This document has been produced using the resources of Save the Children, US
and contains configuration information about IT infrastructure therefore must be
treated as restricted content.
The Author and MIS Staff, Pakistan reserve the rights to redistribute or reproduce
this document therefore approval from the aforesaid must be taken before
distribution of this document.
Microsoft ISA Server 2004
(Installation and Configuration)
Table of Contents
1. Enterprise Edition
2. Standard Edition.
Enterprise Edition is suitable for organizations where more than one ISA Server is
deployed to fulfill users’ needs and all of them must follow a unified set of rules and
policies. This collection of ISA Servers is called an “Array”, and the top-level policies are
stored in the “Configuration Store”, installed on the array master. It can also join an existing
array of ISA Servers.
Standard Edition is suitable for environments where one ISA Server is enough for users, or
where there is more than one ISA Server but they need not follow the same policies. Standard
Edition can easily join the array but cannot contain configuration storage for other ISA
servers.
System Requirements
Given below are the minimum requirements. One should always go for the best
specifications that the organization can bear.
* These are all minimum requirements given by Microsoft and definitely we cannot do
much with these specifications. Xeon processors give very good performance. The
servers equipped with large amount of RAM can provide us fast response at client
side retrieval. Cache should be implemented on separate partition, separate HDD or
even separate Controller (Whatever is convenient).
Similarly, using the machine only as an ISA Server can significantly improve
performance.
Farrukh Nasim 1
Senior Officer MIS, Quetta, Pakistan.
ISA Server 2004 Installation and Configuration Manual
It is always good practice to rename the network interfaces, as names are easier to remember
than device models. Typically “Internal” and “External” or “LAN” and “WAN” are
the most commonly used names for private and public interfaces respectively.
LAN Connectivity
WAN Connectivity
For any external interface card, the IP address assignment may be automatic or manual.
1. On inserting the CD ROM, autorun file will be executed, bringing up the following
interface. Click “Install ISA Server 2004”. If it doesn’t pop up automatically, go to
the CD ROM or the Installation directory and double click “isaautorun”
executable.
7. Decide “Internal Network” address space. This address space is the network that will
be protected by the ISA Server. Click Add button.
8. Address space can be added manually or automatically based on the routing table for
a specific interface. Use Select Network Adapter button to add the Network
Interface Card’s information.
9. Select the adapter that connects to the internal clients i.e. LAN, Press OK. Do not
include the private ranges.
11. Services warning will appear, representing that SNMP, FTP Publishing, NNTP, IIS
Admin and WWW Publishing services will be restarted during installation and
ICF/ICS and IP NAT Service will be disabled. Press Next to proceed.
13. It will take a few minutes to complete the installation, depending upon the features
selected.
14. Let the installer complete the setup for Additional components and system
initialization.
15. Press Finish when the ISA Server installation is complete.
Separate service packs are available for Standard and Enterprise editions. Choose according
to the installation type. Service pack 3 included many improved features such as diagnostic
logging features, integration with Best practices Analysis tool, Publishing Exchange Server
2007, Microsoft Update caching, latest fixes and much more.
1. Run the MSI file downloaded from the Microsoft website. It will bring up the
following interface. Click Next.
3. Please wait while the installer updates the ISA Server 2004.
2. Under ISA Server name, right click Firewall Policy. Select New → Access Rule.
5. Choose “All outbound Traffic” and click Next. Restrictions will be covered in next
phases.
6. Select the source networks. Click Add to select internal network and localhost.
7. Add desired networks and click Close. After adding networks, click Next.
8. Now select the destination networks. Add External to allow access all over the
Internet.
11. Review the settings and modify them if necessary by pressing Back button.
Otherwise press Finish.
12. Click Apply button to make the changes and respond OK to the success message.
2. It will bring up the system policy editor. Under Remote Management, click on
ICMP (Ping) and in “From” tab, Add “Internal” network.
4. Now go to any client and PING ISA server. It will show successful results.
Cache Configuration
Creating Cache
ISA server will start caching pages, once cache is enabled and created. In previous versions
of ISA servers like 2000, cache was created during installation that could be changed at any
time.
2. Select the NTFS partition, give cache size in MBs, press Set button and then OK.
3. Apply new settings, save the changes and restart the services. Respond OK to the
success message.
1. ISA Server 2004 with Service Pack 2 or higher has the ability to cache the contents
from Microsoft update websites. To enable this, Right click Cache and go to New
→ Microsoft Update Cache Rule.
2. It will bring up a wizard with default rule name that cannot be changed. Click Next.
3. Microsoft product update websites are already included in the cache rule. If you want
to add more, click Add button otherwise accept default by clicking Next.
4. Press Finish to accept the rule settings and enable ISA Server 2004 to cache update
files from Microsoft sites. Apply the changes as earlier.
Like earlier versions, ISA Server 2004 has the ability to schedule content download jobs
for users. This is known as “Pre-fetching”. ISA Server 2004 automatically
contacts the website and downloads the web pages for its clients.
1. Right click on the Cache object and select New → Content Download Job.
4. Set other parameters like start date & time and click Next.
5. Specify the download location in the form of a URL path. Make changes if necessary
and click Next.
7. Click Finish to close the wizard and make the changes effective.
8. Now at the specified time, ISA Server will automatically contact the website and
cache the desired contents. This technique is adopted to cache the website having
highest hit ratio at a time when ISA Server is relatively free.
2. Type the name for Domain Name Set and add the domains you want to block.
Using asterisk (*) leading to the domain name means that all hosts on the specified
domain are included. Click OK when finished.
3. Now right click on your Firewall Policy and select New → Access rule.
7. Add the “Internal” network as source for this access rule and click Next.
8. For the destinations set, select the domain name set created earlier. In this example
“Blocked website for Quetta” is the intended domain set. As we have selected the
rule behavior to “Deny” therefore access to all these domains will be disallowed.
10. Apply the rule for “All Users” set. If you have custom groups or Users, Add them
11. On clicking Next, a summary will be displayed. Read the summary to be sure that
the configuration matches your desired purpose. Press Finish.
13. Now at client side, type address of the domain you have already blocked. An error
page will be displayed mentioning the blockage of specific domain.
Blocking Messengers
There are multiple ways to block messenger traffic. One of the most common methods is to
block the specific port number on which the messenger communicates. For example MSN
messenger typically communicates on TCP port 1863. If we wish to block MSN messenger,
port 1863 should be blocked.
Smart users can change the port number and then start communicating again through
messengers. The situation becomes harder if the messenger starts using port 80. Certainly
we can’t block port 80, otherwise the entire network’s traffic to the Internet will stop.
In this case we use the HTTP Filtering features in ISA Server 2004. ISA Server has the
ability to deeply inspect the packets and then filter the traffic on the basis of its signatures. A
list of most commonly used application signatures may be found at
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx
The following example illustrates how to block Yahoo Messenger. Same method may be
applied for the signatures of other messengers. (See the link in previous paragraph for other
signature definitions)
1. Under Firewall Policy, select your Access rule that allows the users’ traffic to the
Internet. Right click on that rule and click “Configure HTTP”.
3. Add a new signature. Set the values as shown in the following table.
Press OK.
5. Apply the changes in ISA Server Management Console and respond OK to the
successful changes message.
6. Now test for the client side. Yahoo messenger will not sign in. To see what is
actually happening to the request, go to msg.yahoo.com and see the error.
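The difference between the port rule and the HTTP signature described above can be seen in a small model. This is an added example, not ISA Server code or part of the original manual; the signature fields (a substring searched for in the request's Host header) and the sample requests are assumptions constructed for illustration.

```python
# Added illustration (not ISA Server code): port blocking vs. an HTTP header signature.
BLOCKED_PORTS = {1863}  # MSN Messenger's usual TCP port, per the text

# Assumed signature fields: look in a request header for a substring.
SIGNATURES = [
    {"name": "Yahoo Messenger", "header": "host", "contains": "msg.yahoo.com"},
]

def parse_headers(raw: bytes) -> dict:
    """Return the request headers of a raw HTTP request, names lower-cased."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the request line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def match_signature(raw: bytes):
    """Return the name of the first signature found in the headers, or None."""
    headers = parse_headers(raw)
    for sig in SIGNATURES:
        if sig["contains"] in headers.get(sig["header"], "").lower():
            return sig["name"]
    return None

def evaluate(dst_port: int, raw_http=None):
    """Apply the port rule first, then the signatures if the traffic is HTTP."""
    if dst_port in BLOCKED_PORTS:
        return ("deny", "port")
    if raw_http is not None:
        name = match_signature(raw_http)
        if name:
            return ("deny", "signature: " + name)
    return ("allow", None)

# Constructed sample traffic (the path and www.example.com are placeholders).
NATIVE_MSN = (1863, None)  # messenger on its own port, not HTTP
TUNNELLED = (80, b"POST /notify HTTP/1.1\r\nHost: msg.yahoo.com\r\n"
                 b"Content-Length: 0\r\n\r\n")
WEB = (80, b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n")

if __name__ == "__main__":
    for label, (port, raw) in [("native", NATIVE_MSN), ("tunnelled", TUNNELLED),
                               ("web", WEB)]:
        print(label, evaluate(port, raw))
```

The port rule alone would pass the tunnelled request, since it arrives on port 80; only the header signature denies it while ordinary web traffic on the same port is still allowed.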
In the given example, I have illustrated how to block access for a few domain users. This will
be independent of the PC’s IP address.
3. A dialog box will appear, asking what kind of new user objects you want to
create. Click Add → Windows users and groups.
5. Click Locations and select the name of your domain. Click OK.
6. Now enter the name of users or groups you want to include. Press OK.
7. The selected usernames or groups will appear in the users window along with their
Domain information. Click Next.
9. Now we have to configure our Internet access rule to deny the said users. In
Firewall Policy, right click the Access rule and click Properties.
10. In Users tab, Add the previously constructed users set in Exceptions area.
11. After adding the group, the name will appear in exception area. Apply and Close
the window.
13. Try to access any website from the user’s login and see the message from ISA
Server.
1. Dashboard
2. Alerts
3. Sessions
4. Services
5. Reports
6. Connectivity
7. Logging
Dashboard
Alerts
Alerts generated by ISA Server are displayed here. We can acknowledge or reset these alerts
after taking action.
Sessions
ISA Server displays active sessions here. We can disconnect any unwanted session through
this tab. This tab does not give a very detailed view of traffic going through ISA Server and
how ISA Server treats those requests.
Services
Services tab displays the status of services configured for ISA Server. Services like MDE,
Firewall and Job Scheduler can be stopped or started from this view.
Reports
ISA Server 2004 can generate traffic analysis report for us so that future strategies may be
designed and performance can be optimized.
1. Reports tab displays the previously generated reports and the options to create or
modify the existing reports.
3. This will bring up “Report Wizard”. Type a suitable name for your report and click
Next.
8. Review the reporting options and press Finish to accomplish the task.
9. Modifications may be made to the existing report jobs by going to “Create and
Configure Report Jobs” option in task pane.
10. It will bring up a dialog box, displaying your existing report schedule and options to
create new ones or modify the existing.
11. Select the previously scheduled reporting job and click “Edit”. Go to the Schedule
tab and select the days to be included in reporting. Remove the mark from Off days.
Timing and other options may be modified if necessary. Click Apply when done and
press OK twice to return to ISA Server Management console.
Logging
1. There are built-in logging filters that are rich enough to monitor the traffic in detail.
If necessary, Edit the existing filter.
2. To start the real time traffic monitor, click Start Query. It will display traffic going
through the ISA Server.
3. Columns may be added/ removed or sorted by right clicking on the column name
and clicking Add/Remove Columns.
4. A rich variety of traffic parameters are available to be included in the real time
monitor.
6. Clicking on any item will display the traffic details in the bottom area. This
information is very useful while troubleshooting ISA Services.