Installing ISA Server 2004 Enterprise Edition – Part 1 – Installing and Configuring t
[LEFT][FONT=Times New Roman]With his first article for ISAserver.org, we would like to welcome ISA Server MVP Marc Grote who for the past two years has contributed many excellent articles to our sister site - MSExchange.org. This is the first article of a four part series which will show you how to install and configure ISA Server 2004 Enterprise Edition. In the first part Marc will show you how to install and configure the Configuration Storage Server.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Let's begin[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]For this article series we have the following configuration:[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Name | Role | Configuration[/FONT]
[FONT=Times New Roman]DEN-DC-01 | Windows 2003 Domain Controller | INTERNAL: 192.168.1.10[/FONT]
[FONT=Times New Roman]DEN-CSS-01 | Windows 2003 Member Server with ISA Server 2004 Configuration Storage Server | INTERNAL: 192.168.1.20[/FONT]
[FONT=Times New Roman]DEN-ISAEE-01 | Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall | INTRAARRAY: 192.168.0.1, INTERNAL: 192.168.1.1, EXTERNAL: 172.16.1.1[/FONT]
[FONT=Times New Roman]DEN-ISAEE-02 | Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall | INTRAARRAY: 192.168.0.2, INTERNAL: 192.168.1.2, EXTERNAL: 172.16.1.2[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Before we start installing the Configuration Storage Server on DEN-CSS-01, you need to know some basics about ISA Server 2004 Enterprise features and terminology.[/FONT]
[FONT=Times New Roman]Difference between ISA Server 2004 Standard and Enterprise[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]ISA Server 2004 Enterprise contains every feature of ISA Server 2004 Standard and the following additional features:[/FONT]
[FONT=Times New Roman]ISA Server 2004 Arrays with Configuration Storage Server [/FONT]
[FONT=Times New Roman]Enterprise and Array Policies [/FONT]
[FONT=Times New Roman]Integrated Network Load Balancing [/FONT]
[FONT=Times New Roman]Support for Cache Array Routing Protocol [/FONT]
[FONT=Times New Roman]Central Logging and Reporting [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]For this first article you have to know what a Configuration Storage Server is because we will install a Configuration Storage Server (CSS) on DEN-CSS-01.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]ISA Server 2004 Enterprise uses Configuration Storage Servers to store the ISA Server Array Firewall Policy. A single Configuration Storage Server can store Firewall Policies for multiple ISA Server 2004 Enterprise Edition Arrays, and these Arrays can be located anywhere in the organization. The Configuration Storage Server uses ADAM (Active Directory Application Mode). ADAM is an LDAP-compliant directory that runs as a non-operating-system service, so it does not require deployment on a domain controller. It is possible to run multiple instances of ADAM on a single server, and each instance can be configured independently.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]It is possible to deploy a Configuration Storage Server on a Domain Controller, on a Member Server, on the ISA Server itself or on a server in a workgroup. Each deployment method has its pros and cons. In this scenario we will deploy the Configuration Storage Server on a Windows Server 2003 Member Server. [/FONT]
[FONT=Times New Roman]CSS Installation[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Insert the ISA Server 2004 Enterprise CD and follow the installation instructions. You must choose Install Configuration Storage Server. This installs an ADAM instance on this computer which will be used to store the configuration of ISA Server Arrays. ISA Server Array Members will connect to the Configuration Storage Server to receive their configuration.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 1: Installation of a Configuration Storage Server[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]If you choose Install Configuration Storage Server you can see in Figure 2 that only the ISA Management Option and the Configuration Storage Server will be installed.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 2: Component Selection[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]On the next page we must select Create a new ISA Server Enterprise (Figure 3). This configuration option creates a new ISA Server Enterprise during the installation.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 3: Create a new ISA Server Enterprise[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 4 shows a warning message that Microsoft recommends deploying only a single Enterprise in your organization. Multiple Enterprises can be hard to manage. You can deploy multiple Arrays within one ISA Server Enterprise.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 4: Warning message when you install a new ISA Enterprise[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]The next step (Figure 5) is to name the new ISA Server Enterprise and enter a description for the new Enterprise.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 5: Enter a name and description for the new Enterprise[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]If you are using ISA Server 2004 Enterprise in a single domain or in domains with trust relationships, you must choose the setup option I am deploying in a single domain or in domains with trust relationships. ISA Server will then use Windows authentication. If you are using ISA Servers and Configuration Storage Servers in different domains without a trust relationship, or in a workgroup deployment, you must use certificates to establish a secure communication channel for authentication.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Attention:[/FONT]
[FONT=Times New Roman]Keep in mind that when you deploy ISA Server 2004 Enterprise in a workgroup environment you can use only one Configuration Storage Server. The following links may also interest you when you deploy ISA Server in a workgroup:[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]If you are using certificates in a workgroup deployment, you must use this tool to update the ADAM account settings so that they do not expire.[/FONT]
[FONT=Times New Roman]http://www.microsoft.com/downloads/details.aspx?FamilyID=1cbac3e5-acac-4613-9860-e1b760b9434f&DisplayLang=en[/FONT]
[FONT=Times New Roman]The second tool is ISACertTool.exe that helps you to do the following:[/FONT]
[FONT=Times New Roman]• Install a server certificate on the Configuration Storage server.[/FONT]
[FONT=Times New Roman]• Install a root certificate on each array member to indicate that it trusts the Certification Authority that issued the server certificate.[/FONT]
[FONT=Times New Roman]http://www.microsoft.com/downloads/details.aspx?FamilyId=F8F60164-C5A5-4716-9FF4-2D56C86506C3&displaylang=en[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 6: Set up the ISA Server 2004 deployment method[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]As its last step, ISA Server 2004 setup opens a web page from the ISA Server 2004 installation directory that guides you through additional steps to secure your Windows / ISA Server installation.[/FONT]
[FONT=Times New Roman]I also recommend reading the following articles from the Microsoft website:[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Hardening the Windows Infrastructure on the ISA Server 2004 Computer[/FONT]
[FONT=Times New Roman]http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/hardeningwindows.mspx[/FONT]
[FONT=Times New Roman]ISA Server 2004 Security Hardening Guide[/FONT]
[FONT=Times New Roman]http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/securityhardeningguide.mspx[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 7: Hardening the Windows Server / ISA Server infrastructure[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Before we install the ISA Server 2004 Array members, we must create a new ISA Server 2004 Array. To create a new ISA Server Array, start the ISA Server 2004 management console on the Configuration Storage Server, navigate to Arrays and create a new ISA Server Array.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 8: Create a new ISA Server Array[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]We will name the Array MainArray (Figure 9).[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 9: Name the ISA Server 2004 Array[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]The next page (Figure 10) asks you to enter the ISA Server Array's DNS name. You must enter a DNS-conformant FQDN (Fully Qualified Domain Name). You must create a corresponding A record in DNS so that Firewall clients and Web proxy clients can resolve the name correctly. If you are using NLB, you must enter the VIP (Virtual IP) as the IP address in DNS. I will give you more information about implementing NLB in another article. We will enter the Array's DNS name MainArray.cohovineyard.com.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 10: ISA Server Array's DNS name[/FONT]
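[FONT=Times New Roman]The addressing plan from the table at the top and the DNS requirement just described can be checked before anything is installed. The following Python script is an added example and is not part of the original article or of ISA Server: it loads the lab hosts from that table, verifies that every address is unique, that each array member's INTRAARRAY, INTERNAL and EXTERNAL interfaces sit on three separate subnets, that all members share one intra-array subnet and the Configuration Storage Server's internal subnet, and that the VIP chosen for the Array's A record lies inside the internal subnet without colliding with a host address. The /24 prefix length, the VIP 192.168.1.100 and the use of DEN-DC-01 as the DNS server are assumptions made for the example; the dnscmd /RecordAdd syntax is the standard Windows Server 2003 DNS command line.[/FONT]

```python
"""Added example: sanity checks on the lab addressing plan from the article
and the DNS A record the Array name needs.  Not part of the original
article.  The /24 prefix, the VIP and the DNS server name are assumptions."""
import ipaddress

# Constructed from the article's configuration table.
HOSTS = {
    "DEN-DC-01":    {"INTERNAL": "192.168.1.10"},
    "DEN-CSS-01":   {"INTERNAL": "192.168.1.20"},
    "DEN-ISAEE-01": {"INTRAARRAY": "192.168.0.1",
                     "INTERNAL": "192.168.1.1", "EXTERNAL": "172.16.1.1"},
    "DEN-ISAEE-02": {"INTRAARRAY": "192.168.0.2",
                     "INTERNAL": "192.168.1.2", "EXTERNAL": "172.16.1.2"},
}
ARRAY_MEMBERS = ["DEN-ISAEE-01", "DEN-ISAEE-02"]
CSS = "DEN-CSS-01"
ARRAY_FQDN = "MainArray.cohovineyard.com"   # from the article
ARRAY_VIP = "192.168.1.100"                 # assumed NLB VIP, not from the article
PREFIX = 24                                 # assumed subnet size for every network


def network(ip):
    """Subnet an address belongs to under the assumed prefix length."""
    return ipaddress.ip_interface(f"{ip}/{PREFIX}").network


def check_plan(hosts, members, css, vip):
    """Return a list of problems with the plan; an empty list means it is consistent."""
    errors = []
    # 1. every address in the plan must be unique
    seen = {}
    for name, nics in hosts.items():
        for role, ip in nics.items():
            if ip in seen:
                errors.append(f"{ip} used by both {seen[ip]} and {name}/{role}")
            seen[ip] = f"{name}/{role}"
    # 2. each array member needs all three roles, on three distinct subnets
    for m in members:
        nics = hosts[m]
        missing = {"INTRAARRAY", "INTERNAL", "EXTERNAL"} - set(nics)
        if missing:
            errors.append(f"{m} lacks {sorted(missing)}")
            continue
        if len({network(ip) for ip in nics.values()}) != 3:
            errors.append(f"{m}: INTRAARRAY/INTERNAL/EXTERNAL must be separate subnets")
    # 3. members share one intra-array subnet and reach the CSS on the internal subnet
    intra = {network(hosts[m]["INTRAARRAY"]) for m in members if "INTRAARRAY" in hosts[m]}
    if len(intra) > 1:
        errors.append("array members are on different intra-array subnets")
    css_net = network(hosts[css]["INTERNAL"])
    for m in members:
        if "INTERNAL" in hosts[m] and network(hosts[m]["INTERNAL"]) != css_net:
            errors.append(f"{m} is not on the CSS internal subnet {css_net}")
    # 4. the VIP for the Array's A record must be an unused address on the internal subnet
    if ipaddress.ip_address(vip) not in css_net:
        errors.append(f"VIP {vip} is outside the internal subnet {css_net}")
    if vip in seen:
        errors.append(f"VIP {vip} collides with {seen[vip]}")
    return errors


def dns_a_record(dns_server, fqdn, ip):
    """dnscmd command that creates the Array's A record on the given DNS server."""
    host, zone = fqdn.split(".", 1)
    return f"dnscmd {dns_server} /RecordAdd {zone} {host} A {ip}"


if __name__ == "__main__":
    problems = check_plan(HOSTS, ARRAY_MEMBERS, CSS, ARRAY_VIP)
    for p in problems:
        print("PROBLEM:", p)
    if not problems:
        print("plan is consistent; create the A record with:")
        print("  " + dns_a_record("DEN-DC-01", ARRAY_FQDN, ARRAY_VIP))  # DEN-DC-01 assumed to host DNS
```

Run it on the management workstation before starting the New Array Wizard; a reported collision or a VIP outside the internal subnet is cheaper to fix in the plan than after the Array is created and clients have cached the name.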
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]The next step is to specify which Enterprise Policy to apply to this Array. Because we have not created another policy, we use the Default Policy (Figure 11). You can create new policies at any time and associate them with an Array after installation. I will show you how to do this in another article on [url]www.isaserver.org[/url]. [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 11: Select the ISA Server Enterprise Policy for the new Array[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]On the following page you can select the types of Array Firewall Policy rules that can be created for this Array (Figure 12). This is a useful option to limit which rule types can be created at Array level.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 12: Select the types of Array Firewall Policy rules that can be created for this Array[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]After reading the summary of the New Array Wizard, click Finish. ISA Server now creates the new Array. This task can be time consuming (Figure 13).[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 13: Creating the new Array[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Click Apply (Figure 14) and you have successfully finished the new Array installation.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 14: Click Apply to save the changes and update the configuration[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]As you know, ISA Server 2004 uses System Policies, which allow certain communication between ISA Server and Active Directory servers, DNS servers, DHCP servers and many more. You must modify the System Policy to allow the ISA Server 2004 Array Members to access the Configuration Storage Server. If you want to know more about System Policies, read Tom Shinder's article "The ISA Firewall's Default Post Installation System Policy and Configuration" at the following website: [url]http://www.isaserver.org/articles/2004systempolicy.html[/url]. [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]You can find these settings in the System Policy Editor under Configuration Storage Server – Local Configuration Storage Server Access. Click Enable (Figure 15).[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 15: Enable Remote Configuration Storage Server Access[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Click From (Figure 15) in the System Policy Editor, select Managed ISA Server Computers and click Add to enter the names and IP addresses of the two ISA Server 2004 Enterprise Array members.[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Figure 16: Enter the name and IP-addresses for the Managed ISA Server Computers[/FONT]
[FONT=Times New Roman] [/FONT]
[FONT=Times New Roman]Click Apply to save the configuration changes. We are now ready to install the Firewall services, but this will be part of another article on [/FONT][URL="http://www.isaserver.org/"][U][FONT=Times New Roman][COLOR=#0000ff]www.isaserver.org[/COLOR][/FONT][/U][/URL][FONT=Times New Roman].[/FONT]
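[FONT=Times New Roman]Once the System Policy change has been applied, it is worth confirming from each future Array member that the Configuration Storage Server is actually reachable before running the firewall setup. The Python script below is an added example, not code from the article or from ISA Server. It attempts a plain TCP connection to the CSS on the ports its ADAM instance uses for LDAP and LDAP over SSL; the port numbers 2171 and 2172 are the product's documented defaults rather than something this article states, so treat them as an assumption to confirm against your own System Policy. The loopback listener in the script is a constructed stand-in used only to exercise the check without a real CSS.[/FONT]

```python
"""Added example (not from the article): confirm that a prospective Array
member can open TCP connections to the Configuration Storage Server.
Ports 2171 (LDAP) and 2172 (LDAP over SSL) are an assumption based on the
ISA Server 2004 EE defaults, not a value given in the article."""
import socket
import threading

CSS_HOST = "DEN-CSS-01"        # from the article's configuration table
CSS_PORTS = (2171, 2172)       # assumed CSS ADAM ports


def tcp_reachable(host, port, timeout=3.0):
    """True when a TCP handshake with host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:            # refused, timed out, or name did not resolve
        return False


def check_css(host, ports=CSS_PORTS):
    """Map each port to its reachability.  A False means the CSS service is
    down, the System Policy or another firewall blocks the path, or the
    CSS name does not resolve from this member."""
    return {port: tcp_reachable(host, port) for port in ports}


def _listener_for_demo():
    """Constructed stand-in for a CSS: accept-and-close loop on a free loopback port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def accept_loop():
        try:
            while True:
                conn, _ = srv.accept()
                conn.close()
        except OSError:
            pass

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv


def _free_port():
    """A loopback port with nothing listening on it (for the negative check)."""
    s = socket.socket()
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    for port, ok in check_css(CSS_HOST).items():
        print(f"{CSS_HOST}:{port} {'reachable' if ok else 'NOT reachable'}")
```

Run it on DEN-ISAEE-01 and DEN-ISAEE-02 with the real CSS name; a "NOT reachable" line points at name resolution, the Managed ISA Server Computers entry you just created, or an intermediate firewall, and is easier to diagnose now than as a failed array-member installation.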
[FONT=Times New Roman] [/FONT][/LEFT]