Installing ISA Server 2000 on Windows Server 2003

There have been a lot of questions on the ISAServer.org message boards on how Windows Server 2003 and ISA Server get
along with each other. I didnt send too much time tr!ing to figure out issues with re"release versions of Windows Server
2003 and ISA Server because man! of the roblems could have been related to beta issues that would be fi#ed in the final
version. $ou could never %now if it was an ISA Server issue& and adverse interaction between ISA Server and Windows Server
2003& or ma!be a beta bug.
'ow that Windows Server 2003 is officiall! released& and ISA Server is officiall! suorted on Windows Server 2003& we can
get to the business of testing out ISA Server on Windows Server 2003 machines. There are man! comelling reasons to run
ISA Server on a Windows Server 2003 machine(
Windows Server 2003 is the most secure version of Windows ever
Windows Server 2003 is the most stable version of Windows ever
'on"essential services are disabled right out of the bo#
Its ver! difficult to run IIS services on the Windows Server 2003)ISA Server because there is no
documentation on how to disable soc%et ooling for all IIS services e#cet the W3S*+
When !ou combine high securit!& roc% solid stabilit! and the increased difficult! in harooning !ourself in the foot b! running
IIS services on !our firewall& !ou get what !oure reall! loo%ing for in a firewall( rotection for !our internal networ%.
Ive had the chance to run ISA Server in integrated mode on a Windows Server 2003 machine for over a month and I find it
much more stable than m! e#eriences with ISA Server on Windows 2000 machines. This could be due to the better hardware
on which the ISA)Windows Server 2003 software is installed on& or it could be an oerating s!stem issue. ,lease let us %now
about !our e#eriences with ISA Server and Windows Server 2003 over on the message boards on ISAServer.org.
Installing ISA Server on a Windows Server 2003 machine is ainless& but it is a little different than how !ou do it on a
Windows 2000 machine. We need to go through the follow stes to install ISA Server on a Windows Server 2003 bo#(
Install Windows Server 2003
Install ISA Server 2000
Install ISA Server Service ,ac% -
Install isahf2...e#e
Install /eature ,ac% -
Install Windows Server 2003
The Windows Server 2003 machine should have the following characteristics(
At least two networ% interfaces 0 one internal and one e#ternal
'o e#traneous services installed on the machine
As much 1A2 as ossible
3isable non"essential services
$ou need at least one internal and one e#ternal interface. The internal interface will be on the 4ocal Address Table 54AT6 and
does not have a default gatewa! set on it. The e#ternal interface is never on the 4AT and its the onl! interface with a default
gatewa! set on it. Windows Server 2003 is li%e Windows 2000 in that onl! one interface can have a default gatewa!. This
means ISA Server on Windows Server 2003 suorts a single external interface. $ou can have multile ublic address 327
interfaces& but onl! a single interface that connects the internal networ% to the Internet.
3o not install e#tra services on the firewall. 3o not install a 8ua%e server& do not install a enterrise mail and grouware
server& do not install an /T, server& do not install a Web server an do not install a 9aa:a server; $our ISA Server is a firewall 0
!ou wouldnt install these services on a ,I< or +hec%oint 'o%ia 0 so !ou shouldnt do it on the ISA Server firewall.
2ost eole will use the Web ,ro#! service to rovide Web erformance enhancements and increased securit! for Web
,ublishing. The cool thing about ISA Server is that it %ees the Web cache in 1A2. The more 1A2 !ou have& the more
cached content can be %et in fast memor! and the better end"user erceived erformance. Aim for at least =>? 2@ of 1A2 in
the ISA Server firewall& and more is better.
$ou can harden !our server b! disabling non"essential services. 'on"essential services deend on what services !ou need& so
its hard to give !ou a hard and fast list of what services !ou should disabled. +hec% out m! articles on securing ISA Server
over at www.isaserver.org/shinder for more details.
