Installing and Configuring ISA Server 2000 on Windows Server 2003
The procedure for installing ISA Server 2000 on a Windows Server 2003 machine is a little different from how it's done on a Windows 2000 machine. The following procedures must be performed to install ISA Server 2000 on a Windows Server 2003 computer:
We will go over each procedure in this ISA Server 2000 VPN Deployment Kit document.
Install Windows Server 2003
ISA Server 2000 can be installed in one of three modes:
Caching mode ISA Server machines are designed to have one or two network interfaces. Each interface must be located on the internal network because packet filtering is not enforceable on a caching-only ISA Server machine.
Firewall mode provides a high level of firewall protection from external intruders and also protects your network by enabling granular outbound access control. Firewall mode does not include the Web caching features that are part of the Cache mode server.
Integrated mode provides all the firewall and caching features available with ISA Server 2000.
Please refer to ISA Server Help for a detailed description of features available with each ISA Server 2000 mode.
The machine used in the example in this ISA Server 2000 VPN Deployment Kit document has the following characteristics:
Please refer to ISA Server Help for a description of minimal installation requirements.
An Integrated mode ISA Server firewall requires at least one internal and one external interface.
Windows Server 2003, like Windows 2000, allows a single default gateway. As a result, ISA Server 2000 on Windows Server 2003 supports a single external, or Internet, interface. You can have multiple public address DMZ interfaces, but only a single interface can connect the internal network to the Internet.
ISA Server 2000 supports multiple external interfaces with the aid of third party software, or with an upstream hardware device with load balancing and link aggregation capabilities.
The DNS settings on the ISA Server interfaces must be configured correctly. Misconfiguration of the DNS settings is the most common configuration error made on ISA Server firewalls in production. The preferred setup is to
Many ISA Server administrators are unfamiliar with the interface ordering procedure. Perform the following steps to configure the interface order on the ISA Server computer:
Figure 1 (Fig100)
Figure 2 (fig2)
Figure 3 (fig300)
Do not put both an internal DNS server and an external DNS server on the same interface. The external DNS server is not able to resolve internal network host names. Under certain circumstances the Internet DNS server could be placed on the top of the DNS server list. This can leave the ISA Server firewall unable to communicate with the internal network domain controllers and can interfere with authentication.
Please refer to Windows 2000 Resource Kit Chapter 6 – Windows 2000 DNS to learn more about how the DNS resolver uses the preferred adapter and the DNS server list on each adapter to resolve host names.
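The DNS rule above can be checked mechanically. The following Python audit is an added example, not part of the original document: it classifies each adapter's DNS servers against the LAT (From, To) ranges and flags any adapter that lists both internal and external servers, noting when an external server is at the top of the list. The adapter names, addresses and LAT range are constructed sample values.

```python
from ipaddress import ip_address

# Constructed sample LAT: (From, To) pairs as shown in the Internal IP ranges list.
LAT_RANGES = [("10.0.0.0", "10.0.0.255")]

# Constructed sample adapter configurations: name -> ordered DNS server list.
GOOD = {"Internal": ["10.0.0.2"], "External": []}
BAD = {"Internal": ["192.0.2.53", "10.0.0.2"], "External": []}


def is_internal(addr, lat_ranges):
    """Return True when addr falls inside any LAT (From, To) range."""
    ip = ip_address(addr)
    return any(ip_address(lo) <= ip <= ip_address(hi) for lo, hi in lat_ranges)


def audit_dns(interfaces, lat_ranges):
    """Return (adapter, finding) tuples for adapters that break the rule.

    "mixed"          - internal and external DNS servers on the same adapter
    "external-first" - on a mixed adapter, an external server heads the list
    """
    findings = []
    for name, servers in interfaces.items():
        kinds = ["internal" if is_internal(s, lat_ranges) else "external"
                 for s in servers]
        if "internal" in kinds and "external" in kinds:
            findings.append((name, "mixed"))
            if kinds[0] == "external":
                findings.append((name, "external-first"))
    return findings


if __name__ == "__main__":
    for label, config in (("GOOD", GOOD), ("BAD", BAD)):
        result = audit_dns(config, LAT_RANGES)
        print(label, "->", result if result else "no findings")
```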
Disable all non-essential services on the ISA Server firewall computer. While individual implementations of ISA Server firewalls require a customized set of services, it is safe to conclude the IIS W3SVC (the World Wide Web service) should not run on the ISA Server firewall.
We recommend that you do not use client applications that expose the firewall to unnecessary risk. Such client applications include Web browser or email client software. Web browsers and email clients are major vectors of virus, Trojan and worm attacks. A properly configured ISA Server firewall is eminently secure; the addition of client applications can have a significant negative impact on ISA Server security.
Install ISA Server 2000
Locate your ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive or connect to a network share containing the ISA Server 2000 installation files. Perform the following steps to install ISA Server on a Windows Server 2003 machine:
Figure 4 (Fig301)
Figure 5 (Fig302)
Figure 6 (Fig1)
Figure 7 (Fig303)
Figure 8 (Fig304)
Figure 9 (Fig305)
Figure 10 (Fig306)
Figure 11 (Fig2)
Figure 12 (Fig3)
Figure 13 (Fig4)
Figure 14 (Fig5)
13. Click OK on the LAT dialog box after reviewing the entries in the Internal IP ranges list (Figure 15).
Figure 15 (Fig6)
Figure 16 (Fig7)
Figure 17 (Fig8)
Figure 18 (Fig307)
Figure 19 (Fig308)
Now you're ready to install ISA Server Service Pack 1.
Install ISA Server Service Pack 1
The next step is to immediately install ISA Server Service Pack 1. You can get Service Pack 1 at http://www.microsoft.com/isaserver/downloads/sp1.asp. Download the Service Pack to a machine on the internal network, scan it for viruses, and then copy it to the ISA Server. Perform the following steps after copying the service pack to the ISA Server:
Figure 20 (Fig9)
Figure 21 (Fig310)
Figure 22 (Fig10)
That's all there is to installing ISA Server Service Pack 1.
Install HotFix isahf255.exe
Log on after the ISA Server Service Pack 1 installation routine restarts the machine. There are a few hotfixes and updates you need to install on the Windows Server 2003/ISA Server machine to ensure ISA Server compatibility with Windows Server 2003. You can download the HotFix pack, isahf255.exe, at http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en
Download the file to a machine on the internal network, scan it for viruses, and then copy it to the ISA Server. Perform the following steps after copying the file to the ISA Server:
Figure 23 (fig11)
Figure 24 (Fig12)
You do not need to restart the server. The next step is to install Feature Pack 1.
Install Feature Pack 1
Feature Pack 1 (FP1) is not required. You don't have to install ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server machine. However, I do highly recommend that you install ISA Server Feature Pack 1 because it adds several new and useful features. You can download ISA Server Feature Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en
Download the feature pack to a machine on the internal network and scan it for viruses. Then copy the file to the ISA Server and perform the following steps:
Figure 25 (Fig13)
At this point the ISA Server is ready to use. You can now create inbound and outbound access policies and configure the machine to be a VPN Server and VPN Gateway.