Installing and Configuring ISA Server 2000 on Windows Server 2003

 

The procedure for installing ISA Server 2000 on a Windows Server 2003 machine is a little different than how its done on a Windows 2000 machine. The following procedures must be performed to install ISA Server 2000 on a Windows Server 2003 computer:

 

• Install Windows Server 2003
• Install ISA Server 2000
• Install ISA Server Service Pack 1
• Install isahf255.exe
• Install Feature Pack 1

 

We will go over each procedure in this ISA Server 2000 VPN Deployment Kit document.

 

Install Windows Server 2003

 

ISA Server 2000 can be installed in one of thee mode:

 

• Cache Mode

Caching mode ISA Server are designed to have one or two network interfaces. Each interface must be located on the internal network because packet filtering is not enforceable on a caching only ISA Server machine.

 

• Firewall Mode

Firewall mode provides a high level of firewall protection from external intruders and also protects your network by enabling granular outbound access control. Firewall mode does not include the Web caching features that are part of the Cache mode server.

 

• Integrated Mode

Integrated mode provides all the firewall and caching features available with ISA Server 2000

 

       Note:
Please refer to ISA Server Help for a detailed description of features available with each ISA Server 2000 mode.

 

The machine covered in the example we cover in this ISA Server 2000 VPN Deployment Kit document has the following characteristics:

 

• At least two network interfaces – one internal and one external (an optional DMZ interface can be installed if required)
• DNS setting on the internal interface uses an internal DNS server that can resolve Internet host names
• All non-essentials services on the ISA Server 2000 machine are disabled

 

       Note:
Please refer to ISA Server Help for a description of minimal installation requirements

 

An Integrated mode ISA Server firewall requires at least one internal and one external interface.

 

• The internal interface is never configured with a default gateway address. The IP address on the internal interface is always on the LAT.

• The external interface is configured with a default gateway that routes packets to the Internet. The external interface is never on the LAT.

 

Windows Server 2003, like Windows 2000, allows a single default gateway. The result is ISA Server 2000 on Windows Server 2003 supports a single external interface or single Internet interface. You can have multiple public address DMZ interfaces, but only a single interface can connect the internal network to the Internet.

 

       Note:
ISA Server 2000 supports multiple external interfaces with the aid of third party software, or with an upstream hardware device that with load balancing and link aggregation capabilities.

 

The DNS settings on the ISA Server interfaces must be configured correctly. Misconfiguration of the DNS settings is the most common configuration error made on ISA Server firewalls in production. The preferred setup is to

 

• Configure the internal interface of the ISA Server with the address of a DNS server on the internal network that is capable of resolving Internet host names

 

• Place the internal interface on the top of the interface list. Windows Server 2003 uses the interface order to determine which name server addresses to query first.

 

• Do not enter a DNS server address on the external interface

 

Many ISA Server administrators are unfamiliar with the interface ordering procedure. Perform the following steps to configure the interface order on the ISA Server computer:

 

1. Click Start, point to Control Panel and right click on Network Connections. Click the Open command (figure 1).

 

Figure 1 (Fig100)

 

2. In the Network Connections window, click the Advanced menu and then click the Advanced Settings command (figure 2).

 

Figure 2 (fig2)

 

3. In the Advanced Settings dialog box, select the interface representing the internal interface and click the up arrow to move the internal interface to the top of the interface list. Click OK in the Advanced Settings dialog box after making the changes to the interface order.

 

Figure 3 (fig300)

 

Do not put both an internal DNS server and an external DNS server on the same interface. The external DNS server is not be able to resolve internal network host names. Under certain circumstances the Internet DNS server could be placed on the top of the DNS server list. This can lead to the ISA Server firewall not being able to communicate with the internal network domain controllers and interfere with authentication.

 

       Note:
Please refer to Windows 2000 Resource Kit Chapter 6 – Windows 2000 DNS to learn more about how the DNS resolver uses the preferred adapter and the DNS server list on each adapter to resolve host names

 

Disable all non-essential services on the ISA Server firewall computer. While individual implementations of ISA Server firewalls require a customized set of services, it is safe to conclude the IIS W3SVC (the World Wide Web service) should not run on the ISA Server firewall.

 

We recommend that you do not use client applications that expose the firewall to unnecessary risk. Such client applications include Web browser or email client software. Web browsers and email clients are major vectors of virus, Trojan and worm attacks. A properly configured ISA Server firewall is eminently secure; the addition of client applications can have a significant negative impact on ISA Server security.

 

Install ISA Server 2000

 

Locate your ISA Server 2000 CD-ROM disk and put it into the CD-ROM drive or connect to a network share containing the ISA Sever 2000 installation files. Perform the following steps to install ISA Server on a Windows Server 2003 machine:

 

1. Double click on the ISAAutorun.exe file on the ISA Server CD (figure 4), local hard disk, or network share point.

 

Figure 4 (Fig301)

 

2. Click on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page (Figure 5).

 

Figure 5 (Fig302)

 

3. You will see an ISA 2000 dialog box informing that you need to install ISA 2000 Service Pack 1 (figure 6). Error messages will occur during the installation. Don’t be concerned about these errors as we will perform the required procedures to prevent them from becoming a problem.  Click Continue.

 

Figure 6 (Fig1)

 

4. Click Continue on the Welcome to the Microsoft ISA Server installation program page (figure 7).

 

Figure 7 (Fig303)

 

5. Enter your CD Key in the CD Key dialog box (figure 8). Click OK.

 

Figure 8 (Fig304)

 

6. Write down your Product ID as list in the Product ID dialog box. Click OK in the Product ID dialog box after writing this number down.
7. Click I Agree in the Microsoft ISA Server Setup dialog box (figure 9).

