In the Daily Drill Down ”Preparing to deploy Microsoft Internet Security and Acceleration Server 2000,” we warned you that you couldn’t just toss the Microsoft Internet Security and Acceleration (ISA) Server installation CD into your server and run Setup. We showed you some of things you need to do first. Now that you’re prepared, you can get out that CD. In this Daily Drill Down, we’ll show you how to install ISA Server.

A few last-minute checks
After you’ve prepared your network as outlined in ”Preparing to deploy Microsoft Internet Security and Acceleration Server 2000,” you have to do a few last-minute checks to ensure everything’s ready. First, check to make sure you have all of the TCP/IP information from your ISP for the Internet connection. You’ll need to know your server’s external IP address, subnet mask, default gateway, and the TCP/IP addresses of your ISP’s DNS servers. You’ll use that information to configure the network card that connects to your ISP.
You’ll need the TCP/IP information only if you’re using a second network card and a direct connection, such as a T1, T3, or DSL line. If you use a dial-up connection, the ISP will automatically assign this information every time your server connects.
You should check your Windows 2000’s TCP/IP configuration to make sure the network card connected to the internal network doesn’t have a default gateway configured. If your server has a default gateway set on both the internal network card and the external network card, you could encounter network problems.

While you’re checking the default gateway TCP/IP setting on the internal network card, see how you have assigned the TCP/IP address on that card. You should have assigned a static TCP/IP address. If you use DHCP to assign the address of the internal network card, you could run into problems if the card grabs a different address than what the ISA clients are looking for. Don’t worry about DHCP on the external network card. The clients won’t be affected if the external TCP/IP address changes.

After you’ve double-checked your TCP/IP settings, you’re ready to go. Now you’re ready to grab that CD and run Setup. For the purposes of this Daily Drill Down, we’re going to install ISA Enterprise Server in an array configuration.

Running the ISA Server Enterprise Initialization
Because we’re going to install ISA Enterprise as an array member, we’ll be modifying the Active Directory schema. In order for that to work, you must be logged in to your server as Administrator or as a user who’s a member of the Enterprise Admins and Schema Admins groups.

When you put the ISA Server CD in your server’s CD-ROM drive, you’ll almost immediately see the Microsoft ISA Setup screen appear. This is the main menu for ISA’s Setup program. From this screen, you can view some of ISA Server’s documentation, register your server, install ISA Server, or extend Active Directory’s schema and prepare your network for ISA Server.

When you install your first ISA Server, you must first extend Active Directory’s schema to accommodate the new objects that ISA Server needs to work properly. As a matter of fact, if you attempt to install ISA Server without first extending Active Directory’s schema, ISA Server’s Setup program won’t let you. Instead, it will give you an error message and force you to stop the installation.

Don’t worry too much about the difficulty of extending Active Directory’s schema or knowing any special programming to do it. Microsoft provides a utility to help. Just click Run ISA Server Enterprise Initialization on the Microsoft ISA Server Setup screen. Setup will then ask you if you want to extend the Active Directory schema. Click Yes to continue.
You only have to follow this procedure the first time you install ISA Server on your network. Schema modifications will replicate throughout your Active Directory tree, so if you add ISA servers to your network, the Active Directory changes those servers will need to work will already be in place.
After you click Yes, you’ll see the ISA Enterprise Initialization screen, shown in Figure A. On this screen, you can set the type of policy that ISA Server will apply to servers in an array. If you select Use Array Policy Only, each ISA server array you create will have its own policy and will have to be administered individually. If you choose Use This Enterprise Policy, ISA Server will apply the same enterprise policy to all the arrays on the network. If you select this option, you’ll also need to provide a name for the policy in the field below the radio button.

Figure A
When extending the schema, you must also choose the policy types ISA Server will use.

For the greatest administrative flexibility, you can also combine enterprise and array policies. To do so, select Use This Enterprise Policy and select the check box labeled Allow Array-Level Access Rules That Restrict Enterprise Policy. When you do, you can tailor and apply enterprise policies for each array. The overall enterprise policy applies first, and then the array policy builds on it.

