Data Centers

Build Your Skills: Here's how to make ISA Server work properly with Windows Server 2003

With a little work, you can make ISA Server run properly on Windows Server 2003.

Because Windows Server 2003 doesn't represent as much of a change in the industry as Windows 2000, upgrading to Windows Server 2003 from Windows 2000 is not as dramatic as the migration from NT to 2000 was. However, because of Microsoft's current focus on security, some products that work with Windows 2000, such as Exchange 2000, don't run at all on Windows Server 2003. Other products, such as Internet Security and Acceleration (ISA) Server 2000, can be made to run properly on Windows Server 2003 with a little work. The process for installing ISA Server 2000 on Windows Server 2003 isn't exactly clean, but, at the end, you will have a system working as expected, although you will encounter error messages on the path to get there.

Author's Note
For the purposes of this article, I will demonstrate freshly installing ISA on a new Windows Server 2003 system. Additionally, I will provide instructions on how to upgrade from Windows 2000 Server to Windows Server 2003 while maintaining ISA services.
If you are running the 120-day evaluation version of ISA Server 2000, you should note that you can't run the evaluation version on Windows Server 2003. It will run only on Windows 2000. You can run the commercial version of ISA Server only on Windows Server 2003.

Common requirements
Whether you're upgrading to Windows Server 2003 or upgrading your Windows 2000 Server, if you plan to run ISA, there are some things that you'll need handy.

Naturally, before you can install ISA Server on Windows Server 2003, you must first have a Windows Server 2003 system that's working properly. After jumping through the appropriate hoops, ISA Server will work on Windows Server 2003, whether you've installed Windows Server 2003 from scratch or upgraded from Windows 2000 Server.

Installing a new ISA Server on Windows Server 2003
To start the installation, insert the ISA Server CD into the CD-ROM drive. The CD willautoplay the Installation menu. If you do not have autorun enabled, browse to the root of the CD and double-click ISAAutoRun.exe. From the installation menu, click Install ISA Server. Windows Server 2003 will immediately display the error message shown in Figure A.

Figure A
ISA Server's Setup program will display this notice indicating the Service Pack 1 is required.

The notice indicates that SP1 for ISA Server is required and that you will encounter error messages as well as event log messages regarding the compatibly of the product on this version of Windows. Fortunately, the messages can be safely ignored. Click the Continue button to carry out the installation.

The next steps of the ISA Setup program ask for the CD Key and for you to accept the End User License Agreement. Neither of these screens will present a problem on Windows Server 2003.

The substantial installation work begins on the next screen where you choose what type of installation to perform. For the purposes of this article, we'll be getting all ISA components to work under Windows Server 2003. Therefore, we'll select Full Installation.

Next, you'll see the Mode screen appear. Here, you'll have to select the ISA Server operating mode you want to use. You'll have three choices:
  • Firewall mode
  • Cache mode
  • Integrated mode

Integrated mode includes both firewall and caching options. For the purposes of this article, we'll select Integrated Mode.

You'll then see the Specify The NTFS Drives screen appear. As a caching device, the system on which ISA Server is installed needs to have disk space dedicated to it. By default, ISA Server allocates 100 MB of space on the system drive. You can select to reserve more space for the cache by changing the value of the Cache Size field. Because Windows Server 2003 doesn't have an issue with the cache file, we'll accept the default values by clicking OK. You should increase it if you have plenty of disk space and want to increase ISA Server's cache performance.

You'll then see the Enter The IP Address Ranges screen. My lab network runs on the private address space Since ISA Server has been configured to act as a firewall and caching system, it needs to know which TCP/IP addresses it should consider internal and which it should consider external. To provide this information, ISA Server asks you to provide it with the ranges of internal addresses. All addresses outside these ranges are considered external. As I have only one internal address space, that is the range that I will provide on this step of the installer. ISA Server can also automatically construct this information when you click the Construct Table button. Choosing this option results in ISA Server, including the three RFC 1918 private address spaces—10.x, 172.16.x to 172.31.x and 192.168.x—and the RFC 3330-defined special use 169.254/16 address space. Additionally, this option will use the local routing table to determine local address spaces.

