Configuration Storage Server for an Array

If you want to change the Configuration Storage server that an ISA Server array refers to, follow these steps:
  1. In ISA Server Management, expand Arrays, right-click the array you want to configure, and select Properties.

  2. On the Configuration Storage tab, in Configuration Storage server (FQDN), enter the new location of the Configuration Storage server. Click OK, and then click Apply in the details pane to apply your changes.

Creating a New Child Domain

To create a new child domain, follow these steps:
  1. Click Start, click Run, and then type dcpromo to start the Active Directory Installation Wizard.

  2. On the Welcome page, click Next.

  3. On the Operating System Compatibility page, read the information, and then click Next.

  4. If this is the first time you have installed Active Directory on a server running Windows Server 2003, click Compatibility Help for more information.

  5. On the Domain Controller Type page, click Domain controller for a new domain, and then click Next.

  6. On the Create New Domain page, click Child domain in an existing domain tree, and then click Next.

  7. On the Network Credentials page, type the user name, password, and user domain of the user account you want to use for this operation, and then click Next. The user account must be a member of the Enterprise Admins group.

  8. On the Child Domain Installation page, verify the parent domain (Nenice.net) and type the new child domain name, and then click Next.

  9. On the NetBIOS Domain Name page, verify the NetBIOS name, and then click Next.

  10. On the Database and Log Folders page, type the location in which you want to install the database and log folders, or click Browse to choose a location, and then click Next. (Use the default settings.)

  11. On the Shared System Volume page, type the location in which you want to install the Sysvol folder, or click Browse to choose a location, and then click Next. (Use the default settings.)

  12. On the DNS Registration Diagnostics page, verify that the DNS configuration settings are accurate, and then click Next.

  13. On the Permissions page, select Permissions compatible only with Windows 2000 or Windows Server 2003 operating systems, and then click Next. The other option (permissions compatible with pre-Windows 2000 server operating systems) grants anonymous users read access to user and group information in the domain, and is needed only if servers running Windows NT 4.0 depend on that access.

  14. On the Directory Services Restore Mode Administrator Password page, type and confirm the password that you want to assign to the Administrator account for this server, and then click Next. Use this password when starting the computer in Directory Services Restore Mode.

  15. Review the Summary page, and then click Next to begin the installation.

  16. Restart the computer.

Note:
  • To perform this procedure, you must be a member of the Domain Admins group (in the parent domain) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.
  • The server on which you install Active Directory using this procedure will be the first domain controller in a new child domain.
  • When a child domain is added to an existing tree domain, a two-way, transitive parent and child trust is established by default.
  • The wizard options on the Permissions page affect application compatibility with computers running operating systems earlier than Windows Server 2003 and Windows 2000 Server and are not related to domain functionality. For more information about permissions, see Windows Help.
  • You can also use a smart card to verify administrative credentials. For more information about smart cards, see Windows Help.
  • The Active Directory Installation Wizard allows Active Directory domain names up to 64 characters or up to 155 bytes. Although the limit of 64 characters is usually reached before the limit of 155 bytes, the opposite could be true if the name contains Unicode characters, where each character requires three bytes. These limits do not apply to computer names.
  • You cannot install Active Directory on a computer running Windows Server 2003, Web Edition, but you can join the computer to an Active Directory domain as a member server.
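The same promotion can be run unattended. The following PowerShell script is an added example, not part of the ISA Server guide: it writes a dcpromo answer file that mirrors the wizard choices above (NewDomain=Child, AllowAnonymousAccess=No for the Permissions page, and the Password=* convention so that the Enterprise Admins password is prompted for rather than written to disk), applies the two checks from the notes (Web Edition, name length), and removes the answer file as soon as dcpromo has read it because it holds the Directory Services Restore Mode password. The child domain label, NetBIOS name and administrator account name are assumed values.

```powershell
# Added example, not from the ISA Server guide: unattended child-domain promotion
# with a dcpromo answer file matching the Active Directory Installation Wizard
# steps above. Domain label, NetBIOS name and account name are assumed values.
$ErrorActionPreference = 'Stop'
$parentDomain = 'Nenice.net'     # parent domain used in this guide
$childName    = 'branch'         # assumed child domain label
$netbiosName  = 'BRANCH'         # assumed NetBIOS domain name
$adminUser    = 'Administrator'  # assumed; must be a member of Enterprise Admins

# Checks from the notes above: Web Edition cannot be a domain controller, and domain
# names are limited to 64 characters or 155 UTF-8 bytes, whichever is reached first.
$os = Get-WmiObject Win32_OperatingSystem
if ($os.Caption -match 'Web Edition') { throw "Active Directory cannot be installed on $($os.Caption)" }
$fqdn  = "$childName.$parentDomain"
$bytes = [Text.Encoding]::UTF8.GetByteCount($fqdn)
if ($fqdn.Length -gt 64 -or $bytes -gt 155) {
    throw "Domain name $fqdn is too long ($($fqdn.Length) characters, $bytes bytes)"
}

# Directory Services Restore Mode password: prompted for, never hard-coded in the script.
$secure = Read-Host 'Directory Services Restore Mode password' -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$dsrm   = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Answer file keys follow the Windows Server 2003 dcpromo unattended-install reference.
$answer = @"
[DCInstall]
ReplicaOrNewDomain=Domain
NewDomain=Child
ParentDomainDNSName=$parentDomain
ChildName=$childName
DomainNetbiosName=$netbiosName
UserName=$adminUser
UserDomain=$parentDomain
Password=*
DatabasePath=$env:SystemRoot\NTDS
LogPath=$env:SystemRoot\NTDS
SYSVOLPath=$env:SystemRoot\SYSVOL
AllowAnonymousAccess=No
SafeModeAdminPassword=$dsrm
RebootOnSuccess=No
"@

# The answer file contains the DSRM password, so it exists only while dcpromo runs.
$path = Join-Path $env:TEMP 'dcpromo-child.txt'
try {
    Set-Content -Path $path -Value $answer -Encoding ASCII
    $proc = [Diagnostics.Process]::Start('dcpromo.exe', "/answer:$path")
    $proc.WaitForExit()
    if ($proc.ExitCode -ne 0) {
        Write-Warning "dcpromo exited with code $($proc.ExitCode); see $env:SystemRoot\debug\dcpromo.log"
    }
} finally {
    Remove-Item -Path $path -Force -ErrorAction SilentlyContinue
}
Write-Host 'Restart the computer to complete the promotion (step 16 above).'
```

Run the script from an administrative session on the server that will become the first domain controller of the child domain. With RebootOnSuccess=No the script can delete the answer file before the restart; if the promotion fails, the reasons are recorded in %SystemRoot%\debug\dcpromo.log.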

Establishing External Trust Between Two Forests

This procedure creates a forest trust: a transitive trust between the root domains of two forests, which is distinct from an external trust between two individual domains. It assumes the following:

  • DNS is properly configured, so that each forest can resolve the root domain name of the other forest.
  • The forest functional level in both forests is set to Windows Server 2003.

For more information about these requirements, see Checklist: Creating a Forest Trust (www.microsoft.com).

To establish trust between two forests, follow these steps:
  1. Open Active Directory Domains and Trusts.

  2. In the console tree, right-click the domain node for the forest root domain, and then click Properties.

  3. On the Trust tab, click New Trust, and then click Next.

  4. On the Trust Name page, type the DNS name (or NetBIOS name) of the other forest, and then click Next.

  5. On the Trust Type page, click Forest trust, and then click Next.

  6. On the Direction of Trust page, do one of the following:

    1. To create a two-way forest trust, click Two-way. Users in this forest and users in the specified forest can access resources in either forest.
    2. To create a one-way incoming forest trust, click One-way: incoming. This forest is trusted by the specified forest: users in this forest can access resources in the specified forest, but users in the specified forest cannot access any resources in this forest.
    3. To create a one-way outgoing forest trust, click One-way: outgoing. This forest trusts the specified forest: users in the specified forest can access resources in this forest, but users in this forest cannot access any resources in the specified forest.
  7. Continue to follow the wizard. When the Outgoing Trust Authentication Level page appears, Forest-wide authentication lets any user in the other forest authenticate to any computer in this forest, whereas Selective authentication requires you to grant the Allowed to Authenticate permission explicitly on each computer that users from the other forest may use. Selective authentication is the least-privilege choice and is preferable where the branch and main office forests are administered separately.

Note:
To perform this procedure, you must be a member of the Domain Admins group (in the forest root domain) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure.

Enabling the Global Catalog

To enable or disable a global catalog, follow these steps:
  1. Open Active Directory Sites and Services.

  2. In the console tree, click the domain controller where you want to enable or disable the global catalog.

  3. In the details pane, right-click NTDS Settings, and then click Properties.

  4. Select the Global Catalog check box to enable the global catalog, or clear it to disable the global catalog, and then click OK.

Note:
  • To perform this procedure, you must be a member of the Domain Admins group (in the domain of the selected domain controller) or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority. As a security best practice, consider using Run as to perform this procedure. For more information, see Default local groups, Default groups, and Using Run as.
  • To open Active Directory Sites and Services, click Start, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Sites and Services.
  • Members of the Domain Admins group can always log on to the domain, even when a global catalog is not available.
  • Enabling a global catalog can cause additional replication traffic.
  • The local domain controller will not advertise itself as a global catalog until it has finished replicating the read-only directory partitions of the other domains in the forest, so allow time for replication before relying on it.
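After the trust and global catalog procedures above, a practitioner wants to confirm that the trust actually works in the intended direction, that SID filtering and selective authentication are in the state intended, and that a global catalog is being advertised. The following PowerShell script is an added example, not part of the guide or of the ISA Server product: it wraps the netdom (Windows Server 2003 Support Tools), nltest and dsquery command-line tools and reports each command's exit code and output. The forest names are assumed values; remove the /twoway switch when verifying a one-way trust.

```powershell
# Added example, not part of the guide: verifies the forest trust created above
# and confirms which domain controllers advertise the global catalog. Uses netdom
# (Windows Server 2003 Support Tools), nltest and dsquery. Forest names are assumed.
$thisForest  = 'Nenice.net'       # forest root domain used in this guide
$otherForest = 'partner.example'  # assumed: the other forest in the trust

# Runs a command-line tool and captures its exit code and output as one object.
function Invoke-Tool([string]$exe, [string[]]$argList) {
    $out = & $exe @argList 2>&1 | Out-String
    New-Object PSObject -Property @{ Command = "$exe $argList"; ExitCode = $LASTEXITCODE; Output = $out.Trim() }
}

function Test-ForestTrust {
    @(
        # Verifies the trust secure channel in both directions (drop /twoway for a one-way trust).
        (Invoke-Tool 'netdom.exe' @('trust', $thisForest, "/d:$otherForest", '/verify', '/twoway')),
        # Displays whether SID filtering (quarantine) is in effect; leave it on unless a
        # documented migration requires SID history to be honoured across the trust.
        (Invoke-Tool 'netdom.exe' @('trust', $thisForest, "/d:$otherForest", '/quarantine')),
        # Displays whether selective authentication is in force for this trust.
        (Invoke-Tool 'netdom.exe' @('trust', $thisForest, "/d:$otherForest", '/selectiveauth')),
        # Lists every trust this domain knows about, with direction and attributes.
        (Invoke-Tool 'nltest.exe' @('/domain_trusts', '/all_trusts', '/v'))
    )
}

function Test-GlobalCatalog {
    @(
        # Domain controllers in the forest that currently advertise as global catalog servers.
        (Invoke-Tool 'dsquery.exe' @('server', '-forest', '-isgc')),
        # Forces a fresh locator query for a global catalog in this forest.
        (Invoke-Tool 'nltest.exe' @("/dsgetdc:$thisForest", '/gc', '/force'))
    )
}

foreach ($r in (Test-ForestTrust) + (Test-GlobalCatalog)) {
    $status = if ($r.ExitCode -eq 0) { 'OK  ' } else { 'FAIL' }
    Write-Host "[$status] $($r.Command)"
    Write-Host $r.Output
    Write-Host ''
}
```

Run it as a member of Domain Admins in the forest root domain. A newly enabled global catalog may not appear in the dsquery output until the replication described in the last note above has completed; re-run the script rather than assuming the setting failed.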

Creating and Restoring a Backup File

The Configuration Storage server is based on Active Directory Application Mode (ADAM). These procedures walk you through the creation of a Windows backup file of the ADAM data that can be used to create a replicate Configuration Storage server. The backup file contains the complete enterprise configuration held in ADAM, so protect it in transit and at rest as carefully as you protect the Configuration Storage server itself.

Backing up the ADAM data files

To back up the ADAM data files, on the Configuration Storage server from which you want to replicate, follow these steps:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. If the Welcome page appears, click Advanced Mode.

  3. On the Backup tab, select the ADAMData folder, located under the installation folder (by default, Program Files\Microsoft ISA Server).

  4. In Backup media or file name, type the name of the backup file (with a .bkf extension).

  5. Click Start Backup. In the Backup Job Information dialog box, click Start Backup.

  6. When the backup is complete, copy the backup files to the computer on which you want to replicate the Configuration Storage server.

Restoring the backup files

On the computer to which you want to replicate the Configuration Storage server, do the following:
  1. Click Start, point to All Programs, point to Accessories, point to System Tools, and then click Backup.

  2. If the Welcome page appears, click Advanced Mode.

  3. On the Restore and Manage Media tab, right-click File, and then click Catalog file. Provide or browse to the backup file (.bkf) you copied to the local computer. Then, click OK.

  4. Expand the tree nodes to navigate to the ADAMData folder. Click to select the folder.

  5. In Restore files to, select Alternate location.

  6. In Alternate location, specify the folder to which you want to restore the backup data files.

    Note:
    The folder you specify must be on an NTFS drive on the local computer, because a network location is not supported.
  7. Click Start Restore.

  8. In the Confirm Restore dialog box, click OK.

Note:
After running restore, do not rename the folder you have specified for the restore data or copy the contents of the folder to a different location.
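The backup step can be scripted, and the copy that reaches the branch should be checked before it is restored. The following PowerShell script is an added example, not part of the guide: it runs the same ADAMData backup with ntbackup from the command line (with verification), restricts the .bkf file to administrators because it holds the whole enterprise configuration, records a SHA-256 hash so the copied file can be checked at the branch, and performs the local-NTFS-drive check from the note above before the restore. The restore itself is still done in the Backup utility, which has no command-line restore. The backup and transfer paths are assumed values.

```powershell
# Added example, not part of the guide: scripted ADAMData backup, file lock-down,
# integrity hash, and pre-restore checks. Paths are assumed values.
$adamData = Join-Path $env:ProgramFiles 'Microsoft ISA Server\ADAMData'
$bkf      = 'D:\Backup\ADAMData.bkf'   # assumed backup file location

function Get-Sha256Hex([string]$path) {
    $sha = [Security.Cryptography.SHA256]::Create()
    $fs  = [IO.File]::OpenRead($path)
    try { ($sha.ComputeHash($fs) | ForEach-Object { $_.ToString('x2') }) -join '' }
    finally { $fs.Close() }
}

# Main office: back up ADAMData with verification, lock the file down, and hash it.
function Backup-AdamData {
    if (-not (Test-Path $adamData)) { throw "ADAMData folder not found: $adamData" }
    $null = New-Item -ItemType Directory -Path (Split-Path $bkf) -Force
    $proc = [Diagnostics.Process]::Start('ntbackup.exe',
        "backup `"$adamData`" /j `"ADAMData for branch replicate`" /f `"$bkf`" /m normal /v:yes")
    $proc.WaitForExit()
    if (-not (Test-Path $bkf)) { throw "ntbackup did not produce $bkf (exit code $($proc.ExitCode))" }

    # The .bkf holds the whole enterprise configuration: administrators only, no inherited ACEs.
    $acl = Get-Acl -Path $bkf
    $acl.SetAccessRuleProtection($true, $false)
    $acl.AddAccessRule((New-Object Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', 'Allow')))
    Set-Acl -Path $bkf -AclObject $acl

    $hash = Get-Sha256Hex $bkf
    Set-Content -Path "$bkf.sha256" -Value $hash -Encoding ASCII
    $hash
}

# Branch: check the copied file and the restore target before opening the Backup utility.
function Test-RestoreTarget([string]$copiedBkf, [string]$expectedHash, [string]$restoreFolder) {
    $actual = Get-Sha256Hex $copiedBkf
    if ($actual -ne $expectedHash) { throw "Backup file hash mismatch: expected $expectedHash, got $actual" }
    # Note from the guide: the alternate location must be on a local NTFS drive.
    $drive = Split-Path -Qualifier $restoreFolder
    $disk  = Get-WmiObject Win32_LogicalDisk -Filter "DeviceID='$drive'"
    if (-not $disk -or $disk.DriveType -ne 3) { throw "$drive is not a local fixed disk" }
    if ($disk.FileSystem -ne 'NTFS') { throw "$drive is $($disk.FileSystem), not NTFS" }
    "OK: restore $copiedBkf to $restoreFolder, then do not rename or move that folder."
}

# Usage at the main office:
#   $hash = Backup-AdamData
# Usage at the branch, after copying the .bkf and .sha256 files (assumed paths):
#   Test-RestoreTarget 'C:\Transfer\ADAMData.bkf' (Get-Content 'C:\Transfer\ADAMData.bkf.sha256') 'C:\ADAMRestore'
```

Keep the .sha256 file with the backup and compare it at the branch before restoring; a mismatch means the file was altered or truncated in transit and must not be used to seed a Configuration Storage server.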

This appendix describes the following methods of configuring branch connectivity:

  • Using a third-party VPN connection to establish branch connectivity
  • Branch connectivity using Routing and Remote Access
  • Connecting to the headquarters Configuration Storage server using server publishing
  • Configuring the Configuration Storage server locally and shipping to a branch
  • Using a temporary enterprise to establish branch connectivity

For detailed procedures that are common to all solutions and this appendix, see Appendix A: Procedures in this document.

Using a Third-Party VPN Connection to Establish Branch Connectivity

You can use an existing VPN connection created using a third-party device or software application as the basis for installation of ISA Server components in a branch office. Ensure that the computer on which you are going to install the components uses the third-party VPN connectivity provider as its default gateway. After you have installed the ISA Server services in the branch office, you can either leave the existing VPN connection, or remove it and create a new connection using ISA Server.

Branch Connectivity Using Routing and Remote Access

Branch connectivity using Routing and Remote Access must take place on a computer running Windows Server 2003 or Windows 2000 Server that will not have ISA Server installed on it, because the ISA Server installation stops Routing and Remote Access, thereby ending the VPN connection. After you have created the VPN connection using a second computer running Windows Server 2003, set it as the default gateway for the computers on which you are going to install the Configuration Storage server, as well as the domain controller.

To establish branch connectivity using Routing and Remote Access, follow these steps:
  1. Click Start, point to All Programs, point to Administrative Tools, and select Routing and Remote Access.

  2. Right-click the server name and select Configure and Enable Routing and Remote Access.

  3. On the Welcome page of the wizard, click Next.

  4. On the Configuration page, select Secure connection between two private networks, and then click Next.

  5. On the Demand-Dial Connections page, select Yes, and then click Next.

  6. On the IP Address Assignment page, unless you are using a Dynamic Host Configuration Protocol (DHCP) server to assign addresses, select From a specified range of addresses, and then click Next. If you are using a DHCP server to assign addresses, select Automatically, and then click Next to display the summary page of the wizard.

  7. On the Address Range Assignment page, click New to open the New Address Range dialog box. Note that any addresses you assign for this VPN connection cannot be in use by any of the servers in the remote network. Provide an address range and click OK, and then click Next.

  8. On the summary page, click Finish, and the Demand Dial Interface Wizard will begin automatically.

  9. On the Interface Name page, provide a friendly name for the interface, and then click Next.

  10. On the Connection Type page, select Connecting using virtual private networking (VPN), and then click Next.

  11. On the VPN Type page, select Point to Point Tunneling Protocol (PPTP), and then click Next. You can also use Layer Two Tunneling Protocol (L2TP) to establish the connection. L2TP/IPsec authenticates both endpoints with certificates or a preshared key and encrypts the tunnel with IPsec, whereas PPTP relies on MS-CHAP v2 password authentication and MPPE encryption, so prefer L2TP/IPsec where both ends support it, and use a strong password for the dial-out account in either case.

  12. On the Destination Address page, provide the IP address of the headquarters ISA Server external network adapter. If the main office array has been configured to use Network Load Balancing (NLB) on the External network, use the virtual IP address assigned in the NLB configuration.

  13. On the Protocols and Security page, select Route IP packets on this interface, and then click Next.

  14. On the Static Routes for Remote Networks page, click Add to open the Static Route dialog box. Provide the range of IP addresses that will be routed to the VPN. Click OK, and then click Next.

  15. On the Dial Out Credentials page, provide the credentials of the user account that you created on the main array firewall server for this connection. The account name must be the same as the name of the remote site network defined on the main array, because that is how the main array associates the incoming call with the site-to-site connection. Then click Next.

  16. On the summary page, review the configuration, and then click Finish.

Note:
You can install a replicate Configuration Storage server in the branch on the computer that is hosting Routing and Remote Access (if it is running Windows Server 2003, which is required for ISA Server 2004 Enterprise Edition) or on another computer that has the server running Routing And Remote Access as its default gateway.
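Two of the decisions in the Routing and Remote Access procedure are easy to get wrong on paper: the VPN address pool (step 7) must not overlap any range in use at either office, and the static routes (step 14) must cover every main office network the branch needs to reach. The following PowerShell script is an added example, not part of the guide: it parses address ranges given as CIDR prefixes or first-last pairs and reports overlaps and missing routes for a plan. All addresses in it are assumed values, and the sample plan deliberately carves the pool out of the branch LAN to show the check firing.

```powershell
# Added example, not part of the guide: checks a Routing and Remote Access address
# plan for pool overlaps and missing static routes. All ranges are assumed values.
function ConvertTo-IPNumber([string]$ip) {
    $b = [Net.IPAddress]::Parse($ip).GetAddressBytes()
    [uint64]$b[0] * 16777216 + [uint64]$b[1] * 65536 + [uint64]$b[2] * 256 + [uint64]$b[3]
}

# Accepts 'a.b.c.d/prefix' or 'first-last' and returns an object with numeric Start/End.
function ConvertTo-Range([string]$text) {
    if ($text -match '^(.+)/(\d+)$') {
        $start = ConvertTo-IPNumber $Matches[1]
        $size  = [uint64][Math]::Pow(2, 32 - [int]$Matches[2])
        $end   = $start + $size - 1
    } elseif ($text -match '^(.+)-(.+)$') {
        $start = ConvertTo-IPNumber $Matches[1]
        $end   = ConvertTo-IPNumber $Matches[2]
    } else { throw "Unrecognised range: $text" }
    New-Object PSObject -Property @{ Text = $text; Start = $start; End = $end }
}

function Test-RangeOverlap($a, $b)           { ($a.Start -le $b.End) -and ($b.Start -le $a.End) }
function Test-RangeContains($outer, $inner) { ($outer.Start -le $inner.Start) -and ($inner.End -le $outer.End) }

# Returns a list of problems; an empty list means the plan is consistent.
function Test-VpnAddressPlan([string]$pool, [string[]]$branchNets, [string[]]$mainNets, [string[]]$staticRoutes) {
    $problems = @()
    $p = ConvertTo-Range $pool
    # Step 7: the pool must not collide with addresses in use at either office.
    foreach ($n in ($branchNets + $mainNets)) {
        if (Test-RangeOverlap $p (ConvertTo-Range $n)) { $problems += "VPN pool $pool overlaps $n" }
    }
    # Step 14: every main office network must fall inside some static route.
    $routes = $staticRoutes | ForEach-Object { ConvertTo-Range $_ }
    foreach ($n in $mainNets) {
        $net = ConvertTo-Range $n
        $covered = $false
        foreach ($r in $routes) { if (Test-RangeContains $r $net) { $covered = $true } }
        if (-not $covered) { $problems += "No static route covers main office network $n" }
    }
    $problems
}

# Assumed plan: the pool is taken from the branch LAN, and one main office subnet has no route.
$plan = @{
    pool         = '10.20.0.200-10.20.0.220'
    branchNets   = @('10.20.0.0/24')
    mainNets     = @('10.0.0.0/16', '10.1.0.0/24')
    staticRoutes = @('10.0.0.0/16')
}
Test-VpnAddressPlan $plan.pool $plan.branchNets $plan.mainNets $plan.staticRoutes
```

Run the check against the real ranges before entering them in the New Address Range and Static Route dialog boxes; a pool that collides with a server address at the remote office will silently break reachability of that server through the tunnel, and a subnet without a static route will be sent to the default gateway instead of the VPN.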

Connecting to the Headquarters Configuration Storage Server Using Server Publishing

You can create a replicate Configuration Storage server in a branch by server publishing your main Configuration Storage server to the Internet, and then connecting to the Internet from the branch to replicate the server. By publishing the Configuration Storage server only to the IP address of the planned replicate, you limit exposure of the configuration data while making it available where it is needed. Note that a source address restriction narrows who can reach the listener but is not authentication, and that of the three rules only the LDAPS rule provides transport encryption of its own, so treat the publishing rules as a short-lived exception and disable them as soon as the replicate is installed. Follow these steps:

  1. On the main firewall array, create a computer set containing the IP address of the computer that will be the replicate Configuration Storage server.
  2. Create protocol definitions for LDAPS (inbound) and LDAP (inbound) following the procedure in Creating a Protocol Definition. Create three server publishing rules, publishing LDAPS (inbound), LDAP (inbound), and DNS server to the new computer set, following the procedure in Creating a Server Publishing Rule.
  3. In the branch office, establish an Internet connection for the computer that will host the Configuration Storage server. Install the replicate Configuration Storage server, following the procedure Installing the Configuration Storage Server.

After you have installed the Configuration Storage server, you can install the branch array, and then establish a VPN site-to-site connection from the branch ISA Server array to the main ISA Server array. You should then disable all three server publishing rules (LDAPS, LDAP, and DNS), so that the Configuration Storage server is no longer reachable from the Internet.
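Disabling the temporary rules is the step most easily forgotten once the VPN is up. The following PowerShell script is an added example, not part of the guide or of the product: it disables the three publishing rules on the main array and applies the change through the ISA Server administration COM object. It assumes the FPC object model as documented in the ISA Server 2004 SDK (the FPC.Root object, FPCRoot.Arrays, FPCArray.ArrayPolicy.PolicyRules, FPCPolicyRule.Enabled and FPCArray.Save), and the array and rule names in it are assumed values to be replaced with the names you used.

```powershell
# Added example, not part of the guide: disables the temporary Configuration
# Storage server publishing rules on the main array and saves the change. Run on a
# computer with ISA Server Management installed, as an array administrator.
# Array and rule names are assumed values.
$arrayName = 'Main office'
$ruleNames = @('CSS LDAPS to branch replicate', 'CSS LDAP to branch replicate', 'DNS to branch replicate')

function Disable-TemporaryPublishingRules([string]$arrayName, [string[]]$ruleNames) {
    $fpc   = New-Object -ComObject 'FPC.Root'   # ISA Server administration root object
    $array = $null
    foreach ($a in $fpc.Arrays) { if ($a.Name -eq $arrayName) { $array = $a } }
    if (-not $array) { throw "Array '$arrayName' not found in the enterprise" }

    $found = @()
    foreach ($rule in $array.ArrayPolicy.PolicyRules) {
        if ($ruleNames -contains $rule.Name) {
            $rule.Enabled = $false
            $found += $rule.Name
        }
    }
    # Refuse to save a partial change: a rule left enabled keeps the listener exposed.
    $missing = $ruleNames | Where-Object { $found -notcontains $_ }
    if ($missing) { throw "Rules not found, nothing saved: $($missing -join ', ')" }
    $array.Save()   # equivalent of clicking Apply in ISA Server Management
    $found
}

Disable-TemporaryPublishingRules $arrayName $ruleNames
```

After it runs, confirm in ISA Server Management that the three rules show as disabled and that the firewall policy has been applied to every array member; deleting the rules outright, once you are sure the replicate is working, removes the temptation to re-enable them later.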

Configuring the Configuration Storage Server Locally and Shipping to a Branch

You can configure the branch Configuration Storage server in the main office, where connectivity through the corporate network is ensured. You can then ship the Configuration Storage server to the branch office, and use it to install the branch ISA Server array. Alternatively, in a single-server branch office scenario, you can configure the Configuration Storage server and ISA Server services on the computer in the main office, and then ship it to the branch office.

To configure ISA Server in the main office for deployment in a branch office, follow these steps:
  1. Install either a Configuration Storage server, following the procedure Installing the Configuration Storage Server (as a replicate of the main Configuration Storage server), or a combined Configuration Storage server with ISA Server services, following the procedure Installing the Configuration Storage Server and ISA Server Services on a Single Computer. In both cases the computer is on the corporate network and can reach the main Configuration Storage server directly.

  2. Ship the computer to the branch office.

  3. In the branch office, connect the computer to the branch Internal network. If you shipped a Configuration Storage server only, install ISA Server services on a computer in the Internal network, referring to the replicate Configuration Storage server. If you shipped a combined server, no further installation is needed.

  4. After the ISA Server services computer or computers have been configured, you can establish a site-to-site VPN connection from the branch array to the main array, following the procedure in Creating a VPN in ISA Server.

Using a Temporary Enterprise to Establish Branch Connectivity

You can create a combined ISA Server installation in a branch and use it to establish a VPN connection to the main office. The combined server will be in its own enterprise, unrelated to the main office. After you have created the VPN connection, you can install a replicate Configuration Storage server that points to the main Configuration Storage server, and then use that server as the Configuration Storage server for the branch array. Finally, you can remove the combined server. Follow these steps:

  1. Install the combined server as a new enterprise, following the procedure in Installing the Configuration Storage Server and ISA Server Services on a Single Computer.
  2. On the main array, create a site-to-site VPN for the combined server, following the procedure Creating a VPN in ISA Server.
  3. On the combined server, create a site-to-site VPN for the main array, following the procedure Creating a VPN in ISA Server.
  4. On the main array, create a network rule establishing a route relationship between the two VPNs, following the procedure Creating a Network Rule.
  5. Create an access rule on the main array allowing at least LDAPS and DNS traffic between the branch and main offices, following the procedure Creating an Access Rule. Allow Internet Control Message Protocol (ICMP) traffic as well, if you want to test the VPN connection using Ping. (For instructions, see Step 7 of this procedure.)
  6. Create a local or domain user on the main array that the branch can use for authentication when connecting.
  7. Test the VPN connection by pinging the main array from the branch combined server.
  8. Install a replicate of the main Configuration Storage server in the branch, following the procedure Installing the Configuration Storage Server.
  9. Create the branch array, following the procedure Creating an ISA Server Array. Use the replicate Configuration Storage server as the storage for the new array.
  10. Uninstall the combined server.
  11. Create a new site-to-site VPN connection, network rules, and appropriate access rules for the new branch array, and reestablish the VPN connection to the main office.

Additional ISA Server 2004 documents are available on the ISA Server 2004 Guidance page.
