Updating ISA's Operating System
The most commonly updated portion of ISA Server is ISA's operating system, which is Windows Server 2003 in most cases.
Although ISA Server 2004 supports installation on Windows 2000 Server, deploying it on Windows Server 2003 is highly recommended. The 2000 support is primarily intended for short-term migration scenarios, and Windows 2000 itself does not support the same level of robust operating system security as Windows Server 2003. This point cannot be stressed enough.
Any of several methods can be used to patch the Windows operating system:
Manually Patching an ISA Server
Because it is often not viable to automatically update and reboot a critical system such as ISA, the most common approach to ISA Server patch management is to install patches on an ISA server manually, on a controlled basis. Given the large number of server updates that Microsoft releases, this may seem like a rather onerous task. In reality, however, only a small number of these patches and updates apply to the ISA server itself, so one of the administrator's tasks is to validate whether an ISA server requires a specific patch or not.
For example, a patch that addresses a WINS server vulnerability would not apply to an ISA server that is not running that particular service. In reality, because ISA is locked down to respond only to traffic that is specifically defined, only a small number of the patches that are produced need to be installed on an ISA server.
In general, a patch may need to be applied on the ISA server if it addresses a vulnerability in the following Windows components:
If in doubt, it is best to install the patch after testing it in a lab environment. If it is not a critical patch, it may be wise to wait until a designated maintenance interval and then install the cumulative patches that have come out so far.
Verifying Windows Update Access in the ISA System Policy
ISA Server System Policies control whether or not the Local Host network (effectively the ISA server itself) is allowed access to certain websites. The System Policy controls whether or not ISA can ping servers on the internal network, whether it can contact NTP servers to update its internal clock, and any other type of network access, including whether the server can access external websites such as Windows Update.
The default System Policy blocks the ISA server from directly accessing most websites; access to specific sites must be explicitly defined in the System Policy. To allow for automatic updates via the Windows Update website, ISA grants the Local Host network access to the windowsupdate.com website. If this setting has been changed, or if access to additional websites is required, the System Policy must be updated. It is therefore important to know the location of this policy and how to modify it. To view this setting, perform the following steps:
Working with Windows Update to Patch the Operating System
Utilizing the Windows Update websites gives a greater degree of control over updating an ISA server, while at the same time making it easier for an administrator to determine which patches are needed. Assuming the Windows Update site has been added to the System Policy Allowed Sites group, as described in the previous section, using this technique to patch an ISA server is straightforward. Windows Update can be invoked easily by clicking the built-in link at Start, All Programs, Windows Update.
For step-by-step instructions on using Windows Update to patch an ISA server, see Chapter 2.
Managing ISA Server Updates and Critical Patches
In addition to operating system updates, the ISA application itself may require patching. This involves installing and configuring an ISA Standard Edition server with the latest service pack for ISA, in addition to checking the ISA website at Microsoft for updates to ISA. Up-to-date information on patch availability for ISA Server 2004 can be found at the following URL:
In addition, it may be helpful to review the ISA Server community boards on websites such as http://www.isaserver.org, http://www.isatools.org, and http://www.msisafaq.de for updates and issue troubleshooting on a regular basis. Reviewing the real-world deployment issues and questions on these sites can be an important part of maintaining an ISA server.
Prototyping ISA Server Patches Before Updating Production Equipment
It is always good practice to prototype the deployment of patches for an ISA system before they are installed on a production system. A spare ISA server in a lab environment is an ideal candidate for this type of deployment. In addition, a robust backup and restore plan for ISA should be developed in case an installed patch takes a server down. For more information on backing up and restoring ISA, see Chapter 18, "Backing up, Restoring, and Recovering an ISA Server 2004 Environment."