2 Overview Installing ISA Server Installing and Configuring ISA Server ClientsMaintaining ISA Server
3 Whether you deploy Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a dedicated firewall, a Web cache server, or an integrated solution, you must plan carefully to ensure that you have the required hardware and software. After you perform an ISA Server installation, you must configure client computers. Depending on the client operating systems and your specific requirements to control Internet access, you can choose to use the transparent SecureNAT technology or deploy the ISA Firewall Client software. You can also configure computers as Web proxy clients to improve browser performance.In addition, it is important to properly maintain ISA Server to ensure that all client computers have fast and secure access to the Internet.
4 After completing this module, you will be able to: Install ISA Server on a computer running Microsoft Windows® 2000 Server.Configure computers as Web proxy, Firewall, or SecureNAT clients for ISA Server.Perform administrative tasks for maintaining ISA Server.
5 Installing ISA Server Identifying Hardware and Software Requirements Identifying Pre-Installation TasksSelecting an Installation ModeSpecifying the Initial Cache SizeConfiguring the LATUpgrading from Microsoft Proxy Server 2.0Troubleshooting ISA Server Installation
6 Before you install ISA Server, you must set up the hardware and configure the software for the ISA Server computer. To help identify the choices that you will make during installation, review the pre-installation checklist before performing the installation. If you encounter problems during a new installation or an upgrade from Microsoft Proxy Server 2.0, see the Troubleshooting ISA Server Installation section.Note: You also can automate the installation of ISA Server. For more information about performing an unattended setup, see "Unattended setup" in ISA Server Help.
7 In this lesson you will learn about the following topics: Identifying hardware and software requirementsIdentifying pre-installation tasksSelecting an installation modeSpecifying the initial cache sizeConfiguring the LATUpgrading from Microsoft Proxy Server 2.0Troubleshooting ISA Server installation
8 Identifying Hardware and Software Requirements RAMWindows 2000 Server, Windows 2000 Advanced Server, or Windows DatacenterCPU300 MHz or higher256 MBInternal AdapterHard Disk Space20 MBExternal AdapterActive DirectoryHard Disk FormatNTFSArrays
9 Identifying hardware and software requirements ISA Server requirementsNote: The Active Directory™ directory service for Windows 2000 must be installed on your network to implement the array feature.
10 Forward Caching Requirements The following table lists the hardware configurations of a single ISA Server computer for the expected number of users who gain access to objects on the Internet.If the number of users exceeds 1,000 users, consider better-performing hardware for the ISA Server computer or add more ISA Server computers.
11 Reverse Caching Requirements The following table lists the hardware configurations of a single ISA Server computer for the expected number of requests from Internet, or external, users. The exact RAM requirements depend on the content that you are publishing. Ideally, all cacheable content should fit into memory.
12 Firewall Requirements The following table lists the hardware configurations for the expected rate of data transfer for Firewall and SecureNAT clients that gain access to objects on the Internet.Note: Although it is important to have the required hardware configuration, the rate of data transfer is highly dependent on the speed of your connection to the Internet.
13 Identifying Pre-Installation Tasks Locate CD KeySelect an Installation OptionSelect an Array to Join, If ApplicableSelect an Installation ModeConfigure a Drive to Use for the CacheConfigure Address Ranges for the LAT
14 Before installing ISA Server, test your network connectivity to minimize the need for troubleshooting connection problems after installation is complete.Important: Before installing ISA Server, ensure that the Windows 2000 routing table on the ISA Server computer is configured correctly. The internal adapter of the ISA Server computer must be able to route packets to all internal network destinations, and the external network adapter must be able to route packets to the Internet. To ensure proper routing, add explicit routes for all internal network destinations, and configure a default gateway on only the external network adapter.
15 When you install ISA Server, you must provide the following information: CD Key. This is the 10-digit number located on back of the CD-ROM case.Installation options. As part of the installation process, you can install options from the following ISA Server components:ISA Services. Controls access of network services for the traffic between networks. This component is required for the installation.Add-In Services. Includes the Microsoft H.323 Gatekeeper service, which allows Microsoft NetMeeting® or other H.323-compliant applications to reach users inside your network. The H.323 protocol is a set of standards that enable real-time multimedia conferencing and communications over packet-based networks. Also includes the Message Screener, which performs content filtering on incoming Simple Mail Transfer Protocol (SMTP) traffic. Both of these add-in services are optional.Administration Tools. Includes the ISA Server administration tools, which are required for the installation, and the H.323 Gatekeeper administration tools, which are optional.
16 Note: You can also install the administration tools separately on a computer running Windows 2000 Server or Microsoft Windows 2000 Professional to remotely administer a stand-alone ISA Server computer or one or more arrays of ISA Server computers.
17 When you install ISA Server, you must provide the following information:
18 Array selection. If you previously modified the Active Directory schema to initialize the enterprise, you can either select to create an enterprise array or can select an array to join. If you did not initialize the enterprise, ISA Server is installed in a stand-alone array, which contains only a single ISA Server computer.
19 Installation Mode. You can select to install ISA Server in Firewall mode, Cache mode, or Integrated mode.
20 Cache configuration. If you install ISA Server in Integrated or Cache mode, you must configure the drives to use for the cache.
