Installing Microsoft’s Internet Security and Acceleration
(ISA) Server is a pretty straightforward task, thanks to the Setup Wizard.
However, the complexity of the installation process depends in part on whether
you’re upgrading from ISA Server 2000 or performing a clean installation.

In this article, I’ll take a look at some preinstallation
considerations and the basics of installing ISA Server 2004 “clean.” I’ll also
go over the default configuration and some configuration changes you might want
to consider, based on your network scenario.

Author’s note

A future article in this series will cover upgrading from
ISA Server 2000. This article presumes you’re installing ISA Server 2004 on a
multihomed machine (that is, you plan to use the ISA computer as a firewall,
not a Web caching-only server).

Installing ISA Server 2004 on Windows 2000 Server

You can install ISA Server 2004 on either Windows 2000
Server or Windows Server 2003, but there are a few special considerations to
keep in mind if you choose to install on Windows 2000 Server.

You can’t install ISA Server 2004 on Windows 2000 Server
unless you’ve installed SP4 or later and IE 6 or later. If you slipstream SP4,
you’ll need to install a hot fix
first.

Also note that you won’t have full functionality of some of
ISA Server 2004’s features. For example, VPN Quarantine won’t be supported when
you use RADIUS policy, and you won’t be able to configure the preshared key for
L2TP IPSec.

Preinstallation configuration

Before you install ISA Server 2004, you should configure the
routing table on the Windows 2000/2003 server. The ISA Server can have only one
default gateway, so you should create routing table entries for routes to all
of the non-local networks. Route summarization can be used to simplify the
routing table entries.

Another important issue is the placement of DNS servers,
because name resolution problems are some of the most common reasons for Web proxy
and firewall clients not being able to connect through the ISA firewall. The
firewall needs to know how to resolve both LAN names and Internet DNS names. I
recommend a split DNS infrastructure so users can move between the local
network and remote access without having to use different names or reconfigure
their client applications to access resources.

You can install a caching-only DNS server on the ISA Server
machine itself, to be used by computers on the internal network to resolve
Internet names. This is needed if you don’t have a DNS server on the internal network.
You might also want to configure the ISA Server as a DHCP server to provide IP
addresses to computers on the internal network, if you don’t already have a
DHCP server on the network.

Unless you’re using the ISA machine as a single NIC Web
caching-only server, it will have multiple network interfaces. I recommend that
you rename the ISA Server’s network interfaces (in the Network Connections
interface) to make it easier to keep up with which interface is connected to
which network. You need to configure the order of the network interfaces so
that the internal interface is at the top (this increases name resolution
performance).

Installation options

There are a number of ways to perform the installation of
the ISA Server 2004 software. The Unattended
installation is useful if you’re deploying several ISA machines with the
same configuration. You’ll need to use an msiund.ini file to hold the
configuration information that the Setup program needs. You’ll find this file in
the \FPC folder on the ISA Server 2004 installation CD.

You can use a terminal services connection in Administration
mode (on a Windows 2000 Server computer) or a Remote Desktop session (on Windows
Server 2003) to install the ISA Server 2004 software. This will create a system
policy rule that permits RDP connections from only the terminal/Remote Desktop
client that is used to perform the remote installation. (If you install ISA at
the console, any client on the network will be able to make an RDP connection
to the ISA Server’s local interface by default.)

You can run the ISA Server 2004 installation CD at the
console. Alternatively, you can connect to a network share that contains the
ISA Server 2004 installation files to perform the installation.

Performing a clean installation

The easiest and least problematic way to install ISA Server
2004 is to do a “clean” install (rather than an upgrade of an ISA Server 2000
computer). To do so, install Windows 2000/2003 Server and configure the routing
entries and network adapters as discussed earlier. If installation doesn’t
begin, double-click isaautorun.exe.

If you’ve been running an evaluation version of ISA Server
2004, you should use the ISA backup tool to back up the configuration and then
uninstall the eval version before installing the licensed copy.

Click the links to view the release notes and setup/feature
guide. Then click Install ISA Server 2004. This invokes the Setup Wizard. Go
through the first pages to accept the license agreement, enter your name and
organizational information, and provide the product key.

You can choose from these setup types: Typical (this
installs the main features and requires about 27 MB of disk space, exclusive of
space needed for caching); Complete (this installs all features); and Custom
(this lets you pick the features you want to install). You can also click the Change
button to change the path location to which the ISA files will be installed.

