Before you can complete an installation of ISA Server 2004 Enterprise Edition, you must install the CSS. The CSS is a database that contains the configuration information for your ISA Server Enterprise environment, and is designed to improve performance and enhance the resiliency of your network by functioning in multimaster mode and allowing the replication of configuration data across the environment.
Because ISA Server is a firewall, and for enhanced security can be installed in its own workgroup or forest, Enterprise Edition no longer requires Active Directory to maintain configuration storage information.
To install your CSS, follow these instructions.
The user account used to install the CSS automatically becomes an ISA Server Enterprise Administrator (not a domain Enterprise Administrator).
Insert the ISA Server 2004 CD and click the Install ISA Server 2004 icon on the Microsoft Internet Security And Acceleration Server 2004 page.
If Autorun is disabled, double-click ISAautorun.exe to launch the ISA Server 2004 Setup program.
On the Welcome To The Installation Wizard For Microsoft ISA Server 2004 page, click Next.
On the License Agreement page, click I Accept The Terms In The License Agreement, and click Next.
On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter your serial number in the Product Serial Number text boxes, and click Next.
On the Setup Scenarios page, click Install Configuration Storage Server, and click Next.
On the Component Selection page, click Next.
The ISA Server Management console and CSS components are installed by default.
On the Enterprise Installation Options page, click either Create A New ISA Server Enterprise or Create A Replica Of The Enterprise Configuration, and click Next.
If you already have a CSS installed, choose Create A Replica Of The Enterprise Configuration and enter the fully qualified domain name (FQDN) of the existing CSS. Before you create a replica, the CSS you are defining must belong to the Replicate Configuration Storage Servers computer set. Array or Enterprise Administrator privileges are required.
On the New Enterprise Warning page, read the warning, then click Next.
On the Create New Enterprise page, type the name of your enterprise in the Enterprise Name box, type an optional description in the Description box, and click Next.
The default name of your enterprise is Enterprise. You can change this name if you desire.
On the Enterprise Deployment Environment page, specify whether you are installing ISA Server in a domain or in a domain with trusts, or in a workgroup or in domains without trusts, as shown in Figure 3-1, and click Next.
A server certificate is required when installing in a workgroup or domains without trusts. Refer to the section entitled "Installing a Certificate for Workgroup Authentication," later in this chapter.
On the Services Account page, select the account under which the CSS service will run, and click Next. This step may not appear, depending on the option you select.
If you are installing the CSS on a domain controller, read the section entitled "Installing CSS on a Domain Controller," later in this chapter, to understand the specific requirements for doing so.
On the Ready To Install The Program page, click Install.
On the Installation Wizard Completed page, click Finish.
Figure 3-1: Select the environment into which you will install the CSS.
Maintaining connectivity between the ISA server and the CSS is very important. Microsoft provides two tools for verifying connectivity to your CSS:
Adamsetup.exe, the ADAM installation executable found on the ISA Server 2004 Enterprise Edition CD.
Ldp.exe, a resource kit utility used for connecting to a Lightweight Directory Access Protocol (LDAP) directory service.
The procedure is as follows:
Locate the ISA 2004 Enterprise Edition CD, browse to the \Fpc\Program Files\Microsoft ISA Server\Adam folder, and double-click Adamsetup.exe. Follow the prompts that appear to install ADAM.
To learn more about ADAM, see http://www.microsoft.com/windowsserver2003/adam. For procedures on how to install ADAM, refer to the "Additional Resources" appendix of this book.
After installing ADAM, browse to the %Windir%\Adam folder, and double-click Ldp.exe.
On the Connection menu, click Connect.
In the Connect dialog box, in the Server field, type the FQDN of your CSS server. Change the port value from 389 to 2171 when using Windows authentication, or to 2172 when using authentication with Secure Sockets Layer (SSL), and then click OK.
On the Connection menu, select Bind. Type the domain name, user, and password in the appropriate fields and click OK.
Select the Domain check box if you want to use Windows authentication, and clear the Domain check box if you want to use authentication with SSL.
If you do not receive an error message, the connection to either port 2171 or 2172 on the CSS was successful.
Port 2172 is the port used by the MS Firewall Storage protocol, an inbound LDAP-based protocol used by array members to communicate with the CSS. You can also use the command telnet hostname 2172 to check that name resolution, basic network connectivity, and availability of the ADAM service are working on the CSS server.
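The Ldp.exe and telnet checks above can be scripted so that the failure stage is visible (name resolution, TCP connectivity, or the directory service itself). The following is an added example, not part of the original text or of ISA Server; the function names are hypothetical, and it assumes the listener on port 2171 answers an unencrypted LDAP bind request, while port 2172 is tested at the TCP level only, as telnet would.

```python
import socket

# BER-encoded LDAPv3 anonymous simple BindRequest, messageID 1 (constructed).
ANON_BIND = bytes.fromhex("300c020101600702010304008000")

def ber_header(buf, i):
    """Return (content_start, content_length) of the BER element at index i."""
    n = buf[i + 1]
    if n < 0x80:                      # short-form length
        return i + 2, n
    k = n & 0x7F                      # long-form: next k bytes hold the length
    return i + 2 + k, int.from_bytes(buf[i + 2:i + 2 + k], "big")

def is_bind_response(reply):
    """True if reply is an LDAPMessage whose operation is a BindResponse."""
    try:
        if reply[0] != 0x30:          # LDAPMessage is a SEQUENCE
            return False
        start, _ = ber_header(reply, 0)
        if reply[start] != 0x02:      # messageID is an INTEGER
            return False
        id_start, id_len = ber_header(reply, start)
        return reply[id_start + id_len] == 0x61   # [APPLICATION 1] BindResponse
    except IndexError:
        return False

def probe_port(host, port, ldap_probe=False, timeout=3.0):
    """Return dns_failure, refused, no_response, open, or ldap_ok."""
    try:
        infos = socket.getaddrinfo(host, port, type=socket.SOCK_STREAM)
    except socket.gaierror:
        return "dns_failure"          # name resolution failed
    family, socktype, proto, _, addr = infos[0]
    with socket.socket(family, socktype, proto) as sock:
        sock.settimeout(timeout)
        try:
            sock.connect(addr)
            if not ldap_probe:
                return "open"         # same evidence as a telnet connect
            sock.sendall(ANON_BIND)   # any BindResponse proves LDAP is answering
            return "ldap_ok" if is_bind_response(sock.recv(64)) else "open"
        except ConnectionRefusedError:
            return "refused"          # host reachable, nothing listening
        except OSError:
            return "no_response"      # connect or reply timed out, or unreachable

def check_css(host):
    """Probe both CSS ports named in the text for the given CSS host name."""
    return {2171: probe_port(host, 2171, ldap_probe=True), 2172: probe_port(host, 2172)}
```

A result of "refused" or "no_response" on a name that resolves points at the ADAM service or an intervening filter rather than at DNS.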
Prior to installing ISA Server 2004 Enterprise Edition, you can choose to create an ISA Server array. The array will be empty, but as you install ISA services on new servers, you can add them to the array.
To create an ISA Server array, follow these steps:
Open the ISA Server Management console. In the scope pane, click Arrays.
In the task pane, on the Tasks tab, click Create New Array.
On the Welcome To The New Array Wizard page, type the name for the new array, and then click Next.
On the Array DNS Name page, type the array's DNS name to be used by firewall clients and Web clients when connecting to the array. Click Next to continue.
On the Assign Enterprise Policy page, select an enterprise policy to assign to the array from the drop-down list, and click Next.
On the Array Policy Rule Types page, select the Deny Access Rules check box, the Allow Access Rules check box, or the Publishing Rules (Deny Or Allow) check box to specify what types of rules can be created in the array. Click Next.
On the Completing The New Array Wizard page, review the configuration information, and then click Finish.
After the array is created, click OK. In the details pane, click Apply to complete the change, and then click OK again.