21 Local Address Table (LAT) configuration Local Address Table (LAT) configuration. If you install ISA Server in Integrated or Firewall mode, you must configure the address ranges to include in the LAT. The LAT is a table containing all of the internal Internet Protocol (IP) address ranges that the network behind the ISA Server computer uses.Important: You must install Windows 2000 Service Pack 1 or later before you install ISA Server.
22 Selecting an Installation Mode Microsoft ISA Server StatusSelect the mode for this server:Firewall modeSelect this option to install enterprise firewall functionality.Cache modeSelect this option to install cache and Web hosting functionality.Cache mode installation is recommended only for computers that are not directly connected to the Internet. If this computer is directly connected to the Internet, install ISA Server in integrated mode.Integrated modeSelect this option to install integrated enterprise firewall, cache, and Web hosting functionality.Have graphic artist create Setup Information message box.Microsoft Internet Security and Acceleration Server SetupSetup has stopped your IIS publishing service (W3SVC). After Setup is complete, uninstall IIS or reconfigure all IIS sites not to use ports 80 and 8080.ContinueExit SetupHelpOKHelp
23 Before you can select an installation mode, you must launch the ISA Server installation program and enter the information described in the pre-installation checklist. As part of the setup process, you select the mode for ISA Server: Firewall, Cache, or Integrated. After you select the server mode, if you have Internet Information Services (IIS) installed and configured to use port 80 or port 8080, ISA Server Setup informs you that it will stop the IIS Web service.
24 To start the ISA Server installation: Insert the compact disc into the CD-ROM drive, or if you copied the contents of the ISA Server compact disc to a network location, open a command prompt window, and then run the ISAautorun.exe file.In the Microsoft ISA Server Setup window, select Install ISA Server, and then click Continue.Type the CD Key, and then click OK twice.Read the licensing agreement, and then if you agree, click I Agree.
25 Click one of the following installations, and then click OK: Typical Installation. Includes the most commonly used components.Full Installation. Includes all ISA Server components and extensions.Custom Installation. Includes the ISA Server components and extensions that you specify.If you are installing ISA Server Enterprise Edition and the computer is not part of a Windows 2000 domain, click Yes to install ISA Server as a stand-alone server.Click Firewall mode, Cache mode, or Integrated mode, and then click Continue.
26 When the Setup Information message prompts you to stop the IIS service, click OK. After the ISA Server installation is complete, uninstall IIS or configure all Web sites on the server to use a port other than port 80 or port 8080.Important: Setup stops the IIS Web service because its default listening port is 80, which ISA Server also uses. Because ISA Server listens on port 8080 and may listen on port 80, you must modify the listening port settings for IIS because two different services cannot bind to the same port.
27 Specifying the Initial Cache Size Microsoft Internet Security and Acceleration Server SetupSpecify the NTFS drives on which caches should be located and the maximum size of each cache.OKCancelDrive [File System] Maximum Size (MB)HelpC: [NTFS] 100C: [NTFS] 100Drive: C: [NTFS]Available space (MB)Cache size (MB): 100Total cache size (MB): 100MBInitial cache size is 100 MB. Add 0.5 MB for each Web Proxy client.Set
28 If you install ISA Server in Cache mode or in Integrated mode, the Setup program prompts you to select the drive for the cache location and the initial cache size. Select an NTFS-formatted hard disk of sufficient size to make the cache as large as possible. For optimal performance, select a hard disk that you use exclusively for caching. You can increase cache size later by allocating more empty disk space or by adding more disk volumes.
29 Consider the following settings when specifying the size of the cache: Default cache size. 100 MB if at least 150 MB of free disk space is available.Minimum cache size. Allocate at least one drive and 5 MB on that drive.Recommended cache size. Allocate at least 100 MB and add 0.5 MB for each Web Proxy client, rounded up to the nearest full megabyte.Note: Although Windows 2000 allows you to format a drive without assigning a drive letter, you cannot use a drive without a drive letter for ISA Server caching.
30 Configuring the LATMicrosoft Internet Security and Acceleration Server Setup1Click Construct Table to construct a local address table.Enter the IP address ranges that span the internal network address space.Internal IP ranges:EditFrom ToFromSelect options to add private IP address ranges or routing table entries.2Add->ToRemove->To construct a local address table, click Construct Table.Construct Table…Local Address TableSelect the address ranges (based on the Windows 2000 routing table) for inclusion in the local address table (LAT). The LAT should include all the addresses in you internal network.Add the following private ranges: 10.xxx, xx and xx xx and xx..Add address ranges based on the Windows 2000 Routing TableSelect the address ranges that are associated with the following internal network adapters:MS LoopBack Driver3Com EtherLink PCI (Micros…OKCancelHelpCard IP AddressesOKCancelHelpMicrosoft Internet Security and Acceleration Server SetupEnter the IP address ranges that span the internal network address space.Internal IP ranges:EditFrom ToFromAdd->ToRemove->Verify the IP addresses that display in the local address table.3To construct a local address table, click Construct Table.Construct Table…OKCancelHelp
31 The LAT is a table of all internal IP addresses The LAT is a table of all internal IP addresses. If you install ISA Server in Firewall mode or Integrated mode, you can configure the LAT during Setup. ISA Server uses the LAT to determine which IP addresses are inside an organization's network and assumes that all other IP addresses are external. ISA Server uses the LAT to control how computers on the internal network communicate with external networks. In addition, Firewall clients automatically download LAT updates from the ISA Server computer. Firewall clients use the LAT updates to determine which IP addresses they can directly connect to and which requests they need to forward to the ISA Server computer.