Install ISA Server 2000
'ow for the fun art. Aet out !our ISA Server 2000 +3"1B2 dis% and ut it into the drive& or connect to a networ% share that
contains the ISA Sever installation files. Then erform the following stes to begin installing ISA Server on a Windows Server
2003 machine(
-. 3ouble clic% on the ISAAutorun.exe file on the ISA Server +3
2. +lic% on the Install ISA Server lin% on the Internet Security & Acceleration Server 2000 slash age.
3. $ou will see an ISA 2000 dialog bo# that informs !ou that !ou need to install ISA 2000 Service ac! " in order for
things to wor% right. We %now that& so well clic% #ontinue.
/ig-
C. +lic% #ontinue on the Welcome to the $icroso%t ISA Server installation &rogram age.
.. Dnter !our +3 9e! in the #' (ey dialog bo#. +lic% )(.
>. Write down !our roduct I' as list in the roduct I' dialog bo#. +lic% )( in the roduct I' dialog bo# after
writing this number down.
=. +lic% I Agree in the $icroso%t ISA Server Setu& dialog bo#.
?. +lic% the *ull Installation button in the installation t!e dialog bo#. I am assuming !ou want to use all the features
that ISA Server has to offer. $ou can use the Add/+emove rograms alet later if !ou want to remove some ISA
Server features.
E. In this e#amle we are installing ISA Server in standalone mode& not in enterrise arra! mode. +lic% ,es in the
dialog bo# that as%s if !ou want to continue.
/ig2
-0. Select the Integrated mode otion on the Select the mode %or this server age. $ou want to ta%e advantage of the
full ower of !our ISA Server firewall. Integrated mode gives !ou ever!thing the Web ,ro#! and /irewall services
have to offer. Ao for it; +lic% #ontinue.
/ig3
--. Bn the Web cache age& select a drive to ut the Web cache file on. The drive must be 'T/S. T!e in a si:e of the
cache in the #ache si-e .$/0 te#t bo# and then clic% the Set button. Then clic% )(.
/igC
-2. Bn the 1A2 age& clic% the #onstruct 2able button. Bn the 1ocal Address 2able age& remove the chec%mar% in
the Add the %ollowing &rivate ranges chec%bo#. ,ut a chec%mar% in the Add address ranges based on the
Windows 2000 +outing 2able chec%bo#. 1emove the chec%mar% from the chec%bo# reresenting the e#ternal
interface& and leave the chec%mar% in the chec%bo# for the internal interface. +lic% )( in the 1ocal Address 2able
dialog bo#& then clic% )( in the Setu& $essage dialog bo# that informs !ou that the 4AT was contstructed based
on the Windows 2000 routing table 5in site of the fact that !oure installing ISA Server on a Windows Server 2003
machine6.
/ig.
-3. +lic% )( on the 1A2 dialog bo# after reviewing the list listing in the Internal I ranges list.
/ig>
-C. Fnli%e Windows 2000& Windows Server 2003 does not install IIS b! default 5!eah; $ou should 'D*D1 run IIS
services on a firewall 0 e#cet for ma!be the S2T, service6. $ou will see a dialog bo# telling !ou that !oull have
to install the S2T, service if !ou want to run the S2T, 2essage Screener. +lic% )( to continue.
/ig=
-.. The ISA Server services are installed. $ou will see a warning balloon informing !ou that ISA 2000 will cause
Windows to become unstable. +lose the balloon& remove the chec%mar% from the Start ISA Server 3etting
Started Wi-ard chec%bo#& and then clic% )( in the 1aunch ISA $anagement 2ools dialog bo#.
/ig?
->. +lic% )( in the dialog bo# that informs !ou that setu was comleted.
-=. +lic% )( in the dialog bo# that informs !ou that setu has failed to start one or more services.
'ow !oure read! to install ISA Server Service ,ac% -.
