Installing ISA Server 2004 Enterprise Edition into a Workgroup


To provide an environment in which your ISA servers are not part of your domain, you can choose to install ISA Server into a workgroup. Because ISA Server requires secure communication between machines, you need to take certain steps to ensure that the traffic and the authentication between the machines are protected.

Because there are no shared domain accounts in a workgroup, there are some caveats of which you should be aware:

  • You need to create a server certificate, which provides the ability for each server to authenticate to others. Procedures available later in this chapter in the section entitled "Installing a Certificate for Workgroup Authentication" explain this process.

  • The Firewall Client depends on domain user rights to provide access; if there aren't any domain user accounts, the Firewall Client won't work.

  • If you're using an array (in which several ISA computers share information), you have to create accounts with exactly the same user names and passwords on each machine. These are known as mirrored (or shadow) accounts, and they are necessary to allow for array management.

  • You can't use Windows Authentication for centralized user authentication, but must rely on another method, such as RADIUS.

  • If you're installing a CSS in a workgroup, you won't be able to create another CSS as a replica.

When you do install ISA Server into a workgroup, you can do so in three different supported scenarios:

  1. Workgroup scenario, in which you're installing an array that is protecting a single group of computers, such as a Web farm, and in which the CSS is installed in a domain.

  2. Workgroup enterprise scenario, in which both the ISA servers and the CSS are in a workgroup environment.

  3. Back-to-back scenario, in which the back-end ISA server is part of a domain, and the front-end server is part of a workgroup.

In the following sections, follow the checklists for installing ISA Server in each scenario. Because many of the procedures are repeated, they are all documented after the checklists. Refer to the appropriate procedures as needed.

Workgroup Scenario

To install ISA Server into a workgroup, you should follow these steps:

  1. Install a certificate on the CSS—for instructions on doing this, refer to the section entitled "Installing a Certificate for Workgroup Authentication," later in this chapter.

    Note 

    Step 1 can also be completed during the installation of your CSS server.

  2. Install the CSS into the domain using certificate authentication with the certificate created in step 1—see the section entitled "Installing Configuration Storage Server," earlier in this chapter.

  3. Install the first array at your primary site—for instructions on doing this, see the section entitled "Creating an ISA Server Array," earlier in this chapter.

  4. Install ISA Server on the first workgroup computer, using a local user name and password, which will function as a mirrored account on your other ISA servers (and which requires you to create the same user name and password on all ISA servers).

  5. On the Install Server Certificate page, follow the steps provided in the section entitled "Installing a Root Certificate from a Local Certificate Authority," later in this chapter.

Workgroup Enterprise Scenario

In this configuration, both the ISA Server array and the CSS are installed into the workgroup, which creates an isolated enterprise. The difference between this configuration and the workgroup scenario is that the CSS server is not part of the domain, but of the same workgroup as the ISA Server array. To install this configuration, follow these steps:

  1. Install a certificate on the CSS—for instructions on doing this, refer to the section entitled "Installing a Certificate for Workgroup Authentication," later in this chapter.

    Note 

    Step 1 can also be completed during the installation of your CSS server.

  2. Install the CSS into the workgroup using certificate authentication (for instructions on this, see the section entitled "Installing Configuration Storage Server," earlier in this chapter). When prompted on the Install Server Certificate page, select Certificate Authentication and locate the Server Certificate created for this purpose.

  3. Install ISA Server on the first workgroup computer using a local user name and password, which will function as a mirrored account on your other ISA servers (and which requires you to create the same user name and password on all ISA servers).

  4. On the Install Server Certificate page, follow the steps provided in the section entitled "Installing a Root Certificate from a Local Certificate Authority," later in this chapter.

Back-to-Back Scenario

This configuration has two (or more) ISA Server arrays: one belongs to a corporate domain (we call this the back array), and the other (called the front or edge) array is in a workgroup as shown in Figure 3-5.

Figure 3-5: A back-to-back scenario.

Install this configuration following these steps:

  1. Install a certificate on the CSS—for instructions on this, refer to the section entitled "Installing a Certificate for Workgroup Authentication," later in this chapter.

    Note

    Step 1 can also be completed during the installation of your CSS server.

  2. Install the CSS in the primary site—see the section entitled "Installing Configuration Storage Server," earlier in this chapter.

  3. Install the first array in the primary site—see the section entitled "Creating an ISA Server Array," earlier in this chapter.

  4. Create a network in the primary site that contains the IP address scheme of the front array, and then create another network containing the IP address scheme of the perimeter network.

    Note 

    For procedures on creating a network, see Chapter 7, "Configuring Access Rule Elements."

  5. Create a network rule to establish a relationship between the internal network at the primary site and perimeter network. Use a NAT relationship if you are using server publishing to accept connections to the CSS, or use a route relationship if creating an access rule for connecting to the CSS.

  6. Configure the default gateway address on the internal adapter of the front array to the IP address assigned to the external network adapter of the back array as shown in Figure 3-6.

  7. Allow access to the CSS.

  8. Install the root certificate using the procedure given in the section entitled "Installing a Root Certificate from a Local Certificate Authority," later in this chapter.

    Note 

    Step 8 can also be completed during the installation of your array member.

  9. Install ISA Server on the first workgroup computer, using the mirrored account (the same local user name and password) as on your other ISA servers.

Figure 3-6: In a back-to-back configuration, configure the gateway address of the internal network adapter of the Front array to that of the External network adapter of the Back array server.

Installing a Certificate for Workgroup Authentication

Installing a certificate for workgroup authentication is a multistep process. The following steps must be completed to provide workgroup authentication with your ISA servers and CSS:

  1. Establish a Public Key Infrastructure (PKI).

    Note 

    If you're not familiar with this process, see the guidance available at http://www.microsoft.com/windowsserver2003/technologies/pki. The remaining steps are described in more detail later in this chapter.

  2. Obtain a server certificate.

  3. Export the server certificate and install it using the CSS setup or using ISACertTools.exe from your ISA Server Enterprise Edition CD.

  4. Install a root certificate.

Note 

For detailed procedures on each of these steps focused on certificate administration, see the Microsoft IIS 5.0 Administrator's Pocket Consultant or IIS 6.0 Administrator's Pocket Consultant, both authored by William R. Stanek and published by Microsoft Press.

Obtaining a Server Certificate

To obtain a server certificate, complete the following steps:

  1. Open Microsoft Internet Explorer.

  2. On the menu bar, select Tools, and then select Internet Options.

  3. Click the Security tab, click Trusted Sites, and then click Sites.

  4. In the Trusted Sites dialog box, in the Add This Web Site To The Zone field, type the URL of the certificate server Web site, and click Add. Click OK twice to close all dialog boxes.

  5. Type the following URL in the browser: http://IP_address_of_certificate_authority_server/certsrv.

  6. Click Request A Certificate.

  7. Click Advanced Certificate Request.

  8. Click Create And Submit A Request To This CA.

  9. Type the name for the certificate.

  10. Complete the form and from the drop-down list, select Server Authentication Certificate.

  11. Click Mark Keys As Exportable.

  12. Click Store Certificate In The Local Computer Certificate Store, click Submit, and then click Yes after reviewing the warning dialog box.

  13. From the server where the certificate was requested, type the following URL in the browser: http://IP_address_of_certificate_authority_server/certsrv. Click View Status Of A Pending Request.

  14. Click Install This Certificate.

Exporting a Server Certificate

To export a server certificate, follow these steps:

  1. Open the Internet Services Manager console, right-click the applicable Web site, and select Properties.

  2. Click the Directory Security tab, and click View Certificate.

  3. Click the Details tab, click Copy To File to start the Certificate Export Wizard, and click Next.

  4. Click Yes if you want to export the certificate with the private key; otherwise click No and then click Next to continue.

  5. Click Next to accept the default file format.

  6. If you selected Yes in Step 4, type and confirm the password, and then click Next.

  7. Type the name of the file to be exported. Click Next to continue.

  8. Click Finish to complete the wizard, and then click OK to confirm the successful export of the certificate.

Installing a Root Certificate from a Local Certificate Authority

After obtaining a server certificate from a local certificate authority and exporting it, the next step is to install the authority's root certificate on the ISA server.

To install a root certificate from a local certificate authority, follow these steps:

  1. Open Internet Explorer.

  2. On the menu bar, select Tools, and then select Internet Options.

  3. Click the Security tab, and then click Custom Level.

  4. In the Security Settings dialog box, in the Reset Custom Settings area, on the Reset To drop-down list, select Medium. Click OK.

    Note 

    To install a certificate, you must set the security settings to Medium or lower temporarily, or else you need to add the server to the Trusted Sites zone temporarily. Be certain to return your Internet security settings to the most secure configuration after you are finished.

  5. Click OK to close the Internet Options dialog box.

  6. Type the following URL in the browser: http://IP_address_of_certificate_authority_server/certsrv.

  7. Click Download A CA Certificate, Certificate Chain, Or CRL.

  8. Click Install This CA Certificate Chain, and click Yes to proceed.

After installing the root certificate, you should verify that the installation was completed properly. To do so, use the Certificates MMC to check that the root certificate is listed.
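As an added example (not part of the book's procedure), the following PowerShell script performs the verification described above and also checks the server certificate the CSS and array members will present: it confirms the CA root is in the machine's Trusted Root store, that the server certificate is in the Local Computer store with its private key, that it carries the Server Authentication EKU, and that a chain can be built to the installed root. $CaName and $ServerFqdn are placeholders; it assumes an elevated PowerShell session with the Cert: drive.

```powershell
# Added example (not from the book): verify the certificates installed for
# workgroup authentication on an ISA server or CSS. Run in an elevated
# PowerShell session. $CaName and $ServerFqdn are placeholders.
$CaName     = "YOUR-ISSUING-CA"          # placeholder: CN of the local CA
$ServerFqdn = "isa01.example.internal"   # placeholder: CN of the server certificate
$ServerAuth = "1.3.6.1.5.5.7.3.1"        # Server Authentication EKU OID

# "Install This CA Certificate Chain" should have placed the CA's root
# certificate in the machine's Trusted Root store.
$root = Get-ChildItem Cert:\LocalMachine\Root |
        Where-Object { $_.Subject -like "CN=$CaName*" }
if (-not $root) { Write-Warning "Root certificate for '$CaName' is not in LocalMachine\Root" }

# The server certificate was stored in the Local Computer store, so it must
# be in LocalMachine\My; a certificate in the user store is not usable here.
$server = Get-ChildItem Cert:\LocalMachine\My |
          Where-Object { $_.Subject -like "CN=$ServerFqdn*" } |
          Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $server) { throw "No certificate for '$ServerFqdn' in LocalMachine\My" }

# Private key: required for this server to authenticate to the other machines.
if (-not $server.HasPrivateKey) { Write-Warning "Server certificate has no private key" }

# Validity window.
$now = Get-Date
if ($server.NotBefore -gt $now -or $server.NotAfter -lt $now) {
    Write-Warning "Server certificate is outside its validity period ($($server.NotBefore) to $($server.NotAfter))"
}

# Enhanced Key Usage: the request used the Server Authentication Certificate type.
$eku = $server.Extensions |
       Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasServerAuth = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $ServerAuth })
if (-not $hasServerAuth) { Write-Warning "Server certificate lacks the Server Authentication EKU" }

# Build the chain against the local machine's trust stores. Revocation checking
# is skipped because a workgroup host may have no path to the CA's CRL yet;
# switch RevocationMode to Online once CRL access is confirmed.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$chain.ChainPolicy.ApplicationPolicy.Add((New-Object System.Security.Cryptography.Oid $ServerAuth)) | Out-Null
if ($chain.Build($server)) {
    $top = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain OK: {0} -> {1}" -f $server.Subject, $top.Subject
} else {
    $chain.ChainStatus | ForEach-Object { Write-Warning ("Chain error: {0} - {1}" -f $_.Status, $_.StatusInformation.Trim()) }
}
```

A chain error of UntrustedRoot means the CA chain download in step 8 did not reach the Local Computer store; an empty result for the server certificate usually means it was requested into the user store instead of the local computer store in step 12 of "Obtaining a Server Certificate".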

Renaming the CSS

Renaming the CSS is a supported process in ISA Server Enterprise Edition, but one in which you should be careful to follow the steps presented here to prevent problems. If you encounter an issue, use a script in the installation folder of the ISA Enterprise Edition CD called ChangeStorageServer.vbs, which restores connectivity to your CSS.

To rename a CSS, follow these steps:

  1. On the computer running the ISA Server Management console, open the HOSTS file in the %Windir%\System32\Drivers\Etc folder.

  2. On a new line within the HOSTS file, type the current IP address of the CSS, followed by at least one space, and then the new name to be given to the CSS. Save the HOSTS file.

  3. Open the ISA Server Management console, click the Monitoring node in the scope pane, and then click the Configuration tab in the details pane to confirm that all array members are currently using their primary CSS.

  4. In the scope pane, select the Arrays node. For each array, in the details pane, right-click the array name, and then select Properties.

  5. In the details pane, click Apply to apply the changes, and then click OK.

  6. In the scope pane, click the Monitoring node, then in the details pane, click the Configuration tab to verify all array members are updated with the change.

  7. Rename the CSS and restart your server.

  8. On the computer running the ISA Server Management console, remove the entry you added to the HOSTS file.

  9. Open the ISA Server Management console, click the Arrays node in the scope pane, right-click the array name in the details pane, and select Properties.

  10. On the Configuration Storage tab, type the new name in the Configuration Storage Server (Enter the FQDN) text box, and then click OK.

    Note 

    The new setting can take up to 30 minutes to be recognized by all array members. To shorten this time, a script called SetCSSDelayTimes.vbs can be used. This script is found at the ISA Server Coding Corner on the Web.

  11. In the scope pane, select the Monitoring node, and in the details pane, click the Configuration tab to confirm the new name has been applied.

Figure 3-7: Specifying an alternate CSS server

Specifying an Alternative CSS Server

You can optionally configure an alternative CSS server in your environment by following these steps:

  1. Open the ISA Server Management console, and click the Arrays node in the scope pane.

  2. In the details pane, right-click the applicable array and select Properties.

  3. Click the Configuration Storage tab.

  4. In the Alternate Configuration Storage Server (Optional) text box, type the FQDN of an alternate CSS server, and click OK.

    Note 

    If the server is unable to resolve the FQDN of the alternate CSS, an error appears.

  5. Click Apply to commit your changes, and then click OK.




Microsoft Internet Security and Acceleration ISA Server 2004 Administrator's Pocket Consultant
ISBN: 0735621888
Year: 2006
Pages: 173