With his first article for ISAserver.org, we would like to welcome ISA Server MVP Marc Grote who for the past two years has contributed many excellent articles to our sister site - MSExchange.org. This is the first article of a four part series which will show you how to install and configure ISA Server 2004 Enterprise Edition. In the first part Marc will show you how to install and configure the Configuration Storage Server.

Let's begin

For this article series we have the following configuration:





Windows 2003 Domain Controller



Windows 2003 Member Server with ISA Server 2004 Configuration Storage Server



Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall





Windows 2003 Member Server with ISA Server 2004 Enterprise Firewall




Before we start installing the Configuration Storage Server on DEN-CSS-01, you need to know some basics about ISA Server 2004 Enterprise features and terminology.
Difference between ISA Server 2004 Standard and Enterprise

ISA Server 2004 Enterprise contains every feature of ISA Server 2004 Standard and the following additional features:
ISA Server 2004 Arrays with Configuration Storage Server
Enterprise- and Array-Policies
Integrated Network Load Balancing
Support for Cache Array Routing Protocol
Central Logging and Reporting

For this first article you have to know what a Configuration Storage Server is because we will install a Configuration Storage Server (CSS) on DEN-CSS-01.

ISA Server 2004 Enterprise uses Configuration Storage Servers to store the ISA Server Array Firewall Policy. A single Configuration Storage server can store Firewall Policies for multiple ISA Server 2004 Enterprise Edition Arrays, and these Arrays can be located anywhere in the organization. The Configuration Storage Server uses ADAM (Active Directory Application Mode). ADAM is an LDAP compliance directory and runs as a non-operating-system service and it does not require deployment on a domain controller. It is possible to run multiple instances of ADAM on a single server, and each instance can be configured independently.

It is possible to deploy a Configuration Storage Server on a Domain controller, on a Member server, on ISA Server itself or on a Server in a workgroup. Every deployment Method has it Pros and Cons. In this scenario we will deploy the Configuration Storage Server on a Windows Server 2003 Member Server.
CSS Installation

Insert the ISA Server 2004 Enterprise CD and follow the installation instructions. You must choose to Install Configuration Storage Server. This will install an ADAM-Instance on this computer which will be used to store the configuration of ISA Server Arrays. ISA Server Array Members will connect to the Configuration Storage Server to receive the configuration.

Figure 1: Installation of a Configuration Storage Server

If you choose Install Configuration Storage Server you can see in Figure 2 that only the ISA Management Option and the Configuration Storage Server will be installed.

Figure 2: Component Selection

On the next page we must select create a new ISA Server enterprise (Figure 3). This configuration option creates a new ISA Server Enterprise during the installation.

Figure 3: Create a new ISA Server Enterprise

Figure 4 shows a warning message that Microsoft recommends only deploying a single Enterprise in your Organization. Multiple Enterprises could be hard to manage. You can deploy multiple Arrays within one ISA Server Enterprise.

Figure 4: Warning message when you install a new ISA Enterprise

The next step (Figure 5) is to name the new ISA Server Enterprise and enter a description for the new Enterprise.

Figure 5: Enter a name and description for the new Enterprise

If you are using ISA Server 2004 Enterprise in a single domain or in domains with trust relationships, you must choose the Setup Option I am deploying in a single domain or in domains with trust relationships. ISA Server will use Windows authentication for authentication purposes. If you are using ISA Servers and Configuration Storage Servers in different domains without trust relationship or in a workgroup deployment, you must use certificates to establish a secure communication channel for authentication purposes.

Keep in mind that when you deploy ISA Server 2004 Enterprise in a workgroup environment you can use only one Configuration Storage Server. The following links could also find your interest when you deploy ISA Server in a workgroup:

If you are using certificates in a workgroup deployment you must use this tool to update ADAM account settings so that they do not expire.
The second tool is ISACertTool.exe that helps you to do the following:
• Install a server certificate on the Configuration Storage server.
• Install a root certificate on each array member to indicate that it trusts the Certification Authority that issued the server certificate

Figure 6: Setup the ISA Server 2004 Deployment method

After finishing ISA Server 2004 setup, the setup opens as a last step, a website from the ISA Server 2004 installation directory, which will guide you through additional steps how to secure your Windows / ISA Server installation.
I also recommend reading the following articles from the Microsoft website:

Hardening the Windows Infrastructure on the ISA Server 2004 Computer
ISA Server 2004 Security Hardening Guide

Figure 7: Hardening the Windows Server / ISA Server infrastructure

Before we are going to install the ISA Server 2004 Array members, we must create a new ISA Server 2004 Array. To create a new ISA Server Array start the ISA Server 2004 management console on the Configuration Storage Server, navigate to Arrays and create a new ISA Server Array.

Figure 8: Create a new ISA Server Array

We will name the Array MainArray (Figure 9).

Figure 9: Name the ISA Server 2004 Array

The next page (Figure 10) asks you to enter the ISA Server Arrays DNS name. You must enter a DNS conform FQDN (Fully Qualified Domain Name). You must create a corresponding A-record in DNS, so that Firewallclients and Webproxyclients can resolve the Name correctly. If you are using NLB you must enter the VIP (VirtualIP) as the IP address in DNS. I will give you more information about implementing NLB in another article. We will enter the Array's DNS name MainArray.cohovineyard.com.

Figure 10: ISA Server Array's DNS name

The next step is to specify which Enterprise Policy to apply to this Array. Because we don't create another Policy, we must use the Default Policy (Figure 11). It is possible to create new Policies every time and associate this new Policy with an Array after installation. I will show you how to do this in another article on www.isaserver.org.

Figure 11: Select the ISA Server Enterprise Policy for the new Array

In the following picture you can select the types of Array Firewall Policy rules that can be created for this Array (Figure 12). This is a great option to limit the creation of rule type at Array level.

Figure 12: Select the types of Array Firewall Policy rules that can be created for this Array

After reading the summary of the new Array Wizard click Finish. ISA Server now creates the new Array. This task can be time consuming (Figure 13).

Figure 13: Creating the new Array

Click Apply (Figure 14) and you have successfully finished the new Array installation.

Figure 14: Click Apply to save the changes and update the configuration

As you know, ISA Server 2004 uses System Policies which allow some communications between ISA Server, Active Directory Servers, DNS Servers, DHCP and many more. You must modify the System Policy to allow the ISA Server 2004 Array Members to access the Configuration Storage Server. If you want to know more about System Policies, read Tom Shinders article "The ISA Firewall's Default Post Installation System Policy and Configuration" at the following website: http://www.isaserver.org/articles/2004systempolicy.html.

You can find these settings in the System Policy Editor under Configuration Storage Server – Local Configuration Storage Server Access. Click Enable (Figure 15).

Figure 15: Enable Remote Configuration Storage Server Access

Click From (Figure 15) in the System Policy Editor – select Managed ISA Server Computers and click Add to enter the names and IP-addresses from the two ISA Server 2004 Enterprise Array members.

Figure 16: Enter the name and IP-addresses for the Managed ISA Server Computers

Click Apply to save the configuration changes. We are now ready to install the Firewall services, but this will be part of another article on www.isaserver.org.

موضوعات مشابه: