ISA 2004 Installation and Configuration

Configuration Guide for
Microsoft ISA Server 2004 Deployment

at Save the Children, US.
(Version 1.1)
Prepared by: Farrukh Nasim Chughtai

Senior Officer, MIS, Quetta, Pakistan.
January 22, 2008.
fnasim@qta.savechildren.org.pk
This document has been produced using the resources of Save the Children, US
and contains configuration information about IT infrastructure therefore must be
treated as restricted content.
The Author and MIS Staff, Pakistan reserve the rights to redistribute or reproduce
this document therefore approval from the aforesaid must be taken before
distribution of this document.
Microsoft ISA Server 2004
(Installation and Configuration)
Table of Contents
Introduction to Microsoft ISA Server 2004 ................................................................................1

System Requirements .................................................................................................................1
Setting up Connectivity for ISA Server Deployment.................................................................2
Deciding Client Types.....................................................................................................................4
ISA Server 2004 Installation ..........................................................................................................5
Installing Service Pack 3 for ISA Server 2004 Standard Edition............................................14
Creating New Access Rule to Allow Outbound Traffic..........................................................17
What if ISA Server 2004 doesn’t respond to PING requests? ...............................................24
Cache Configuration .....................................................................................................................26
Creating Cache ..........................................................................................................................26
Configuring Microsoft Update Caching ................................................................................28
Caching for Scheduled Content Download Jobs .................................................................30
Deny requests to certain websites/ domains.............................................................................34
Blocking Messengers.....................................................................................................................41
Deny Users/ Groups to access Internet ....................................................................................45
Monitoring ISA Server 2004........................................................................................................52
Dashboard..................................................................................................................................52
Alerts...........................................................................................................................................53
Sessions.......................................................................................................................................53
Services .......................................................................................................................................54
Reports .......................................................................................................................................54
Logging.......................................................................................................................................60
ISA Server 2004 Installation and Configuration Manual
Introduction to Microsoft ISA Server 2004

Microsoft ISA Server 2004 is an integrated solution for firewall, caching and VPN facilities.
It also incorporates improved management, monitoring and security features with enhanced
performance.
Microsoft ISA Server 2004 is available in two flavors:
1. Enterprise Edition
2. Standard Edition.
Enterprise edition is suitable for organizations where more than one ISA servers are
deployed to fulfill users’ needs and all of them must incorporate unified set of rules and
policies. This collection of ISA Servers is called an “Array” and the top level policies are
stored in the “Configuration Store”, installed on array master. It can also join an existing
array of ISA Servers.
Standard Edition is suitable for environments where one ISA server is enough for users; or if
there are more than one ISA servers, they need not to follow the same policies. Standard
edition can easily join the array but cannot contain configuration storage for other ISA
servers.
System Requirements
Given below are the minimum requirements. One should always go for the best
specifications that the organization can bear.
System Component Minimum Requirement

Operating System Windows Server 2003 (Service Pack 1)
No. of CPUs Not more than 4
CPU clock rate 550 MHz
RAM 256 MB
Disk Space 150 MB for installation + The amount to be utilized as cache
(Cache can be maintained only on NTFS formatted partition.
NICs For communication with internal and external networks
* These are all minimum requirements given by Microsoft and definitely we cannot do
much with these specifications. Xeon processors give very good performance. The
servers equipped with large amount of RAM can provide us fast response at client
side retrieval. Cache should be implemented on separate partition, separate HDD or
even separate Controller (Whatever is convenient).
Similarly, using ISA server just as ISA Server can significantly improve the
performance.
Farrukh Nasim 1
Senior Officer MIS, Quetta, Pakistan.
Setting up Connectivity for ISA Server Deployment

Ensuring the server meets the minimum requirements, the next step is to configure the
server for ISA server installation.
¾ If the server is already setup for ICS/ ICF, it will be disabled.

¾ NAT service will be disabled on the computer by ISA Server.
It is always a good practice to rename the network interfaces as Names are easy to remember
instead of device models. Typically “Internal” and “External” or “LAN” and “WAN” are
the most commonly used names for private and public interfaces respectively.
LAN Connectivity
¾ For internal interface, it is always recommended to use static IP instead of DHCP

assigned address.
¾ Do not use default gateway for internal interface as there can be only one default
gateway for a computer. If the ISA server is connected to its local clients through IP
assigned manageable switch, or the environment is subnetted, use “Static Routes” to
connect to those subnets. The external interface should be configured with default
gateway.
¾ If there are no internal DNS servers, leave the Preferred and Alternate DNS Servers’
fields empty.
¾ If the ISA server is also a domain controller (not recommended), loop back address
may be used in the DNS servers list for internal interface.
¾ If ISA server is to be joined to Microsoft Active Directory Domain, use the IP
address of domain controller as Preferred DNS server for internal interface.
Farrukh Nasim 2
WAN Connectivity
For any external interface card, the IP address assignment may be automatic or manual.
¾ In case of DHCP assigned addresses by ISP, set all behaviors to automatic.

¾ For manual configuration, fill all fields including Default Gateway and DNS Servers.
Default gateways are typically router’s address and DNS Server refers to the DNS
server of the service provider. If internal DNS servers or forwarders to public access
are present, use those instead.
¾ More than one DNS servers may be given to provide fault tolerance for name
resolution.
¾ “Advanced” tab in connection’s properties may be used to assign multiple IP
addresses, gateways or DNS server for network redundancy.
Farrukh Nasim 3
Deciding Client Types

Depending upon design and environment, ISA server supports 3 major kinds of clients.
Sr. Client Type Details

No
1 Web Proxy Implemented by setting web browser’s connection settings
to use a proxy server or automatically detect settings.
Supports few protocols such as HTTP, HTTPS and FTP.
2 Secure NAT Implemented by using ISA server’s IP address as default

gateway for the clients.
Support all features except client authentication.
3 Firewall Client Supports all functionalities including client authentication.

Microsoft Firewall Client software is to be installed on all
clients.
Platform dependent (Microsoft Only)
Farrukh Nasim 4
ISA Server 2004 Installation

Microsoft ISA Server 2004 installation is simple and straight forward.
1. On inserting the CD ROM, autorun file will be executed, bringing up the following
interface. Click “Install ISA Server 2004”. If it doesn’t pop up automatically, go to
the CD ROM or the Installation directory and double click “isaautorun”
executable.
2. Press “Next” to begin installation.
Farrukh Nasim 5
3. Accept license agreement and click Next.
4. Provide customer information and Serial key. Click Next.
Farrukh Nasim 6
5. Select setup type. Most administrators like Custom installation.
6. Select the components to be installed and Click Next.
Farrukh Nasim 7
7. Decide “Internal Network” address space. This address space is the network that will
be protected by the ISA Server. Click Add button.
Farrukh Nasim 8
8. Address space can be added manually or automatically based on the routing table for
a specific interface. Use Select Network Adapter button to add the Network
Interface Card’s information.
9. Select the adapter that connects to the internal clients i.e. LAN, Press OK. Do not
include the private ranges.
Farrukh Nasim 9
10. Select firewall client clients compatibility and click Next.
Farrukh Nasim 10
11. Services warning will appear, representing that SNMP, FTP Publishing, NNTP, IIS
Admin and WWW Publishing services will be restarted during installation and
ICF/ICS and IP NAT Service will be disabled. Press Next to proceed.
Farrukh Nasim 11
12. Press Install to start copying files and service setup.
13. It will take few minutes to complete the installation, depending upon the features
selected.
Farrukh Nasim 12
14. Let the installer complete the setup for Additional components and system
initialization.
15. Press Finish when the ISA Server installation gets complete
Farrukh Nasim 13
Installing Service Pack 3 for ISA Server 2004 Standard Edition

After installing ISA Server 2004 Standard Edition, install the latest Service pack available. By
the time I have written this configuration guide, Service Pack 3 is available.
Microsoft ISA Server 2004 Service Pack 3 can be downloaded from

http://www.microsoft.com/technet/downloads/isa/2004/servicepacks/default.mspx
Separate service packs are available for Standard and Enterprise editions. Choose according
to the installation type. Service pack 3 included many improved features such as diagnostic
logging features, integration with Best practices Analysis tool, Publishing Exchange Server
2007, Microsoft Update caching, latest fixes and much more.
1. Run the MSI file downloaded from the Microsoft website. It will bring up the
following interface. Click Next.
2. Accept the license agreement and click Update.
Farrukh Nasim 14
3. Please wait while the installer updates the ISA Server 2004.
4. On completion, click Finish. System reboot is required to update settings.
Farrukh Nasim 15
5. Click Yes to restart the system.
Farrukh Nasim 16
Creating New Access Rule to Allow Outbound Traffic

1. The default behavior of ISA Server 2004 is to BLOCK all traffic. There is a “Last
Default rule” under “ISA Server Æ Firewall Policy” head, representing denial of all
traffic from all sources to all destinations at any given time. I recommend creating
new rules instead of modifying default rule.
2. Under ISA Server name, right click Firewall Policy. Select New Æ Access Rule.
3. Give a suitable name to the rule and click Next.
Farrukh Nasim 17
4. Allow the packet transmission and click Next.
Farrukh Nasim 18
5. Choose “All outbound Traffic” and click Next. Restrictions will be covered in next
phases.
6. Select the source networks. Click Add to select internal network and localhost.
Farrukh Nasim 19
7. Add desired networks and click Close. After adding networks, click Next.
Farrukh Nasim 20
8. Now select the destination networks. Add External to allow access all over the
Internet.
Farrukh Nasim 21
9. Once External network appears in the list, click Next.
10. At the moment, click Next to accept All Users.
Farrukh Nasim 22
11. Review the settings and modify them if necessary by pressing Back button.
Otherwise press Finish.
12. Click Apply button to make the changes and respond OK to the success message.
Farrukh Nasim 23
What if ISA Server 2004 doesn’t respond to PING requests?

1. By default, ISA server will not respond to the ping messages but it will still provide
the services to its clients. For enabling ISA server to reply to Ping, Edit the system
policy by right clicking the Firewall Policy and select Edit System Policy.
2. It will bring up the system policy editor. Under Remote Management, click on
ICMP (Ping) and in “From” tab, Add “Internal” network.
Farrukh Nasim 24
3. Apply the changes and respond OK to the message box.
4. Now go to any client and PING ISA server. It will show successful results.
Farrukh Nasim 25
Cache Configuration
Creating Cache
ISA server will start caching pages, once cache is enabled and created. In previous versions
of ISA servers like 2000, cache was created during installation that could be changed at any
time.
1. In ISA Server 2004, cache can be created by going to Configuration Æ Cache

object properties and can be changed later on.
2. Select the NTFS partition, give cache size in MBs, press Set button and then OK.
Farrukh Nasim 26
3. Apply new settings, save the changes and restart the services. Respond OK to the
success message.
Farrukh Nasim 27
Configuring Microsoft Update Caching
1. ISA Server 2004 with Service Pack 2 or higher has the ability to cache the contents
from Microsoft update websites. To enable this, Right click Cache and go to New
Æ Microsoft Update Cache Rule.
2. It will bring up a wizard with default rule name that cannot be changed. Click Next.
3. Microsoft product update websites are already included in the cache rule. If you want
to add more, click Add button otherwise accept default by clicking Next.
Farrukh Nasim 28
4. Press Finish to accept the rule settings and enable ISA Server 2004 to cache update
files from Microsoft sites. Apply the changes as earlier.
Farrukh Nasim 29
Caching for Scheduled Content Download Jobs
Like earlier versions, ISA Server 2004 has the ability to schedule continent download jobs
for users. This phenomenon is known as “Pre-fetching”. ISA Server 2004 automatically
contacts the website and downloads the web pages for its clients.
1. Right click on the Cache object and select New Æ Content Download Job.
2. Provide a suitable name for the job and click Next.
Farrukh Nasim 30
3. Select the download frequency and click Next.
4. Set other parameters like start date & time and click Next.
Farrukh Nasim 31
5. Specify the download location in the form of URL path. Make changes if necessary
and click Next..
6. Accept defaults and click Next.
Farrukh Nasim 32
7. Click Finish to close the wizard the make the changes effective.
8. Now at the specified time, ISA Server will automatically contact the website and
cache the desired contents. This technique is adopted to cache the website having
highest hit ratio at a time when ISA Server is relatively free.
Farrukh Nasim 33
Deny requests to certain websites/ domains

1. Under firewall policy, go to Toolbox Æ Network objects in the task pane and click
New Æ Domain Name Set.
2. Type the name for Domain Name Set and add the domains you want to block.
Using asterisk (*) leading to the domain name means that all hosts on the specified
domain are included. Click OK when finished.
3. Now right click on your Firewall Policy and select New Æ Access rule.
Farrukh Nasim 34
4. Type a suitable name for this rule and click Next.
5. Choose the rule action to “Deny” and click Next.
Farrukh Nasim 35
6. Apply the rule to “All outbound traffic” and click Next.
Farrukh Nasim 36
7. Add the “Internal” network as source for this access rule and click Next.
8. For the destinations set, select the domain name set created earlier. In this example
“Blocked website for Quetta” is the intended domain set. As we have selected the
rule behavior to “Deny” therefore access to all these domains will be disallowed.
Farrukh Nasim 37
9. After adding the domain set, click Next.
10. Apply the rule for “All Users” set. If you have custom groups or Users, Add them
Farrukh Nasim 38
11. On clicking Next, a summary will be displayed. Read the summary to be sure that
the configuration matches your desired purpose. Press Finish.
12. Apply the changes and Press OK on confirmation dialog box.
Farrukh Nasim 39
13. Now at client side, type address of the domain you have already blocked. An error
page will be displayed mentioning the blockage of specific domain.
Farrukh Nasim 40
Blocking Messengers
There are multiple ways to block messenger traffic. One of the most common methods is to
block the specific port number on which the messenger communicates. For example MSN
messenger typically communicates on TCP port 1863. If we wish to block MSN messenger,
port 1863 should be blocked.
Smart users can change the port number and then start communicating again through
messengers. The situation becomes strange if the messenger starts using port 80. Certainly
we can’t block port 80 otherwise entire network traffic will stop to Internet.
In this case we use the HTTP Filtering features in ISA Server 2004. ISA Server has the
ability to deeply inspect the packets and then filter the traffic on the basis of its signatures. A
list of most commonly used application signatures may be found at
http://www.microsoft.com/technet/isa/2004/plan/commonapplicationsignatures.mspx
The following example illustrates how to block Yahoo Messenger. Same method may be
applied for the signatures of other messengers. (See the link in previous paragraph for other
signature definitions)
1. Under Firewall Policy, select your Access rule that allows the users’ traffic to the
Internet. Right click on that rule and click “Configure HTTP”.
Farrukh Nasim 41
2. A dialog box will appear. Go to the Signatures tab.
3. Add a new signature. Set the values as shown in the following table.
Name As you like. I have used “Block Yahoo Messenger”

Search in Request headers
HTTP Header Host
Signature msg.yahoo.com
Press OK.
Farrukh Nasim 42
4. Make sure that newly created signature is checked. Press OK.
Farrukh Nasim 43
5. Apply the changes in ISA Server Management Console and respond OK to the
successful changes message.
6. Now test for the client side. Yahoo messenger will not sign in. To see what is
actually happening to the request, go to msg.yahoo.com and see the error.
Farrukh Nasim 44
Deny Users/ Groups to access Internet