After making the appropriate selection on the IP provisioning screen, ISA Server will copy files to the specified location and then attempt to start its services. Here's where you'll see your first major problems with running ISA Server on Windows Server 2003. Starting certain ISA services will result in the error shown in Figure B.

Figure B
After installing ISA Server, Windows Server 2003 will report errors in starting ISA Server services.

You can view additional ISA Server errors by examining Windows Server 2003's event log. If you open the event log, you'll find a number of errors similar to the one shown in Figure C, indicating the services have been blocked from loading.

Figure C
The event log will display errors indicating that there are service problems.

Making ISA Server Windows 2003 compliant
In order to remove the problems preventing ISA Server components from properly loading, you need to install the two components mentioned earlier—ISA Server SP1 and the Windows 2003 ISA Server components.

The first step to getting the product running is to install ISA Server Service Pack 1 on the Windows Server 2003 system. To perform this operation, download SP1 from Microsoft, execute the downloaded executable, accept the license agreement, and allow the installer to update the product. Note that a reboot is required after the installation of ISA Server SP1.

After the system reboots, download the ISA Server 2000 Required Updates For Windows Server 2003 package. Execute the downloaded file and accept the license agreement. A number of files will be installed, and the ISA services will be stopped and restarted. A reboot is not required for this step.

At the end of the process, you will have no more errors from failed services in the event viewer, and services that previously failed to start will now start properly, as shown in Figure D.

Figure D
After installing SP1 and ISA Server updates, the service will now start successfully.

Upgrading an ISA Server to Windows Server 2003
If you currently have an ISA Server 2000 installation running on Windows 2000 and wish to upgrade the operating system to Windows Server 2003, the process is surprisingly hassle-free. For this demonstration, I'll upgrade a stand-alone Windows 2000 SP3 ISA Server 2000 system to Windows Server 2003. There are no other services running on this machine—and there shouldn't be—since this service is designed to run at the network perimeter. Superfluous services, such as SQL and Exchange, could result in security breaches. This machine is currently running ISA Server 2000 on Windows 2000 Service Pack 3.

Install the updates first
One way to ensure that an OS upgrade goes smoothly and does not result in a major outage is to install ISA Server SP1 and the Required Updates for Windows Server 2003 before you upgrade Windows 2000 to Windows Server 2003.

After the updates have been installed, you can perform a typical upgrade from Windows 2000 Server to Windows Server 2003 and rest assured that the ISA services will function properly. In my lab, this process went without a hitch and resulted in ISA Server running all services with no errors.

Some things to note
In certain circumstances, even with the updates installed, ISA Server has specific problems running under Windows Server 2003. The most common problem that you may run into involves an ISA installation on the same server that includes IIS 6.0 components. The problem will be the inability for the ISA Server Web proxy (w3proxy) service to bind to port 80 for Web publishing. This occurs because IIS listens to all IP addresses resulting in a conflict.

To correct this problem, install the Windows Server 2003 support tools from the 2003 CD. To do this, execute suptools.msi from the \support\tools directory on the Windows Server 2003 CD. The support tools will be installed to C:\Program Files\Support Tools.

Next, open a command prompt on your server. Change directories to the new C:\Program Files\Support Tools directory. Stop IIS from listening on all IP addresses by typing httpcfg delete iplisten -i Require IIS to listen to only the internal NIC's IP address by typing httpcfg set iplisten -i Replace the IP address in this example with that of your server.

Why does ISA Server still have to listen to the internal address? In very few cases would you run an externally facing Web server on a firewall/proxy system, especially considering the security history of IIS. In fact, I highly recommend that you run as few services as possible on your ISA system.

Next, stop the http service by typing net stop http. Stop the proxy service by typing net stop w3proxy. After the services stop successfully, you must restart both services. Restart http with net start http. Restart proxy with net start w3proxy.

A bit of a bumpy road
Although it is one of the few Windows 2000-related products that can do so, ISA Server 2000 can be coaxed to run on Windows Server 2003. It just takes a little bit of work. Get the updates you need, and pay attention to errors onscreen and in the event log. With everything together, you can get ISA Server working as well on Windows Server 2003 as it does on Windows 2000 Server.

Editor's Picks

Free Newsletters, In your Inbox