ISA Server 2006: Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration
ISA Server 2006 is the next version of the ISA firewall product line. In the past we've
focused on the ISA firewall's firewall components and how you can deploy the ISA
firewall in a number of firewall roles, such as edge firewall, back-end firewall,
services segment firewall, and wireless LAN firewall. We've been promoting the ISA
firewall deployment concept for almost six years, and we'll continue to do that.
However, we'll change our approach a little bit now with the release of ISA Server
2006. The reason for this is that the new ISA firewall, ISA Server 2006, has new
features and improvements that are primarily focused on the Web proxy filter
components that support Web Publishing Rules. These components include:
Improved OWA, OMA, ActiveSync and RPC/HTTP publishing support
Improved SharePoint Portal Server support
Improved Windows SharePoint Services support
Support for publishing Web farms
Support for binding multiple certificates to a single Web listener
Support for wildcard certificates bound to the published Web server
Support for multiple new authentication delegation scenarios
Support for LDAP authentication for Web Publishing Rules
And many more!
I won't go through an entire review of what's new and improved in the new ISA
firewall product at this time. I'll prepare another article on that topic for you and
publish here on ISAserver.org in the near future. At this point I just want to make it
clear that the major thrust of the new ISA firewall product is on secure Web
Publishing scenarios.
Apologia for Unihomed ISA Firewall Deployments
One advantage of the Web Publishing scenario is that you can place the ISA firewall
just about anywhere on the network. And one of the most popular deployment
scenarios in a Web publishing only scenario is placement of a unihomed ISA firewall
in Web proxy only mode in an existing firewall's DMZ segment. The existing firewall
can be a multihomed ISA firewall, or it can be any other kind of network firewall.
I've already gone into the details of how to configure a unihomed ISA firewall in a
DMZ segment over at!we"pro!y.html so
I won't repeat that effort here. What I will do in this article is demonstrate how to
install ISA Server 2006 on a single NIC server on the corporate network. In an article
that follows this one, I'll describe how to install ISA Server 2006 Enterprise Edition
on an array of single NIC servers.
This article also represents a major departure from how I usually configure the ISA
firewall in another way: the unihomed ISA firewall won't be a member of an Active
Directory domain. While domain membership significantly enhances the overall
security the ISA firewall can provide when deployed in full firewall mode, this isn't
necessarily true when the ISA firewall is installed as a unihomed Web proxy server
dedicated to Web publishing. This is especially the case with ISA Server 2006, given
that we now have integrated support for LDAP authentication.
Procedure for Installing ISA Server 2006 Enterprise Edition on a Unihomed Computer
Before you get started installing ISA Server 2006 Enterprise Edition on a new
computer, make sure you have done the following:
Install Windows Server 2003, then install Windows Server 2003 SP1 and all current updates
Do not join the unihomed computer to the domain
Configure a static IP address on the network interface
Configure a DNS server address on the network interface that enables the unihomed ISA firewall to resolve its own name and the names of the published servers. You should configure the device to use a domain name suffix that matches your Active Directory domain so that the machine can resolve its own
If you are not allowing dynamic DNS registrations on your internal DNS servers, manually enter a Host (A) record for the unihomed ISA firewall device into your DNS
Configure the unihomed ISA firewall's network interface with a gateway address that allows it to reach both the Internet and the published servers
Obtain the ISA Server 2006 Enterprise Edition beta trial software at"eta.msp!
Once you've performed those actions, you'll be ready to install ISA Server 2006
Enterprise Edition on your unihomed computer.
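A read-only check of the checklist above, added here as an example and not part of the original article. It assumes Windows PowerShell 2.0 or later is installed on the server; corp.example.com is a placeholder for your Active Directory DNS domain name.

```powershell
# Added example, not from the original article: read-only check of the
# pre-install checklist. 'corp.example.com' is a placeholder; pass your own
# Active Directory DNS domain name with -AdDnsSuffix.
param([string]$AdDnsSuffix = 'corp.example.com')

function New-Check([string]$Name, [bool]$Passed, [string]$Detail) {
    New-Object PSObject -Property @{ Check = $Name; Passed = $Passed; Detail = $Detail }
}

$cs   = Get-WmiObject Win32_ComputerSystem
$os   = Get-WmiObject Win32_OperatingSystem
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
$nic  = $nics[0]   # the single interface of a unihomed machine
# The primary DNS suffix of a workgroup machine is stored under this key.
$tcp  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$checks = @()
$checks += New-Check 'Service Pack 1 or later' ($os.ServicePackMajorVersion -ge 1) $os.CSDVersion
$checks += New-Check 'Not joined to a domain' (-not $cs.PartOfDomain) $cs.Domain
$checks += New-Check 'Exactly one IP-enabled adapter' ($nics.Count -eq 1) "$($nics.Count) found"
$checks += New-Check 'Static IP address (DHCP off)' ($nic -and -not $nic.DHCPEnabled) "$($nic.IPAddress)"
$checks += New-Check 'DNS server configured' ([bool]$nic.DNSServerSearchOrder) "$($nic.DNSServerSearchOrder)"
$checks += New-Check 'Default gateway configured' ([bool]$nic.DefaultIPGateway) "$($nic.DefaultIPGateway)"

# The suffix may be set as the primary suffix or on the connection itself.
$suffixes = @($tcp.Domain, $nic.DNSDomain) | Where-Object { $_ }
$checks += New-Check 'DNS suffix matches AD domain' ($suffixes -contains $AdDnsSuffix) "$suffixes"

# The local resolver can answer for the machine's own name without asking DNS,
# so also confirm the Host (A) record on the DNS server itself.
$fqdn = "$($cs.Name).$AdDnsSuffix"
try   { $resolved = @([System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }) }
catch { $resolved = @() }
$match = @($resolved | Where-Object { $nic.IPAddress -contains $_ })
$checks += New-Check "Own name $fqdn resolves to adapter address" ($match.Count -gt 0) "$resolved"

$checks | Format-Table Check, Passed, Detail -AutoSize
if ($checks | Where-Object { -not $_.Passed }) { exit 1 }
```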
Perform the following steps to install ISA Server 2006 Enterprise Edition:
1. Copy the installation files for ISA Server 2006 Enterprise Edition to the
unihomed ISA firewall device. Then double click on the isaautorun.exe to
bring up the installation dialog box.
2. In the Microsoft ISA Server 2006 beta installation dialog box, click the
Install ISA Server 2006 link.
3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA
Server 2006 Beta page.
4. On the License Agreement page, select the I accept the terms in the license
agreement option and click Next.
5. On the Customer Information page, enter your User Name, Organization
and Product Serial Number and click Next.
6. On the Setup Scenarios page, select the Install both ISA Server services
and Configuration Storage server option. Note that this option implies that
you can install both ISA Server firewall services and the CSS at the same time,
and then later install additional array members once you have this installed.
This is not true. Use this option only if you plan to deploy a single member
ISA Server 2006 Enterprise Edition array. If you plan to add additional array
members later, then do not select this option. Since this article is focused on
installing a single ISA Server 2006 Enterprise Edition unihomed device as a
single member array, we will use this option. Click Next.
Figure 1
7. On the Component Selection page, accept the default settings. Note that you
don't have the option to install the Firewall client. I'm not sure where or how
we'll end up doing this in the future, as it's also not an option on the initial
setup page. This will likely be worked out by the time the product releases.
Note that Advanced Logging is MSDE logging. If you prefer to use SQL
logging or text based logging, then do not select this option. Click Next.
Figure 2
8. On the Enterprise Installation Options page, select the Create a new ISA
Server enterprise option. Since this will be the only machine in the array, we
need to create a new ISA enterprise. Note that the Create a replica of
the enterprise configuration option is not available to workgroup
configurations. This is something to keep in mind in the future if you want to
have a backup CSS for your enterprise array. However, it's not an issue for us,
since this is a single machine array. Click Next.
Figure 3
9. Click Next on the New Enterprise Warning page.
10. On the Internal Network page, click the Add button.
11. In the Addresses dialog box, click the Add Adapter button. In the Select
Network Adapters dialog box, put a checkmark in the checkbox next to the
single interface installed on the computer. Note that in a typical firewall
installation, this NIC would be used to define the default Internal network. In a
unihomed ISA firewall Web proxy configuration, this is not the case, since all
addresses are considered internal. Click OK.
Figure 5
12. In the Addresses dialog box, click OK. Note that the addresses listed in this
dialog box will have no meaning in the unihomed ISA firewall configuration
scheme. In a normal ISA firewall setup with multiple interfaces, these
addresses would define the default Internal ISA firewall Network. However, as
I mentioned in the last step, with a unihomed ISA firewall in Web proxy mode,
all addresses are considered part of the default Internal ISA firewall Network.
Figure 6
13. Click Next on the Internal Network page. Note again that the IP addresses
listed here do not represent the default Internal Network on a unihomed ISA
firewall as we'll see later when we apply the single NIC ISA firewall template.
Figure 7
14. On the Firewall Client Connections page, click Next. We don't have to
worry about Firewall client connections because both Firewall and SecureNAT
clients are not supported on a unihomed ISA firewall in Web proxy
configuration. Only Web proxy clients are supported.
15. Click Next on the Services Warning page.
16. Click Install to begin the installation.
17. On the Installation Wizard Completed page, put a checkmark in the Invoke
ISA Server Management when the wizard closes checkbox and click
18. Close the Internet Explorer window entitled Protect the ISA Server
Post Installation Review
The first thing you'll notice when the console opens is a link entitled Click here to
learn about the Customer Experience Improvement Program. Click that link.
Figure 8
This brings up the Customer Feedback dialog box. I highly recommend that you
participate in the Customer Experience Improvement Program. No personal data is
sent to Microsoft and the result of your participation is to make the ISA firewall
product more flexible and provide even higher levels of security to your network.
Select the Yes option to participate in the program.
Figure 9
After you select an option and click OK, the link disappears from the middle pane of
the console.
Expand all the nodes in the left pane of the ISA firewall console. Then perform the
following steps to see the definition of the default Internal ISA firewall Network:
1. In the left pane of the ISA firewall console, click the Networks node under the
Configuration node.
Figure 10
2. In the Networks node, click the Networks tab in the middle pane of the ISA
firewall console. Double click on the Internal entry.
3. In the Internal Properties dialog box, click the Addresses tab. Here you see
the addresses that define the default Internal ISA firewall Network at this time.
However, this will change when we configure this ISA firewall to act as a Web
proxy only unihomed ISA firewall. Click Cancel to leave this dialog box.
Figure 11
What we need to do now is apply the unihomed ISA firewall template to configure
this machine as a unihomed Web proxy only ISA firewall. Perform the following steps
to apply the template:
1. In the Task Pane, click the Templates tab. Scroll down the list of templates
and click the Single Network Adapter template.
Figure 12
2. Click Next on the Welcome to the Network Template Wizard page.
3. Click Next on the Export the ISA Server Configuration page. Note that you
have the option to export the current configuration, but we'll not use that
option because we haven't made any configuration changes from the default
Figure 13
4. On the Internal Network IP Addresses page, you'll see the addresses that
will be configured to define the default ISA firewall Internal Network. Notice
that all IP addresses except the local host network range are considered part of
the default Internal network. For this reason, SecureNAT and Firewall clients
are not supported in a unihomed Web proxy mode ISA firewall configuration.
You do not need to make any changes on this page. Click Next.
Figure 14
5. On the Select a Firewall Policy page, you are offered a single firewall policy
to select from. Click on the Apply default Web proxying and caching
configuration option. This will apply the default Deny rule to the firewall
policy for the array. No Network Rules are created because the Web proxy
always substitutes its own IP address for the IP address of the Web proxy client
connecting to the Internet through the unihomed Web proxy mode ISA
firewall. Click Next.
Figure 15
6. On the Completing the Network Template Wizard page, click Finish.
7. Click Apply to save the changes and update the firewall policy.
8. Click OK in the Apply New Configuration dialog box.
At this point you're ready to start configuring firewall policy and customizing the
In this article we went over the concepts involved with deploying and installing a
unihomed Web proxy mode ISA firewall. We then went over the step by step details
of installing a unihomed Web proxy mode ISA firewall. At the end of the process the
ISA firewall was ready for configuration and customization. I'll follow up on this
article with one on what I consider to be key post configuration tasks that you should
perform before configuring ISA firewall policy.
