Module 2. Installing and Maintaining ISA Server
Overview
Installing ISA Server
Installing and Configuring ISA Server Clients
Maintaining ISA Server
Whether you deploy Microsoft® Internet Security and
Acceleration (ISA) Server 2000 as a dedicated firewall, a
Web cache server, or an integrated solution, you must
plan carefully to ensure that you have the required
hardware and software. After you perform an ISA Server
installation, you must configure client computers.
Depending on the client operating systems and your
specific requirements to control Internet access, you
can choose to use the transparent SecureNAT
technology or deploy the ISA Firewall Client software.
You can also configure computers as Web proxy clients
to improve browser performance.
In addition, it is important to properly maintain ISA
Server to ensure that all client computers have fast and
secure access to the Internet.
After completing this module, you will be able to:
Install ISA Server on a computer running Microsoft
Windows® 2000 Server.
Configure computers as Web proxy, Firewall, or
SecureNAT clients for ISA Server.
Perform administrative tasks for maintaining ISA Server.
Installing ISA Server
Identifying Hardware and Software Requirements
Identifying Pre-Installation Tasks
Selecting an Installation Mode
Specifying the Initial Cache Size
Configuring the LAT
Upgrading from Microsoft Proxy Server 2.0
Troubleshooting ISA Server Installation
Before you install ISA Server, you must set up the
hardware and configure the software for the ISA Server
computer. To help identify the choices that you will
make during installation, review the pre-installation
checklist before performing the installation. If you
encounter problems during a new installation or an
upgrade from Microsoft Proxy Server 2.0, see the
Troubleshooting ISA Server Installation section.
Note: You also can automate the installation of ISA
Server. For more information about performing an
unattended setup, see "Unattended setup" in ISA Server
Help.
In this lesson you will learn about the following topics:
Identifying hardware and software requirements
Identifying pre-installation tasks
Selecting an installation mode
Specifying the initial cache size
Configuring the LAT
Upgrading from Microsoft Proxy Server 2.0
Troubleshooting ISA Server installation
Identifying Hardware and Software Requirements
ISA Server requirements:
Operating system: Windows 2000 Server, Windows 2000 Advanced Server, or Windows Datacenter
CPU: 300 MHz or higher
RAM: 256 MB
Hard disk space: 20 MB
Hard disk format: NTFS
Network adapters: one internal adapter and one external adapter
Arrays: Active Directory
Note: The Active Directory™ directory service for
Windows 2000 must be installed on your network to
implement the array feature.
Forward Caching Requirements
The following table lists the hardware configurations of
a single ISA Server computer for the expected number
of users who gain access to objects on the Internet.
If the number of users exceeds 1,000 users, consider
better-performing hardware for the ISA Server computer
or add more ISA Server computers.
Reverse Caching Requirements
The following table lists the hardware configurations of
a single ISA Server computer for the expected number
of requests from Internet, or external, users. The exact
RAM requirements depend on the content that you are
publishing. Ideally, all cacheable content should fit into
memory.
Firewall Requirements
The following table lists the hardware configurations for
the expected rate of data transfer for Firewall and
SecureNAT clients that gain access to objects on the
Internet.
Note: Although it is important to have the required
hardware configuration, the rate of data transfer is
highly dependent on the speed of your connection to
the Internet.
Identifying Pre-Installation Tasks
Locate CD Key
Select an Installation Option
Select an Array to Join, If Applicable
Select an Installation Mode
Configure a Drive to Use for the Cache
Configure Address Ranges for the LAT
Before installing ISA Server, test your network
connectivity to minimize the need for troubleshooting
connection problems after installation is complete.
Important: Before installing ISA Server, ensure that the
Windows 2000 routing table on the ISA Server computer
is configured correctly. The internal adapter of the ISA
Server computer must be able to route packets to all
internal network destinations, and the external network
adapter must be able to route packets to the Internet. To
ensure proper routing, add explicit routes for all internal
network destinations, and configure a default gateway
on only the external network adapter.
When you install ISA Server, you must provide the following information:
CD Key. This is the 10-digit number located on back of the CD-ROM case.
Installation options. As part of the installation process, you can install
options from the following ISA Server components:
ISA Services. Controls access of network services for the traffic
between networks. This component is required for the installation.
Add-In Services. Includes the Microsoft H.323 Gatekeeper service,
which allows Microsoft NetMeeting® or other H.323-compliant
applications to reach users inside your network. The H.323 protocol is
a set of standards that enable real-time multimedia conferencing and
communications over packet-based networks. Also includes the
Message Screener, which performs content filtering on incoming
Simple Mail Transfer Protocol (SMTP) traffic.
Both of these add-in services are optional.
Administration Tools. Includes the ISA Server administration tools,
which are required for the installation, and the H.323 Gatekeeper
administration tools, which are optional.
Note: You can also install the administration tools
separately on a computer running Windows 2000 Server
or Microsoft Windows 2000 Professional to remotely
administer a stand-alone ISA Server computer or one or
more arrays of ISA Server computers.
You must also provide the following information:
Array selection. If you previously modified the Active
Directory schema to initialize the enterprise, you can
either select to create an enterprise array or can select
an array to join. If you did not initialize the enterprise,
ISA Server is installed in a stand-alone array, which
contains only a single ISA Server computer.
Installation Mode. You can select to install ISA Server in
Firewall mode, Cache mode, or Integrated mode.
Cache configuration. If you install ISA Server in
Integrated or Cache mode, you must configure the
drives to use for the cache.
Local Address Table (LAT) configuration. If you install
ISA Server in Integrated or Firewall mode, you must
configure the address ranges to include in the LAT. The
LAT is a table containing all of the internal Internet
Protocol (IP) address ranges that the network behind
the ISA Server computer uses.
Important: You must install Windows 2000 Service Pack
1 or later before you install ISA Server.
Selecting an Installation Mode
Setup dialog: Select the mode for this server.
Firewall mode. Select this option to install enterprise firewall functionality.
Cache mode. Select this option to install cache and Web hosting functionality. Cache mode installation is recommended only for computers that are not directly connected to the Internet. If this computer is directly connected to the Internet, install ISA Server in integrated mode.
Integrated mode. Select this option to install integrated enterprise firewall, cache, and Web hosting functionality.
Setup message: Setup has stopped your IIS publishing service (W3SVC). After Setup is complete, uninstall IIS or reconfigure all IIS sites not to use ports 80 and 8080.
Before you can select an installation mode, you must
launch the ISA Server installation program and enter the
information described in the pre-installation checklist.
As part of the setup process, you select the mode for
ISA Server: Firewall, Cache, or Integrated. After you
select the server mode, if you have Internet Information
Services (IIS) installed and configured to use port 80 or
port 8080, ISA Server Setup informs you that it will stop
the IIS Web service.
To start the ISA Server installation:
1. Insert the compact disc into the CD-ROM drive, or if you copied the contents of the ISA Server compact disc to a network location, open a command prompt window, and then run the ISAautorun.exe file.
2. In the Microsoft ISA Server Setup window, select Install ISA Server, and then click Continue.
3. Type the CD Key, and then click OK twice.
4. Read the licensing agreement, and then if you agree, click I Agree.
5. Click one of the following installations, and then click OK:
   Typical Installation. Includes the most commonly used components.
   Full Installation. Includes all ISA Server components and extensions.
   Custom Installation. Includes the ISA Server components and extensions that you specify.
6. If you are installing ISA Server Enterprise Edition and the computer is not part of a Windows 2000 domain, click Yes to install ISA Server as a stand-alone server.
7. Click Firewall mode, Cache mode, or Integrated mode, and then click Continue.
8. When the Setup Information message prompts you to stop the IIS service, click OK.
After the ISA Server installation is complete, uninstall
IIS or configure all Web sites on the server to use a
port other than port 80 or port 8080.
Important: Setup stops the IIS Web service because its
default listening port is 80, which ISA Server also
uses. Because ISA Server listens on port 8080 and
may listen on port 80, you must modify the listening
port settings for IIS because two different services
cannot bind to the same port.
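A pre-installation listener check, added here as an example; it is not part of the course material or of ISA Server. It shows the rule behind the Setup message: a second service cannot bind a TCP port that a listener already holds, so a plain bind attempt without SO_REUSEADDR fails with EADDRINUSE when IIS (or anything else) already owns port 80 or 8080. The function names `probe_port`, `hold_port` and `listener_conflicts` are this example's own; when the probe lacks the privilege to bind a low port it reports "permission denied" rather than guessing.

```python
import errno
import socket

# Ports the ISA Server Web Proxy service may bind: 8080 by default, and 80 if enabled
ISA_WEB_PROXY_PORTS = (8080, 80)


def probe_port(port, host="0.0.0.0"):
    """Classify a TCP port as 'in use', 'free', or 'permission denied'.

    A bind without SO_REUSEADDR succeeds only when no listener holds the port on
    that address. The probe socket is closed at once, so nothing stays bound.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as probe:
        try:
            probe.bind((host, port))
        except OSError as exc:
            if exc.errno == errno.EADDRINUSE:
                return "in use"
            if exc.errno == errno.EACCES:
                return "permission denied"   # low port, no privilege: result unknown
            raise
    return "free"


def listener_conflicts(ports=ISA_WEB_PROXY_PORTS, host="0.0.0.0"):
    """Return {port: status} for every port ISA Server may need to bind."""
    return {port: probe_port(port, host) for port in ports}


def hold_port(host="127.0.0.1"):
    """Open a listening socket on an ephemeral port, standing in for a service
    such as IIS that already owns a port; returns (socket, port)."""
    held = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    held.bind((host, 0))
    held.listen(1)
    return held, held.getsockname()[1]


if __name__ == "__main__":
    for port, status in listener_conflicts().items():
        print(f"port {port}: {status}")
```

Run it on the computer before starting Setup; any port reported as "in use" is one that IIS or another service must give up before ISA Server's Web Proxy service can start.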
Specifying the Initial Cache Size
Setup dialog: Specify the NTFS drives on which caches should be located and the maximum size of each cache. Initial cache size is 100 MB; add 0.5 MB for each Web Proxy client. The example shown lists drive C: [NTFS] with 28722 MB of available space, a cache size of 100 MB, and a total cache size of 100 MB.
If you install ISA Server in Cache mode or in Integrated
mode, the Setup program prompts you to select the
drive for the cache location and the initial cache size.
Select an NTFS-formatted hard disk of sufficient size to
make the cache as large as possible. For optimal
performance, select a hard disk that you use exclusively
for caching. You can increase cache size later by
allocating more empty disk space or by adding more
disk volumes.
Consider the following settings when specifying the size
of the cache:
Default cache size. 100 MB if at least 150 MB of free
disk space is available.
Minimum cache size. Allocate at least one drive and 5
MB on that drive.
Recommended cache size. Allocate at least 100 MB and
add 0.5 MB for each Web Proxy client, rounded up to the
nearest full megabyte.
Note: Although Windows 2000 allows you to format a
drive without assigning a drive letter, you cannot use a
drive without a drive letter for ISA Server caching.
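The sizing rules above, carried through in code as an added example (not the course's or ISA Server's own): the recommended size rounds 100 MB plus 0.5 MB per Web Proxy client up to a full megabyte, the default of 100 MB is offered only when 150 MB is free, and a drive qualifies only if it is NTFS, has a drive letter, and can hold the 5 MB minimum. The `Drive` class, the function names, and the drive inventory are this example's own constructions; the C: figures repeat the Setup dialog shown above.

```python
import math
from dataclasses import dataclass
from typing import Optional

MIN_CACHE_MB = 5              # Setup requires at least 5 MB on at least one drive
DEFAULT_CACHE_MB = 100        # offered when at least 150 MB of free space is available
DEFAULT_NEEDS_FREE_MB = 150
PER_WEB_PROXY_CLIENT_MB = 0.5


@dataclass
class Drive:
    letter: Optional[str]     # None models a volume formatted without a drive letter
    filesystem: str           # "NTFS", "FAT32", ...
    free_mb: int


def recommended_cache_mb(web_proxy_clients):
    """100 MB plus 0.5 MB per Web Proxy client, rounded up to a full megabyte."""
    if web_proxy_clients < 0:
        raise ValueError("client count cannot be negative")
    return math.ceil(DEFAULT_CACHE_MB + PER_WEB_PROXY_CLIENT_MB * web_proxy_clients)


def default_cache_mb(drive):
    """Setup's default for a drive: 100 MB if at least 150 MB is free, else none."""
    return DEFAULT_CACHE_MB if drive.free_mb >= DEFAULT_NEEDS_FREE_MB else None


def cache_eligible(drive):
    """Only NTFS volumes with a drive letter and room for the minimum cache qualify."""
    return (drive.letter is not None
            and drive.filesystem.upper() == "NTFS"
            and drive.free_mb >= MIN_CACHE_MB)


def plan_cache(drives, web_proxy_clients):
    """Spread the recommended size across eligible drives, largest free space first.

    Returns {drive letter: MB}. Every drive used gets at least MIN_CACHE_MB; the
    total falls short of the recommendation when the drives are too small.
    """
    remaining = recommended_cache_mb(web_proxy_clients)
    plan = {}
    eligible = sorted((d for d in drives if cache_eligible(d)),
                      key=lambda d: d.free_mb, reverse=True)
    for drive in eligible:
        if remaining <= 0:
            break
        size = max(min(remaining, drive.free_mb), MIN_CACHE_MB)
        plan[drive.letter] = size
        remaining -= size
    return plan


# Constructed drive inventory; only C: can hold a cache
EXAMPLE_DRIVES = [
    Drive("C:", "NTFS", 28722),
    Drive("D:", "FAT32", 60000),   # not NTFS
    Drive(None, "NTFS", 80000),    # no drive letter
]

if __name__ == "__main__":
    print(plan_cache(EXAMPLE_DRIVES, 250))   # {'C:': 225}
```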
Configuring the LAT
Slide: Configuring the LAT.
1 Click Construct Table to construct a local address table.
2 Select options to add private IP address ranges or routing table entries.
3 Verify the IP addresses that display in the local address table.
Setup dialog: Enter the IP address ranges that span the internal network address space. The Internal IP ranges list shows each range with its From and To addresses; use the Edit boxes with Add and Remove to adjust the list, or click Construct Table.
Local Address Table dialog: Select the address ranges (based on the Windows 2000 routing table) for inclusion in the local address table (LAT). The LAT should include all the addresses in your internal network. Options: Add the following private ranges: 10.x.x.x, 192.168.x.x, 172.16.x.x to 172.31.x.x, and 169.254.x.x. Add address ranges based on the Windows 2000 Routing Table: select the address ranges that are associated with the following internal network adapters. The example lists the MS LoopBack Driver (169.254.25.129) and a 3Com EtherLink PCI adapter (192.168.1.200).
The LAT is a table of all internal IP addresses. If you
install ISA Server in Firewall mode or Integrated mode,
you can configure the LAT during Setup. ISA Server
uses the LAT to determine which IP addresses are
inside an organization's network and assumes that all
other IP addresses are external. ISA Server uses the
LAT to control how computers on the internal network
communicate with external networks. In addition,
Firewall clients automatically download LAT updates
from the ISA Server computer. Firewall clients use the
LAT updates to determine which IP addresses they can
directly connect to and which requests they need to
forward to the ISA Server computer.
Overview of the LAT
ISA Server can construct the LAT and add the following IP address
ranges:
Private IP addresses. ISA Server can add IP addresses that are
reserved by the Internet Assigned Numbers Authority (IANA) for
internal use. Many organizations use these addresses for internal
addresses. These addresses include 10.0.0.0 to 10.255.255.255,
192.168.0.0 to 192.168.255.255, and 172.16.0.0 to 172.31.255.255.
Add private IP addresses to the LAT only if you use private IP
addressing on your network.
Networks from the routing table. ISA Server adds all of the networks
that your computer connects to by using one or more network
adapters that you select. When adding entries from the routing table,
ensure that the network adapter that is configured to connect to your
internal network has the correct routing information for all network
segments on your internal network.
To configure the LAT during Setup:
Important: When configuring the LAT, add addresses on the private network only. Do not add the external interface of the ISA Server computer or any external addresses. In addition, never configure a network adapter with both an external IP address and an IP address that is in the LAT; doing so can cause ISA Server to incorrectly enforce security rules and can present a serious security risk.
1. In the Microsoft Internet Security and Acceleration Server 2000 Setup dialog box, click Construct Table.
2. Choose from the following options, and then click OK twice:
   To add private IP address ranges, select the Add the following private ranges check box.
   To add routing table entries, select the Add address ranges based on the Windows 2000 Routing Table check box, and then select the check box for the network adapter that is connected to your internal network.
3. In the Internal IP ranges box, review the list of IP address ranges, make the following corrections if necessary, and then click OK:
   To remove an address range, in the Internal IP Ranges box, click the range, and then click Remove.
   To add an address range, in the Edit box, type the beginning and end addresses of the range, and then click Add.
After configuring the LAT, Setup copies all of the
required files and completes all configuration steps.
Unless you specify a different location during an unattended setup, Setup installs ISA Server in the C:\Program Files\Microsoft ISA Server folder.
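A model of how the LAT is assembled and then used, added here as an example; it is not code from the course or from ISA Server. It builds a LAT the way Setup's Construct Table options do (IANA private ranges, networks routed through selected adapters, and manual From/To ranges), applies ISA Server's rule that an address in the LAT is internal and everything else is external, shows the Firewall client's direct-versus-forward decision, and flags the misconfiguration the Important note warns about: a LAT entry that covers the external adapter. The routing table excerpt, the addresses, and the function names are this example's own constructions; it relies only on Python's standard `ipaddress` module.

```python
import ipaddress

# Ranges IANA reserves for internal use; Setup's "Add the following private ranges"
# option adds these plus the automatic private addressing block 169.254.0.0/16
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("169.254.0.0/16"),
]

# Constructed excerpt of a Windows 2000 routing table: (destination, netmask, interface).
# The internal adapter (192.168.1.200) carries an explicit route to a second internal
# segment; the external adapter (203.0.113.10) carries the only default gateway.
ROUTING_TABLE = [
    ("0.0.0.0",     "0.0.0.0",       "203.0.113.10"),
    ("127.0.0.0",   "255.0.0.0",     "127.0.0.1"),
    ("192.168.1.0", "255.255.255.0", "192.168.1.200"),
    ("192.168.2.0", "255.255.255.0", "192.168.1.200"),
    ("203.0.113.0", "255.255.255.0", "203.0.113.10"),
]


def adapter_networks(routing_table, adapter_ip):
    """Networks routed through one adapter (model of the routing-table option).

    The default route and loopback are skipped. An incomplete routing table
    yields an incomplete LAT, which is why the table is verified before Setup.
    """
    adapter = ipaddress.ip_address(adapter_ip)
    nets = []
    for dest, mask, iface in routing_table:
        if ipaddress.ip_address(iface) != adapter or dest == "0.0.0.0":
            continue
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        if not net.is_loopback:
            nets.append(net)
    return nets


def build_lat(routing_table, adapter_ips, add_private=False, manual_ranges=()):
    """Assemble the LAT from private ranges, selected adapters, and From/To entries."""
    nets = list(PRIVATE_RANGES) if add_private else []
    for adapter_ip in adapter_ips:
        nets.extend(adapter_networks(routing_table, adapter_ip))
    for first, last in manual_ranges:   # the Edit From/To boxes in the Setup dialog
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(first), ipaddress.ip_address(last)))
    return list(ipaddress.collapse_addresses(nets))


def is_internal(lat, ip):
    """ISA Server's rule: an address in the LAT is internal, anything else is external."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in lat)


def firewall_client_action(lat, dest_ip):
    """What a Firewall client does with a destination after downloading the LAT."""
    return "connect directly" if is_internal(lat, dest_ip) else "forward to ISA Server"


def validate_lat(lat, external_adapter_ip):
    """Flag LAT entries that cover the external adapter. Such a LAT makes ISA Server
    treat external traffic as internal, which is why rules stop being enforced."""
    ext = ipaddress.ip_address(external_adapter_ip)
    return [f"{net} contains the external adapter address {ext}" for net in lat if ext in net]


if __name__ == "__main__":
    lat = build_lat(ROUTING_TABLE, ["192.168.1.200"])
    print([str(n) for n in lat], validate_lat(lat, "203.0.113.10"))
    wrong = build_lat(ROUTING_TABLE, ["192.168.1.200", "203.0.113.10"])
    print(validate_lat(wrong, "203.0.113.10"))
```

Selecting the external adapter in the routing-table option is the mistake `validate_lat` catches; the same check, run against the LAT Setup generates, covers the troubleshooting case where users reach Internet sites without any allow rule.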
Upgrading from Microsoft Proxy Server 2.0
Slide: Upgrading from Microsoft Proxy Server 2.0.
Upgrading from Microsoft Windows NT: Proxy Server 2.0 on Windows NT is upgraded to Windows 2000 and then to ISA Server 2000.
Comparing Proxy Server 2.0 and ISA Server configurations: publishing (Winsock Proxy client versus SecureNAT client), cache content, SOCKS rules, and the IPX protocol.
Upgrading client computers: Winsock Proxy clients and Firewall clients; Web Proxy client requests go to port 80 on Proxy Server 2.0 and to port 8080 on ISA Server.
ISA Server supports a full migration path for Microsoft Proxy Server
2.0 users. Setup migrates most Proxy Server 2.0 rules, network
settings, monitoring configurations, and cache configurations to
ISA Server when you perform an upgrade.
Before migrating from Proxy Server 2.0, review
"PreMigrationConsiderations.htm" on the ISA Server compact disc
and review the following sections in ISA Server Help: "Checklist:
Migrating from Microsoft Proxy Server 2.0" and "Migrating from
Microsoft Proxy Server 2.0."
Important: It is recommended that you perform a full backup of the
current Proxy Server 2.0 settings before the upgrade and that you
disconnect the computer to be upgraded from the Internet during
the installation.
Upgrading from Microsoft Windows NT 4.0
You can install ISA Server on only computers running
Windows 2000 Server with Service Pack 1 installed. If
you are currently running Proxy Server 2.0 on Microsoft
Windows NT® 4.0, you must complete the following
steps:
1. Stop and disable all Proxy Server services, including:
   Microsoft Winsock Proxy Service (wspsrv)
   Microsoft Proxy Server Administration (mspadmin)
   Proxy Alert Notification Service (mailalrt)
   World Wide Web Publishing Service (w3svc)
2. If Proxy Server 2.0 is installed as an array, remove the server running Proxy Server 2.0 from the array.
3. Perform the upgrade to Windows 2000. During the upgrade to Windows 2000, you may receive a message indicating that Proxy Server 2.0 will not work on a computer running Windows 2000. You can disregard this message and continue installing ISA Server.
4. Install Windows 2000 Service Pack 1.
5. Begin installing ISA Server.
Comparing Proxy Server 2.0 and ISA Server
Configurations
When you upgrade to ISA Server, most rules, network
settings, monitoring configurations, and cache
configurations in Proxy Server 2.0 are migrated to ISA
Server. The differences and exceptions between Proxy
Server 2.0 and ISA Server are listed as follows:
Publishing. Proxy Server 2.0 requires that you configure
publishing servers as Winsock Proxy clients. ISA Server
allows you to publish internal servers without requiring
any special configuration or software installation on the
publishing server. Instead, ISA Server recognizes the
publishing servers as SecureNAT clients.
Cache. Proxy Server 2.0 cache content is not migrated
because of the vastly different cache storage engine in
ISA Server. ISA Server Setup deletes Proxy Server 2.0
cache content and initializes the new storage engine
based on existing cache and drive settings.
SOCKS. ISA Server policy does not support the
migration of Proxy Server 2.0 SOCKS rules. ISA Server
includes the SOCKS applications filter, which allows
client SOCKS applications to communicate with the
network by using the applicable array or enterprise
policy to determine if the client request is allowed.
Internet Protocol Exchange (IPX) Protocol. ISA Server
does not support the IPX protocol.
Upgrading Client Computers
After you install ISA Server, you may have to upgrade your client
computers:
Winsock Proxy clients. Because both the Winsock Proxy Client that
is included with Proxy Server 2.0 and the Firewall Client that is
included with ISA Server are compatible with both server products,
you can upgrade client computers at any time after installing ISA
Server and maintain a mixed environment during migration.
Web Proxy clients. Proxy Server 2.0 uses port 80 for client
Hypertext Transfer Protocol (HTTP) requests. By default, ISA Server
uses port 8080. Therefore, you must configure all downstream
chain members and browsers that connect to the ISA Server
computer to connect to port 8080. Alternatively, you can configure
ISA Server to use port 80 for client HTTP requests.
Troubleshooting ISA Server Installation Problems
Common installation errors:
LAT contains inaccurate information after installation
You cannot connect to Internet resources after installation
ISA Server presents error messages during installation
You cannot find array to join during installation
Users can gain access to Internet without defined rules
Users cannot connect to resources after upgrading from Proxy Server 2.0
The following list includes common installation
problems and solutions:
The LAT that the Setup program generates is incorrect.
Always double-check the LAT that the Setup program
generates before you continue and make any required
changes. The automatically generated LAT depends on
a correct and complete configuration of your routing
table.
You are unable to connect to Internet resources
immediately after installing ISA Server. This result is
expected. Before you can fully test your configuration,
you must configure access rules.
ISA Server presented one or more error messages
during installation. Review the event logs in Windows
2000 for more information about the errors. Remove ISA
Server by using Add/Remove Programs in Control
Panel, and then reinstall it. If you cannot remove ISA
Server by using Add/Remove Programs, use the
RMISA.exe program, which is located in the \isa\i386
folder on the ISA Server compact disc.
You cannot join an array because the installation
program cannot find the array. Ensure that the computer
can communicate with the other array members and a
domain controller for the current domain.
Users can gain access to Internet sites even though you
have not defined rules that allow access. Your LAT may
not be configured correctly. Ensure that the LAT
contains only internal IP addresses.
After upgrading from Proxy Server 2.0, client computers
can no longer connect to Internet resources. Change the
port that Web Proxy clients use to gain access to the
ISA Server computer or configure automatic discovery
for clients. ISA Server uses port 8080 for client
connections, whereas Proxy Server 2.0 uses port 80.
Tip: The "Troubleshooting" section of ISA Server Help
contains information about solving other common
problems.
Installing and Configuring ISA Server Clients
Client Overview
Configuring Web Proxy Clients
Configuring SecureNAT Clients
Installing and Configuring Firewall Clients
Troubleshooting Client Installation
Before you deploy or configure clients for ISA Server,
you must consider the requirements of your
organization. Some of the considerations include the
level of access control required, the operating systems
installed on client computers, the applications and
services that your internal clients will use, and how you
will publish servers on your internal network. If you
encounter problems while installing or configuring
clients, see the Troubleshooting Client Installation
section.
In this lesson you will learn about the following topics:
Client overview
Configuring Web Proxy clients
Configuring SecureNAT clients
Installing and Configuring Firewall Clients
Troubleshooting Client Installation
Client Overview
Slide: Client overview. SecureNAT clients, Web Proxy clients, and Firewall clients all reach the Internet through the ISA Server computer.
Web Proxy client: improves the performance of Web requests for internal clients.
SecureNAT client: does not require you to deploy client software or configure client computers.
Firewall client: allows Internet access only for authenticated users.
ISA Server supports three types of clients: Web Proxy
clients, SecureNAT clients, and Firewall clients.
Comparing ISA Server Clients
The following list describes the features of each type of
ISA Server client:
Web Proxy clients. Improve the performance of Web
requests. A Web Proxy client sends requests directly to
the ISA Server computer, but Internet access is limited
to the browser. You can configure most Web browsers
that support HTTP 1.0 and HTTP 1.1 clients as Web
Proxy clients. Other applications, such as streaming
media client applications, can also function as Web
Proxy clients.
SecureNAT clients. Provide security and caching of
HTTP requests, but do not allow for user-level
authentication. SecureNAT clients can support most
Transmission Control Protocol/Internet Protocol
(TCP/IP) protocols, including Internet Control Message
Protocol (ICMP). To configure a SecureNAT client, you
configure the client computer to route all packets to the
Internet through the ISA Server computer. You typically
do this by setting the default gateway on the client
computer to the IP address of the ISA Server computer.
Because a SecureNAT client requires no configuration
other than changing the default gateway, any computer
that uses the TCP/IP protocol can be a SecureNAT
client.
Important: Some protocols and applications require
secondary connections. For example, when you use the
File Transfer Protocol (FTP) protocol, by default the
client initiates a primary connection to the server, and
the server then initiates a secondary connection to the
client. ISA Server must use an application filter that
edits the data stream to allow SecureNAT clients to use
such protocols and applications. ISA Server includes
several application filters, such as an FTP filter and an
H.323 filter. If ISA Server does not contain the
appropriate application filter for a protocol or
application, SecureNAT clients cannot use this protocol
or application.
Firewall clients. Restrict access on a per-user basis for outbound
access for requests that use the TCP and User Datagram Protocol
(UDP) protocols. To configure a Firewall client, you must install the
Firewall Client software on each client computer. You can install the
Firewall Client software on computers running Microsoft Windows
Millennium Edition, Microsoft Windows 95 OSR2, Microsoft
Windows 98, Windows NT 4.0, or Windows 2000 only.
Important: You can configure a computer to use multiple client
types simultaneously. For example, you can configure a computer
as a Web Proxy client for requests that are issued from within a
browser, as a Firewall client to forward all requests from Winsock
applications that use the TCP and UDP protocols, and as a
SecureNAT client for all other protocols, such as ICMP.
Determining Which ISA Clients to Use
Use the following guidelines to determine which clients
to deploy for ISA Server.
If you want to: Improve the performance of Web requests for internal clients
Then use: Web Proxy clients
If you want to: Avoid deploying client software or configuring client computers
Then use: SecureNAT clients. SecureNAT clients do not require any software or specific configuration.
If you want to: Improve Web performance in an environment with non-Microsoft operating systems
Then use: SecureNAT clients. SecureNAT client requests are transparently passed to the Microsoft Firewall service and then to the caching service for caching.
If you want to: Publish servers that are located on your internal network
Then use: SecureNAT clients. You can publish internal servers to make them available to external users. When you publish internal servers, you configure the servers as SecureNAT clients. Because the published servers are SecureNAT clients, you do not need to configure settings on the published server. Microsoft does not recommend configuring published servers as Firewall clients.
If you want to: Allow Internet access for only authenticated users
Then use: Firewall clients or Web Proxy clients. You can configure user-based access policy rules for Firewall clients and Web Proxy clients.
Configuring Web Proxy Clients
Local Area Network (LAN) Settings dialog (Internet Explorer):
Automatic configuration: Automatic configuration may override manual settings. To ensure the use of manual settings, disable automatic configuration. Options: Automatically detect settings; Use automatic configuration script.
Proxy server: Use a proxy server. Address: 192.168.1.200. Port: 8080. Bypass proxy server for local addresses.
1 Select the Use a proxy server check box.
2 Type the IP address or name of the ISA Server computer in the Address box.
3 Type the port number in the Port box, and then click OK.
You do not need to install any software to configure
Web Proxy clients. However, you must configure the
Web browser on the client computer to use the ISA
Server computer as the proxy server. Other applications
that use Web protocols may also be able to function as
Web Proxy clients. Some of these applications can
obtain their configuration settings from your Web
browser. Others may require additional configuration
steps. The exact configuration steps for configuring ISA
Server depend on the Web browser that you use.
Important: Web browser helper applications that use
protocols other than HTTP, such as Microsoft Windows
Media™ Player, do not use ISA Server to connect to the
Web. To allow helper applications to connect to the
Web, you must use the SecureNAT client or the Firewall
client in addition to the Web Proxy client.
To configure Microsoft Internet Explorer 5 or later to
use the Microsoft Web Proxy service:
1. Open the Properties dialog box for Internet Explorer. On the Connections tab, click LAN Settings, and then in the Local Area Network (LAN) Settings dialog box, select the Use a proxy server check box.
2. In the Address box, type a valid path to the ISA Server computer.
3. In the Port box, type the port number that the ISA Server computer uses for Web Proxy client connections, which is 8080 by default, and then click OK twice.
If you want your Web browser to bypass the ISA Server
computer when connecting to local computers, you can
also select the Bypass proxy server for local addresses
check box. Bypassing the ISA Server computer for local
computers may improve Web browser performance.
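What the browser settings above mean on the wire, shown as an added example that is not code from the course or from any browser: a Web Proxy client opens its TCP connection to the ISA Server computer's address and port and sends the full URL on the request line, whereas a bypassed (local) request goes to the origin server with only the path. The proxy address and port are the constructed values from the dialog; the assumption that "local addresses" means plain host names without a dot is this example's model of the Bypass check box and should be adjusted to your own rule; `is_local_name` and `plan_request` are its own names.

```python
from urllib.parse import urlsplit

# Address and Port boxes from the LAN Settings dialog (constructed values)
ISA_PROXY = ("192.168.1.200", 8080)


def is_local_name(host):
    """Model of 'Bypass proxy server for local addresses': a plain host name with
    no dots (http://intranet/) is treated as local. Assumption, not a browser API."""
    return "." not in host


def plan_request(url, proxy=ISA_PROXY, bypass_local=True):
    """Decide where a Web Proxy client connects and what request it sends.

    Through the proxy: connect to the ISA Server computer and put the absolute
    URL on the request line, so the proxy chooses the origin server.
    Bypassed: connect to the origin server itself and send only the path.
    """
    parts = urlsplit(url)
    if parts.scheme != "http" or not parts.hostname:
        raise ValueError("expected an absolute http:// URL")
    host, port = parts.hostname, parts.port or 80
    path = parts.path or "/"
    if parts.query:
        path += "?" + parts.query
    if bypass_local and is_local_name(host):
        return {"connect": (host, port),
                "request": f"GET {path} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"}
    return {"connect": proxy,
            "request": f"GET {url} HTTP/1.1\r\nHost: {parts.netloc}\r\n\r\n"}


if __name__ == "__main__":
    for url in ("http://www.example.com/index.html", "http://intranet/reports"):
        plan = plan_request(url)
        print(url, "->", plan["connect"], plan["request"].split("\r\n")[0])
```

The connect tuple is where a browser that still carries a Proxy Server 2.0 setting goes wrong after an upgrade: it keeps dialing port 80 while ISA Server listens on 8080, which is the client-side symptom listed in the troubleshooting section.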
Configuring SecureNAT Clients
Configuring Clients on Networks That Do Not Use
Routers
Configuring Clients on Networks That Use Routers
Resolving Names for SecureNAT Clients
Although SecureNAT clients do not require specific
software, you must configure SecureNAT clients to
route all network traffic to the Internet through the ISA
Server computer. How you configure the client
computer depends on whether your network uses
routers between the ISA Server computer and the
SecureNAT clients.
Configuring Clients on Networks That Do Not Use
Routers
To configure SecureNAT clients on a network without
routers, set the SecureNAT client's IP default gateway
settings to the IP address of the ISA Server computer's
internal network adapter by manually changing the
default gateway setting or by using Dynamic Host
Configuration Protocol (DHCP).
Configuring Clients on Networks That Use Routers
To configure SecureNAT clients on a network with
routers, set the default gateway settings to the router
closest to the SecureNAT client. Ensure that the router
is configured to forward IP packets to the Internet so
that all packets are routed through the ISA Server
computer. Optimally, routers should use a default
gateway that routes along the shortest path to the ISA
Server computer.
In addition, do not configure routers to discard packets
destined for addresses outside of the internal network.
The ISA Server computer will determine how to route
these packets.
Resolving Names for SecureNAT Clients
If clients request data from: Internet and internal servers
Then: Use a DNS server on the internal network. Ensure that the internal server can resolve both internal and Internet addresses.
If clients request data from: Internet only
Then: Configure SecureNAT clients to use a DNS server on the Internet.
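A SecureNAT reachability check, added as an example that is not part of the course or of ISA Server. It models the two requirements of the preceding sections: following default gateways from a client must end at the ISA Server computer's internal adapter (not in a loop, and not at a router that discards packets for addresses outside the internal network), and a client that needs internal names must point at a DNS server on the internal network. The topology, the addresses, the internal-network summary, and the names `trace_to_isa` and `dns_finding` are this example's own constructions.

```python
import ipaddress

ISA_INTERNAL_ADAPTER = "192.168.1.200"

# Constructed topology: the default gateway each node uses, and whether a router
# is misconfigured to discard packets addressed outside the internal network.
TOPOLOGY = {
    "192.168.2.10": {"gateway": "192.168.2.1"},                            # client, one router away
    "192.168.2.1":  {"gateway": "192.168.1.200", "drops_external": False},
    "192.168.3.10": {"gateway": "192.168.3.1"},                            # client behind a routing loop
    "192.168.3.1":  {"gateway": "192.168.3.2", "drops_external": False},
    "192.168.3.2":  {"gateway": "192.168.3.1", "drops_external": False},
    "192.168.4.10": {"gateway": "192.168.4.1"},                            # client behind a filtering router
    "192.168.4.1":  {"gateway": "192.168.1.200", "drops_external": True},
}


def trace_to_isa(client_ip, topology, isa_ip=ISA_INTERNAL_ADAPTER, max_hops=16):
    """Follow default gateways hop by hop from a SecureNAT client.
    Returns (ok, path, reason)."""
    path, seen, current = [client_ip], {client_ip}, client_ip
    for _ in range(max_hops):
        node = topology.get(current)
        if node is None or "gateway" not in node:
            return False, path, f"{current} has no default gateway"
        nxt = node["gateway"]
        path.append(nxt)
        if nxt == isa_ip:
            return True, path, "default route ends at the ISA Server internal adapter"
        if topology.get(nxt, {}).get("drops_external"):
            return False, path, f"router {nxt} discards packets for external addresses"
        if nxt in seen:
            return False, path, f"routing loop at {nxt}"
        seen.add(nxt)
        current = nxt
    return False, path, "too many hops"


# Constructed summary of the internal address space (what the LAT would contain)
INTERNAL_NETWORKS = [ipaddress.ip_network("192.168.0.0/16")]


def dns_finding(dns_server_ip, needs_internal_names):
    """Name resolution rule: clients that request internal servers need a DNS
    server on the internal network; Internet-only clients may use an external one.
    Returns a finding string, or None when the placement is acceptable."""
    addr = ipaddress.ip_address(dns_server_ip)
    internal = any(addr in net for net in INTERNAL_NETWORKS)
    if needs_internal_names and not internal:
        return f"DNS server {dns_server_ip} is external; internal names will not resolve"
    return None


if __name__ == "__main__":
    for client in ("192.168.2.10", "192.168.3.10", "192.168.4.10"):
        ok, path, reason = trace_to_isa(client, TOPOLOGY)
        print(client, "OK" if ok else "FAIL", " -> ".join(path), reason)
    print(dns_finding("198.51.100.53", needs_internal_names=True))
```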
Installing and Configuring Firewall Clients
Slide: Firewall Client installation points. The client computer receives the Firewall Client software from the ISA Server computer's MSPClnt share (MSPClnt\Setup.exe), from a Web location (Webinst/default.htm), or through Group Policy.
You can install the Firewall Client software on client
computers from a shared folder or from a Web location.
You can also use Windows 2000 Group Policy to
centrally distribute the Firewall Client software to client
computers. For all installation methods, you must install
the Firewall Client software from the installation point
on the ISA Server computer so that the client computer
receives all of the required configuration information.
Important: Do not install the Firewall Client software on
the ISA Server computer. This configuration is not
recommended because the operations of the Firewall
client may interfere with the operations of ISA Server
when both are running on the same computer.
Installing from a Shared Folder
When you run the ISA Server Setup program, it
automatically creates a folder named Program
Files\Microsoft ISA Server\Clients, copies the client
installation files to this location, and then shares that
folder as MSPClnt. By default, the Firewall Client Setup
program installs the Firewall Client in the C:\Program
Files\Microsoft Firewall Client folder. You can select a
different folder during Setup.
To install the Firewall Client software from the shared
folder:
1. Use Windows Explorer to connect to \\server\MSPClnt (where server is the name of the ISA Server computer).
2. Run Setup.exe from that location, and then follow the on-screen instructions.
Installing from a Web Location
To install the Firewall Client software from a Web location:
1. Copy the Default.htm and Setup.bat files from the Program Files\Microsoft ISA Server\Clients\WEBINST folder to a Web server.
2. Use a Web browser to connect to the Web server, and then display Default.htm.
3. Start the Setup program by doing one of the following:
   If you are using Internet Explorer, click the Firewall Client software link.
   If you are using Netscape Navigator, follow the instructions to save Setup.bat to your hard drive, and then run Setup.bat from a command prompt.
Note: For most Winsock applications, the default Firewall client
configuration works with no further modification. However, in some
cases, you may have to modify the client configuration information.
For more information about configuring Firewall client settings, see
"Advanced Firewall client configuration" in ISA Server Help.
Installing by Using Group Policy
To install the Firewall Client software by using a group
policy, assign the Windows Installer package
MS_FWC.msi in the shared folder \\isa_server\Mspclnt
to the users that require the Firewall client.
Using the Firewall Client
The Firewall client is transparent to applications and users. By
default, an icon on the taskbar appears when a user has the
Firewall Client software installed, and the appearance of this icon
indicates the status of the connection to the ISA Server computer.
You can use Firewall Client in Control Panel to disable the Firewall
client, control whether the taskbar icon appears, and update
Firewall configuration information from the ISA Server computer.
Tip: The Firewall client automatically detects when there is no
connection to the ISA Server computer. When the Firewall client
detects that there is no connection, it automatically disables itself
so that the client computer connects to Internet resources directly.
This action allows users to move a computer, without having to
reconfigure the Firewall client, between an office location that uses
ISA Server and a home location in which ISA Server is not installed.
Troubleshooting Client Installation
Error: Cannot Connect to Internet After Installing Firewall Client Software
Error: Cannot Connect to Internet After Configuring Web Proxy Client
Error: Cannot Gain Access to Internet Sites From a Client Computer
Common client installation problems and possible
solutions are as follows:
You can no longer connect to Internet resources
immediately after installing the Firewall Client
software
You can no longer connect to Internet resources
immediately after configuring the Web Proxy client
You cannot gain access to Internet sites from a
client computer
You can no longer connect to Internet resources
immediately after installing the Firewall Client software.
Before attempting other methods of troubleshooting,
update the Firewall client by using the most recent ISA
Server configuration. To update the client, in Control
Panel, click Update Now in the Firewall Client program.
You can no longer connect to Internet resources
immediately after configuring the Web Proxy client.
Ensure that your computer can communicate with the
ISA Server computer and that your access rules allow
you to gain access to the Internet.
You cannot gain access to Internet sites from a client
computer. Attempt to isolate the problem by answering
the following questions:
Can you gain access to internal resources?
Can you gain access to external Web-based resources?
Can you gain access to external resources by using
Winsock-based applications?
Can you gain access to external resources by using
SecureNAT?
The most important part of troubleshooting client
connection problems is isolating the problem, which
includes identifying which client component is involved.
For example, if you can gain access to Web-based
resources but Winsock-based applications do not work,
you may need to reconfigure application settings for the
Firewall client. If you cannot gain access to either
internal or external resources, the problem may be
unrelated to ISA Server and you will have to examine
your network configuration.
Note: For more information on troubleshooting client
connection problems, see "Troubleshooting client
connections" in ISA Server Help.
Lab A: Installing ISA Server and Configuring Clients
Objectives
After completing this lab, you will be able to:
Install ISA Server.
Install the ISA Server administration tools.
Configure a Web Proxy client.
Configure a SecureNAT client.
Prerequisites
Before working on this lab, you must have:
Experience using Microsoft Management Console
(MMC).
Knowledge about how to configure network settings in
Windows 2000.
Knowledge about the characteristics of the different ISA
Server clients.
Scenario
Northwind Traders wants to secure all Internet access
for internal users by using ISA Server. To accomplish
this, you must install ISA Server and configure client
computers as Web proxy, Firewall, and SecureNAT
clients.
Exercise 1: Installing ISA Server
In this exercise, ISA Server will be installed in Integrated
mode.
Scenario
The security policy of Northwind Traders requires that
the internal network be separated from the Internet by
using a firewall. Also, because they anticipate an
increase in outgoing Internet traffic in the future, they
decide to use Web caching to increase the amount of
network traffic that the Internet connection can process.
To improve security and performance, ISA Server will be
installed.
Installing ISA Server
Exercise 2: Installing ISA Server Administration Tools
In this exercise, ISA Server administration tools will be
installed.
Scenario
Now that ISA Server is installed, the ISA Server computer
is to be administered remotely. To do this, ISA
Management and the H.323 Gatekeeper Administration
tool will be installed on another computer in the
network.
Installing ISA Server Administration Tools
Exercise 3: Configuring a Web Proxy Client
In this exercise, Internet Explorer will be configured as a
Web Proxy client that is configured to use the ISA
Server computer for Internet requests. This
configuration will then be tested.
Scenario
ISA Server has been installed in your organization to
improve the efficiency and security of all Internet
access. Before users can use Internet Explorer to gain
access to Web sites, Internet Explorer must be
configured as a Web Proxy client on all of the users'
computers.
Configuring a Web Proxy Client
Exercise 4: Installing the Firewall Client
In this exercise, the Firewall Client will be installed. This
configuration will then be tested.
Scenario
Northwind Traders wants to control Internet use by
employees by using ISA Server. Components of the
access policy require that access be controlled based
on user accounts. To accomplish this task, the Firewall
client must be installed on all computers running
Windows 2000.
Installing the Firewall Client
Exercise 5: Configuring a SecureNAT Client
In this exercise, a client computer will be configured as
a SecureNAT client.
Scenario
The network at Northwind Traders contains client
computers that are running different operating systems.
All client computers must be able to gain access to the
Internet through the ISA Server computer.
To accomplish this task, all client computers will be
configured as SecureNAT clients.
Configuring a SecureNAT Client
Maintaining an ISA Server Array
Using ISA Management
Maintaining the LAT and LDT
Maintaining Configuration Information
Managing Services
ISA Server contains administrative and management
tools to help you configure and maintain ISA Server as a
stand-alone server or an array. ISA Server uses the LAT
and the local domain table (LDT) to manage internal and
external connections. You can add IP address and
domain information manually to both server and client
computers.
After you configure ISA Server, you can use the backup
feature to save configuration data. When you restore the
ISA Server configuration, all ISA Server services are
stopped. Therefore, it is important to know the services
that are associated with ISA Server and how to manage
those services.
In this lesson you will learn about the following topics:
Using ISA Management
Maintaining the LAT and LDT
Maintaining Configuration Information
Managing Services
Using ISA Management
[Slide: the ISA Management console in Taskpad view (View menu: Large Icons, Small Icons, List, Detail, Taskpad, Advanced, Customize...) showing the Getting Started taskpad: Welcome; Select policy elements (Configure Schedules, Configure Client Sets, Configure Protocol Rules, Configure Destination Sets, Configure Site and Content Rules); Secure Server; Configure Firewall Protection; Configure Dial-Up Entries; Configure Routing for Firewall and SecureNAT Clients; Configure Routing for Web Browser Applications; Configure Cache Policy]
Welcome page text: Welcome to the Microsoft Internet Security and Acceleration (ISA) Server Getting Started Wizard. This wizard will assist you in finishing the setup process and help you to define and configure initial ISA Server policies, to connect and protect your internal network. To navigate through the wizard, click Next. To quit the wizard, click Finish. Click the Help button for more information on specific tasks.
Using ISA Management
ISA Management is an MMC snap-in that you use to
administer ISA Server. ISA Management includes
graphical taskpads and wizards that help simplify
navigation and configuration of common tasks. ISA
Management also includes the Getting Started Wizard to
help you configure policies after installation.
Using the Getting Started Wizard
You can run the Getting Started Wizard when you first
start ISA Server after installation. The Getting Started
Wizard guides you through the steps of defining and
configuring initial enterprise and array policies.
Using Taskpads and Advanced Views
You can run ISA Management in Taskpad view or in Advanced view.
Taskpads contain shortcuts for performing the most common
configuration tasks in the details pane of ISA Management. Taskpad
view is the default view in ISA Management and simplifies many
common configuration steps. However, you can complete some
less commonly performed tasks in Advanced view only.
To use Advanced view, on the View menu of ISA Management, click
Advanced. To change back to Taskpad view, click Taskpad.
Important: The taskpads and wizards in ISA Server are powerful
tools that enable you to configure settings quickly and easily.
Before performing any configuration changes, ensure that you
understand the implications of the action that you are about to
perform, including the functionality of protocols that you may want
to set.
Maintaining the LAT and LDT
[Slide diagram: the ISA Server computer, between the Internet and the internal clients, publishes the LAT address ranges as Msplat.txt, which the Firewall clients copy from the server]
ISA Server uses the LAT and the LDT to determine if an
IP address or computer name is on the internal network.
The LAT contains IP address ranges that define your
internal network address space. The LDT lists all of the
domain names in the internal network that are served by
the ISA Server computer.
You can add entries to both the LAT and LDT in ISA
Management. On the Firewall client, the Msplat.txt file
contains a copy of the LAT. Firewall clients update the
Msplat.txt file with the current settings from the ISA
Server computer at startup and then every six hours
thereafter.
Adding IP Addresses to the LAT
The LAT created during Setup may not contain all of
your organization's IP addresses. In addition, your
network address configuration may change after you
install ISA Server. After Setup, you can add these
addresses manually, if necessary. ISA Server stores the
LAT information in the file C:\Program Files\Microsoft
ISA Server\Clients\Msplat.txt. Clients copy the LAT to
the folder in which the Firewall Client software is
installed.
Caution: Never add IP addresses to the LAT that are not
on your internal network. Adding addresses to the LAT
that are not on your internal network may cause
connection problems for client computers and could
compromise the security of your network.
To add IP addresses to the LAT:
1. In ISA Management, in the console tree, expand Network Configuration, right-click Local Address Table (LAT), point to New, and then click LAT Entry.
2. In the From box, type the first IP address in the range of addresses to add to the LAT, and then in the To box, type the last IP address in the range of addresses to add to the LAT. To add just one address, type the same IP address in the From box and the To box.
3. In the Description box, type a description of the LAT entry, and then click OK.
Note: Because ISA Server overwrites the Msplat.txt file
at regular intervals with a new version that is
downloaded from the server, changes that you make on
the client file are lost when the server updates the file. If
the client must connect directly to locations that are not
in the Msplat.txt file, create a custom client LAT file. To
create a custom client LAT file, use a text editor to
create a file named Locallat.txt, and place the file in the
client Firewall Client folder. The Firewall Client then
uses both Msplat.txt and Locallat.txt to determine which
IP addresses are local. For more information about
Locallat.txt, see "Firewall Client components" in ISA
Server Help.
Adding Names to the LDT
Firewall clients use the LDT to determine whether to
perform a name resolution request directly or through
the ISA Server computer. If a name is in the LDT, the ISA
Server client computer resolves the name resolution
request directly by using a DNS server. If a name is not
in the LDT, the client forwards the request to the ISA
Server computer, which then resolves the name request
by passing the request to a DNS server on the Internet.
You can add entries to the LDT manually, if necessary.
To add entries to the LDT:
1. In ISA Management, in the console tree, expand Network Configuration, right-click Local Domain Table (LDT), point to New, and then click LDT Entry.
2. In the Name box, type the name of the local domain.
3. In the Description box, type a description of the LDT entry, and then click OK.
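The LAT and LDT decisions described above, as an added Python model that is not part of the course material: it parses LAT ranges (assumed to be one start/end address pair per line, mirroring the From and To boxes), merges Locallat.txt with Msplat.txt, tests whether an address is local, flags entries that reach outside private address space (the risk named in the caution above), and applies the LDT suffix rule for name resolution. The file contents, addresses and domain names are constructed samples.

```python
# Added example (not from the ISA Server course): how a Firewall client uses the
# LAT (Msplat.txt plus optional Locallat.txt) and the LDT to decide what is local.
# Assumption: a LAT line is "<start IP> <end IP>", mirroring the From/To boxes.
import ipaddress
from typing import Iterable, List, Tuple

IPRange = Tuple[ipaddress.IPv4Address, ipaddress.IPv4Address]

# Constructed sample file contents; the third Msplat.txt line is deliberately
# malformed (.300 is not a valid octet) to show that bad entries are rejected.
MSPLAT_TXT = (
    "192.168.100.1\t192.168.100.254\n"
    "10.0.0.0\t10.255.255.255\n"
    "192.168.100.200\t192.168.100.300\n"
)
LOCALLAT_TXT = "172.16.5.0\t172.16.5.255\n"   # administrator's custom entries
LDT = ["northwindtraders.com", "corp.local"]  # constructed local domain names


def parse_lat(text: str) -> Tuple[List[IPRange], List[str]]:
    """Parse LAT lines into (start, end) ranges; malformed lines are returned separately."""
    ranges: List[IPRange] = []
    bad: List[str] = []
    for raw in text.splitlines():
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        try:
            if len(parts) != 2:
                raise ValueError("expected two addresses")
            start, end = ipaddress.IPv4Address(parts[0]), ipaddress.IPv4Address(parts[1])
            if end < start:
                raise ValueError("end precedes start")
        except ValueError:
            bad.append(raw)
            continue
        ranges.append((start, end))
    return ranges, bad


def client_lat() -> Tuple[List[IPRange], List[str]]:
    """Combine the server-supplied Msplat.txt with the local Locallat.txt."""
    server_ranges, server_bad = parse_lat(MSPLAT_TXT)
    local_ranges, local_bad = parse_lat(LOCALLAT_TXT)
    return server_ranges + local_ranges, server_bad + local_bad


def is_local_address(ip: str, ranges: Iterable[IPRange]) -> bool:
    """True if ip is inside a LAT range, so the client connects directly."""
    addr = ipaddress.IPv4Address(ip)
    return any(start <= addr <= end for start, end in ranges)


def public_ranges(ranges: Iterable[IPRange]) -> List[IPRange]:
    """Flag LAT entries reaching outside RFC 1918 space: clients would bypass ISA Server for them."""
    flagged: List[IPRange] = []
    for start, end in ranges:
        networks = ipaddress.summarize_address_range(start, end)
        if not all(net.is_private for net in networks):
            flagged.append((start, end))
    return flagged


def resolves_directly(name: str, ldt: Iterable[str]) -> bool:
    """LDT check: names in a local domain are resolved by the client's own DNS
    server; any other name is handed to the ISA Server computer to resolve."""
    host = name.lower().rstrip(".")
    return any(host == d.lower() or host.endswith("." + d.lower()) for d in ldt)
```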
Maintaining Configuration Information
[Slide: the ISA Management console tree (Internet Security and Acceleration Server, Servers and Arrays, H323 Gatekeepers; array nodes Monitoring, Computer, Access Policy, Publishing, Bandwidth Rules, Policy Elements, Cache Configuration, Monitoring Configuration, Extensions, Network Configuration, Client Configuration) with the array context menu (Disconnect, Back Up..., Restore..., Promote..., View, Refresh, Export List..., Properties), the Backup Array dialog box (Store backup configuration in this location; Comment) and the Restore Array dialog box (Restore array configuration from the following backup (.BIF) file)]
ISA Server includes a backup and restore feature that
enables you to save and restore most stand-alone server
or array configuration information. You can back up the
stand-alone server or array configuration data and store it
locally in a file. You can save your configuration data to
any folder on the local computer.
Although a backup of the ISA Server configuration allows
you to quickly recover from configuration mistakes, the
backup does not contain all of the configuration data for
the ISA Server computer. To recover from a system
failure, you must also have a backup of your entire
computer configuration on tape or other storage medium.
Important: For maximum security, save the backup files
to an NTFS disk partition and set the appropriate
permissions to protect against unauthorized access.
Backing Up Configuration Information
When you perform a backup, you save configuration
information to a file on the ISA Server computer. This
information includes access policy rules, publishing
rules, policy elements, the alert configuration, the cache
configuration, and array properties.
To back up configuration information:
1. In ISA Management, in the console tree, right-click the stand-alone server or array that you want to back up, and then click Back Up.
2. In the Store backup configuration in this location box, type the directory and file name of the backup file in which to store the backup data, and then click OK.
Note: For more information about performing backups
on an ISA Server computer, see "backup.htm" in the
support\docs folder on the ISA Server compact disc.
Restoring a Configuration
If you backed up the array configuration, you can
restore the configuration. The restoration process
reconstructs most of the configuration parameters of
the stand-alone server or array.
To restore a stand-alone server or an array configuration:
1. In ISA Management, in the console tree, right-click the stand-alone server or array that you want to restore, and then click Restore.
2. Click Yes to acknowledge that the operation will replace the existing configuration.
3. In the Restore array configuration from the following backup (.BIF) file box, type the name of the directory in which the configuration backup file is located, and then click OK.
Managing Services
ISA Server Control Service - Starts other ISA Server services.
Firewall Service - Supports requests from Firewall clients and SecureNAT clients.
Web Proxy Service - Supports requests from Web browsers.
Scheduled Content Download - Downloads cache content from Web servers, according to the configured jobs.
H.323 Gatekeeper - Manages requests for applications that use audio, video, or application sharing.
You can manage most of the services and settings
associated with ISA Server from within ISA
Management. However, to start or to stop the Microsoft
ISA Server Control service, you must use Services on
the Administrative Tools menu.
ISA Server includes the following services:
ISA Server Control service. Starts the other ISA Server services, generates
alerts and runs the configured alert actions, synchronizes each member
server's configuration with the array, updates the client configuration files,
and deletes unused log files.
Firewall service. Supports requests from Firewall and SecureNAT
clients.
Web Proxy service. Supports requests from Web Proxy clients.
Microsoft Scheduled Cache Content Download service. Downloads
cache content from Web servers, according to the jobs that you
configure by using ISA Management.
H.323 Gatekeeper service. Manages requests for applications that
use audio, video, or application sharing, such as NetMeeting.
Starting and Stopping ISA Services
When one of the ISA Server services is not functioning
correctly, you may have to restart or shut down the
service. In addition, ISA Server may stop a service
because of an alert condition. You will have to restart
the service after resolving the condition that caused the
service to shut down.
Using ISA Management
To start or stop an ISA Server service in ISA Management:
1. In ISA Management, in the console tree, expand Monitoring, and then click Services.
2. In the details pane, click the applicable service, and then click Start a Service or Stop a Service.
Using Services
You use Computer Management to start and stop the
ISA Server Control service and the H.323 Gatekeeper.
To start or stop an ISA Server service by using
Services:
1. On the Administrative Tools menu, open Services.
2. In the details pane, right-click the applicable service, and then click Start or Stop.
Important: If you stop the ISA Server Control service,
Windows 2000 also stops all of the other ISA Server
services.
Lab B: Configuring ISA Server
Review
Installing ISA Server
Installing and Configuring ISA Server Clients
Maintaining ISA Server