ISA Server can allow or deny access based on domain users and groups. To do this, ISA
Server should first be joined to Windows Domain. Once ISA server becomes a member
server in domain, all users and groups are visible to ISA Server and we can grant or deny
access to specified objects.
In the given example, I have illustrated how to block access of few domain users. This will
be independent of PC’s IP address.
1. In ISA Server Management console, go to Firewall Policy. Under Toolbox in the

Task pane, select Users and click New.
2. Give a meaningful name to the rule and click Next.
Farrukh Nasim 45
3. A dialog box will appear, asking what kind of new user objects do you want to
create. Click Add Æ Windows users and groups.
4. Enter the domain admin account information if asked.
5. Click Locations and select the name of your domain. Click OK.
Farrukh Nasim 46
6. Now enter the name of users or groups you want to include. Press OK.
7. The selected usernames or groups will appear in the users window along with their
Domain information. Click Next.
Farrukh Nasim 47
8. Confirm the users selection by pressing Finish.
Farrukh Nasim 48
9. Now we have to configure our Internet access rule to deny the said users. In
Firewall Policy, right click the Access rule and click Properties.
10. In Users tab, Add the previously constructed users set in Exceptions area.
Farrukh Nasim 49
11. After adding the group, the name will appear in exception area. Apply and Close
the window.
Farrukh Nasim 50
12. Apply the changes and Press OK on configuration successful message.
13. Try to access any website from the user’s login and see the message from ISA
Server.
Farrukh Nasim 51
Monitoring ISA Server 2004

ISA Server 2004 provides a rich monitoring and logging capability. It has got a built-in
session viewer and real time traffic monitor.
To access these features, go to Monitoring object in ISA Server Management Console

where monitoring options are categorized in different tabs. These include
1. Dashboard
2. Alerts
3. Sessions
4. Services
5. Reports
6. Connectivity
7. Logging
Dashboard
Dashboard is a place where aggregate information of ISA Server objects is displayed.

Basically it is a summary, showing the connectivity, services, reports, alerts and sessions
overview.
Farrukh Nasim 52
Alerts
Alerts generated by ISA Server are displayed here. We can acknowledge or reset these alerts
after taking action.
Sessions
ISA Server displays active sessions here. We can disconnect any unwanted session through
this tab. This tab does not give a very detailed view of traffic going through ISA Server and
how ISA Server treats those requests.
To have a detailed view, go to Logging tab.
Farrukh Nasim 53
Services
Services tab displays the status of services configured for ISA Server. Services like MDE,
Firewall and Job Scheduler can be stopped or started from this view.
Reports
ISA Server 2004 can generate traffic analysis report for us so that future strategies may be
designed and performance can be optimized.
1. Reports tab displays the previously generated reports and the options to create or
modify the existing reports.
2. To setup reporting on ISA Server, click “Generate a New Report”
3. This will bring up “Report Wizard”. Type a suitable name for your report and click
Next.
Farrukh Nasim 54
4. Select the contents of the report and click Next.
Farrukh Nasim 55
5. Decide the report period and click Next.
6. The reports can be published to any web server (if required).
Farrukh Nasim 56
7. SMTP messages can be sent to administrator mail box if needed.
8. Review the reporting options and press Finish to accomplish the task.
Farrukh Nasim 57
9. Modifications may be made to the existing report jobs by going to “Create and
Configure Report Jobs” option in task pane.
10. It will bring up a dialog box, displaying your existing report schedule and options to
create new ones or modify the existing.
11. Select the previously scheduled reporting job and click “Edit”. Go to the Schedule
tab and select the days to be included in reporting. Remove the mark from Off days.
Timing and other options may be modified if necessary. Click Apply when done and
press OK twice to return to ISA Server Management console.
Farrukh Nasim 58
12. Double click to view the already created report.
Farrukh Nasim 59
Logging
1. There are built-in logging filters that are rich enough to monitor the traffic in detail.
If necessary, Edit the existing filter.
2. To start the real time traffic monitor, click Start Query. It will display traffic going
through the ISA Server.
3. Columns may be added/ removed or sorted by right clicking on the column name
and clicking Add/Remove Columns.
4. A rich variety of traffic parameters are available to be included in the real time
monitor.
Farrukh Nasim 60
5. To stop the traffic monitor, click “Stop Query”
6. Clicking on any item will display the traffic details in the bottom area. This
information is very useful while troubleshooting ISA Services.
Farrukh Nasim 61

ISA 2004 Installation and Configuration

Încărcat de

Informații document

Descriere originală:

Drepturi de autor

Formate disponibile

Partajați acest document

Partajați sau inserați document

Opțiuni de partajare

Vi se pare util acest document?