If you have Web servers or other servers you want users outside your network to be able to access through your firewall, select Allow Publishing Rules. Finally, select Force Packet Filtering On The Array if you want to ensure that packet filtering will always be enabled on arrays in the network. By selecting this option, you can prevent any special array administrators you create in order to administer ISA arrays from disabling packet filtering.

After you made your choices on the ISA Enterprise Initialization screen, click OK to continue. Setup will then extend Active Directory. This process can take anywhere from a few minutes to several hours. The actual length of time will depend on such factors as the number of objects in your Active Directory tree, network topology, and the speed of your servers.

After Setup finishes extending the Active Directory schema, Setup will display a message telling you that the schema imported successfully. You’re now ready to begin installing ISA Server itself. If you have many domain controllers (DCs) on your network, you may want to wait a few hours before installing ISA Server to allow the schema extensions to replicate across your network.

Installing ISA Server
To begin installing ISA Server, click Install ISA Server on the main Microsoft ISA Server Setup screen. The first screen you see is a generic welcome screen. Click Continue to bypass it. Setup will then ask you to enter your CD key. You’ll need to enter this number carefully and click OK when you’re done. If you enter the number incorrectly, Setup will display an error message and won’t let you proceed. After you’ve entered the number, Setup will display your product ID number. Setup reminds you to write down this number because you’ll need it to register. If you don’t have anything to write with, don’t panic. You can obtain the number later by clicking Help | About in the ISA Server MMC. Click OK to leave the Product ID screen.

Setup will briefly check for installed components. Setup performs this step to ensure that the proper Active Directory schema extensions are in place. You’ll then see the EULA (End User License Agreement) screen. This screen contains all of the legalese you must agree to before you can run the software. Read through it and make sure you can abide by all its terms. Then, click I Agree to continue. If you click I Decline, Setup will end.

After agreeing to the terms of license, you’ll see the To Choose The Installation You Want screen. In the Folder box, you can change the default installation folder where Setup will copy ISA Server files. To accept the default location of C:\Program Files\Microsoft ISA Server, do nothing. To choose another one, click Change Folder and type the appropriate path.

On this screen, you can also choose Typical Installation, Custom Installation, or Full Installation. Typical chooses all of the defaults, but leaves out the H.323 options as well as the Message Screener. As you can probably guess, the Full installation includes all of these options, and the Custom installation lets you choose the components you want to install. For the purposes of this Daily Drill Down, we’ll do a Typical installation. Click the appropriate installation type to continue.

Setup will then ask if you want the server to be part of an array. To join or create a new array, click Yes. If you want to create a stand-alone server, click No. We’re going to create an array member, so click Yes. If this is the first array on your network, Setup will ask you for a name to give the array. Enter the name in the Array Name field and click OK. If there’s already an array on the network, a list of the available arrays will appear. You can then join an existing array by selecting an array from the list and clicking OK, or you can click New to start a new array. We’ll concern ourselves with new arrays only in this drill down.
When you make your ISA server a member of an existing array, you must install it in the same mode as the other array members. That means it can only do the same jobs that you configured the first member of the array to perform. If the first server was configured to be a firewall only, then any members of its array can be only firewalls as well. The new ISA server also adopts the array’s enterprise settings, access policy, publishing policy, and monitoring configuration.
After you’ve created the new array, you’ll see the Configure Enterprise Policy Settings screen, shown in Figure B. This screen allows you to control how your array is going to react to the enterprise policy you set when you extended the schema (see Figure A). Unless you have reasons for doing otherwise, just use the defaults and click OK to continue.

Figure B
You can control how your array handles the enterprise policy.

You’ll then see the Select The Mode For This Server screen. Here you can tell the server what kind of role it’s going to serve in your organization. Your choices are Firewall Mode, Cache Mode, or Integrated Mode. As you can probably guess by the mode names, Firewall Mode optimizes ISA Server to act as a firewall on your network. Cache Mode allows you to set it up to cache Web requests. Integrated Mode does both. Select the mode you want and then click Continue.