32 Overview of the LATISA Server can construct the LAT and add the following IP address ranges:Private IP addresses. ISA Server can add IP addresses that are reserved by the Internet Assigned Numbers Authority (IANA) for internal use. Many organizations use these addresses for internal addresses. These addresses include to , to , and to Add private IP addresses to the LAT only if you use private IP addressing on your network.Networks from the routing table. ISA Server adds all of the networks that your computer connects to by using one or more network adapters that you select. When adding entries from the routing table, ensure that the network adapter that is configured to connect to your internal network has the correct routing information for all network segments on your internal network.
33 To configure the LAT during Setup: Important: When configuring the LAT, add addresses on the private network only. Do not add the external interface of the ISA Server computer or any external addresses. In addition, never configure a network adapter with both an external IP address and an IP address that is in the LAT-doing so can cause ISA Server to incorrectly enforce security rules and can present a serious security risk.
34 In the Microsoft Internet Security and Acceleration Server 2000 Setup dialog box, click Table. Choose from the following options, and then click OK twice:To add private IP address ranges, select the Add the following private ranges check box.To add routing table entries, select the Add address ranges based on the Windows 2000 Routing Table check box, and then select the check box for the network adapter that is connected to your internal network.In the Internal IP ranges box, review the list of IP address ranges, make the following corrections if necessary, and then click OK:To remove an address range, in the Internal IP Ranges box, click the range, and then click Remove.To add an address range, in the Edit box, type the beginning and end addresses of the range, and then click Add.
35 After configuring the LAT, Setup copies all of the required files and completes all configuration steps. Unless you specify a different location during an unattended setup, Setup installs ISA Server in the C:\Program Files\Microsoft ISA Server folder.
36 Upgrading from Microsoft Proxy Server 2.0 Upgrading from Microsoft Windows NTProxy Server 2.0Upgrade to Windows 2000ISA Server 2000ServerSOCKS RulesComparing Proxy 2.0 and ISA Server ConfigurationsPublishingCache ContentSOCKS RulesIPX ProtocolProxy Server 2.0Proxy Server 2.02.0Winsock Proxy ClientSecureNAT Client2000ISA ServerISA ServerUpgrading Client ComputersClient RequestsWinsock Proxy Clients and Firewall ClientsISA ServerPort 80Proxy Server 2.0Port 8080
37 ISA Server supports a full migration path for Microsoft Proxy Server 2 ISA Server supports a full migration path for Microsoft Proxy Server 2.0 users. Setup migrates most Proxy Server 2.0 rules, network settings, monitoring configurations, and cache configurations to ISA Server when you perform an upgrade.Before migrating from Proxy Server 2.0, review "PreMigrationConsiderations.htm" on the ISA Server compact disc and review the following sections in ISA Server Help: "Checklist: Migrating from Microsoft Proxy Server 2.0" and "Migrating from Microsoft Proxy Server 2.0.“Important: It is recommended that you perform a full backup of the current Proxy Server 2.0 settings before the upgrade and that you disconnect the computer to be upgraded from the Internet during the installation.
38 Upgrading from Microsoft Windows NT 4 Upgrading from Microsoft Windows NT You can install ISA Server on only computers running Windows 2000 Server with Service Pack 1 installed. If you are currently running Proxy Server 2.0 on Microsoft Windows NT® 4.0, you must complete the following steps:
39 Stop and disable all Proxy Server services including: Microsoft Winsock Proxy Service (wspsrv)Microsoft Proxy Server Administration (mspadmin)Proxy Alert Notification Service (mailalrt)World Wide Web Publishing Service (w3svc)If Proxy Server 2.0 is installed as an array, remove the server running Proxy Server 2.0 from the array.Perform the upgrade to Windows During the upgrade to Windows 2000, you may receive a message indicating that Proxy Server 2.0 will not work on a computer running Windows You can disregard this message and continue installing ISA Server.Install Windows 2000 Service Pack 1.Begin installing ISA Server.
40 Comparing Proxy Server 2.0 and ISA Server Configurations When you upgrade to ISA Server, most rules, network settings, monitoring configurations, and cache configurations in Proxy Server 2.0 are migrated to ISA Server. The differences and exceptions between Proxy Server 2.0 and ISA Server are listed as follows:
41 Publishing. Proxy Server 2 Publishing. Proxy Server 2.0 requires that you configure publishing servers as Winsock Proxy clients. ISA Server allows you to publish internal servers without requiring any special configuration or software installation on the publishing server. Instead, ISA Server recognizes the publishing servers as SecureNAT clients.
42 Cache. Proxy Server 2.0 cache content is not migrated because of the vastly different cache storage engine in ISA Server. ISA Server Setup deletes Proxy Server 2.0 cache content and initializes the new storage engine based on existing cache and drive settings.
43 SOCKS. ISA Server policy does not support the migration of Proxy Server 2.0 SOCKS rules. ISA Server includes the SOCKS applications filter, which allows client SOCKS applications to communicate with the network by using the applicable array or enterprise policy to determine if the client request is allowed.
44 Internet Protocol Exchange (IPX) Protocol Internet Protocol Exchange (IPX) Protocol. ISA Server does not support the IPX protocol.
