Although Microsoft has made installations easier, you can't just put a CD in the server and run Setup. There are a few tricks and tips you need to know in order to successfully install software as complex as ISA Server 2004.
Installing Microsoft's Internet Security and Acceleration (ISA) Server is a pretty straightforward task, thanks to the Setup Wizard. However, the complexity of the installation process depends in part on whether you're upgrading from ISA Server 2000 or performing a clean installation.
In this article, I'll take a look at some preinstallation considerations and the basics of installing ISA Server 2004 "clean." I'll also go over the default configuration and some configuration changes you might want to consider, based on your network scenario.
A future article in this series will cover upgrading from ISA Server 2000. This article presumes you're installing ISA Server 2004 on a multihomed machine (that is, you plan to use the ISA computer as a firewall, not a Web caching-only server).
Installing ISA Server 2004 on Windows 2000 Server
You can install ISA Server 2004 on either Windows 2000 Server or Windows Server 2003, but there are a few special considerations to keep in mind if you choose to install on Windows 2000 Server.
You can't install ISA Server 2004 on Windows 2000 Server unless you've installed SP4 or later and IE 6 or later. If you slipstream SP4, you'll need to install a hot fix first.
Also note that you won't have full functionality of some of ISA Server 2004's features. For example, VPN Quarantine won't be supported when you use RADIUS policy, and you won't be able to configure the preshared key for L2TP IPSec.
Before you install ISA Server 2004, you should configure the routing table on the Windows 2000/2003 server. The ISA Server can have only one default gateway, so you should create routing table entries for routes to all of the non-local networks. Route summarization can be used to simplify the routing table entries.
Another important issue is the placement of DNS servers, because name resolution problems are some of the most common reasons for Web proxy and firewall clients not being able to connect through the ISA firewall. The firewall needs to know how to resolve both LAN names and Internet DNS names. I recommend a split DNS infrastructure so users can move between the local network and remote access without having to use different names or reconfigure their client applications to access resources.
You can install a caching-only DNS server on the ISA Server machine itself, to be used by computers on the internal network to resolve Internet names. This is needed if you don't have a DNS server on the internal network. You might also want to configure the ISA Server as a DHCP server to provide IP addresses to computers on the internal network, if you don't already have a DHCP server on the network.
Unless you're using the ISA machine as a single NIC Web caching-only server, it will have multiple network interfaces. I recommend that you rename the ISA Server's network interfaces (in the Network Connections interface) to make it easier to keep up with which interface is connected to which network. You need to configure the order of the network interfaces so that the internal interface is at the top (this increases name resolution performance).
There are a number of ways to perform the installation of the ISA Server 2004 software. The Unattended installation is useful if you're deploying several ISA machines with the same configuration. You'll need to use an msiund.ini file to hold the configuration information that the Setup program needs. You'll find this file in the \FPC folder on the ISA Server 2004 installation CD.
You can use a terminal services connection in Administration mode (on a Windows 2000 Server computer) or a Remote Desktop session (on Windows Server 2003) to install the ISA Server 2004 software. This will create a system policy rule that permits RDP connections from only the terminal/Remote Desktop client that is used to perform the remote installation. (If you install ISA at the console, any client on the network will be able to make an RDP connection to the ISA Server's local interface by default.)
You can run the ISA Server 2004 installation CD at the console. Alternatively, you can connect to a network share that contains the ISA Server 2004 installation files to perform the installation.
Performing a clean installation
The easiest and least problematic way to install ISA Server 2004 is to do a "clean" install (rather than an upgrade of an ISA Server 2000 computer). To do so, install Windows 2000/2003 Server and configure the routing entries and network adapters as discussed earlier. If installation doesn't begin, double-click isaautorun.exe.
If you've been running an evaluation version of ISA Server 2004, you should use the ISA backup tool to back up the configuration and then uninstall the eval version before installing the licensed copy.
Click the links to view the release notes and setup/feature guide. Then click Install ISA Server 2004. This invokes the Setup Wizard. Go through the first pages to accept the license agreement, enter your name and organizational information, and provide the product key.
You can choose from these setup types: Typical (this installs the main features and requires about 27 MB of disk space, exclusive of space needed for caching); Complete (this installs all features); and Custom (this lets you pick the features you want to install). You can also click the Change button to change the path location to which the ISA files will be installed.
