Putting Together Your Flight Plan


To ensure that your installation goes smoothly, have the answers to the following questions before you begin:

  • Where are the installation files?

  • Do you have appropriate permissions to install ISA Server?

  • What is the CD key, and where is the product license?

  • Will the Active Directory Schema need to be updated?

  • What server mode will you use?

  • Where will you store the program files, log files, and Web cache?

  • What are the network IDs for the hosts on your internal network?

  • What ISA features do you want to include in your installation?

  • Will you be creating or joining an array?

Let's look at these points in a little more detail before beginning the installation.

Installation Files and Permissions

The installation files for ISA Server can be accessed via the product CD-ROM or from a network installation share point. If you are installing from a share point, make sure that the Share and NTFS permissions at the source allow you to install the program.

You must be logged on with an account that has permission to install the program. If you are installing a stand-alone ISA server, you must at least be a member of the Administrators group for that machine. If you want to install an enterprise array, you must be a member of the Domain Administrators group. If you have a multiple forest environment, you should be a member of the Enterprise Admins group, and if you are responsible for initializing Active Directory, you also have to be a member of the Schema Admins group.

Table 23.1 lists the required permissions for ISA Server installation.

Table 23.1: Permissions Required to Install ISA Server and Components

You Plan to Install:       Permissions Required:

Stand-alone ISA server     Local Administrators Group (Domain Administrators are automatically placed in this group)

An array member            Domain Administrator

An enterprise array        Enterprise Admin

Note

You must be a member of all the following groups to install the ISA schema to Active Directory: the Administrators group on the local computer, the Enterprise Admins group, and the Schema Admins group.

CD Key and Product License

The CD key is located on the CD case. It is a 10-digit number. You might also find it on the product packaging. Be sure that you have the license readily available and that you photocopy it, scan it, and then put it in a safe place.

It is an important part of your fault-tolerance plan to have multiple copies of your product licenses and to store them in a safe, centralized location or locations. Doing so will help you avert unfortunate fines should your company be the subject of an audit.

Note

The CD key is a 10-digit number. You will be requested to supply the CD key during the installation process.

Active Directory Considerations

If you plan to install an enterprise array, the machine onto which you install ISA Server must be a member of a domain. You also need to connect to a domain controller during the installation. Confirm network connectivity to a domain controller prior to beginning the installation.

As mentioned earlier, when you perform an enterprise initialization, you will be altering Active Directory so that it can store array configuration information. Remember that alterations to the schema are a one-way process and that you cannot go back and restore the schema to its previous state.

Note

You must be able to communicate with a domain controller in your domain via a secure channel before performing the enterprise initialization. This is not the same as being able to access a file share on the domain controller. To confirm a secure channel between your computer and a domain controller, use the Netdom utility included with the Windows 2000 Resource Kit. Use the netdom query /Verify server command to obtain a screen print of the servers in your domain that have a verifiable secure channel.

Server Mode

Decide in advance the server mode you will assign to the ISA server. The server modes are cache mode, firewall mode, and integrated mode. This decision should be made after conferring with your security group and determining exactly what function(s) this ISA server will perform on your network. The security implications of the modes are quite different; these implications need to be addressed prior to implementation.

Disk Location for ISA Server Files

Decide where you want to install the ISA Server program files. These files require only about 20MB of disk space and do not incur much read/write activity, so you will usually be safe installing them to the default location, which is in the Program Files folder on the boot partition.

During installation, you need to decide where you want to place your Web cache files. It is best to place these on a RAID array, which must be formatted as NTFS. The RAID configuration should ensure the best performance possible.

Note

Web cache files can be placed only on an NTFS partition or volume. In fact, when you configure the Web cache, either during installation or via the ISA Management console, you will not be given the opportunity to place the cache on FAT formatted drives.

Although you won't need to decide where to put your log files during installation, you should have your server configured so that you can adjust the configuration to put the logs on their own volume, if possible. Log files are written to much more than they are read. Therefore, after the installation is complete, you should move the log file location to a volume that has the fastest write access.

Note

By default, the log files are placed on the boot partition, but after installation is complete, you will be able to change the location via the ISA Administration console. The path for the default location is <drive>:\Program Files\Microsoft ISA Server\ISALogs.

Internal Network IDs and the Local Address Table

You will be asked to configure the local address table (LAT) during the installation routine. To prepare the LAT correctly, you need to know the network IDs that are in use inside your company. The LAT will be used to determine if requests should be sent directly to an internal server or if they should be subjected to ISA Server rules and policies.

It is paramount that you configure the LAT correctly because it defines the networks that are considered internal and those that are considered external. If for some reason an external network ID finds itself on the LAT, requests from that network ID will be treated as internal network clients and will not be subjected to the same access controls applied to external network hosts. This means that these external network hosts could have direct access to your internal network resources.

Optimal configuration of your LAT is based on the routing tables configured on your ISA servers. You'll have the option of letting ISA Server configure the LAT based on the routing table on that server. The best way to have the LAT configured correctly and reliably is to have an accurate routing table on the machine. This can be done automatically via a routing protocol, such as RIP or OSPF, or you can create manual routing table entries via the Routing and Remote Access console or with the ROUTE command at the command prompt.
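
The LAT check described above, as an added example (not from the book and not part of ISA Server): a Python audit that compares LAT ranges with the routes on the internal interface and flags entries that would let an external network be treated as internal. The function name audit_lat, the interface labels, and the sample LAT and routes are assumptions constructed for illustration; it assumes you have copied the LAT ranges and routing table entries out by hand.

```python
import ipaddress

# RFC 1918 private address space; anything else on the LAT deserves a second look.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def audit_lat(lat_ranges, routes, internal_if="internal"):
    """Compare LAT ranges with the routes that leave via the internal interface.
    lat_ranges: list of (first_ip, last_ip) strings, one per LAT entry.
    routes:     list of (cidr, interface_label) taken from the routing table.
    Returns a list of (lat_range, network, verdict) for every problem found.
    """
    # Merge adjacent internal routes so a LAT range spanning two of them still matches.
    internal = list(ipaddress.collapse_addresses(
        ipaddress.ip_network(cidr) for cidr, iface in routes if iface == internal_if))
    findings = []
    for first, last in lat_ranges:
        blocks = ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last))
        for net in blocks:
            routed = any(net.subnet_of(r) for r in internal)
            private = any(net.subnet_of(p) for p in RFC1918)
            if routed and private:
                continue               # internal route and private space: expected
            if not routed and not private:
                verdict = "EXTERNAL"   # public space with no internal route
            elif not routed:
                verdict = "UNROUTED"   # private, but wider than any internal route
            else:
                verdict = "REVIEW"     # public space routed internally
            findings.append((f"{first}-{last}", str(net), verdict))
    return findings

# Constructed sample data (203.0.113.0/24 is a documentation range standing in
# for an external network that was added to the LAT by mistake).
SAMPLE_ROUTES = [("10.1.0.0/16", "internal"), ("192.168.0.0/24", "internal"),
                 ("192.168.1.0/24", "internal"), ("0.0.0.0/0", "external")]
SAMPLE_LAT = [("10.1.0.0", "10.1.255.255"), ("192.168.0.0", "192.168.1.255"),
              ("172.16.0.0", "172.31.255.255"), ("203.0.113.0", "203.0.113.255")]

if __name__ == "__main__":
    for lat_range, net, verdict in audit_lat(SAMPLE_LAT, SAMPLE_ROUTES):
        print(f"{verdict:9} {lat_range} ({net})")
```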

ISA Server Features Installation

A few services are labeled "add-in" services by the ISA Server installation routine. Before you begin the installation, you should determine whether you want to include these services:

  • The H.323 Gatekeeper Service

  • The Message Screener

  • The H.323 Gatekeeper Administration Tool

The H.323 Gatekeeper allows multiple inbound and outbound calls using a program such as NetMeeting to conduct voice, video, and data sessions. The H.323 Administration tool allows you to administer the service. Thus, if you install the service, you should install the tool as well.

The Message Screener is a tool you use together with secure Mail Server publishing. The Message Screener tool allows you to check incoming mail for a number of elements, such as keywords. If you plan to implement secure Mail Server publishing, you should install this tool.

Note

If you plan to use the Message Screener tool, you need an installation of the IIS 5.0 SMTP Service to act as a relay. The IIS SMTP service is used to relay messages to your internal mail server.

Warning

As part of the installation routine, the ISA Server Setup program will change the TCP/IP driver's dynamic port range to 65,535. (The effect takes place when the computer is rebooted after installing ISA Server.)




The Best Damn Firewall Book Period
ISBN: 1931836906
EAN: 2147483647
Year: 2003
Pages: 240