45 Upgrading Client Computers After you install ISA Server, you may have to upgrade your client computers:Winsock Proxy clients. Because both the Winsock Proxy Client that is included with Proxy Server 2.0 and the Firewall Client that is included with ISA Server are compatible with both server products, you can upgrade client computers at any time after installing ISA Server and maintain a mixed environment during migration.Web Proxy clients. Proxy Server 2.0 uses port 80 for client Hypertext Transfer Protocol (HTTP) requests. By default, ISA Server uses port Therefore, you must configure all downstream chain members and browsers that connect to the ISA Server computer to connect to port Alternatively, you can configure ISA Server to use port 80 for client HTTP requests.
46 Troubleshooting ISA Server Installation Problems Err orLAT Contains Inaccurate Information After InstallationYou Cannot Connect to Internet Resources After InstallationErr orISA Server Presents Error Messages During InstallationErr orYou Cannot Find Array to Join During InstallationErr orUsers Can Gain Access to Internet Without Defined RulesErr orUsers Cannot Connect to Resources After Upgrading from Proxy Server 2.0Err or
47 The following list includes common installation problems and solutions:
48 The LAT that the Setup program generates is incorrect The LAT that the Setup program generates is incorrect. Always double-check the LAT that the Setup program generates before you continue and make any required changes. The automatically generated LAT depends on a correct and complete configuration of your routing table.
49 You are unable to connect to Internet resources immediately after installing ISA Server. This result is expected. Before you can fully test your configuration, you must configure access rules.
50 ISA Server presented one or more error messages during installation ISA Server presented one or more error messages during installation. Review the event logs in Windows for more information about the errors. Remove ISA Server by using Add/Remove Programs in Control Panel, and then reinstall it. If you cannot remove ISA Server by using Add/Remove Programs, use the RMISA.exe program, which is located in the \isa\i386 folder on the ISA Server compact disc.
51 You cannot join an array because the installation program cannot find the array. Ensure that the computer can communicate with the other array members and a domain controller for the current domain.
52 Users can gain access to Internet sites even though you have not defined rules that allow access. Your LAT may not be configured correctly. Ensure that the LAT contains only internal IP addresses.
53 After upgrading from Proxy Server 2 After upgrading from Proxy Server 2.0, client computers can no longer connect to Internet resources. Change the port that Web Proxy clients use to gain access to the ISA Server computer or configure automatic discovery for clients. ISA Server uses port 8080 for client connections, whereas Proxy Server 2.0 uses port 80.Tip: The "Troubleshooting" section of ISA Server Help contains information about solving other common problems.
54 Installing and Configuring ISA Server Clients Client OverviewConfiguring Web Proxy ClientsConfiguring SecureNAT ClientsInstalling and Configuring Firewall ClientsTroubleshooting Client Installation
55 Before you deploy or configure clients for ISA Server, you must consider the requirements of your organization. Some of the considerations include the level of access control required, the operating systems installed on client computers, the applications and services that your internal clients will use, and how you will publish servers on your internal network. If you encounter problems while installing or configuring clients, see the Troubleshooting Client Installation section.
56 In this lesson you will learn about the following topics: Client overviewConfiguring Web Proxy clientsConfiguring SecureNAT clientsInstalling and Configuring Firewall ClientsTroubleshooting Client Installation
57 Client Overview Internet ISA Server SecureNAT Client Web Proxy Client Do not require you to deploy client software or configure client computers.ISA ServerWeb Proxy ClientImprove the performance of Web requests for internal clients.Firewall ClientAllow Internet access only for authenticated users.
58 ISA Server supports three types of clients: Web Proxy clients, SecureNAT clients, and Firewall clients.
59 Comparing ISA Server Clients The following list describes the features of each type of ISA Server client:Web Proxy clientsSecureNAT clientsFirewall clients
60 Web Proxy clients. Improve the performance of Web requests Web Proxy clients. Improve the performance of Web requests. A Web Proxy client sends requests directly to the ISA Server computer, but Internet access is limited to the browser. You can configure most Web browsers that support HTTP 1.0 and HTTP 1.1 clients as Web Proxy clients. Other applications, such as streaming media client applications, can also function as Web Proxy clients.
61 SecureNAT clients. Provide security and caching of HTTP requests, but do not allow for user-level authentication. SecureNAT clients can support most Transmission Control Protocol/Internet Protocol (TCP/IP) protocols, including Internet Control Message Protocol (ICMP). To configure a SecureNAT client, you configure the client computer to route all packets to the Internet through the ISA Server computer. You typically do this by setting the default gateway on the client computer to the IP address of the ISA Server computer. Because a SecureNAT client requires no configuration other than changing the default gateway, any computer that uses the TCP/IP protocol can be a SecureNAT client.
62 Important: Some protocols and applications require secondary connections. For example, when you use the File Transfer Protocol (FTP) protocol, by default the client initiates a primary connection to the server, and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not contain the appropriate application filter for a protocol or application, SecureNAT clients cannot use this protocol or application.
63 Firewall clients. Restrict access on a per-user basis for outbound access for requests that use the TCP and User Datagram Protocol (UDP) protocols. To configure a Firewall client, you must install the Firewall Client software on each client computer. You can install the Firewall Client software on computers running Microsoft Windows Millennium Edition, Microsoft Windows 95 OSR2, Microsoft Windows 98, Windows NT 4.0, or Windows 2000 only.Important: You can configure a computer to use multiple client types simultaneously. For example, you can configure a computer as a Web Proxy client for requests that are issued from within a browser, as a Firewall client to forward all requests from Winsock applications that use the TCP and UDP protocols, and as a SecureNAT client for all other protocols, such as ICMP.