 

Figure 9 (Fig305)

 

8. Click the Full Installation button in the installation type dialog box (figure 10). This allows you to use all ISA Server features. You can use the Add/Remove Programs applet later if you need to remove some ISA Server features.

 

Figure 10 (Fig306)

 

9. In this example we are installing ISA Server in standalone mode, not in enterprise array mode. Click Yes in the dialog box that asks if you want to continue (figure 11).

 

Figure 11 (Fig2)

 

10. Select the Integrated mode option on the Select the mode for this server page (figure 12). You want to take advantage of the full power of your ISA Server firewall. Integrated mode gives you everything the Web Proxy and Firewall services have to offer. Go for it! Click Continue.

 

Figure 12 (Fig3)

 

11. On the Web cache page (figure 13), select a drive to put the Web cache file on. The drive must be NTFS. Type in a size of the cache in the Cache size (MB) text box and then click the Set button. Then click OK.

 

Figure 13 (Fig4)

 

12. On the LAT page (figure 14), click the Construct Table button. On the Local Address Table page, remove the checkmark in the Add the following private ranges checkbox. Put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Remove the checkmark from the checkbox representing the external interface, and leave the checkmark in the checkbox for the internal interface. Click OK in the Local Address Table dialog box, then click OK in the Setup Message dialog box that informs you that the LAT was constructed based on the Windows 2000 routing table (in spite of the fact that you’re installing ISA Server on a Windows Server 2003 machine).

 

Figure 14 (Fig5)

 

13.   Click OK on the LAT dialog box after reviewing the list listing in the Internal IP ranges list (figure 15).

 

Figure 15 (Fig6)

 

14. Unlike Windows 2000, Windows Server 2003 does not install IIS by default. You will see a dialog box telling you that you’ll have to install the SMTP service if you want to run the SMTP Message Screener. Click OK to continue (figure 16).

 

Figure 16 (Fig7)

 

15. When installation is complete, you will see a warning balloon informing you that ISA 2000 will cause Windows to become unstable. Close the balloon, remove the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then click OK in the Launch ISA Management Tools dialog box (figure 17).

 

Figure 17 (Fig8)

 

16. Click OK in the dialog box informing you that setup was completed (figure 18).

 

Figure 18 (Fig307)

 

17. Click OK in the dialog box informing you that setup has failed to start one or more services (figure 19).

 

Figure 19 (Fig308)

 

Now you’re ready to install ISA Server Service Pack 1.

 

Install ISA Server Service Pack 1

 

The next step is to immediately install ISA Server Service Pack 1. You can get Service Pack 1 at http://www.microsoft.com/isaserver/downloads/sp1.asp Download SP1. Download the Service Pack to a machine on the internal network, scan it for viruses, and then copy it to the ISA Server. Perform the following steps after copying the service pack to the ISA Server:

 

1. Double click on the isasp1.exe file. Type in a path to put the temporary files in the Choose Directory for Extracted Files dialog box (figure 20). Click OK.

 

Figure 20 (Fig9)

 

2. Click I Agree in the End User License Agreement (EULA) dialog box (figure 21).

 

Figure 21 (Fig310)

 

3. Click OK in the Microsoft ISA Server 2000 Update Setup dialog box (figure 22). The computer will restart.

 

Figure 22 (Fig10)

 

That’s all there is to installing ISA Server service pack 1.

 

Install HotFix isahf255.exe

 

Log on the ISA Server service pack 1 installation routine restarts the machine. There are a few hotfixes and updates you need to install on the Windows Server 2003/ISA Server machine to insure ISA Server compatibility with Windows Server 2003. You can download the HotFix pack, isahf255.exe at http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en

 

Download the file to a machine on the internal network, scan it for viruses, and then copy it to the ISA Server. Perform the following steps after copying the file to the ISA Server:

 

1. Double click on the isahf255.exe file. Read the  click I Agree in the ISA Server 2000 hot fix 255 (331062) dialog box. Type in a path for the temporary files in the Choose Directory for Extracted Files dialog box, then click OK (figure 23).

 

Figure 23 (fig11)

 

2. Click I Agree in the EULA dialog box.
3. Click OK in the Microsoft ISA Server 2000 Update Setup dialog box that informs you that the update was successful applied (figure 24).

 

Figure 24 (Fig12)

 

 

You do not need to restart the server. The next step is to install Feature Pack 1.

 

Install Feature Pack 1

 

Feature Pack 1 (FP1) is not required. You don’t have to install ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server machine. However, I do highly recommend that you install ISA Server Feature Pack 1 because it adds a several new and useful features. You can download ISA Server Feature Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en

 

Download the feature pack to a machine on the internal network and scan it for viruses. Then copy the file to the ISA Server and perform the following steps:

 

1. Double click on the isaftp1.exe file. Type in a path for the extracted files in the Choose Directory For Extracted Files dialog box (figure 25).

 

Figure 25 (Fig13)

 

2. Click I Agree in the Feature Pack 1 EULA dialog box.
3. Click OK in the Microsoft ISA Server 2000 Feature Pack 1 dialog box. Leave the checkmark in the Read about ISA Server Feature Pack 1 checkbox to learn more about what you get with Feature Pack 1.

 

At this point the ISA Server is ready to use. You can now create inbound and outbound access policies and configure the machine to be a VPN Server and VPN Gateway.