
Topic: Getting started with Microsoft ISA Server 2006

  
  1. #1
    Real name: 1234

    Retired moderator
    Join date
    Jul 2009
    Location
    5678
    Posts
    5,634
    Thanks received
    2513
    Thanks given
    272

    Getting started with Microsoft ISA Server 2006

    Code:
    http://www.linglom.com/2007/12/28/getting-started-with-microsoft-isa-server-2006-part-i-installation/
    PART 1 Installation

    This post will show how to install ISA Server 2006 Standard Edition on a Windows 2003 Server which has 2 network interfaces: one is connected to the internal network (LAN) and the other is connected to the external network (Internet). The diagram is as below:

    Step-by-step


    1. Open ISA setup program.
    2. Click Next.
    3. Enter your license information. Click Next.
    4. Select Setup Type. If you want to customize features or change the installation directory, select Custom. Otherwise, select Typical. I leave Typical for convenience.
    5. On Internal Network, you must enter your internal IP address range. You can do this by adding it manually or selecting it from a network adapter. Before clicking Next, ensure that your network addresses were configured correctly.
    6. On Firewall Client Connections, if you haven’t upgraded from a previous ISA Server (ISA 2000 or 2004), leave the check box unchecked and click Next. Otherwise, check the check box before continuing.
    7. On Service Warning, click Next. Notice that some services will be restarted or disabled while installing.
    8. Click Install.
    9. Wait for the installation to finish.
    10. You can check “Invoke ISA Server Management when the wizard closes” if you want to configure ISA now.
    11. Now you have finished installing ISA Server 2006. To configure the ISA details, continue on to the next part.






    hashemie gave thanks.

  2. #2
    PART 2 Environment Setup

    System Requirements

    Below are the minimum requirements for ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition.

    • Pentium III 733 MHz or higher.
    • 512 MB of RAM or more.
    • 150 MB of free hard-disk space.
    • Microsoft Windows Server 2003 32-bit operating system with Service Pack 1 (SP1) or Microsoft Windows Server 2003 R2 32-bit.

    Server Configuration

    There are three servers which I will use throughout this series. I already have the following servers in the network:

    • BKKPDC001 which runs under Windows Server 2003 R2 with Service Pack 2. It runs these services:
      • Active Directory
      • DNS
      • DHCP
        • Address pool: 192.168.10.101-192.168.10.150
        • Scope option: DNS Servers – 192.168.10.2, 203.144.255.71, 203.144.255.72
          Note: 203.144.255.71 and 203.144.255.72 are the IP addresses of my ISP’s DNS servers.

      • IP Configuration:
        • IP address: 192.168.10.2/24
        • Gateway: 192.168.10.10
        • DNS Server: 192.168.10.2, 203.144.255.71, 203.144.255.72
          Note: 203.144.255.71 and 203.144.255.72 are the IP addresses of my ISP’s DNS servers.


    • BKKNET001 which runs under Windows XP Professional. This is a client PC for testing Internet access. The IP address is obtained from the DHCP server.
    • BKKISA001 which runs under Windows Server 2003 Standard edition with Service Pack 2. I am going to set up ISA Server 2006 on this server. There are two network interface cards on this server.
      • Internal network (LAN):
        • IP Address: 192.168.10.10/24
        • Gateway: 192.168.10.2
        • DNS Server: 192.168.10.2, 203.144.255.71, 203.144.255.72
          Note: 203.144.255.71 and 203.144.255.72 are the IP addresses of my ISP’s DNS servers.

      • External network (the Internet):
        • IP Address: 192.168.0.10/24
        • Gateway: 192.168.0.1
        • DNS Server: None



    Network Configuration

    I try to keep the network configuration as simple as possible. On the left side of the ISA Server 2006 server is my internal network (LAN). It contains the clients and a server of my network. On the right side of the ISA Server 2006 server is the external network. It connects to the router which connects to the Internet.
    The image below is the network diagram of my example.





    hashemie gave thanks.

  3. #3
    PART 3 Installation

    Step-by-step


    1. Insert the ISA Server 2006 Enterprise edition CD-ROM and you will see the Microsoft ISA Server 2006 Setup window. Click Install ISA Server 2006.
    2. Microsoft ISA Server Installer is starting and beginning with Core Components.
    3. On Welcome to the Installation Wizard for Microsoft ISA Server 2006, click Next.
    4. On License Agreement, select I agree the terms in the license agreement and click Next.
    5. On Customer Information, enter your user name, organization name and the product serial number. Click Next.
    6. On Setup Scenarios, select Install both ISA Server services and Configuration Storage Server and click Next.
      Note: Scenarios description:
      • Install ISA Server services. You can select this option to install ISA Server services without the Configuration Storage server, so you will have to specify the existing Configuration Storage server on the network at the next step.
      • Install Configuration Storage server. This option will install only Configuration Storage server for ISA Server arrays to retrieve the configuration.
      • Install both ISA Server services and Configuration Storage server. This option will install both ISA Server services and Configuration Storage server.
      • Install ISA Server Management. Select this option if you want to install only the management console for ISA Server so you can remotely manage ISA Server enterprise.

    7. On Component Selection, leave as default selection and click Next.
      Note: Components description:
      • ISA Server. Controls access and traffic between networks.
      • Advanced Logging. Installs Microsoft Data Engine (MSDE) used to view and to filter historical log data.
      • ISA Server Management. Allows remote management of ISA Server using ISA Server Management console snap-in.
      • Configuration Storage server. Stores the enterprise configuration for ISA Server arrays.

    8. On Enterprise Installation Options, select Create a new ISA server enterprise and click Next.
    9. On New Enterprise Warning, click Next. This is a message telling you that they recommend only a single enterprise in your organization for ease of centralized management. If you already have an existing Configuration Storage server, you should select Create a replica of the enterprise configuration in the previous step.
    10. On Internal Network, you have to specify the network address ranges of your internal network. Click Add.
    11. On Addresses, you can add IP address ranges by adding from a network adapter, adding from a private network or adding a range manually. I will add from an adapter, so click Add Adapter.
    12. On Select Network Adapters, select the network card interface which connects to the internal network and click OK.
    13. Back to Addresses, check if the internal network range is correct or not. Then, click OK to continue.
    14. Back to Internal Network, click Next.
    15. On Firewall Clients Connections, click Next.
      Note: If you haven’t upgraded from ISA 2000 or 2004, leave the check box Allow non-encrypted Firewall client connections empty. Otherwise, check the box before continuing.
    16. On Services Warning, click Next.
      Note: This is a warning message that some services will be restarted or disabled while the installation is in progress.
    17. On Ready to Install the Program, click Install to begin the ISA Server 2006 Installation.
    18. On Installing Microsoft ISA Server 2006, wait for the installation to complete.
    19. Microsoft ISA Server Installer is installing Additional Components.
    20. Microsoft ISA Server Installer is initializing the system.
    21. On Installation Wizard Completed, click Finish to complete the installation.
      Note: There is an option – Invoke ISA Server Management when the wizard closes. You can select this option to start ISA Server Management after closing the wizard. I will cover ISA Server Management in the next part.






  4. #4
    PART 4 Service Pack 1

    There are many new features and enhancements in ISA Server 2006 Service Pack 1:
    New Features

    • Configuration Change Tracking. Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
    • Web Publishing Rule Test Button. Tests the consistency of a Web publishing rule between the published server and ISA Server.
    • Traffic Simulator. Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
    • Diagnostic Logging Query. Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.

    Enhancements

    • Support for integrated NLB mode in all three modes, including unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, ISA Server integrated NLB-supported unicast mode only.
    • Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers.
    • Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts.
    • Improved Web Publishing Load Balancing (WPLB) cookie handling.
    • Alert Improvements.
    • New performance counter.

    For more information about this service pack, see Microsoft Article 943462.
    Step-by-step


    1. Download the file from Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1.
    2. Double-click the downloaded file, ISA2006-KB943462-X86-ENU.msp, to run the setup wizard.
    3. On Welcome to the Update for Microsoft ISA Server 2006 Service Pack 1, click Next.
    4. On License Agreement, select I accept the terms in the license agreement and click Next.
    5. On Locate Configuration Storage Server, you have to specify the Configuration Storage Server. In this example, I leave it as default and click Next.
    6. On Ready to Install the Program, click Install.
    7. On Installing Microsoft ISA Server 2006 Service Pack 1, wait until the installation completes.
    8. On Installation Wizard Completed, click Finish.
    9. A pop-up message asks you to restart the system for the configuration changes made to ISA Server 2006 to take effect. Click Yes to restart it now.
    10. Once the system is restarted, you can see that the version of ISA Server 2006 is updated by opening ISA Server Management. Click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
    11. On ISA Server Management, click Help -> About Microsoft ISA Server 2006.
    12. On About Microsoft ISA Server 2006, you see the current version of ISA Server 2006. The version of ISA Server 2006 Service Pack 1 is 5.0.5723.493.





    hashemie gave thanks.

  5. #5
    PART 5 Network Layout Concept

    By default, ISA Server 2006 comes with five pre-defined network templates. You can select the one that matches your networking environment. Let’s look at each of them in detail.

    1. Edge Firewall
      This is a standard network topology for small to medium organizations. The ISA Server is the main gateway controlling traffic between the intranet (LAN) and the Internet. The ISA Server needs 2 network interface cards.
    2. 3-Leg Perimeter
      This is a standard network topology for medium to large organizations. Compared to the edge firewall, there is an additional network, a perimeter network, connected to the ISA Server. The perimeter network or DMZ (Demilitarized Zone) is a less secure network for serving Web servers, e-mail servers, DNS servers and other services to Internet users and also to internal users. The ISA Server needs 3 network interface cards.
    3. Front Firewall
      This is a network topology for organizations in which security is a high priority. In this case, there is more than one firewall. When a hacker attacks the front firewall and it is compromised, there is still a back firewall to protect the internal network. In this template, ISA Server acts as the front firewall server between the Internet and the perimeter network and needs 2 network interface cards.
    4. Back Firewall
      This network template is similar to the front firewall template except that the ISA Server that you’re configuring is the back firewall, which stands between the internal and the perimeter networks. In this template, ISA Server needs 2 network interface cards.
    5. Single Network Adapter
      This is a network template for ISA Server to act as a Proxy server only. ISA Server can do caching to improve performance for users using the Internet in the organization. In this template, ISA Server requires only a single network interface card, as the name of the template suggests.

    Note: With the front and back firewall templates, you have more than one firewall. It is best practice not to use the same firewall model. For example, you should have a hardware-based front firewall from one company and a software-based back firewall from another company, or vice versa. If a hacker breaks the front firewall, the hacker will need extra time to break the other firewall to reach our internal network, since the hacker cannot use the same technique to break the back firewall.





  6. #6
    PART 6 Configure Network Layout

    Step-by-step


    1. Open ISA Server Management by clicking Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
    2. On Microsoft Internet Security and Acceleration Server 2006, expand Arrays -> BKKISA001 -> Configuration -> Networks.
    3. Select Templates tab and click on the Edge Firewall template.
    4. A Network Template Wizard window appears, click Next to continue.
    5. On Export the ISA Server Configuration, you can click the Export button to back up your current ISA Server configuration. But this is the first-time configuration, so there is no need to back up anything.
    6. On Internal Network IP Addresses, verify if the IP address ranges are correct. My internal network is 192.168.10.0/24 so the existing range is correct. Click Next.
    7. On Select a Firewall Policy, you can choose a pre-defined firewall policy which will be applied to the network specified in this template. In this example, I select Block all. I will create firewall rules manually in the next part.
      Note: On edge firewall template, there are five predefined firewall policies which are:
      1. Block all
        Block all network access through ISA Server. This option does not create any access rules other than the default rule which blocks all access.
        Use this option when you want to define firewall policy on your own.
      2. Block Internet access, allow access to ISP network services
        Block all network access through ISA Server, except for access to network services, such as DNS. This option is useful when these services are provided by your Internet Service Provider (ISP).
        Use this option when you want to define firewall policy on your own. The following access rules will be created:

        • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).

      3. Allow limited Web access
        Allow Web access using HTTP, HTTPS, FTP, only. Block all other network access. The following access rules will be created:

        • Allow HTTP, HTTPS, FTP from Internal Network to External Network.
        • Allow all protocols from VPN Clients Network to Internal Network.

      4. Allow limited Web access and access to ISP network services.
        Allow limited Web access using HTTP, HTTPS, and FTP, and allows access to ISP network services, such as DNS. Block all other network access.
        The following access rules will be created:
        • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet).
        • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
        • Allow all protocols from VPN Clients Network to Internal Network.

      5. Allow unrestricted access
        Allow unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet. The following access rules will be created:

        • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet).
        • Allow all protocols from VPN Clients Network to Internal Network.


    8. On Completing the Network Template Wizard, click Finish.
    9. Then, you notice that there is a warning icon at the top of ISA Server Management. This means that the changes which you have made do not take effect yet. To update the configuration, click Apply.
      Note: If you want to undo changes that you have made, click Undo.
    10. The changes have been saved.






  7. #7
    PART 7 Create DNS Lookup Rule

    In this example, I have internal and external DNS servers, as shown in the network diagram in Part 2: Environment Setup. The internal DNS server should work fine since it is on the same network as the clients – the Internal network. But the external DNS servers (or my ISP’s DNS servers) are on the external network. Currently, ISA Server 2006 blocks all network access, so clients on the internal network cannot request any DNS lookup from the external DNS servers. This would be a problem if some clients want to use the Internet. Therefore, I will create an access rule to allow DNS lookups from clients on the internal network to the external DNS servers. The external DNS servers are 203.144.255.71 and 203.144.255.72.
    Step-by-step


    1. On ISA Server Management, open Firewall Policy by expanding Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
    2. Create a new access rule by clicking on the Tasks tab -> Create Access Rule.
    3. On Welcome to the New Access Rule Wizard, type the access rule name. In this example, I type “Allow DNS Lookup” and click Next.
    4. On Rule Action, you can select allow or deny for this rule. Select Allow and click Next.
    5. On Protocols, you can select the protocols this rule applies to.
      • Choose Select protocols from a drop down menu and click Add.
      • On Add Protocols, expand Common Protocols and double-click on DNS. Click Close.
      • Back to Protocols, now the DNS protocol is added to the rule. Click Next.

    6. On Access Rule Sources, you can specify source networks for this rule.
      • Click Add.
      • On Add Network Entities, expand Networks and double-click on Internal. Click Close.
      • Back to Access Rule Sources, now the Internal network is added as access rule source. Click Next.

    7. On Access Rule Destination, you can specify destination networks for this rule.
      • Click Add.
      • On Add Network Entities, click on New -> Address Range.
      • On New Address Range Rule Element, type the name and specify the IP address range. In this example, I name it “External DNS Addresses” and the IP address range is 203.144.255.71 to 203.144.255.72. Click OK.
      • Back to Add Network Entities, there is a new address range that I have just created so double-click on it to add to the rule and click Close.
      • Back to Access Rule Destination, now the “External DNS Addresses” is added to the rule as access rule destination. Click Next.

    8. On User Sets, you can specify the user sets for the rule. On this example, I leave it as All Users and click Next.
    9. On Completing the New Access Rule Wizard, click Finish.
    10. To save changes that you have made, you must click on Apply.
    11. On Saving Configuration Changes, click OK.
    12. Now you have finished creating an access rule to allow DNS lookups from the internal network to the external DNS servers.






  8. #8
    PART 8 Create Web Access Rule

    Step-by-step


    1. On ISA Server Management, open Firewall Policy by expanding Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
    2. On Firewall Policy, select Tasks and click on Create Access Rule.
    3. On Welcome to the New Access Rule Wizard, type a name for the access rule. In this example, I type “Allow HTTP, HTTPS for Linglom” and click Next.
    4. On Rule Action, select Allow and click Next.
    5. On Protocols, you have to choose which protocols will be applied to this rule.
      • Select Selected protocols and click Add.
      • On Add Protocols, expand Common Protocols and double-click on HTTP and HTTPS. Then, click Close and click Next to continue.

    6. On Access Rule Sources, select the source network for this rule.
      • Click Add.
      • On Add Network Entities, expand Network and double-click on Internal. Click Close and click Next to continue.

    7. On Access Rule Destinations, do the same as the previous step but select External network as a destination.
    8. On User Sets, you have to select which users and groups this access rule applies to. In this example, I want this rule to apply only to a domain user account – linglom.
      • Remove All Users by clicking Remove and add a new user set by clicking Add.
      • On Add Users, you see existing user sets available. There is no user set that I want so I will create a new one. Click New.
      • On Welcome to the New User Set Wizard, type the name of a new user set that you want and click Next.
      • On Users, click Add -> Windows users and groups.
      • On Select Users or Groups, select the users or groups that you want to add to this new user set. On this example, I select the domain user – linglom. Then, click OK.
      • You see that the user has been added to a new user set. Click Next.
      • On Completing the New User Set Wizard, click Finish.
      • A new user set is created. Then, select it and click Add to add the new user set to this rule.
      • Now the user set is added to the rule. So this rule will apply only to this user – Linglom. Click Next.

    9. On Completing the New Access Rule Wizard, click Finish.
    10. Don’t forget to save the changes that you have made by clicking Apply at the top.
    11. The changes have been saved. Click OK.
    12. Now you see the rule that you have created.






  9. #9
    PART 9 Client Configuration

    Section


    • Client Types
    • SecureNAT client
    • Firewall client
    • Web Proxy client


    Client Types

    The table below compares the ISA Server clients.
    | Feature | SecureNAT client | Firewall client | Web Proxy client |
    |---|---|---|---|
    | Installation required | No, but some network configuration changes may be required | Yes | No, Web browser configuration required |
    | Operating system support | Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP) | Only Windows platforms | All platforms, but by way of Web application |
    | Protocol support | Application filters for multiple connection protocols required | All Winsock applications | Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), and Gopher |
    | User-level authentication | No | Yes | Yes |
    | Server applications | No configuration or installation required | Configuration file required | Not applicable |

    SecureNAT client


    1. To configure a client as the SecureNAT client type, set the default gateway of the network interface card on the client to the ISA Server.
    2. If you are using DHCP, you can configure this by adding a Router scope option that points to the ISA Server.


    Firewall client


    1. Download Firewall Client for ISA Server from Microsoft.
    2. Install Microsoft Firewall Client on the client computer.
    3. On ISA Server Computer Selection, select Connect to this ISA Server computer and type the ISA Server host name.
    4. After the installation completes, you will see the firewall client’s icon on the task bar.
    5. You can view and modify the configuration by double-clicking the icon and selecting the Settings tab. Also, you can click Apply Default Settings Now so that other users on this computer can use this configuration.


    Web Proxy client


    1. Open your web browser. In this example, I use Internet Explorer.
    2. On the Menu bar, click Tools -> Internet Options.
    3. On Internet Options, Select Connections tab and click on LAN settings.
    4. On Local Area Network (LAN) Settings, check the box Use a proxy server for your LAN and type the ISA Server address and port.





    parviz_p_t, hashemie and pardazande gave thanks.
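
The policy assembled in Parts 6 to 8 can be checked against the client types from Part 9 with a small model. This is an added example, not part of the original posts and not ISA Server code; it assumes ordered first-match evaluation, that a rule limited to a user set denies a matching request from a client that cannot authenticate, and the rule order, the user name `alice` and the sample addresses (all constructed) shown in the code.

```python
"""Simplified model of the firewall policy built in Parts 6-8 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Callable, FrozenSet, Optional, Tuple

INTERNAL = ip_network("192.168.10.0/24")      # Internal network verified in Part 6
DNS_LOW = ip_address("203.144.255.71")        # "External DNS Addresses" range, Part 7
DNS_HIGH = ip_address("203.144.255.72")

# Part 9 table: only Firewall and Web Proxy clients do user-level authentication.
CAN_AUTHENTICATE = {"securenat": False, "firewall": True, "webproxy": True}


def internal(ip: str) -> bool:
    return ip_address(ip) in INTERNAL


def external(ip: str) -> bool:
    # Assumption: with the Edge Firewall template, anything not Internal is External.
    return not internal(ip)


def external_dns(ip: str) -> bool:
    return DNS_LOW <= ip_address(ip) <= DNS_HIGH


def anywhere(ip: str) -> bool:
    return True


@dataclass(frozen=True)
class Rule:
    name: str
    action: str
    protocols: Optional[FrozenSet[str]]   # None means all protocols
    source: Callable[[str], bool]
    dest: Callable[[str], bool]
    users: Optional[FrozenSet[str]]       # None means the "All Users" set


@dataclass(frozen=True)
class Request:
    client: str                           # "securenat", "firewall" or "webproxy"
    user: Optional[str]
    src: str
    dst: str
    protocol: str


# Rule order is an assumption; the default rule from "Block all" is always last.
POLICY = [
    Rule("Allow DNS Lookup", "Allow", frozenset({"DNS"}), internal, external_dns, None),
    Rule("Allow HTTP, HTTPS for Linglom", "Allow", frozenset({"HTTP", "HTTPS"}),
         internal, external, frozenset({"linglom"})),
    Rule("Default rule", "Deny", None, anywhere, anywhere, None),
]


def evaluate(req: Request, policy=POLICY) -> Tuple[str, str]:
    """Return (action, name of the rule that decided the request)."""
    for rule in policy:
        if rule.protocols is not None and req.protocol not in rule.protocols:
            continue
        if not (rule.source(req.src) and rule.dest(req.dst)):
            continue
        if rule.users is not None:
            # A user-restricted rule needs credentials; a client that cannot
            # supply them is denied here instead of falling through.
            if not CAN_AUTHENTICATE[req.client] or req.user is None:
                return ("Deny", rule.name)
            if req.user.lower() not in rule.users:
                continue                  # authenticated, but not in the user set
        return (rule.action, rule.name)
    return ("Deny", "no rule matched")


def run_samples():
    """Constructed requests from a DHCP client at 192.168.10.101."""
    c = "192.168.10.101"
    samples = {
        "dns-to-isp": Request("securenat", None, c, "203.144.255.71", "DNS"),
        "dns-elsewhere": Request("securenat", None, c, "198.51.100.53", "DNS"),
        "web-linglom": Request("webproxy", "linglom", c, "198.51.100.80", "HTTP"),
        "web-other-user": Request("webproxy", "alice", c, "198.51.100.80", "HTTPS"),
        "web-securenat": Request("securenat", None, c, "198.51.100.80", "HTTP"),
    }
    return {label: evaluate(req) for label, req in samples.items()}


if __name__ == "__main__":
    for label, verdict in run_samples().items():
        print(f"{label:15} {verdict[0]:5} by {verdict[1]}")
```

The last sample is the case to watch: a SecureNAT client matches the web rule on protocol and networks but cannot present the user identity the rule requires, so web access under this policy needs the Firewall client or Web Proxy client configuration.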