64 Determining Which ISA Clients to Use Use the following guidelines to determine which clients to deploy for ISA Server.
65 If you want toThen useImprove the performance of Web requests for internal clientsWeb Proxy clientsAvoid deploying client software or configuring client computersSecureNAT clients. SecureNAT clients do not require any software or specific configurationImprove Web performance in an environment with non- Microsoft operating systemsSecureNAT clients. SecureNAT client requests are transparently passed to the Microsoft Firewall service and then to the caching service for cachingPublish servers that are located on your internal networkSecureNAT clients. You can publish internal servers to make them available to external users. When you publish internal servers, you configure the servers as SecureNAT clients. Because the published servers are SecureNAT clients, you do not need to configure settings on the published server. Microsoft does not recommend configuring published servers as Firewall clientsAllow Internet access for only authenticated usersFirewall clients or Web Proxy clients. You can configure user-based access policy rules for Firewall clients and Web Proxy clients
66 Configuring Web Proxy Clients Local Area Network (LAN) SettingsAutomatic configurationAutomatic configuration may override manual settings. To ensure the use of manual settings, disable automatic configuration.Automatically detect settingsUse automatic configuration script2Type the IP address or name of the ISA Server computer in the Address box.1Select the Use a proxy server check box.Proxy Server3Use a proxy serverType the port number in the Port box, and then click OK.Address:Port:8080Bypass proxy server for local addressesOKCancel
67 You do not need to install any software to configure Web Proxy clients You do not need to install any software to configure Web Proxy clients. However, you must configure the Web browser on the client computer to use the ISA Server computer as the proxy server. Other applications that use Web protocols may also be able to function as Web Proxy clients. Some of these applications can obtain their configuration settings from your Web browser. Others may require additional configuration steps. The exact configuration steps for configuring ISA Server depend on the Web browser that you use.Important: Web browser helper applications that use protocols other than HTTP, such as Microsoft Windows Media™ Player, do not use ISA Server to connect to the Web. To allow helper applications to connect to the Web, you must use the SecureNAT client or the Firewall client in addition to the Web Proxy client.
68 To configure Microsoft Internet Explorer 5 or later to use the Microsoft Web Proxy service: Open the Properties dialog box for Internet Explorer. On the Connections tab, click LAN Settings, and then in the Local Area Network (LAN) Settings dialog box, select the Use a proxy server check box.In the Address box, type a valid path to the ISA Server computer.In the Port box, type the port number that the ISA Server computer uses for Web Proxy client connections, which is 8080 by default, and then click OK twice.
69 If you want your Web browser to bypass the ISA Server computer when connecting to local computers, you can also select the Bypass proxy server for local addresses check box. Bypassing the ISA Server computer for local computers may improve Web browser performance.
70 Configuring SecureNAT Clients Configuring Clients on Networks That Do Not Use RoutersConfiguring Clients on Networks That Use RoutersResolving Names for SecureNAT Clients
71 Although SecureNAT clients do not require specific software, you must configure SecureNAT clients to route all network traffic to the Internet through the ISA Server computer. How you configure the client computer depends on whether your network uses routers between the ISA Server computer and the SecureNAT clients.
72 Configuring Clients on Networks That Do Not Use Routers To configure SecureNAT clients on a network without routers, set the SecureNAT client's IP default gateway settings to the IP address of the ISA Server computer's internal network adapter by manually changing the default gateway setting or by using Dynamic Host Configuration Protocol (DHCP).
73 Configuring Clients on Networks That Use Routers To configure SecureNAT clients on a network with routers, set the default gateway settings to the router closest to the SecureNAT client. Ensure that the router is configured to forward IP packets to the Internet so that all packets are routed through the ISA Server computer. Optimally, routers should use a default gateway that routes along the shortest path to the ISA Server computer.In addition, do not configure routers to discard packets destined for addresses outside of the internal network. The ISA Server computer will determine how to route these packets.
74 Resolving Names for SecureNAT Clients To configure SecureNAT clients on a network without routers, set the SecureNAT client's IP default gateway settings to the IP address of the ISA Server computer's internal network adapter by manually changing the default gateway setting or by using Dynamic Host Configuration Protocol (DHCP).If clients request data fromThenInternet and internal serversUse a DNS server on the internal network. Ensure that the internal server can resolve both internal and Internet addresses.Internet onlyConfigure SecureNAT clients to use a DNS server on the Internet.
75 Installing and Configuring Firewall Clients ISA ServerGroup PolicyMSPClnt\Setup.exeWebinst/default.htmClient Computer
76 You can install the Firewall Client software on client computers from a shared folder or from a Web location. You can also use Windows 2000 Group Policy to centrally distribute the Firewall Client software to client computers. For all installation methods, you must install the Firewall Client software from the installation point on the ISA Server computer so that the client computer receives all of the required configuration information.Important: Do not install the Firewall Client software on the ISA Server computer. It is not recommended that you use this configuration because the operations of the Firewall client may interfere with the operations of ISA Server when both are running on the same computer.
