Preparing an ISA Environment for the Firewall Client


By default, ISA Server 2004 does not automatically enable an environment for support and installation of the Firewall client component. Specific steps must be taken to enable systems on a network to utilize the Firewall client. Understanding these prerequisites and how the installation of the Firewall client can be automated can help to ease the administration of the Firewall client.

Installing the ISA Firewall Client Share

The first step in enabling support for the Firewall client is to set up a networked share location that contains the binaries for the firewall client itself. The ISA Server 2004 media contains an installation option for the Firewall client share, which is effectively a shared folder on a server that contains a copy of the ISA Firewall client software. Although it is on the ISA Server CD, this does not mean that it is a good idea to install it on the ISA Server itself. It is best practice from a security perspective to install the Firewall client share on a different system from ISA entirely, to eliminate the need for the ISA Server to perform file server functions for internal network clients.

CAUTION

One of the most dangerous roles that can be granted to an ISA Server is one of a file server. It requires Server Message Block (SMB) support and File and Print Sharing capabilities, greatly increasing the attack surface of the ISA Server. It is for this reason that it is recommended that the ISA Firewall client share be placed on a separate system.


To install the ISA Server Firewall client share on a server, perform the following steps:

1.

Insert the ISA Server 2004 Standard Edition Media into the CD drive of the server (or double-click on the isaautorun.exe file from the media directory).

2.

From the splash screen, select the link for Install ISA Server 2004.

3.

Click Next at the welcome dialog box.

4.

Select I Accept the Terms in the License Agreement and click Next.

5.

Enter a User Name, Organization, and Product Serial Number and click Next to continue.

6.

Under Installation Type, select Custom and click Next.

7.

Under Firewall Services, click and select This Feature Will Not Be Available.

8.

Click on ISA Server Management, and select This Feature Will Not Be Available.

9.

Under the Firewall Client Installation Share, click and select This Feature Will Be Installed on Local Hard Drive. The dialog box should then look like Figure 11.3. Click Next to continue.

Figure 11.3. Installing the Firewall Client Installation Share.


10.

Click Install to begin the installation process.

11.

Click Finish.

CAUTION

After the Client is installed, it is critical to update the server on which the Firewall Client was installed with the latest Service Pack for ISA Server 2004, which will contain the latest version of the Firewall Client. If the server running the share is not updated, the Firewall client directory will not contain the latest files and the clients will not get the proper version.


After it is installed, the Firewall Client Installation Share resides in the default location, \Program Files\Microsoft ISA Server\clients, and will be shared as \\servername\ mspclnt. Clients can connect to this share and install the client, either manually or though automated procedures.

Using DHCP to Configure ISA Server for Auto Detection

Creating the ISA Client Installation Share is only one step in the automation and distribution of the ISA Client. To fully automate deployment, the network must be configured to know which server is the ISA Server. This process is accomplished through the publishing of a record in either the Dynamic Host Configuration Protocol (DHCP) environment or the Domain Name System (DNS) Environment, or both, depending on the needs of the environment.

This information is published in either DHCP or DNS via a Web Proxy Autodiscovery (Wpad) file. With this file published on the server, and with Auto Discovery enabled on the ISA Server (described in the next section of this chapter), the Firewall clients, when installed, automatically detect which IP address is associated with the ISA Server, which can be used to automate the way that the ISA Client configures the proxy server settings for the system.

TIP

If both DHCP and DNS autodiscovery are enabled, the requesting client attempts to use DHCP first, and, that failing, attempts DNS. It may be useful to enable both because some clients may not resolve the DHCP Wpad entry, but instead use the DNS entry.


Assuming that a DHCP server has already been set up in the internal network, use the following steps to set up client autodiscovery through DHCP:

1.

From the internal server that is running DHCP (not the ISA Server), open the DHCP console (Start, All Programs, Administrative Tools, DHCP).

2.

Right-click on the name of the server in the left pane, and select Set Predefined Options.

3.

Click the Add button.

4.

Enter in Wpad for the name of the option, enter a data type of String, a code of 252, and a description.

5.

Click OK.

6.

In the String field, enter in a value of http://10.10.10.1/wpad.dat, as shown in Figure 11.4 (where 10.10.10.1 is the IP address of the ISA server; a DNS host name can be used as well if it is configured).

Figure 11.4. Creating DHCP WPad entries for automatic client configuration.


7.

Click OK.

8.

Close the DHCP Console.

With this setting enabled, every Firewall client that receives a DHCP lease can set its proxy settings to point to ISA Server.

NOTE

The biggest downside to DHCP Autodiscovery is that clients must have local administrator rights on their machines to have the proxy server setting changed via this technique. If local users do not have those rights, then DNS autodiscovery should be used instead of, or in combination with, DHCP autodiscovery.


Configuring Proxy Client Autodiscovery with DNS

The Domain Name Service (DNS) is also a likely candidate for autodiscovery information to be published. Using a Wpad entry in each forward lookup zone where clients need proxy server settings configured is an ideal way to automate the deployment of the settings.

Assuming DNS and a Forward Lookup Zone is set up in an environment, autodiscovery can be enabled through the following technique:

1.

Log in with admin rights to the DNS server.

2.

Open the DNS Console (Start, All Programs, Administrative Tools, DNS).

A host record that corresponds with ISA is required, so it is necessary to set one up in advance if it hasn't already been configured. To create one, right-click on the forward lookup zone and select New Host (A). Enter a name for the host (such as isa.companyabc.com) and the internal IP address of the ISA server and click Add Host. This host name will be used in later steps. After the host record is created, the CNAME record for Wpad needs to be created via the following procedure:

1.

While in the DNS console, right-click the forward lookup zone where the setting will be applied and click New Alias (CNAME), as shown in Figure 11.5.

Figure 11.5. Creating a DNS Wpad entry for ISA Client automatic configuration.


2.

For the alias name, enter Wpad, and enter the Fully Qualified Domain Name that corresponds to the Host record that was just created (for example, isa.companyabc.com).

3.

Click OK to save the CNAME record.

This technique enables all Internet Explorer clients that are configured to use the forward lookup zone in DNS to automatically configure their proxy server information, which can be highly useful in automating the deployment of the proxy configuration for the ISA Firewall clients (and other clients on the network).

Enabling Auto Discovery from ISA Server

After Wpad entries have been created to ease in the proxy server settings, auto-discovery of the ISA Server itself must be enabled on a per-network basis. To enable this functionality, do the following:

1.

On the ISA Server, open the ISA Server Management Console.

2.

From the console, click on Configuration, Networks in the console tree.

3.

In the Details pane, select the Networks tab.

4.

Right-click the network where auto-discovery is to be enabled (for example, the Internal network) and click Properties.

5.

Select the Auto Discovery tab.

6.

Check the box for Publish Automatic Discovery Information, as shown in Figure 11.6, and click OK.

Figure 11.6. Publishing auto-discovery information for ISA Server Firewall clients.


7.

Click Apply in the Details pane and click OK.



    Microsoft Internet Security and Acceleration ISA Server 2004 Unleashed
    Microsoft Internet Security and Acceleration (ISA) Server 2004 Unleashed
    ISBN: 067232718X
    EAN: 2147483647
    Year: 2005
    Pages: 216
    Authors: Michael Noel

    Similar book on Amazon

    flylib.com © 2008-2017.
    If you may any questions please contact us: flylib@qtcs.net