When you select the Custom option, by default the following
features are installed: firewall services, ISA Server Management, and Advanced
Logging (this allows you to log to a Microsoft data engine or MSDE database).

You can select to optionally install the Message Screener. You
can use this feature to filter spam and e-mail attachments. The IIS 5.0 or 6.0
SMTP service must be installed before you install the Message Screener.

You’ll need to define addresses on the default internal network.
You can enter the IP addresses manually or click the Select Network Adapter button to use the routing table
entries to determine which addresses are on the internal network. If you choose
the latter, you’ll see a message warning you that the routing table must be
properly configured.

The internal network contains “trusted network services”
such as DNS server, DHCP servers, Active Directory Domain Controller, terminal
servers, and workstations used for management. ISA Server 2004 doesn’t have a local
address table (LAT) as did ISA Server 2000.

After you’ve defined the internal network, you can select
whether to allow computers running earlier versions of the firewall client to
connect (this would include the Proxy Server 2.0 Winsock Proxy and the ISA 2000
firewall client). I suggest that you update the client computers to the ISA
2004 firewall client as soon as possible for best functionality, but you might
need to allow older clients to connect in the meantime.

A big security advantage of the ISA 2004 firewall client is
that the communications between the ISA Server and the firewall clients is
encrypted when you update all the firewall clients to the new software.

Before installation actually begins, the SNMP and IIS Admin
services will be stopped, and the Internet Connection Firewall (ICF), Internet
Connection Sharing (ICS), and RRAS NAT service will be disabled. ICF, ICS, and
RRAS NAT conflict with ISA Server and cannot be used in conjunction with it.

When you get to the Ready To Install page of the wizard,
click Install, and then click Finished on the Installation Wizard Completed page.
You’ll need to restart the server after installation completes.

The default configuration

After your ISA Server installation is complete, the
following defaults are in effect until you make changes:

  • There
    is one default access rule (called Default Rule), which is a Deny rule
    that does not allow any traffic to pass through the ISA Server firewall
    from any network to another. This is for high security, but it might lead
    you to believe that ISA doesn’t work if you find that no one can connect
    to the Internet through the ISA firewall.
  • The
    default system policies permit selected traffic to go to and from the ISA
    Server. These are only to allow needed services.
  • There
    is a routed relationship set between the VPN and VPN-Q networks and the internal
    network.
  • There
    is a NAT relationship set between the internal network and the default external
    network.
  • Caching
    is disabled.

Note that, by default, only local administrators will be
able to make changes to policies. (Domain administrators are added to the local
administrators group automatically if the ISA Server is a domain member.)

Customizing your ISA Server configuration

Since the ISA Server is very secure, but not very functional
in its default configuration, you’ll want to make some immediate changes. To do
so, log on as an administrator. Open the ISA Management Console (Start | All
Programs | Microsoft ISA Server | ISA Server Management).

The first thing you’ll want to do is create some access
rules. To provide functionality, you should create rules to allow internal network
clients to access the DHCP server on the ISA Server and to allow the ISA Server
to send DHCP messages to the client computers (if you’ve installed DHCP
services on the ISA Server).

If you have a DNS server on the internal network, you should
also create a rule to allow the internal DNS server to use the ISA Server for its
DNS server. If you don’t have a DNS server on the internal network, you need to
create a rule to allow clients on the internal network to access the ISA
Server’s caching-only DNS server.

Next, you need to create rules to allow clients on the internal
network to access Internet sites and protocols through the ISA Server. To test
the ISA Server, you can create an “all open” rule to allow access to all
Internet sites and protocols; but in a production environment, you’ll want to
limit access.

Assigning administrative roles

You can delegate administration of the ISA Server and assign
different administrative roles to users or groups based on what each firewall
administrator needs to be able to do. This allows for better security. There
are three defined administrative levels:

  • Basic Monitoring: These users can
    monitor the server but can’t configure monitoring tasks, such as
    configuring the logs or defining alerts.
  • Extended Monitoring: These users
    can monitor the server and configure all monitoring tasks.
  • Firewall Administrator: These
    users can completely manage the ISA Server, create rules and policies,
    apply network templates, and perform all configuration tasks for firewall
    and caching.

You can define administrative roles by invoking the
Administration Delegation Wizard. In the ISA Server Management Console, click
the name of the ISA Server in the left pane. On the Tasks tab in the right
pane, click Define Administrative Roles. This starts the wizard, which will
walk you through the process of delegating control to users or groups. I
recommend that you assign roles to groups rather than individual users.