Building Windows Server 2003 as ISA's Operating System
ISA Server's functionality rests on the operating system beneath it: ISA draws its networking and kernel services from Windows and cannot be installed without it. Consequently, installing the operating system is the first step in building a new ISA Server.
Installing Windows Server 2003 Standard Edition
As previously mentioned, ISA Server 2004 software requires an operating system to supply needed core functionality. Although Windows 2000 Server is supported, the operating system of choice for ISA Server 2004 is Windows Server 2003 Standard edition. The Windows Server 2003 operating system encompasses a myriad of new technologies and functionality, more than can be covered in this book. If additional reading on the capabilities of the operating system is desired, the recommended reference is Windows Server 2003 Unleashed, from SAMS Publishing (ISBN: 0672326167).
It is highly recommended to install ISA Server 2004 on a clean, freshly-built operating system on a reformatted hard drive. If the server that will be used for ISA Server was previously running in a different capacity, the most secure and robust solution would be to completely reinstall the operating system using the procedure outlined in this section.
Installation of Windows Server 2003 is straightforward and takes approximately 30 minutes to an hour to complete. The following step-by-step procedure illustrates an installation from standard Windows Server 2003 media. Many hardware manufacturers supply their own installation instructions and procedures that may vary from the procedure outlined here, but the concepts are roughly the same. To install Windows Server 2003 Standard edition, perform the following steps:
Following this step, Windows Server 2003 Setup begins formatting the hard drive and copying files to it. After a reboot and more automatic installation routines, the setup process continues with the Regional and Language Options screen as follows:
The next screen to be displayed is where networking settings can be configured. Setup allows for automatic configuration (Typical Settings) or manual configuration (Custom Settings) options. Selecting Custom Settings allows for each installed Network Interface Card (NIC) to be configured with various options, such as Static IP addresses and custom protocols. Selecting Typical Settings bypasses these steps, although they can easily be set later.
The question of domain membership versus workgroup membership is a complex one. To ease installation, the server can simply be made a workgroup member, and domain membership can be added at a later time as necessary. For more information on whether or not to make an ISA server a domain member, see the section, titled "Determining Domain Membership Versus Workgroup Isolation."
After more installation routines and reboots, setup is complete, and the operating system can be logged into as the local Administrator to configure it for ISA Server 2004.
Configuring Network Properties
Each deployed ISA Server 2004 server has its network settings configured uniquely, to match the network or networks to which the server is connected. It is important to understand the implications of how the network configuration affects ISA Setup. For example, the sample ISA Server in Figure 2.4 illustrates how one ISA server that is connected to the Internet, an Internal network, and a Perimeter (DMZ) network is configured.
Figure 2.4. Looking at a Sample ISA network layout.
It is often highly useful to rename the network cards' display names on a server to help identify them during troubleshooting. For example, naming a NIC Internal, External, or DMZ helps to identify to which network it is attached. In addition, it may also be useful to identify to which physical port on the server the NIC corresponds, with names such as External (top), Internal (bottom), DMZ (PCI).
ISA Firewall rules rely heavily on the unique network settings of the server itself, and the assumption is made throughout this book that these settings are properly configured. It is therefore extremely important to have each of the Network Interface Cards (NICs) set up with the proper IP addresses, gateways, and other settings in advance of installing ISA Server.
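The following script is an added example, not the book's own procedure, showing how the NIC naming and addressing described above can be done from cmd.exe on Windows Server 2003 with the built-in netsh and route tools for a three-network layout like the one in Figure 2.4. The adapter names Setup assigned ("Local Area Connection", "Local Area Connection 2", "Local Area Connection 3") and every address in it are assumptions for illustration; substitute the values for your own networks. It also applies the check a practitioner wants before ISA Setup runs: only the External adapter carries a default gateway, and internal subnets behind the internal router are reached by persistent static routes.

```batch
@echo off
rem Added example (not from the book): rename the three NICs of a
rem Figure 2.4-style layout and assign static addressing from cmd.exe on
rem Windows Server 2003 with netsh and route. All adapter names and
rem addresses below are assumptions for illustration; substitute your own.
setlocal

rem Names Setup assigned; confirm with "netsh interface show interface".
set EXT_OLD=Local Area Connection
set INT_OLD=Local Area Connection 2
set DMZ_OLD=Local Area Connection 3

rem Give each adapter a name that says which network it faces.
netsh interface set interface name="%EXT_OLD%" newname="External"
netsh interface set interface name="%INT_OLD%" newname="Internal"
netsh interface set interface name="%DMZ_OLD%" newname="DMZ"

rem External: the ONLY adapter that carries a default gateway. A second
rem default gateway on Internal or DMZ makes the server's routing (and so
rem which ISA network a packet is attributed to) ambiguous.
netsh interface ip set address name="External" source=static addr=203.0.113.10 mask=255.255.255.0 gateway=203.0.113.1 gwmetric=1

rem Internal and DMZ: static address, no gateway.
netsh interface ip set address name="Internal" source=static addr=192.168.10.1 mask=255.255.255.0
netsh interface ip set address name="DMZ" source=static addr=172.16.1.1 mask=255.255.255.0

rem DNS only on the Internal adapter, pointing at the internal DNS server,
rem so the firewall's own name resolution never leaves via the External side.
netsh interface ip set dns name="Internal" source=static addr=192.168.10.10
netsh interface ip set dns name="External" source=static addr=none
netsh interface ip set dns name="DMZ" source=static addr=none

rem Internal subnets behind the internal router (assumed 192.168.10.254)
rem are reached by persistent static routes, not by a gateway on Internal.
route -p add 10.0.0.0 mask 255.0.0.0 192.168.10.254

rem Verify before installing ISA: exactly one 0.0.0.0 route, via External.
ipconfig /all
route print
endlocal
```

Run it once from an elevated (local Administrator) command prompt before ISA Server Setup, then read the `route print` output: if more than one `0.0.0.0` entry appears, an adapter other than External still has a gateway and must be corrected first. Unbinding File and Printer Sharing and Client for Microsoft Networks from the External adapter is done in the Network Connections properties rather than from netsh on this platform.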
Installing the Optional Message Screener Components
If the deployment of ISA Server will take advantage of the Message Screener component of ISA Server 2004, the SMTP Service must first be installed and configured on the server. With the SMTP Service relaying the mail and the Message Screener inspecting it, the ISA Server can act as an SMTP relay for inbound or outbound mail flow in an organization: ISA Server inspects the SMTP traffic and filters messages based on preset criteria. This functionality allows for a base level of anti-spam and content filtering for mail messages.
The Message Screener service can be useful for organizations that currently have their email server directly connected to the Internet and want to move away from this insecure configuration. The ISA Server acts as a bastion host, sitting between the email server and the Internet clients, taking the brunt of the attacks and spam attempts.
The SMTP Service should be installed only if the Message Screener service will be utilized on the ISA Server itself. If it will not be used, it should not be enabled so as to reduce the attack surface of the ISA Server.
To install the SMTP Service on an ISA Server that will run the Message Screener service, perform the following procedure:
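As an added example that is not the book's procedure, the script below drives the same decision from cmd.exe using Windows Server 2003's unattended component installer: the SMTP Service is installed only when the Message Screener will run on this server, and is removed when it will not, so that the service is not left around enlarging the attack surface. It relies on the `iis_smtp` component name in `%windir%\inf\sysoc.inf` and the `sysocmgr /i: /u: /q` switches of Windows Server 2003; confirm both against your own system before relying on it. The variable `USE_MESSAGE_SCREENER` and the answer file path are assumptions for illustration.

```batch
@echo off
rem Added example (not the book's procedure): install the Windows SMTP
rem Service only when Message Screener will run on this ISA Server, and
rem make sure it is absent otherwise. Uses Windows Server 2003's unattended
rem component installer (sysocmgr) with the iis_smtp component listed in
rem %windir%\inf\sysoc.inf; check that file if the component name differs.
rem Set USE_MESSAGE_SCREENER=1 to install, anything else to remove.
setlocal
set USE_MESSAGE_SCREENER=0
set ANSWER=%TEMP%\smtp-component.txt

if "%USE_MESSAGE_SCREENER%"=="1" (
    set STATE=ON
) else (
    set STATE=OFF
)

rem Answer file: the SMTP service depends on the IIS common files, which
rem sysocmgr pulls in automatically; nothing else from IIS is selected.
> "%ANSWER%" echo [Components]
>> "%ANSWER%" echo iis_smtp = %STATE%

rem /i: component INF, /u: answer file, /q: no UI.
sysocmgr /i:%windir%\inf\sysoc.inf /u:"%ANSWER%" /q
del "%ANSWER%"

rem Check the outcome. The service name of the SMTP Service is smtpsvc;
rem sc returns error 1060 when the service does not exist.
sc query smtpsvc
if "%STATE%"=="ON" (
    if errorlevel 1 echo ERROR: SMTP service was not installed.
) else (
    if not errorlevel 1 echo ERROR: SMTP service is still present; remove it to reduce attack surface.
)
endlocal
```

When the install branch is used, the SMTP virtual server still has to be configured (relay restrictions in particular) before the Message Screener is enabled during ISA Server setup; the script only makes the service present or absent.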
Applying Windows Server 2003 Service Pack 1
The release of the long-delayed Service Pack 1 for Windows Server 2003 introduced a myriad of design and security improvements to the underlying architecture of Windows Server 2003. Because many of these improvements directly improve ISA Server 2004 security, it is highly recommended to take advantage of these improvements by installing the Service Pack and running the Security Configuration Wizard, which is made available through its installation.
It is important to note that for ISA Server 2004 to run properly on Windows Server 2003 with SP1, it must be updated with ISA Server 2004 Standard edition Service Pack 1. The Enterprise edition does not have this limitation.
To update Windows Server 2003 with the service pack, obtain the SP1 media or download the Service Pack binaries from the following URL:
After it is obtained, install the Service Pack by performing the following steps:
Updating and Patching the Operating System
In addition to the patches that were installed as part of the Service Pack, security updates and patches are constantly being released by Microsoft. It is highly advantageous to install the critical updates made available by Microsoft to the ISA Server, particularly when it is first being built. These patches can be manually downloaded and installed, or they can be automatically applied by using Windows Update, as detailed in the following procedure:
The subsequent screen, shown in Figure 2.8, offers the option of performing an Express Install, which automatically chooses the critical security patches necessary and installs them, or a Custom Install, where the option to choose which particular patches (critical and non-critical) to install is offered. If more control over the patching process is required, then the Custom Install option is preferred. For a quick and easy update process, Express Install is the way to go. To continue with the installation, perform the following steps:
Figure 2.8. Running Windows Update.
Running Windows Update on an ongoing basis as part of a maintenance plan is a wise idea for keeping the server up to date with the most recent patches and fixes. For production servers, however, it is advisable to test those patches in a lab environment first when possible. In addition, although enabling Automatic Updates to perform this function may seem ideal, it is not recommended to let any updates install without prior review on a running production server, particularly one that is itself a security device such as an ISA Server.
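The script below is an added example, not from the book, of putting the last paragraph's advice into the Automatic Updates policy on Windows Server 2003: updates are downloaded and the administrator is notified, but nothing installs unattended. The registry path and the `AUOptions` values (3 = download and notify, 4 = download and install on a schedule) are the documented Automatic Updates policy settings; the choice of value 3 and the hotfix listing at the end are this example's suggestions for building a change record before each patch is approved.

```batch
@echo off
rem Added example (not from the book): make Automatic Updates download
rem critical updates and notify, never install unattended, then list what
rem is already installed. The policy path and AUOptions values are the
rem documented Automatic Updates settings for Windows Server 2003.
setlocal
set AU=HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU

rem The setting the text warns against: AUOptions 4 = download and install
rem on a schedule, with no chance to test first. Shown for contrast only,
rem so it is left commented out.
rem reg add "%AU%" /v AUOptions /t REG_DWORD /d 4 /f

rem Preferred for a firewall: 3 = download automatically, notify for install.
reg add "%AU%" /v NoAutoUpdate /t REG_DWORD /d 0 /f
reg add "%AU%" /v AUOptions   /t REG_DWORD /d 3 /f

rem The Automatic Updates service re-reads the policy on restart.
net stop wuauserv
net start wuauserv

rem Confirm the value and record the installed hotfixes for the build log.
reg query "%AU%" /v AUOptions
wmic qfe get HotFixID,InstalledOn,Description
endlocal
```

If the server is later joined to a domain (see "Determining Domain Membership Versus Workgroup Isolation"), a domain Group Policy that sets the same `AU` key overrides these local values, so check the effective `AUOptions` again after the join.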