77 Installing from a Shared Folder When you run the ISA Server Setup program, it automatically creates a folder named Program Files\Microsoft ISA Server\Clients, copies the client installation files to this location, and then shares that folder as MSPClnt. By default, the Firewall Client Setup program installs the Firewall Client in the C:\Program Files\Microsoft Firewall Client folder. You can select a different folder during Setup.To install the Firewall Client software from the shared folder:Use Windows Explorer to connect to \\server\MSPClnt (where server is the name of the ISA Server computer).Run Setup.exe from that location, and then follow the on-screen instructions.
78 Installing from a Web Location To install the Firewall Client software from a Web location:Copy the Default.htm and Setup.bat files from the Program Files\Microsoft ISA Server\Clients\WEBINST folder to a Web server.Use a Web browser to connect to the Web server, and then display Default.htm.Start the Setup program by doing one of the following:If you are using Internet Explorer, click the Firewall Client software link.If you are using Netscape Navigator, follow the instructions to save Setup.bat to your hard drive, and then run Setup.bat from a command prompt.Note: For most Winsock applications, the default Firewall client configuration works with no further modification. However, in some cases, you may have to modify the client configuration information. For more information about configuring Firewall client settings, see "Advanced Firewall client configuration" in ISA Server Help.
79 Installing by Using Group Policy To install the Firewall Client software by using a group policy, assign the Windows Installer package MS_FWC.msi in the shared folder \\isa_server\Mspclnt to the users that require the Firewall client.
80 Using the Firewall Client The Firewall client is transparent to applications and users. By default, an icon on the taskbar appears when a user has the Firewall Client software installed, and the appearance of this icon indicates the status of the connection to the ISA Server computer.You can use Firewall Client in Control Panel to disable the Firewall client, control whether the taskbar icon appears, and update Firewall configuration information from the ISA Server computer.Tip: The Firewall client automatically detects when there is no connection to the ISA Server computer. When the Firewall client detects that there is no connection, it automatically disables itself so that the client computer connects to Internet resources directly. This action allows users to move a computer, without having to reconfigure the Firewall client, between an office location that uses ISA Server and a home location in which ISA Server is not installed.
81 Troubleshooting Client Installation Cannot Connect to Internet After Installing Firewall Client SoftwareErr orCannot Connect to Internet After Configuring Web Proxy ClientErr orCannot Gain Access to Internet Sites From a Client ComputerErr or
82 Common client installation problems and possible solutions are as follows: You can no longer connect to Internet resources immediately after installing the Firewall Client softwareYou can no longer connect to Internet resources immediately after configuring the Web Proxy clientYou cannot gain access to Internet sites from a client computer
83 You can no longer connect to Internet resources immediately after installing the Firewall Client software. Before attempting other methods of troubleshooting, update the Firewall client by using the most recent ISA Server configuration. To update the client, in Control Panel, click Update Now in the Firewall Client program.
84 You can no longer connect to Internet resources immediately after configuring the Web Proxy client. Ensure that your computer can communicate with the ISA Server computer and that your access rules allow you to gain access to the Internet.
85 You cannot gain access to Internet sites from a client computer You cannot gain access to Internet sites from a client computer. Attempt to isolate the problem by answering the following questions:Can you gain access to internal resources?Can you gain access to external Web-based resources?Can you gain access to external resources by using Winsock-based applications?Can you gain access to external resources by using SecureNAT?
86 The most important part of troubleshooting client connection problems is isolating the problem, which includes identifying which client component is involved. For example, if you can gain access to Web-based resources but Winsock-based applications do not work, you may need to reconfigure application settings for the Firewall client. If you cannot gain access to either internal or external resources, the problem may be unrelated to ISA Server and you will have to examine your network configuration.Note: For more information on troubleshooting client connection problems, see "Troubleshooting client connections" in ISA Server Help.
87 Lab A: Installing ISA Server and Configuring Clients
88 Objectives After completing this lab, you will be able to: Install ISA Server.Install the ISA Server administration tools.Configure a Web Proxy client.Configure a SecureNAT client.
89 Prerequisites Before working on this lab, you must have: Experience using Microsoft Management Console (MMC).Knowledge about how to configure network settings in Windows 2000.Knowledge about the characteristics of the different ISA Server clients.
90 ScenarioNorthwind Traders wants to secure all Internet access for internal users by using ISA Server. To accomplish this, you must install ISA Server and configure client computers as Web proxy, Firewall, and SecureNAT clients.
91 Exercise 1: Installing ISA Server In this exercise, ISA Server will be installed in Integrated mode.
92 ScenarioThe security policy of Northwind Traders requires that the internal network be separated from the Internet by using a firewall. Also, because they anticipate an increase in outgoing Internet traffic in the future, they decide to use Web caching to increase the amount of network traffic that the Internet connection can process. To improve security and performance, ISA Server will be installed.Installing ISA Server
93 Exercise 2: Installing ISA Server Administration Tools In this exercise, ISA Server administration tools will be installed.
94 Installing ISA Server Administration Tools ScenarioNow that ISA Server is installed, it is decided to remotely administer the ISA Server computer. To do this, ISA Management and the H.323 Gatekeeper Administration tool will be installed on another computer in the network.Installing ISA Server Administration Tools
95 Exercise 3: Configuring a Web Proxy Client In this exercise, Internet Explorer will be configured as a Web Proxy client that is configured to use the ISA Server computer for Internet requests. This configuration will then be tested.