Install ISA Server Service ac! "
The ne#t ste is to immediatel! install ISA Server Service ,ac% -. $ou can get Service ,ac% - at
htt&4//www.microso%t.com/isaserver/downloads/s&".as& 3ownload S,- to a machine on the internal networ%& scan it for
viruses& then co! it to the ISA Server. ,erform the following stes after co!ing the service ac% to the ISA Server(
-. 3ouble clic% on the isas&".exe file. T!e in a ath to ut the temorar! files in the #hoose 'irectory %or
5xtracted *iles dialog bo#. +lic% )(.
/igE
2. +lic% I Agree in the 5nd 6ser 1icense Agreement .561A0 dialog bo#.
3. +lic% )( in the $icroso%t ISA Server 2000 6&date Setu& dialog bo#. The comuter will restart.
/ig-0
Thats all there is to installing ISA Server service ac% -.
Install 7ot*ix isah%288.exe
4og onto the machine after the ISA Server service ac% - installation routine restarts the machine. There are a few hotfi#es
and udates !ou need to install on the Windows Server 2003)ISA Server machine to insure that ever!thing wor%s correctl!.
$ou can download the Got/i# ac%& isah%288.exe at htt&4//www.microso%t.com/downloads/details.as&x9
%amilyid:;;d<=%<;>8208>?;;=>b"ab>%c33<2<3b2d=&dis&laylang:en
3ownload the file to a machine on the internal networ%& scan it for viruses& and then co! it to the ISA Server. ,erform the
following stes after co!ing the file to the ISA Server(
-. 3ouble clic% on the isah%288.exe file. T!e in a ath for the temorar! files in the #hoose 'irectory %or 5xtracted
*iles dialog bo#& then clic% )(.
fig--
2. +lic% I Agree in the 561A dialog bo#.
3. +lic% )( in the $icroso%t ISA Server 2000 6&date Setu& dialog bo# that informs !ou that the udate was
successful alied.
/ig-2
'ote that !ou do not need to restart the server. The ne#t ste is to install /eature ,ac% -.
Install *eature ac! "
/eature ,ac% - 5/,-6 is not required. $ou dont have to install ISA Server /eature ,ac% - on the Windows Server 2003)ISA
Server machine to get it wor%ing correctl!. Gowever& I do highl! recommend that !ou install ISA Server /eature ,ac% -
because it adds a lot of cool new caabilities and Wi:ards. $ou can download ISA Server /eature ,ac% - at
htt&4//www.microso%t.com/downloads/details.as&x9*amilyI':2%=2b02c>ac?=>??d%>a%@c>
8be0<?b3?8%=&'is&lay1ang:en
3ownload the feature ac% to a machine on the internal networ% and scan it for viruses. Then co! the file to the ISA Server
and erform the following stes(
-. 3ouble clic% on the isa%t&".exe file. T!e in a ath for the e#tracted files in the #hoose 'irectory *or 5xtracted
*iles dialog bo#.
/ig-3
2. +lic% I Agree in the /eature ,ac% - 561A dialog bo#.
3. +lic% )( in the $icroso%t ISA Server 2000 *eature ac! " dialog bo#. 4eave the chec%mar% in the +ead about
ISA Server *eature ac! " chec%bo# to learn more about what !ou get with /eature ,ac% -.
#onclusion
I thin% !oull find that running ISA Server on Windows Server 2003 will be a good e#erience. Windows Server 2003
rovides the highest level of stabilit! and securit! ever seen in a Windows"based latform and ISA Server raises the level of
securit! b! several orders of magnitude. Aive ISA Server on Windows Server 2003 a tr! and let us %now what !ou thin%.
I hope you enjoyed this article and found something in it that you can apply to your own network. If
you have any questions on anything I discussed in this article, head on over to
http://forums.isaserver.org/ultimatebb.cgi?ubbget!topic"f#"t$$%%$& and post a message. I'll
be informed of your post and will answer your questions ()(*. +hanks, -+om