Setup will then stop any services (such as the Web services) running on your server that may be affected by ISA Server. If you select Cache or Integrated Mode, you’ll see the Cache Configuration screen. On this screen, you can set up the amount of cache that ISA Server will use when caching Web pages for users.

You can use only NTFS drives to locate caches. Setup automatically searches for the largest NTFS partition on your server and suggests a default cache size of 100 MB. You can change that amount by entering a new number in the Cache Size field and clicking Set. Microsoft suggests that you allocate, at a minimum, 100 MB and add 0.5 MB for each client that uses the HTTP or FTP protocol. However, because the Cache Size field doesn’t allow you to enter fractional megabytes, you should round up to the nearest full megabyte if you have an odd number of users. When you’ve set the cache sizes, click OK to continue.

You’ll then see the screen shown in Figure C. Here you tell ISA Server what range of TCP/IP addresses are allowed to use ISA services. Just enter a start range and an end range in the appropriate fields and then click Add.

Figure C
You must specify the range of addresses that can use ISA.

If there are too many ranges and you don’t feel like typing them all in, you can allow Setup to build the list for you. Just click Construct Table. Setup will then build a list for you from a list of private ranges, such as 10.x.x.x, as well as the addresses that it finds by scanning your Windows 2000 server’s routing table.

Be sure to double-check the addresses that Construct Table finds. It may accidentally discover and load external TCP/IP addresses to your list. If this happens, you could make your network vulnerable to attacks. Click OK after you’ve added and removed the addresses you want.

Setup then copies ISA’s files to your server. When it’s done, Setup asks you if you want to launch the ISA Server Getting Started Wizard. If you don’t want to, deselect the Launch check box. Otherwise, just click OK. Setup will then end and launch the wizard.

Running the ISA Server Getting Started Wizard
When you launch the Getting Started Wizard, it starts the ISA Management MMC and displays the screen shown in Figure D. Here you can quickly get your ISA Server up and running so your users can start using it immediately.

Figure D
After installing ISA Server, you can run the Getting Started Wizard.

The Getting Started Wizard walks you through the steps of defining and configuring initial enterprise and array policies. Some of the tasks it helps you perform are the following:

  • Configuring packet filtering.
  • Configuring routing and chaining
  • Configuring routing for firewall and SecureNAT clients
  • Configuring settings for Web proxies
  • Creating a cache policy
  • Creating the enterprise and array level and site and content rules
  • Creating enterprise- and array-level policy elements
  • Creating enterprise- and array-level protocol rules
  • Setting system security level

We’ll cover the Getting Started Wizard and show you how to configure your ISA server in an upcoming Daily Drill Down.
Shortly after Microsoft shipped ISA Server, a potential security hole was discovered. ISA Server’s Web Proxy service would encounter a problem if someone issued a request for a Web page and the URL exceeded a particular length. When ISA would attempt to process the request, the Web Proxy service would fail with an access violation. After the failure, all ingoing and outgoing Web proxy requests would go unfulfilled until the service was restarted.
Fortunately, you can download and apply a patch to fix this problem. To do so, go to Microsoft Security Bulletin MS01-021. Here, you’ll find detailed information about the problem and a link to download the hot fix.
To install the patch, download it from the site and run it on your server or just go to the site from your ISA Server and choose Run This Program From Its Current Location instead of downloading the file. When you do, you’ll see a Security Warning appear. Don’t panic. Windows 2000 is just warning you that you’re about to download a file that is going to alter your system. Click Yes to continue. Setup will then copy the files to your server and ask you if you want to apply the hot fix. Just click Yes. The installation won’t take any time at all. When it’s done, click OK to restart your server.
The good old days of simple software installations are gone. When you install complex software like ISA Server, you must make many decisions during the installation. Knowing what’s in store for an installation and knowing how you’re going to configure things in advance can save you lots of troubleshooting time later.
The authors and editors have taken care in preparation of the content contained herein but make no expressed or implied warranty of any kind and assume no responsibility for errors or omissions. No liability is assumed for any damages. Always have a verified backup before making any changes.