96 Configuring a Web Proxy Client ScenarioISA Server has been installed in your organization to improve the efficiency and security of all Internet access. Before users can use Internet Explorer to gain access to Web sites, Internet Explorer must be configured as a Web Proxy client on all of the users' computers.Configuring a Web Proxy Client
97 Exercise 4: Installing the Firewall Client In this exercise, the Firewall Client will be installed. This configuration will then be tested.
98 Installing the Firewall Client ScenarioNorthwind Traders wants to control Internet use by employees by using ISA Server. Components of the access policy require that access be controlled based on user accounts. To accomplish this task, the Firewall client must be installed on all computers running Windows 2000.Installing the Firewall Client
99 Exercise 5: Configuring a SecureNAT Client In this exercise, a client computer will be configured as a SecureNAT client.
100 Configuring a SecureNAT Client ScenarioThe network at Northwind Traders contains client computers that are running different operating systems. It must be ensured that all client computers can gain access to the Internet through the ISA Server computer. To accomplish this task, all client computers will be configured as SecureNAT clients.Configuring a SecureNAT Client
101 Maintaining an ISA Server Array Using the ISA ManagementMaintaining the LAT and LDTMaintaining Configuration InformationManaging Services
102 ISA Server contains administrative and management tools to help you configure and maintain ISA Server as a stand-alone server or an array. ISA Server uses the LAT and the local domain table (LDT) to manage internal and external connections. You can add IP address and domain information manually to both server and client computers. After you configure ISA Server, you can use the backup feature to save configuration data. When you restore the ISA Server configuration, all ISA Server services are stopped. Therefore, it is important to know the services that are associated with ISA Server and how to manage those services.
103 In this lesson you will learn about the following topics: Using ISA ManagementMaintaining the LAT and LDTMaintaining Configuration InformationManaging Services
104 Using ISA Management Getting Started Welcome Action ViewTreeLarge IconsSmall IconsListDetailTaskpadWelcomeWelcome to the Microsoft Internet Security and Acceleration (ISA) Server Getting Started Wizard.This wizard will assist you in finishing the setup process and help you to define and configure initial ISA Server policies, to connect and protect your internal network.To navigate through the wizard, click Next.To quit the wizard, click Finish. Click the Help button for more information on specific tasks.HelpNextAdvancedCustomize…Getting StartedSelect policy elementsConfigure SchedulesConfigure Client SetsConfigure Protocol RulesConfigure Destination SetsConfigure Site and Content RulesSecure ServerConfigure Firewall ProtectionConfigure Dial-Up EntriesConfigure Routing for Firewall and SecureNAT ClientsConfigure Routing for Web Browser ApplicationsConfigure Cache PolicyExit the Getting Started WizardFinishManagement with tasks
105 Using ISA ManagementISA Management is an MMC snap-in that you use to administer ISA Server. ISA Management includes graphical taskpads and wizards that help simplify navigation and configuration of common tasks. ISA Management also includes the Getting Started Wizard to help you configure policies after installation.
106 Using the Getting Started Wizard You can run the Getting Started Wizard when you first start ISA Server after installation. The Getting Started Wizard guides you through the steps of defining and configuring initial enterprise and array policies.
107 Using Taskpads and Advanced Views You can run ISA Management in Taskpad view or in Advanced view. Taskpads contain shortcuts for performing the most common configuration tasks in the details pane of ISA Management. Taskpad view is the default view in ISA Management and simplifies many common configuration steps. However, you can complete some less commonly performed tasks in Advanced view only.To use Advanced view, on the View menu of ISA Management, click Advanced. To change back to Taskpad view, click Taskpad.Important: The taskpads and wizards in ISA Server are powerful tools that enable you to configure settings quickly and easily. Before performing any configuration changes, ensure that you understand the implications of the action that you are about to perform, including the functionality of protocols that you may want to set.
108 Maintaining the LAT and LDT Msplat.txtInternetISA ServerClientsMsplat.txt
109 ISA Server uses the LAT and the LDT to determine if an IP address or computer name is on the internal network. The LAT contains IP address ranges that define your internal network address space. The LDT lists all of the domain names in the internal network that are served by the ISA Server computer. You can add entries to both the LAT and LDT in ISA Management. On the Firewall client, the Msplat.txt file contains a copy of the LAT. Firewall clients update the Msplat.txt file with the current settings from the ISA Server computer at startup and then every six hours thereafter.
110 Adding IP Addresses to the LAT The LAT created during Setup may not contain all of your organization's IP addresses. In addition, your network address configuration may change after you install ISA Server. After Setup, you can add these addresses manually, if necessary. ISA Server stores the LAT information in the file C:\Program Files\Microsoft ISA Server\Clients\Msplat.txt. Clients copy the LAT to the folder in which the Firewall Client software is installed.Caution: Never add IP addresses to the LAT that are not on your internal network. Adding addresses to the LAT that are not on your internal network may cause connection problems for client computers and could compromise the security of your network.
111 To add IP addresses to the LAT: In ISA Management, in the console tree, expand Network Configuration, right-click Local Address Table (LAT), point to New, and then click LAT Entry.In the From box, type the first IP address in the range of addresses to add to the LAT, and then in the To box, type the last IP address in the range of addresses to add to the LAT. To add just one address, type the same IP address in the From box and the To box.In the Description box, type a description of the LAT entry, and then click OK.
