Contents
Overview
Installing ISA Server
Installing and Configuring ISA Server Clients
Lab A: Installing ISA Server and Configuring Clients
Maintaining ISA Server
Lab B: Configuring ISA Server
Review
Module 2: Installing and Maintaining ISA Server
Configure computers as Web proxy, Firewall, or SecureNAT clients for
ISA Server.
Perform administrative tasks for maintaining ISA Server.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_02.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the labs.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and
provide the answers.
Read RFC 1918, “Address Allocation for Private Internets,” under
Additional Reading on the Trainer Materials compact disc.
Read RFC 1928, “SOCKS Protocol Version 5,” under Additional Reading
on the Student Materials compact disc.
Installing and Configuring ISA Server Clients
Describe the features of each ISA Server client: Web proxy, Firewall, and
SecureNAT. Present or, if possible, demonstrate the procedures for
configuring client computers for each type of client.
Maintaining ISA Server
Present the tasks required to maintain an ISA Server computer, including
starting and stopping services and backing up and restoring ISA Server.
Point out the taskpads and the Advanced view features in ISA Management.
Present or, if possible, demonstrate the procedures for adding entries to both
the LAT and local domain table (LDT). Explain the use of the Msplat.txt
file by the Firewall client. Emphasize that for maximum security, you
should save the backup files to an NTFS file system disk partition and set
the appropriate permissions to protect against unauthorized access.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The labs in this module are also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet and Security Acceleration Server 2000.
Lab Setup
Overview
Installing ISA Server
Installing and Configuring ISA Server Clients
Maintaining ISA Server
***** ILLEGAL FOR NON-TRAINER USE *****
Whether you deploy Microsoft® Internet Security and Acceleration (ISA)
Server 2000 as a dedicated firewall, a Web cache server, or an integrated
solution, you must plan carefully to ensure that you have the required hardware
and software. After you perform an ISA Server installation, you must configure
client computers. Depending on the client operating systems and your specific
requirements to control Internet access, you can choose to use the transparent
SecureNAT technology or deploy the ISA Firewall Client software. You can
also configure computers as Web proxy clients to improve browser
performance.
In addition, it is important to properly maintain ISA Server to ensure that all
client computers have fast and secure access to the Internet.
After completing this module, you will be able to:
Identifying Pre-Installation Tasks
Selecting an Installation Mode
Specifying the Initial Cache Size
Configuring the LAT
Upgrading from Microsoft Proxy Server 2.0
Troubleshooting ISA Server Installation
Before you install ISA Server, you must set up the hardware and configure the
software for the ISA Server computer. To help identify the choices that you will
make during installation, review the pre-installation checklist before performing
the installation. If you encounter problems during a new installation or an
upgrade from Microsoft Proxy Server 2.0, see the Troubleshooting ISA Server
Installation section.
You also can automate the installation of ISA Server. For more
information about performing an unattended setup, see “Unattended setup” in
ISA Server Help.
Topic Objective
To identify the topics related
The table below lists the hardware and software requirements for ISA Server.
Component                      Requirements
CPU                            300 megahertz (MHz) or higher Pentium II-compatible
                               • ISA Server Standard Edition supports up to 4 processors
                               • ISA Server Enterprise Edition has no CPU limit
Memory                         256 megabytes (MB) of random access memory (RAM)
Hard disk space                20 MB and space for cache
File system and disk format    One local hard disk partition formatted with NTFS file system
Operating system               Microsoft Windows 2000 Server, Microsoft Windows 2000
                               Advanced Server, or Microsoft Windows 2000 Datacenter Server
Windows 2000 Server Standard Edition and ISA Server Enterprise Edition.
Explain that Windows 2000 Datacenter Server does not require Service Pack 1
because it already includes all of the components of this Service Pack.
Note
Forward Caching Requirements
The following table lists the hardware configurations of a single ISA Server
computer for the expected number of users who gain access to objects on the
Internet.
Number of users    ISA Server computer     RAM       Disk space allocated for caching
Up to 500          Pentium II, 300 MHz     256 MB    2-4 gigabytes (GB)
500-1,000          Pentium III, 550 MHz    256 MB    10 GB
More than 1,000
Firewall Requirements
The following table lists the hardware configurations for the expected rate of
data transfer for Firewall and SecureNAT clients that gain access to objects on
the Internet.
Rate of data transfer               ISA Server computer                                     RAM
1–25 megabits per second            Pentium II, 300 MHz                                     256 MB
25–50 megabits per second           Pentium III, 550 MHz                                    256 MB
More than 50 megabits per second    Pentium III, 550 MHz for each 50 megabits per second    256 MB
Although it is important to have the required hardware configuration, the
rate of data transfer is highly dependent on the speed of your connection to the
Internet.
Delivery Tip
Summarize the hardware configurations that are listed in the tables. It is not
necessary to describe each configuration in detail. Emphasize that these
recommendations are only
Before installing ISA Server, ensure that the Windows 2000 routing
table on the ISA Server computer is configured correctly. The internal adapter
of the ISA Server computer must be able to route packets to all internal network
destinations, and the external network adapter must be able to route packets to
the Internet. To ensure proper routing, add explicit routes for all internal
network destinations, and configure a default gateway on only the external
network adapter.
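The routing rule above can be checked mechanically. The following is an added example, not part of the original courseware: it reads a routing table in the column layout printed by `route print` and reports a default gateway on the wrong adapter or an internal network with no explicit route. The adapter addresses, networks and both tables are constructed, and the function names are hypothetical.

```python
import ipaddress


def parse_routes(text):
    """Parse rows laid out as: destination, netmask, gateway, interface, metric."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # headings and separator lines
        try:
            net = ipaddress.IPv4Network(f"{parts[0]}/{parts[1]}")
            gateway = ipaddress.IPv4Address(parts[2])
            interface = ipaddress.IPv4Address(parts[3])
        except ValueError:
            continue
        routes.append((net, gateway, interface))
    return routes


def check_routing(routes, internal_if, external_if, internal_nets):
    """Return a list of problems; an empty list means the table follows the rule."""
    internal_if = ipaddress.IPv4Address(internal_if)
    external_if = ipaddress.IPv4Address(external_if)
    problems = []
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if not any(iface == external_if for _, _, iface in defaults):
        problems.append("no default gateway on the external adapter")
    for _, gateway, iface in defaults:
        if iface != external_if:
            problems.append(f"default gateway {gateway} is configured on adapter {iface}")
    # Every internal network needs a non-default route through the internal adapter.
    for wanted in map(ipaddress.IPv4Network, internal_nets):
        covered = any(net.prefixlen > 0 and wanted.subnet_of(net) and iface == internal_if
                      for net, _, iface in routes)
        if not covered:
            problems.append(f"no explicit route to {wanted} through the internal adapter")
    return problems


# Constructed sample data (assumed addressing, not taken from the courseware).
SAMPLE_INTERNAL_IF, SAMPLE_EXTERNAL_IF = "10.1.0.1", "203.0.113.10"
SAMPLE_INTERNAL_NETS = ["10.1.0.0/16", "10.2.0.0/16"]

# Misconfigured: a second default gateway on the internal adapter, no route to 10.2.0.0.
SAMPLE_BAD = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.10      1
          0.0.0.0          0.0.0.0       10.1.0.254         10.1.0.1      1
         10.1.0.0      255.255.0.0         10.1.0.1         10.1.0.1      1
      203.0.113.0    255.255.255.0     203.0.113.10     203.0.113.10      1
"""

# Corrected: one default gateway (external) and an explicit route to each internal network.
SAMPLE_GOOD = """
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      203.0.113.1     203.0.113.10      1
         10.1.0.0      255.255.0.0         10.1.0.1         10.1.0.1      1
         10.2.0.0      255.255.0.0       10.1.0.254         10.1.0.1      1
      203.0.113.0    255.255.255.0     203.0.113.10     203.0.113.10      1
"""

if __name__ == "__main__":
    for name, table in (("bad", SAMPLE_BAD), ("good", SAMPLE_GOOD)):
        print(name, check_routing(parse_routes(table), SAMPLE_INTERNAL_IF,
                                  SAMPLE_EXTERNAL_IF, SAMPLE_INTERNAL_NETS))
```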
When you install ISA Server, you must provide the following information:
• CD Key. This is the 10-digit number located on the back of the CD-ROM case.
• Installation options. As part of the installation process, you can install
options from the following ISA Server components:
    • ISA Services. Controls access of network services for the traffic between
    networks. This component is required for the installation.
    • Add-In Services. Includes the Microsoft H.323 Gatekeeper service, which
    allows Microsoft NetMeeting® or other H.323-compliant applications to
    reach users inside your network. The H.323 protocol is a set of standards
    that enable real-time multimedia conferencing and communications over
    packet-based networks. Also includes the Message Screener, which
    performs content filtering on incoming Simple Mail Transfer Protocol
    (SMTP) traffic.
    Both of these add-in services are optional.
• Array selection. If you previously modified the Active Directory schema to
initialize the enterprise, you can either select to create an enterprise array or
can select an array to join. If you did not initialize the enterprise, ISA Server
is installed in a stand-alone array, which contains only a single ISA Server
computer.
• Installation Mode. You can select to install ISA Server in Firewall mode,
Cache mode, or Integrated mode.
• Cache configuration. If you install ISA Server in Integrated or Cache mode,
you must configure the drives to use for the cache.
• Local Address Table (LAT) configuration. If you install ISA Server in
Integrated or Firewall mode, you must configure the address ranges to
include in the LAT. The LAT is a table containing all of the internal Internet
Protocol (IP) address ranges that the network behind the ISA Server
computer uses.
You must install Windows 2000 Service Pack 1 or later before you
install ISA Server.
Note
Important
Selecting an Installation Mode
Firewall, Cache, or Integrated. After you select the server mode, if you have
Internet Information Services (IIS) installed and configured to use port 80 or
port 8080, ISA Server Setup informs you that it will stop the IIS Web service.
To start the ISA Server installation:
1. Insert the compact disc into the CD-ROM drive, or if you copied the
contents of the ISA Server compact disc to a network location, open a
command prompt window, and then run the ISAautorun.exe file.
2. In the Microsoft ISA Server Setup window, select Install ISA Server, and
then click Continue.
3. Type the CD Key, and then click OK twice.
4. Read the licensing agreement, and then if you agree, click I Agree.
5. Click one of the following installations, and then click OK:
• Typical Installation. Includes the most commonly used components.
• Full Installation. Includes all ISA Server components and extensions.
• Custom Installation. Includes the ISA Server components and
extensions that you specify.
6. If you are installing ISA Server Enterprise Edition and the computer is not
part of a Windows 2000 domain, click Yes to install ISA Server as a
stand-alone server.
Topic Objective
To describe the procedure that you use to select an installation mode.
Lead-in
You must select one of three installation modes for ISA Server during Setup.
[Slide: Setup cache configuration dialog. Drive C: [NTFS], cache size 100 MB,
available space 28722 MB. Callout: Initial cache size is 100 MB. Add 0.5 MB
for each Web Proxy client.]
If you install ISA Server in Cache mode or in Integrated mode, the Setup
program prompts you to select the drive for the cache location and the initial
cache size. Select an NTFS-formatted hard disk of sufficient size to make the
cache as large as possible. For optimal performance, select a hard disk that you
use exclusively for caching. You can increase cache size later by allocating
more empty disk space or by adding more disk volumes.
Consider the following settings when specifying the size of the cache:
Default cache size. 100 MB if at least 150 MB of free disk space is
available.
[Slide: Microsoft Internet Security and Acceleration Server Setup dialog for
entering the IP address ranges that span the internal network address space,
with From and To fields and Add, Remove, and Construct Table buttons.
Callouts: (1) Click Construct Table to construct a local address table.
(2) Select options to add private IP address ranges or routing table entries.]
ISA Server uses the LAT to determine which IP addresses are inside an
organization’s network and assumes that all other IP addresses are external.
ISA Server uses the LAT to control how computers on the internal network
communicate with external networks. In addition, Firewall clients automatically
download LAT updates from the ISA Server computer. Firewall clients use the
LAT updates to determine which IP addresses they can directly connect to and
which requests they need to forward to the ISA Server computer.
Overview of the LAT
ISA Server can construct the LAT and add the following IP address ranges:
Private IP addresses. ISA Server can add IP addresses that are reserved by
the Internet Assigned Numbers Authority (IANA) for internal use. Many
organizations use these addresses for internal addresses. These addresses
include 10.0.0.0 to 10.255.255.255, 192.168.0.0 to 192.168.255.255, and
172.16.0.0 to 172.31.255.255. Add private IP addresses to the LAT only if
you use private IP addressing on your network.
For more information about private IP addresses, see RFC 1918,
“Address Allocation for Private Internets,” under Additional Reading on
the Student Materials compact disc.
Networks from the routing table. ISA Server adds all of the networks that
your computer connects to by using one or more network adapters that you
select. When adding entries from the routing table, ensure that the network
adapter that is configured to connect to your internal network has the correct
routing information for all network segments on your internal network.
Topic Objective
To describe the LAT and the
2. Choose from the following options, and then click OK twice:
• To add private IP address ranges, select the Add the following private
ranges check box.
• To add routing table entries, select the Add address ranges based on
the Windows 2000 Routing Table check box, and then select the check
box for the network adapter that is connected to your internal network.
3. In the Internal IP ranges box, review the list of IP address ranges, make
the following corrections if necessary, and then click OK:
• To remove an address range, in the Internal IP Ranges box, click the
range, and then click Remove.
• To add an address range, in the Edit box, type the beginning and end
addresses of the range, and then click Add.
After configuring the LAT, Setup copies all of the required files and completes
all configuration steps. Unless you specify a different location during an
unattended setup, Setup installs ISA Server in the C:\Program Files\Microsoft
ISA Server folder.
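The LAT rules described in this section can be expressed as a short audit. This is an added example, not part of the original courseware or of ISA Server: it models the "listed means internal" decision and flags ranges that contain the external adapter or reach outside the RFC 1918 blocks. Ranges outside RFC 1918 are marked for review rather than as errors, because a network that does not use private addressing can legitimately list them. The sample ranges, the external address and the function names are assumptions.

```python
import ipaddress

# RFC 1918 private blocks: the same three ranges the page lists for the LAT.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_lat(entries):
    """Convert (from, to) string pairs, as typed in Setup, into address pairs."""
    lat = []
    for start, end in entries:
        lo, hi = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
        if lo > hi:
            raise ValueError(f"range {start}-{end} is reversed")
        lat.append((lo, hi))
    return lat


def is_internal(lat, address):
    """The LAT decision: listed means internal, everything else is external."""
    ip = ipaddress.IPv4Address(address)
    return any(lo <= ip <= hi for lo, hi in lat)


def audit_lat(lat, external_ip):
    """Return (severity, message) findings for a LAT (hypothetical helper)."""
    ext = ipaddress.IPv4Address(external_ip)
    findings = []
    for lo, hi in lat:
        label = f"{lo}-{hi}"
        if lo <= ext <= hi:
            findings.append(("error", f"{label} contains the external adapter {ext}"))
        # Split the range into CIDR blocks; each must sit inside an RFC 1918 block.
        blocks = ipaddress.summarize_address_range(lo, hi)
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            findings.append(("review", f"{label} extends outside RFC 1918 space"))
    return findings


# Constructed sample: the second range has a mistyped end address.
SAMPLE_LAT = parse_lat([
    ("192.168.1.0", "192.168.1.255"),
    ("172.16.0.0", "172.32.255.255"),  # should end at 172.31.255.255
])
SAMPLE_EXTERNAL_IP = "203.0.113.10"  # constructed, RFC 5737 documentation range

if __name__ == "__main__":
    for severity, message in audit_lat(SAMPLE_LAT, SAMPLE_EXTERNAL_IP):
        print(severity, message)
    # An address in the mistyped part of the range is treated as internal.
    print(is_internal(SAMPLE_LAT, "172.32.5.5"))
```

An address that the LAT wrongly lists as internal is one that Firewall clients connect to directly instead of forwarding the request to the ISA Server computer.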
Key Points
Configuring the LAT correctly is the single most important part of installing
ISA Server. When configuring the LAT, include addresses on the private
network only. Do not add the external interface of the ISA Server computer or
any external addresses.
Important
[Slide: Upgrading from Microsoft Proxy Server 2.0. Diagram of upgrading client
computers: Proxy Server 2.0 receives client requests on port 80 and
ISA Server 2000 on port 8080; Winsock Proxy clients and Firewall clients.]
ISA Server supports a full migration path for Microsoft Proxy Server 2.0 users.
Setup migrates most Proxy Server 2.0 rules, network settings, monitoring
configurations, and cache configurations to ISA Server when you perform an
upgrade.
Before migrating from Proxy Server 2.0, review
“PreMigrationConsiderations.htm” on the ISA Server compact disc and review
the following sections in ISA Server Help: “Checklist: Migrating from
Microsoft Proxy Server 2.0” and “Migrating from Microsoft Proxy Server 2.0.”
before upgrading, and disconnect the computer that you are upgrading from
the Internet during the installation.
Important
3. Perform the upgrade to Windows 2000. During the upgrade to
Windows 2000, you may receive a message indicating that Proxy Server 2.0
will not work on a computer running Windows 2000. You can disregard this
message and continue installing ISA Server.
4. Install Windows 2000 Service Pack 1.
5. Begin installing ISA Server.
Comparing Proxy Server 2.0 and ISA Server Configurations
When you upgrade to ISA Server, most rules, network settings, monitoring
configurations, and cache configurations in Proxy Server 2.0 are migrated to
ISA Server. The differences and exceptions between Proxy Server 2.0 and
ISA Server are listed as follows:
Publishing. Proxy Server 2.0 requires that you configure publishing servers
as Winsock Proxy clients. ISA Server allows you to publish internal servers
without requiring any special configuration or software installation on the
publishing server. Instead, ISA Server recognizes the publishing servers as
SecureNAT clients.
Cache. Proxy Server 2.0 cache content is not migrated because of the vastly
Therefore, you must configure all downstream chain members and browsers
that connect to the ISA Server computer to connect to port 8080.
Alternatively, you can configure ISA Server to use port 80 for client HTTP
requests.
Key Points
Migration of Proxy Server 2.0 SOCKS rules to ISA Server policy is not
supported.
Note
Troubleshooting ISA Server Installation
[Slide: common installation problems]
• Users Cannot Connect to Resources After Upgrading from Proxy Server 2.0
• Users Can Gain Access to Internet Without Defined Rules
• You Cannot Find Array to Join During Installation
• ISA Server Presents Error Messages During Installation
• You Cannot Connect to Internet Resources After Installation
• Users can gain access to Internet sites even though you have not defined
rules that allow access. Your LAT may not be configured correctly. Ensure
that the LAT contains only internal IP addresses.
• After upgrading from Proxy Server 2.0, client computers can no longer
connect to Internet resources. Change the port that Web Proxy clients use
to gain access to the ISA Server computer or configure automatic discovery
for clients. ISA Server uses port 8080 for client connections, whereas Proxy
Server 2.0 uses port 80.
The “Troubleshooting” section of ISA Server Help contains information
about solving other common problems.
Topic Objective
To identify common ISA Server installation problems.
Lead-in
After installing ISA Server and ISA Server clients, you may have to
troubleshoot installation problems.
Tip
Lead-in
Before you install and configure ISA Server clients, evaluate the needs of your
organization and compare the features of each client.
Client Overview
[Slide: ISA Server between the internal clients and the Internet]
SecureNAT Client. Do not require you to deploy client software or configure
client computers.
Firewall Client. Allow Internet access only for authenticated users.
Web Proxy Client. Improve the performance of Web requests for internal
clients.
Some protocols and applications require secondary connections.
For example, when you use the File Transfer Protocol (FTP) protocol, by
default the client initiates a primary connection to the server, and the server
then initiates a secondary connection to the client. ISA Server must use an
application filter that edits the data stream to allow SecureNAT clients to
use such protocols and applications. ISA Server includes several application
filters, such as an FTP filter and an H.323 filter. If ISA Server does not
contain the appropriate application filter for a protocol or application,
SecureNAT clients cannot use this protocol or application.
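The FTP case shows why translating packet headers is not enough. In active-mode FTP the client sends its own address and port inside the control stream as a `PORT h1,h2,h3,h4,p1,p2` command (RFC 959), so a filter has to rewrite that text before the server can open the secondary connection. The sketch below is an added illustration of that general technique, not ISA Server's FTP filter; the addresses, the mapped port and the function names are constructed.

```python
import ipaddress


def parse_port_command(line):
    """Return (address, port) from an FTP PORT command, or None for other commands."""
    verb, _, arg = line.strip().partition(" ")
    if verb.upper() != "PORT":
        return None
    fields = arg.split(",")
    if len(fields) != 6 or not all(f.isdigit() and int(f) <= 255 for f in fields):
        raise ValueError(f"malformed PORT argument: {arg!r}")
    nums = [int(f) for f in fields]
    address = ipaddress.IPv4Address(".".join(str(n) for n in nums[:4]))
    # The port is sent as two bytes: high byte first, then low byte.
    return address, nums[4] * 256 + nums[5]


def rewrite_port_command(line, external_ip, mapped_port):
    """Replace the client's address and port with the translated ones."""
    if parse_port_command(line) is None:
        return line  # other control commands pass through unchanged
    if not 0 < mapped_port < 65536:
        raise ValueError("mapped port out of range")
    octets = str(ipaddress.IPv4Address(external_ip)).split(".")
    return "PORT {},{},{}\r\n".format(
        ",".join(octets), mapped_port // 256, mapped_port % 256)


# Constructed sample: a SecureNAT client at 192.168.1.20 listening on port 5001,
# translated to the external address 203.0.113.10 and port 61000.
SAMPLE_COMMAND = "PORT 192,168,1,20,19,137\r\n"
SAMPLE_EXTERNAL_IP = "203.0.113.10"
SAMPLE_MAPPED_PORT = 61000

if __name__ == "__main__":
    print(parse_port_command(SAMPLE_COMMAND))
    print(repr(rewrite_port_command(SAMPLE_COMMAND, SAMPLE_EXTERNAL_IP, SAMPLE_MAPPED_PORT)))
```

Without the rewrite, the server would try to connect to 192.168.1.20, an address from the LAT that is not reachable from the Internet.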
Topic Objective
To describe the clients that are supported by ISA Server.
Lead-in
ISA Server supports three types of clients.
Key Points
Only Firewall clients can be identified and fully authenticated by ISA Server.
Important
Firewall clients. Restrict access on a per-user basis for outbound access for
requests that use the TCP and User Datagram Protocol (UDP) protocols. To
configure a Firewall client, you must install the Firewall Client software on
caching service for caching.
Publish servers that are located on your internal network: SecureNAT clients.
You can publish internal servers to make them available to external users.
When you publish internal servers, you configure the servers as SecureNAT
clients. Because the published servers are SecureNAT clients, you do not need
to configure settings on the published server. Microsoft does not recommend
configuring published servers as Firewall clients.
Allow Internet access for only authenticated users: Firewall clients or Web
Proxy clients. You can configure user-based access policy rules for Firewall
clients and Web Proxy clients.
Important
Configuring Web Proxy Clients
[Slide callouts: Select the Use a proxy server check box. Type the port number
in the Port box, and then click OK.]
However, you must configure the Web browser on the client computer to use
the ISA Server computer as the proxy server. Other applications that use Web
protocols may also be able to function as Web Proxy clients. Some of these
applications can obtain their configuration settings from your Web browser.
Others may require additional configuration steps. The exact configuration
steps for configuring ISA Server depend on the Web browser that you use.
Web browser helper applications that use protocols other than
HTTP, such as Microsoft Windows Media™ Player, do not use ISA Server to
connect to the Web. To allow helper applications to connect to the Web, you
must use the SecureNAT client or the Firewall client in addition to the Web
Proxy client.
To configure Microsoft Internet Explorer 5 or later to use the Microsoft Web
Proxy service:
1. Open the Properties dialog box for Internet Explorer. On the Connections
tab, click LAN Settings, and then in the Local Area Network (LAN)
Settings dialog box, select the Use a proxy server check box.
2. In the Address box, type a valid path to the ISA Server computer.
3. In the Port box, type the port number that the ISA Server computer uses for
Web Proxy client connections, which is 8080 by default, and then click OK
twice.
If you want your Web browser to bypass the ISA Server computer when
connecting to local computers, you can also select the Bypass proxy server
for local addresses check box. Bypassing the ISA Server computer for
local computers may improve Web browser performance.
Topic Objective
Although SecureNAT clients do not require specific software, you must
configure SecureNAT clients to route all network traffic to the Internet through
the ISA Server computer. How you configure the client computer depends on
whether your network uses routers between the ISA Server computer and the
SecureNAT clients.
Configuring Clients on Networks That Do Not Use Routers
To configure SecureNAT clients on a network without routers, set the
SecureNAT client's IP default gateway settings to the IP address of the
ISA Server computer's internal network adapter by manually changing the
default gateway setting or by using Dynamic Host Configuration Protocol
(DHCP).
Configuring Clients on Networks That Use Routers
To configure SecureNAT clients on a network with routers, set the default
gateway settings to the router closest to the SecureNAT client. Ensure that the
router is configured to forward IP packets to the Internet so that all packets are
routed through the ISA Server computer. Optimally, routers should use a
default gateway that routes along the shortest path to the ISA Server computer.
In addition, do not configure routers to discard packets destined for addresses
outside of the internal network. The ISA Server computer will determine how
to route these packets.
Topic Objective
To identify the topics related
to configuring SecureNAT