Contents
Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
Lab A: Configuring ISA Server for the Enterprise
Review
Module 9: Configuring ISA Server for an Enterprise
Describe the use of ISA Server in an enterprise environment.
Install ISA Server in an enterprise environment.
Use enterprise and array policies.
Scale ISA Server.
Manage network connections.
Extend and automate ISA Server functionality.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_09.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the lab.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and
provide the answers.
Module Strategy
Use the following strategy to present this module:
Introducing ISA Server Enterprise Edition
Explain that you can install ISA Server Enterprise Edition as a stand-alone
server or as an array member. Emphasize that if you choose not to apply an
enterprise policy to an array installation, the array administrator can create
any rule to allow or deny access.
Installing ISA Server in the Enterprise
Ensure that students understand the impact that modifying the schema has
on the entire Active Directory™ directory service forest and that changes to
the schema are irreversible. Explain that when you promote a stand-alone
server, ISA Server may delete policy rules and publishing rules to ensure
that array policies are not more permissive than an applicable enterprise
policy.
Using Enterprise Policies and Array Policies
Emphasize that when you apply an enterprise policy to an array, ISA Server
deletes all of the previously defined array-level site and content rules and
protocol rules that allow access.
Managing Network Connections
Use the slide example to explain the use of routing rules for conditionally
routing requests. Explain that firewall chaining enables requests from
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.
Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Perform a full installation of ISA Server manually.
Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:
Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure Internet Explorer manually.
Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol
(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure IIS manually.
Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the Internet
DNS for the student computer zones has a WPAD entry added.
The Active Directory schema update for ISA Server is installed.
The stand-alone ISA Server computer is promoted to an array.
An enterprise policy is created.
Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
*****************************
ILLEGAL FOR NON-TRAINER USE
Lead-in
In this module, you will learn about configuring ISA Server in an enterprise
environment.
Introducing ISA Server Enterprise Edition
Benefits of ISA Server Enterprise Edition
Using ISA Server Enterprise Edition
There are many benefits for an organization to deploy ISA Server Enterprise
Edition in an enterprise environment. When you deploy ISA Server Enterprise
Edition, you must select an installation configuration and a policy
configuration.
Topic Objective
To introduce ISA Server Enterprise Edition.
Contains configuration and policy information and
used to apply access controls to users and groups.
Enables you to create policies at both the array and
enterprise level.
ISA Server Enterprise Edition offers several benefits to organizations that want
fast, secure, and manageable Internet connectivity in an enterprise environment.
Scalability
ISA Server Enterprise Edition provides scalability by using arrays, enhanced
symmetric multiprocessing support, the Network Load Balancing feature of
Microsoft Windows® 2000 Advanced Server, and the Cache Array Routing
Protocol (CARP).
Arrays
ISA Server Enterprise Edition uses arrays to manage a group of ISA Server
computers as a single, logical entity. Array installations increase performance
and bandwidth savings by distributing client requests between multiple
ISA Server computers. In addition, because the load is distributed across all of
the servers in the array, you can achieve good performance even with moderate
hardware. Arrays also provide fault tolerance. Moreover, because the array
tolerance for publishing internal resources to the Internet.
CARP
ISA Server Enterprise Edition uses CARP to provide scaling and efficiency
when deploying an array of ISA Server computers as forward and reverse
caching servers. CARP eliminates the duplication of content among array
members and automatically adjusts to additions or deletions of servers in the
array.
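The two CARP properties described above (each object is held by exactly one array member, and a membership change only moves the objects it has to) can be seen in a small model. This is an added example, not part of the courseware: it uses highest-score selection with SHA-256 as a stand-in for CARP's own hash function, and the member names and URLs are constructed.

```python
import hashlib


def score(member: str, url: str) -> int:
    """Combined score for (member, URL). SHA-256 is a stand-in, not CARP's hash."""
    digest = hashlib.sha256(f"{member}\x00{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def owner(members, url):
    """The single array member that caches this URL: the highest score wins."""
    if not members:
        raise ValueError("array has no members")
    # The member name breaks score ties, so the result never depends on list order.
    return max(members, key=lambda m: (score(m, url), m))


def assignments(members, urls):
    """Map every URL to its owning member for the given array membership."""
    return {url: owner(members, url) for url in urls}


def moved(before, after):
    """URLs whose owning member differs between two array memberships."""
    return {url for url in before if before[url] != after[url]}


# Constructed member names and URLs.
ARRAY = ["ISA1", "ISA2", "ISA3", "ISA4"]
URLS = [f"http://www.example.com/page{i}.htm" for i in range(200)]

if __name__ == "__main__":
    base = assignments(ARRAY, URLS)
    for member in ARRAY:
        print(member, sum(1 for o in base.values() if o == member), "URLs")
    without_isa3 = assignments([m for m in ARRAY if m != "ISA3"], URLS)
    print("moved after ISA3 removed:", len(moved(base, without_isa3)))
    with_isa5 = assignments(ARRAY + ["ISA5"], URLS)
    print("moved after ISA5 added:", len(moved(base, with_isa5)))
```

Removing a member moves only the URLs that member held, and adding one moves only the URLs the new member now holds; every other cached object stays where it was.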
Distributed and Hierarchical Caching
ISA Server Enterprise Edition uses CARP to perform distributed caching
among an array of ISA Server computers to enhance the caching performance
and the fault tolerance if an ISA Server computer becomes unavailable.
In addition, ISA Server supports hierarchical, or chained, caching. Chained
caching is a hierarchical connection between individual ISA Server computers
or arrays of ISA Server computers. Chained caching enables caching to take
place closer to the users. Client requests are sent upstream through the chain of
cache servers until the requested object is found. When the object is located on
an upstream server, it is cached in both the upstream server’s cache and the
downstream server's cache. Both the Standard Edition and the Enterprise
Edition support hierarchical caching.
Active Directory
ISA Server stores configuration and policy information of arrays in the
Active Directory™ directory service. Active Directory provides a central point
for storing and gaining access to ISA Server policies and configuration settings.
In addition, both the Standard Edition and the Enterprise Edition can apply
access controls by using user accounts and groups that are defined in
Active Directory.
Tiered Policy
ISA Server Enterprise Edition supports a tiered policy, which enables you to
You can install ISA Server Enterprise Edition as a stand-alone server or as an
array member. When you install ISA Server as an array member, you can select
a policy configuration that meets the needs of your organization.
Selecting an Installation Configuration
When you install ISA Server Enterprise Edition as a stand-alone server, the
computer does not have to belong to a Windows 2000 domain. ISA Server
stores the configuration information for the stand-alone server in the registry.
Stand-alone servers do not use array policies or enterprise policies.
When you install ISA Server as an array member, the computer must be a
member of a Windows 2000 domain. ISA Server Enterprise Edition stores
configuration information for arrays in Active Directory. You can apply an
enterprise policy to an array, which allows you to centralize management for
multiple arrays in your enterprise.
Topic Objective
To describe the topics related to using ISA Server Enterprise Edition.
configure rules at the array level that further restrict an access policy.
Array Policy. Includes site and content rules, protocol rules, IP packet
filters, Web publishing rules, routing rules, and server publishing rules. You
select an array policy to apply a unique array policy to each array in the
enterprise. For example, you can allow unlimited access to the Internet for
the clients that use one array and then place restrictions on the clients that
use another array. If you choose not to apply an enterprise policy to an array
installation, the array administrator can create any rule to allow or deny access.
When you apply enterprise policies, array policies can create additional
restrictions over the enterprise policies. However, an array policy can never
allow any type of access that an enterprise policy does not first allow.
Key Points
If you choose not to apply an enterprise policy to an array installation, the
array administrator can create any rule to allow or deny access.
When you enforce enterprise policies, an array policy can never allow any type
of access that an enterprise policy does not first allow.
Important
members. When you modify an array, it is recommended that you back up the
configuration information.
Topic Objective
To present the topics related to installing ISA Server in the enterprise.
Lead-in
Before you can set up ISA Server as an array member, the ISA Server schema
must be installed in Active Directory.
Installing ISA Server Schema in Active Directory
Select an option to configure enterprise policy.
Specify how to apply the enterprise policy at the array level. After
installation, you can modify these settings for any array in the enterprise.
When applying enterprise policy:
Use array policy only
Use this enterprise policy:
ISA Enterprise Initialization
Enterprise Policy 1
Also allow array-level access policy rules that restrict enterprise policy
Allow publishing rules
Force packet filtering on the array
and Administering Microsoft Windows 2000 Directory Services.
Topic Objective
To describe the procedure that you use to install ISA Server schema in
Active Directory.
Lead-in
Before you can set up ISA Server as an array member, you must install the
ISA Server schema in Active Directory.
Key Points
Applying a schema change to Active Directory is a major operation that
normally requires planning.
Because Active Directory does not support deletion of schema objects, the
enterprise initialization process is irreversible.
Caution
Delivery Tip
Ensure that students understand the impact that modifying the schema has on
the entire Active Directory forest and
Select the Allow array-level access rules that restrict enterprise policies
check box.
Allow administrators to create publishing rules    Select the Allow publishing rules check box.
Enforce packet filtering on all arrays             Ensure that the Force packet filtering on the array check box is selected.
Note
Because of Active Directory replication latency, there may be a delay
until the schema changes are applied to all domain controllers in your
organization.
Using Arrays
Guidelines for Setting Up Arrays
Configuration Settings for Arrays
Permissions Required for Adding Arrays
Topic Objective
To identify the topics related to using arrays.
Lead-in
Before you set up an array, consider the following guidelines, configuration
settings, and required permissions.
Cache. Disk space for caching is allocated separately on each ISA Server
computer according to the amount that you specify when you install or
reconfigure the cache. However, all of the cache configuration properties
are common for all of the servers in an array. These properties include the
Hypertext Transfer Protocol (HTTP) protocol caching properties, the File
Transfer Protocol (FTP) protocol caching properties, and the CARP
protocol properties.
Permissions Required for Adding Arrays
By default, the members of the Domain Admins group for the domain and the
members of the Enterprise Admins group for the Active Directory forest can
create new arrays. Only the members of the Enterprise Admins group are
prompted to configure how the enterprise policies apply to the array because
only the members of this group have the required permissions to administer
enterprise policies. When a user who is not a member of the Enterprise Admins
group creates an array, the default enterprise policy automatically applies to the
array.
members, these array members automatically retrieve most of the configuration
information from Active Directory.
Installing the First ISA Server Computer
To install ISA Server on the first computer in an array:
1. Start the Microsoft Internet Security and Acceleration Server Enterprise
Edition Setup program, and choose whether to perform a typical, custom, or
full installation.
2. In the Microsoft ISA Server Setup dialog box, click Yes to install
ISA Server as an array member.
3. If the domain already contains arrays, in the Microsoft ISA Server Setup
dialog box, click New.
4. In the New Array dialog box, type a name for the array that you are
creating, and then click OK.
5. In the Configure enterprise policy setting dialog box, select one of the
following options:
• Use default enterprise policy settings. The array will use the default
enterprise policy settings. These settings are normally the policy settings
that you configured when you imported the ISA Server schema.
• Use custom enterprise policy settings. The array will not use the
default enterprise policy settings.
Topic Objective
To describe the key steps to perform when you install the first ISA Server
computer in an array.
Lead-in
When you install the first ISA Server computer after importing the ISA Server
schema into
Creating and Deleting Arrays in ISA Management
Creating New Arrays
Deleting Arrays
You can create a new array before you install ISA Server on the first computer
in the array, which allows you to configure the array in advance. When you
create a new array, you can create
a new configuration or you can copy a configuration from another array. After
you have created an array, computers can join the array when you install
ISA Server or when you promote a stand-alone server to an array member.
You must be a member of the Domain Admins group or the
Enterprise Admins group to create an array. You must be a member of the
Enterprise Admins group to configure how the enterprise policies apply.
Creating New Arrays
To create a new array:
1. In ISA Management, in the console tree, right-click Servers and Arrays,
point to New, and then click Array.
2. In the New Array Wizard, type a name for the array, and then click Next.
3. On the Domain Name page, select the site and domain in which to create
the new array, and then click Next.
4. On the Create or Copy an Array page, select one of the following options:
• Use default enterprise policy settings.
• Use custom enterprise policy settings. Use this option to specify an
enterprise policy. You can also select the Allow array policy check box.
6. On the Array type page, select one of the following options, and then click
Next:
• Cache only
• Firewall only
• Integrated
7. On the Array Global Policy Options page, select one or both of the
following options, and then click Next:
• Allow publishing rules to be created on the array
• Force packet filtering on the array
8. On the Completing the New Array Wizard page, review your choices, and
then click Finish.
Deleting Arrays
You can delete an array in ISA Management after you uninstall ISA Server
from all array members.
To delete an array:
• In ISA Management, in the console tree, right-click the appropriate array,
and then click Delete.
Caution
If you accidentally delete an array that has members, you must
re-create the array, uninstall ISA Server on each of the members, re-create each
array member, and then reinstall ISA Server on all array members.
Note
Are enterprise policy only               Deletes all of the array policy rules.
Are enterprise policy and array policy   Deletes all of the array policy rules that allow access.
Disallow publishing                      Deletes the publishing rules that are defined for the array.
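The deletions listed above, together with the earlier rule that an array policy can only restrict an enterprise policy, can be modelled as a pre-promotion audit that lists which rules on a stand-alone server would not survive. This is an added Python example, not part of the courseware and not an ISA Server API. The rule names, kind identifiers and mode strings are constructed, and it assumes that "array policy rules" means site and content rules and protocol rules.

```python
from dataclasses import dataclass

# Rule kinds named on the page; the identifiers themselves are constructed.
ACCESS_KINDS = {"site_and_content", "protocol"}
PUBLISHING_KINDS = {"web_publishing", "server_publishing"}
POLICY_MODES = {"array_only", "enterprise_only", "enterprise_and_array"}


@dataclass(frozen=True)
class Rule:
    name: str
    kind: str    # ACCESS_KINDS, PUBLISHING_KINDS, or e.g. "routing"
    action: str  # "allow" or "deny" for access rules, otherwise "n/a"


def deleted_on_promotion(rules, policy_mode, allow_publishing):
    """Return (rule, reason) pairs for the rules that promotion would delete.

    Assumption: "array policy rules" means site and content rules and
    protocol rules; other rule kinds are not affected by policy_mode.
    """
    if policy_mode not in POLICY_MODES:
        raise ValueError(f"unknown policy mode: {policy_mode}")
    deleted = []
    for rule in rules:
        if rule.kind in ACCESS_KINDS:
            if policy_mode == "enterprise_only":
                deleted.append((rule, "enterprise policy only"))
            elif policy_mode == "enterprise_and_array" and rule.action == "allow":
                deleted.append((rule, "array rules may only restrict"))
        elif rule.kind in PUBLISHING_KINDS and not allow_publishing:
            deleted.append((rule, "publishing disallowed"))
    return deleted


# Constructed rule set for a stand-alone server about to be promoted.
SAMPLE_RULES = [
    Rule("Allow all sites", "site_and_content", "allow"),
    Rule("Block webmail", "site_and_content", "deny"),
    Rule("Allow HTTP for Domain Admins", "protocol", "allow"),
    Rule("Publish intranet web", "web_publishing", "n/a"),
    Rule("Publish mail server", "server_publishing", "n/a"),
    Rule("Upstream routing", "routing", "n/a"),
]

if __name__ == "__main__":
    for mode, publishing in [("enterprise_only", True),
                             ("enterprise_and_array", False),
                             ("array_only", True)]:
        print(f"{mode}, allow_publishing={publishing}")
        for rule, reason in deleted_on_promotion(SAMPLE_RULES, mode, publishing):
            print(f"  would delete: {rule.name} ({reason})")
```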
Topic Objective
To identify the topics related to promoting a stand-alone server.
Lead-in
After you initialize the enterprise, you can promote stand-alone servers to
array members.
Delivery Tip
Explain that ISA Server may delete policy rules and publishing rules to ensure
that array policies are not more permissive than an applicable enterprise
policy.
Note
Promoting a Stand-Alone Server
To promote a stand-alone server:
1. In ISA Management, in the console tree, right-click the server, and then
click Promote.