Installation

Installing ISA Server involves several tasks. First, you need to prepare the server for the installation. Then, if you're going to set up an ISA Server array or administer servers using enterprise policies, you need to install the ISA Server schema to Active Directory. After doing this, install ISA Server and use ISA Server's Getting Started Wizard to run the initial configuration.

The following sections walk you through these tasks.

Preinstallation

Before you install ISA Server, use the following steps to prepare the server:

  1. If you're setting up an ISA Server array (discussed earlier), make sure there is a Windows 2000 domain available to join, because the ISA Server array schema must be stored in Active Directory. If the network is still using Windows NT 4 domains, create a new Windows 2000 domain and set up a one-way trust between the domains.

    All ISA servers in an array must belong to the same domain and site.

  2. Verify that the network adapter connected to the internal network is properly set up. This adapter should use a static IP address and should not have a default gateway specified. The internal network will probably consist of addresses from the private address ranges (discussed earlier in this chapter).

    Windows can only store a default gateway for one network interface, the external interface. Therefore, if the internal network is routed, you can create static routes to ensure full connectivity. Creating static routes using the ROUTE command is covered in the Windows Help system as well as the Microsoft Windows 2000 Resource Kit.

  3. Verify that the network adapter, modem, or ISDN adapter connected to the Internet or external network is properly set up. This connection can use a dynamically assigned IP address or a static IP address. Either way, the address needs to be a valid Internet address obtained from your ISP.
  4. Remove File and Printer Sharing for Microsoft Networks and Client for Microsoft Networks from the external interface. You should also disable NetBIOS Over TCP/IP.
  5. Test connectivity by connecting to other clients or servers on the internal network, as well as the external network (most likely the Internet). Alternatively, use the Ping command to test the ability to reach hosts on the internal and external network.
  6. To enable the ISA server to access the Web (for example, to use Windows Update), set up the Web browser to use the ISA server's internal network address as the proxy server address, as described in the section entitled Configuring Web Proxy later in this chapter.
  7. Update Windows 2000 with the latest service pack and relevant security updates.

Real World

Creating a Secure Configuration

To maximize security, follow these rules:

  • Don't install additional applications or services on the ISA Server computer.
  • Don't install ISA on a domain controller unless it belongs to its own domain and forest with a one-way trust to the rest of your company.
  • Stop any unnecessary services on the server.
  • Apply the hisecweb security template to the server to increase the security settings of Windows (see Chapter 28 for more information).
  • Install the latest Windows and ISA Server service packs and security patches.

Enterprise Initialization

Before you can set up an ISA Server array, you need to install the ISA Server schema into Active Directory. You can also install the ISA Server schema to Active Directory so that you can apply enterprise-wide policies to your ISA servers, or turn a stand-alone server into an array at some point in the future (you don't have to create arrays immediately).

To install the ISA Server schema to Active Directory, thereby preparing the network for ISA Server arrays or enterprise policies, use the following procedure:

  1. Insert the ISA Server CD in the CD-ROM drive or run ISAautorun.exe from a network location.
  2. Click Run ISA Server Enterprise Installation in the Microsoft ISA Server Setup window. Click Yes to install the ISA Server schema to Active Directory.

    Installing the ISA Server schema to Active Directory is irreversible. Even if you uninstall ISA Server on all computers, the schema still exists in Active Directory. However, installing the ISA Server schema has only a minimal effect on Active Directory: typically only a couple of megabytes of storage space are consumed in the Global Catalog and several megabytes of extra replication traffic are generated. Because there isn't any way around this, and the impact is small, you should consider this point, and then forget about it.

  3. In the dialog box shown in Figure 31-2, specify how to apply policies to the enterprise and name the new enterprise policy (if you choose to create one):
    • Use Array Policy Only This setting prevents you from applying policies at the enterprise level, dictating that you must configure each ISA Server array individually.
    • Use This Enterprise Policy If you select this option and don't select the Allow Array-Level Access Policy Rules check box, all policies must be applied at the enterprise level. This means that all arrays in the enterprise will have the same policy settings, whether you like it or not.
    • Enterprise and Array Policies combined Set up ISA Server to permit both enterprise and array policies. This allows you to set policies at the enterprise level, but also individually set more restrictive policies at the array level (although you can only further restrict policies at the array level, not make them more permissive). To do so, select the Use This Enterprise Policy option and then select the Allow Array-Level Access Policy Rules check box.
    • Allow Publishing Rules Select this check box so that arrays are allowed to publish (make available to the Internet) Web servers and other servers.
    • Force Packet Filtering On The Array Select this check box to force all arrays to use packet filtering. If you clear this check box, you can enable or disable packet filtering on an array-by-array basis.

    Figure 31-2. Choosing how ISA Server should handle enterprise and array policies.

  4. Click OK to install the ISA Server schema. Active Directory processes the updates. When it's finished, click OK.

You should wait until there is adequate time for Active Directory to replicate the changes before you set up any arrays.

ISA Server Installation

To install ISA Server, follow these steps:

  1. Disconnect the ISA server from the Internet. This eliminates the possibility of any security breaches while installing ISA Server.
  2. Insert the ISA Server CD in the CD-ROM drive or run ISAautorun.exe from a network location.

    If you need to deploy a number of ISA servers, consider performing unattended setups. For information about how to install ISA Server unattended through a command prompt, search on unattended in the ISA Server Help system.

  3. Click Install ISA Server in the Microsoft ISA Server Setup window. Click Continue to begin installation.
  4. Enter the 10-digit CD key from the back of the ISA Server CD-ROM case and then click OK. Your product ID will be displayed. Click OK again to continue.
  5. Read the standard Microsoft license agreement screen, and then click I Agree to continue.
  6. Click Change Folder at the bottom of the screen shown in Figure 31-3 to optionally change the installation location. Roughly 20 MB of disk space is used at this location (the ISA Server cache can be stored elsewhere).

    Figure 31-3. Choosing an installation type.

  7. Click the button associated with the type of installation you want to perform. Choose Typical to install the most commonly used options, Custom to specify exactly what options to install, as shown in Figure 31-4, or Full to install all options.

    Figure 31-4. The Custom Installation dialog box.

  8. Choose whether to install ISA Server as a stand-alone server or as an array member (if you initialized the enterprise first, as described in the previous section). If you choose to make the server an array member, enter a name for the array or choose an existing array.
  9. Choose whether to use the existing enterprise policy with the array (if creating or adding members to an array), or use custom enterprise settings, and then click Continue.
  10. Choose which mode of ISA Server to use, as shown in Figure 31-5: Firewall mode for security purposes only, Cache Mode for Internet acceleration purposes only, or Integrated Mode to provide both security and acceleration services (this is the recommended mode for most networks).

    Figure 31-5. Choosing which mode of ISA Server to use.

    You can enable or disable ISA Server's firewall and caching services any time after installing by selecting Microsoft ISA Server in Add/Remove Programs in Control Panel, clicking Change, and then choosing Reinstall. Select a new mode and away you go. Make sure to back up the ISA Server configuration first.

    Installing ISA Server in Cache Mode will not allow SecureNAT clients to access the Internet. SecureNAT clients are only supported in Firewall Mode and Integrated Mode.

  11. Setup stops Internet Information Services (IIS), if installed. Click OK to continue.

    To host Web sites from behind an ISA Server firewall, you need to "publish" the Web server using ISA Server, permitting Internet clients to access the published servers. This is discussed in the section entitled Publishing Internal Servers to the Internet later in this chapter.

  12. Set the size and location of the local Web cache as shown in Figure 31-6. Hard disk space is inexpensive, so set aside a large chunk of disk space for the cache; 10 GB is a good amount for many organizations, but see Table 31-2 earlier in this chapter for more recommendations.

    You can place the cache on any NTFS drive, but for the best performance, you should place it on the fastest hard drive or spread it across several physical disks (spreading across partitions on the same physical disk offers no performance improvements).

    Figure 31-6. Specifying on which drives to store the Web cache.

  13. The Server Setup Construct LAT dialog box appears, as shown in Figure 31-7. Here you can build the local address table (LAT). This table identifies which addresses are on your local network, and thus accessible through the network adapter connected to the internal company network. Addresses not located in the LAT are accessed using the network adapter connected to the external network (the Internet).

    Figure 31-7. The Server Setup Construct LAT dialog box.

  14. In the Edit box, type the range of addresses on the local network. You don't need to add any RFC 1918 private addresses; they'll be added automatically when you click Construct Table. Click Add after entering each range of addresses.
  15. When you've added all the internal IP addresses, click Construct Table to open the Local Address Table dialog box shown in Figure 31-8.

    Figure 31-8. The Local Address Table dialog box.

  16. To add the private IP addresses automatically, select the Add The Following Private Ranges check box. To allow Windows to use the internal IP routing table, specify the network card(s) connected to the internal network (do not select the adapter connected to the Internet or external network). When you've made your selections, click OK.
  17. A setup message appears, warning you that the automatically constructed LAT might include external addresses. Click OK again to return to the Server Setup Construct LAT dialog box in Figure 31-7.
  18. Now you'll see the automatically configured LAT as ISA Server is about to construct it. Edit it to remove any external addresses from the table or any other errors you encounter. If any local addresses aren't showing, add them. When the table is correct, click OK.
  19. Click OK to finish setup and start the ISA Server Getting Started Wizard, discussed in the next section.
  20. Reconnect the ISA server to the Internet.

Until you run the ISA Server Getting Started Wizard, discussed in the section entitled Initial Configuration later in this chapter, no Internet connectivity exists for the network; internal clients can't access Internet Web sites, and Internet users can't access any Web servers you have on the internal network.
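
Steps 17 and 18 ask you to review the automatically constructed LAT and remove any external addresses, because every address in the LAT is treated as internal. The following check is an added example, not part of the original chapter or of ISA Server: it assumes the LAT entries have been typed out from the dialog box as "first-last" strings, and the function names and sample addresses are constructed for illustration.

```python
import ipaddress

# RFC 1918 private ranges, which setup can add to the LAT automatically.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_range(text):
    """Parse a LAT entry written as 'first-last' into a pair of addresses."""
    first, last = (ipaddress.IPv4Address(p.strip()) for p in text.split("-"))
    if first > last:
        raise ValueError(f"range is reversed: {text}")
    return first, last


def audit_lat(lat_entries, internal_networks=()):
    """Return (entry, block) pairs for LAT blocks holding non-internal addresses.

    internal_networks: CIDR strings for public blocks the organization really
    uses on the inside (assumed input; leave empty for private-only networks).
    """
    declared = [ipaddress.ip_network(n) for n in internal_networks]
    # Collapse to a minimal CIDR set so adjacent declared blocks are merged.
    allowed = list(ipaddress.collapse_addresses(RFC1918 + declared))
    findings = []
    for entry in lat_entries:
        first, last = parse_range(entry)
        # Split the range into CIDR blocks so containment can be tested exactly.
        for block in ipaddress.summarize_address_range(first, last):
            if not any(block.subnet_of(net) for net in allowed):
                findings.append((entry, str(block)))
    return findings


# Constructed sample: a LAT as it might look after Construct Table.
SAMPLE_LAT = [
    "10.0.0.0-10.255.255.255",
    "192.168.1.0-192.168.1.255",
    "198.51.100.0-198.51.100.127",  # public block used internally (constructed)
    "203.0.113.0-203.0.113.255",    # subnet of the external adapter (constructed)
]

if __name__ == "__main__":
    for entry, block in audit_lat(SAMPLE_LAT, ["198.51.100.0/24"]):
        print(f"remove or correct LAT entry {entry}: {block} is not internal")
```

A flagged block either lies wholly outside the internal ranges or extends past them, so the entry should be removed or narrowed before you click OK in step 18.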



Microsoft Windows 2000 Server Administrator's Companion
ISBN: 0735617856
EAN: 2147483647
Year: 2003
Pages: 320