When you select the Custom option, by default the following features are installed: firewall services, ISA Server Management, and Advanced Logging (this allows you to log to a Microsoft data engine or MSDE database).
You can select to optionally install the Message Screener. You can use this feature to filter spam and e-mail attachments. The IIS 5.0 or 6.0 SMTP service must be installed before you install the Message Screener.
You'll need to define addresses on the default internal network. You can enter the IP addresses manually or click the Select Network Adapter button to use the routing table entries to determine which addresses are on the internal network. If you choose the latter, you'll see a message warning you that the routing table must be properly configured.
The internal network contains "trusted network services" such as DNS server, DHCP servers, Active Directory Domain Controller, terminal servers, and workstations used for management. ISA Server 2004 doesn't have a local address table (LAT) as did ISA Server 2000.
After you've defined the internal network, you can select whether to allow computers running earlier versions of the firewall client to connect (this would include the Proxy Server 2.0 Winsock Proxy and the ISA 2000 firewall client). I suggest that you update the client computers to the ISA 2004 firewall client as soon as possible for best functionality, but you might need to allow older clients to connect in the meantime.
A big security advantage of the ISA 2004 firewall client is that the communications between the ISA Server and the firewall clients is encrypted when you update all the firewall clients to the new software.
Before installation actually begins, the SNMP and IIS Admin services will be stopped, and the Internet Connection Firewall (ICF), Internet Connection Sharing (ICS), and RRAS NAT service will be disabled. ICF, ICS, and RRAS NAT conflict with ISA Server and cannot be used in conjunction with it.
When you get to the Ready To Install page of the wizard, click Install, and then click Finished on the Installation Wizard Completed page. You'll need to restart the server after installation completes.
The default configuration
After your ISA Server installation is complete, the following defaults are in effect until you make changes:
- There is one default access rule (called Default Rule), which is a Deny rule that does not allow any traffic to pass through the ISA Server firewall from any network to another. This is for high security, but it might lead you to believe that ISA doesn't work if you find that no one can connect to the Internet through the ISA firewall.
- The default system policies permit selected traffic to go to and from the ISA Server. These are only to allow needed services.
- There is a routed relationship set between the VPN and VPN-Q networks and the internal network.
- There is a NAT relationship set between the internal network and the default external network.
- Caching is disabled.
Note that, by default, only local administrators will be able to make changes to policies. (Domain administrators are added to the local administrators group automatically if the ISA Server is a domain member.)
Customizing your ISA Server configuration
Since the ISA Server is very secure, but not very functional in its default configuration, you'll want to make some immediate changes. To do so, log on as an administrator. Open the ISA Management Console (Start | All Programs | Microsoft ISA Server | ISA Server Management).
The first thing you'll want to do is create some access rules. To provide functionality, you should create rules to allow internal network clients to access the DHCP server on the ISA Server and to allow the ISA Server to send DHCP messages to the client computers (if you've installed DHCP services on the ISA Server).
If you have a DNS server on the internal network, you should also create a rule to allow the internal DNS server to use the ISA Server for its DNS server. If you don't have a DNS server on the internal network, you need to create a rule to allow clients on the internal network to access the ISA Server's caching-only DNS server.
Next, you need to create rules to allow clients on the internal network to access Internet sites and protocols through the ISA Server. To test the ISA Server, you can create an "all open" rule to allow access to all Internet sites and protocols; but in a production environment, you'll want to limit access.
Assigning administrative roles
You can delegate administration of the ISA Server and assign different administrative roles to users or groups based on what each firewall administrator needs to be able to do. This allows for better security. There are three defined administrative levels:
- Basic Monitoring: These users can monitor the server but can't configure monitoring tasks, such as configuring the logs or defining alerts.
- Extended Monitoring: These users can monitor the server and configure all monitoring tasks.
- Firewall Administrator: These users can completely manage the ISA Server, create rules and policies, apply network templates, and perform all configuration tasks for firewall and caching.
You can define administrative roles by invoking the Administration Delegation Wizard. In the ISA Server Management Console, click the name of the ISA Server in the left pane. On the Tasks tab in the right pane, click Define Administrative Roles. This starts the wizard, which will walk you through the process of delegating control to users or groups. I recommend that you assign roles to groups rather than individual users.