Este necorespunzător acest conținut?

Drepturi de autor:

Formate disponibile

ISA 2004 Installation and Configuration

Încărcat de

Drepturi de autor:

Formate disponibile

Configuration Guide for

Microsoft ISA Server 2004 Deployment

Prepared by: Farrukh Nasim Chughtai

Introduction to Microsoft ISA Server 2004 ................................................................................1

Introduction to Microsoft ISA Server 2004

Microsoft ISA Server 2004 is available in two flavors:

System Component Minimum Requirement

Setting up Connectivity for ISA Server Deployment

¾ If the server is already setup for ICS/ ICF, it will be disabled.

¾ For internal interface, it is always recommended to use static IP instead of DHCP

¾ In case of DHCP assigned addresses by ISP, set all behaviors to automatic.

Deciding Client Types

Sr. Client Type Details

2 Secure NAT  Implemented by using ISA server’s IP address as default

3 Firewall Client  Supports all functionalities including client authentication.

ISA Server 2004 Installation

2. Press “Next” to begin installation.

3. Accept license agreement and click Next.

4. Provide customer information and Serial key. Click Next.

5. Select setup type. Most administrators like Custom installation.

6. Select the components to be installed and Click Next.

10. Select firewall client clients compatibility and click Next.

12. Press Install to start copying files and service setup.

Installing Service Pack 3 for ISA Server 2004 Standard Edition

Microsoft ISA Server 2004 Service Pack 3 can be downloaded from

2. Accept the license agreement and click Update.

4. On completion, click Finish. System reboot is required to update settings.

5. Click Yes to restart the system.

Creating New Access Rule to Allow Outbound Traffic

3. Give a suitable name to the rule and click Next.

4. Allow the packet transmission and click Next.

9. Once External network appears in the list, click Next.

10. At the moment, click Next to accept All Users.

What if ISA Server 2004 doesn’t respond to PING requests?

3. Apply the changes and respond OK to the message box.

1. In ISA Server 2004, cache can be created by going to Configuration Æ Cache

Configuring Microsoft Update Caching

Caching for Scheduled Content Download Jobs

2. Provide a suitable name for the job and click Next.

3. Select the download frequency and click Next.

6. Accept defaults and click Next.

Deny requests to certain websites/ domains

4. Type a suitable name for this rule and click Next.

5. Choose the rule action to “Deny” and click Next.

6. Apply the rule to “All outbound traffic” and click Next.

9. After adding the domain set, click Next.

12. Apply the changes and Press OK on confirmation dialog box.

2. A dialog box will appear. Go to the Signatures tab.

Name As you like. I have used “Block Yahoo Messenger”

4. Make sure that newly created signature is checked. Press OK.

Deny Users/ Groups to access Internet

1. In ISA Server Management console, go to Firewall Policy. Under Toolbox in the

2. Give a meaningful name to the rule and click Next.

4. Enter the domain admin account information if asked.

8. Confirm the users selection by pressing Finish.

12. Apply the changes and Press OK on configuration successful message.

Monitoring ISA Server 2004

To access these features, go to Monitoring object in ISA Server Management Console

Dashboard is a place where aggregate information of ISA Server objects is displayed.

To have a detailed view, go to Logging tab.

2. To setup reporting on ISA Server, click “Generate a New Report”

4. Select the contents of the report and click Next.

5. Decide the report period and click Next.

2 Secure NAT Implemented by using ISA server’s IP address as default

3 Firewall Client Supports all functionalities including client authentication.