112 Note: Because ISA Server overwrites the Msplat Note: Because ISA Server overwrites the Msplat.txt file at regular intervals with a new version that is downloaded from the server, changes that you make on the client file are lost when the server updates the file. If the client must connect directly to locations that are not in the Msplat.txt file, create a custom client LAT file. To create a custom client LAT file, use a text editor to create a file named Locallat.txt, and place the file in the client Firewall Client folder. The Firewall Client then uses both Msplat.txt and Locallat.txt to determine which IP addresses are local. For more information about Locallat.txt, see "Firewall Client components" in ISA Server Help.
113 Adding Names to the LDTFirewall clients use the LDT to determine whether to perform a name resolution request directly or through the ISA Server computer. If a name is in the LDT, the ISA Server client computer resolves the name resolution request directly by using a DNS server. If a name is not in the LDT, the client forwards the request to the ISA Server computer, which then resolves the name request by passing the request to a DNS server on the Internet. You can add entries to the LDT manually, if necessary.
114 To add entries to the LDT: In ISA Management, in the console tree, expand Network Configuration, right-click Local Domain Table (LDT), point to New, and then click LDT Entry.In the Name box, type the name of the local domain.In the Description box, type a description of the LDT entry, and then click OK.
115 Maintaining Configuration Information ISA ManagementAction ViewTreeNameMonitoringComputerAccess PolicyPublishingBandwidth RulesPolicy ElementsCache ConfigurationMonitoring ConfigurationExtensionsNetwork ConfigurationClient ConfigurationInternet Security and Acceleration ServerServers and ArraysH323 GateDisconnectBack Up…Restore…Promote…Backup ArrayStore backup configuration in this location:Browse…ViewRefreshExport List…Comment:PropertiesOKCancelRestore ArrayRestore array configuration from the following backup (.BIF) file:Browse…OKCancel
116 ISA Server includes a backup and restore feature that enables you to save and restore most stand-alone server or array configuration information. You can back up the stand-alone server or array configuration data and store it locally in a file. You can save your configuration data to any folder on the local computer.Although a backup of the ISA Server configuration allows you to quickly recover from configuration mistakes, the backup does not contain all of the configuration data for the ISA Server computer. To recover from a system failure, you must also have a backup of your entire computer configuration on tape or other storage medium.Important: For maximum security, save the backup files to an NTFS disk partition and set the appropriate permissions to protect against unauthorized access.
117 Backing Up Configuration Information When you perform a backup, you save configuration information to a file on the ISA Server computer. This information includes access policy rules, publishing rules, policy elements, the alert configuration, the cache configuration, and array properties.
118 To back up configuration information: In ISA Management, in the console tree, right-click the stand-alone server or array that you want to back up, and then click Back Up.In the Store backup configuration in this location box, type the directory and file name of the backup file in which to store the backup data, and then click OK.Note: For more information about performing backups on an ISA Server computer, see "backup.htm" in the support\docs folder on the ISA Server compact disc.
119 Restoring a Configuration If you backed up the array configuration, you can restore the configuration. The restoration process reconstructs most of the configuration parameters of the stand-alone server or array.
120 To restore a stand-alone server or an array configuration: In ISA Management, in the console tree, right-click the stand-alone server or array that you want to restore, and then click Restore.Click Yes to acknowledge that the operation will replace the existing configuration.In the Restore array configuration from the following backup (.BIF) file box, type the name of the directory in which the configuration backup file is located, and then click OK.
121 Managing Services ISA Server Control Service Starts other ISA Server services.Firewall ServiceSupports requests from Firewall clients and SecureNAT clients.Web Proxy ServiceSupports requests from Web browsers.Scheduled Content DownloadDownloads cache content from Web servers, according to the configured jobs.H.323 GatekeeperManages requests for applications that use audio, video, or application sharing.
122 You can manage most of the services and settings associated with ISA Server from within ISA Server Management. However, to start or to stop the Microsoft ISA Server Control service, you must use Services on the Administrative Tools menu.
123 ISA Server includes the following services: ISA Server Control service. Starts the other ISA services, generates alerts and running actions, synchronizes each member server's configuration with the array, updates the client configuration files, and deletes unused log files.Firewall service. Supports requests from Firewall and SecureNAT clients.Web Proxy service. Supports requests from Web Proxy clients.Microsoft Scheduled Cache Content Download service. Downloads cache content from Web servers, according to the jobs that you configure by using ISA Management.H.323 Gatekeeper service. Manages requests for applications that use audio, video, or application sharing, such as NetMeeting.
124 Starting and Stopping ISA Services When one of the ISA Server services is not functioning correctly, you may have to restart or shut down the service. In addition, ISA Server may stop a service because of an alert condition. You will have to restart the service after resolving the condition that caused the service to shut down.
125 Using ISA ManagementTo start or stop an ISA Server service in ISA Management:In ISA Management, in the console tree, expand Monitoring, and then click Services.In the details pane, click the applicable service, and then click Start a Service or Stop a Service.
126 Using ServicesYou use Computer Management to start and stop the ISA Server Control service and the H.323 Gatekeeper.To start or stop an ISA Server service by using Services:On the Administrative Tools menu, open Services.In the details pane, right-click the applicable service, and then click Start or Stop.Important: If you stop the ISA Server Control service, Windows 2000 also stops all of the other ISA Server services.