In this ISA Server 2004 Configuration Guide document we will install the ISA Server 2004 software onto the Windows Server 2003 computer we installed and configured in Chapter 1. Installing ISA Server 2004 is straightforward as there are only a few decisions that need to be made during installation.
The most important configuration made during installation is the Internal network IP address range(s). Unlike ISA Server 2000, ISA Server 2004 does not use a Local Address Table (LAT) to define trusted and untrusted networks. Instead, the ISA Server 2004 firewall asks for the IP addresses defining a network entity known as the Internal network. The internal network contains important network servers and services such as Active Directory domain controllers, DNS, WINS, RADIUS, DHCP, firewall management stations, and others. These are services the ISA Server 2004 firewall needs to communicate with immediately after installation is complete.
Communications between the Internal network and the ISA Server 2004 firewall are controlled by the firewall’s System Policy. The System Policy is a collection of predefined Access Rules that determine the type of traffic allowed inbound and outbound to and from the firewall immediately after installation. The System Policy is configurable, which lets you tighten or loosen the default System Policy Access Rules.
In this document we will discuss the following procedures:
- Installing ISA Server 2004 on Windows Server 2003
- Reviewing the Default System Policy
Installing ISA Server 2004 on Windows Server 2003 is relatively straightforward. The major decision you make during setup is what IP addresses should be part of the Internal network. The Internal network address configuration is important because the firewall’s System Policy uses the Internal network addresses to define a set of Access Rules.
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:
- Insert the ISA Server 2004 CD-ROM into the CD drive. The autorun menu will appear.
- On the Microsoft Internet Security and Acceleration Server 2004 page, click the link for Review Release Notes and read the release notes. The release notes contain useful information about important issues and configuration options. After reading the release notes, close the release notes window and then click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you may want to print it out to read later. Close the Setup and Feature Guide window. Click the Install ISA Server 2004 link.
- Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
- Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
- On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter Product Serial Number. Click Next.
- On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.
- On the Custom Setup page you can choose which components to install. By default, the Firewall Services and ISA Server Management options are installed. The Message Screener, which is used to help prevent spam and file attachments from entering and leaving the network, is not installed by default; neither is the Firewall Client Installation Share. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. Use the default settings and click Next.
- On the Internal Network page, click the Add button. The Internal network is different from the LAT, which was used in ISA Server 2000. In the case of ISA Server 2004, the Internal network contains trusted network services the ISA Server 2004 firewall must be able to communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services client management workstations, and others. The firewall System Policy automatically uses the Internal network. We will look at the System Policy later in this document.
- In the Internal Network setup page, click the Select Network Adapter button.
- In the Select Network Adapter dialog box, remove the check mark from the Add the following private ranges… check box. Leave the check mark in the Add address ranges based on the Windows Routing Table check box. Put a check mark in the check box next to the adapter connected to the Internal network. The reason why we remove the check mark from the add private address ranges check box is that you may want to use these private address ranges for perimeter networks. Click OK.
- Click OK in the Setup Message dialog box informing you that the Internal network was defined, based on the Windows routing table.
- Click OK on the Internal network address ranges dialog box.
- Click Next on the Internal Network page.
- On the Firewall Client Connection Settings page, place checkmarks in the Allow non-encrypted Firewall client connections and Allow Firewall clients running earlier versions of the Firewall client software to connect to ISA Server check boxes. These settings will allow you to connect to the ISA Server 2004 firewall using downlevel operating systems and from Windows 2000/Windows XP/Windows Server 2003 operating systems running the ISA Server 2000 version of the Firewall client. Click Next.
- On the Services page, click Next.
- Click Install on the Ready to Install the Program page.
- On the Installation Wizard Completed page, click Finish.
- Click Yes in the Microsoft ISA Server dialog box informing you that the machine must be restarted.
- Log on as Administrator after the machine restarts.
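The Select Network Adapter dialog offers two sources for the Internal network address ranges: the Windows routing table entries for the adapter you tick, and the three private ranges. The following is an added example, not Microsoft's setup code, that models that choice so you can see why the private ranges are left unchecked. The routing table is a constructed `route print` style snapshot, and the filtering (skipping the default route, multicast and host/broadcast entries) is an assumption about how setup treats those entries, kept deliberately simple.

```python
"""Model of how setup derives the Internal network address ranges from the
Windows routing table (added example; routing table and filtering rules are
constructed assumptions, not Microsoft's setup logic)."""
import ipaddress

# Constructed routing table: (destination, netmask, gateway, interface address)
ROUTING_TABLE = [
    ("0.0.0.0",         "0.0.0.0",         "192.168.1.1",  "192.168.1.70"),  # default route on the external NIC
    ("10.0.0.0",        "255.255.255.0",   "10.0.0.1",     "10.0.0.1"),      # subnet directly on the internal NIC
    ("10.0.0.1",        "255.255.255.255", "127.0.0.1",    "127.0.0.1"),     # host route for the internal NIC
    ("10.0.1.0",        "255.255.255.0",   "10.0.0.254",   "10.0.0.1"),      # subnet behind an internal router
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",    "127.0.0.1"),     # loopback
    ("192.168.1.0",     "255.255.255.0",   "192.168.1.70", "192.168.1.70"),  # subnet on the external NIC
    ("224.0.0.0",       "240.0.0.0",       "10.0.0.1",     "10.0.0.1"),      # multicast
    ("255.255.255.255", "255.255.255.255", "10.0.0.1",     "10.0.0.1"),      # limited broadcast
]

# What the 'Add the following private ranges' check box would add
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ranges_for_adapter(routes, adapter_ip, add_private_ranges=False):
    """Networks the model places in the Internal network for the chosen adapter."""
    nets = set()
    for dest, mask, _gateway, iface in routes:
        if iface != adapter_ip:
            continue                      # route belongs to another adapter
        net = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        # Assumption: the default route, multicast and /32 host/broadcast entries
        # are not treated as address ranges of the Internal network.
        if net.prefixlen in (0, 32) or net.is_multicast:
            continue
        nets.add(net)
    if add_private_ranges:
        nets.update(PRIVATE_RANGES)
    return sorted(nets)


def as_address_ranges(nets):
    """Render networks the way the Internal network address ranges dialog lists them."""
    return [f"{n[0]}-{n[-1]}" for n in nets]


def overlapping(nets, other_network):
    """Entries of nets that overlap another network given as a string (a planned perimeter network)."""
    other = ipaddress.ip_network(other_network)
    return [n for n in nets if n.overlaps(other)]


if __name__ == "__main__":
    internal = ranges_for_adapter(ROUTING_TABLE, "10.0.0.1")
    print("Routing table only:  ", as_address_ranges(internal))
    with_private = ranges_for_adapter(ROUTING_TABLE, "10.0.0.1", add_private_ranges=True)
    print("With private ranges: ", as_address_ranges(with_private))
    # Constructed perimeter (DMZ) network an administrator plans to define later
    print("Perimeter overlap:   ", overlapping(with_private, "172.16.1.0/24"))
```

With only the routing table, the Internal network is the two subnets reachable through the internal adapter; with the private ranges added, the whole of 172.16.0.0/12 lands in the Internal network and any perimeter network carved from it would overlap, which is the situation the guide avoids by clearing that check box.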
By default, ISA Server 2004 does not allow outbound access to the Internet from any protected network, and it does not allow Internet hosts access to the firewall or to any networks protected by the firewall. However, a default firewall System Policy is installed that allows network management tasks to be completed.
Note: A protected network is any network defined by the ISA Server 2004 firewall that is not part of the default External network.
Perform the following steps to see the default firewall System Policy:
- Click Start and point to All Programs. Point to Microsoft ISA Server and click ISA Server Management.
- In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server node in the scope pane (left pane) and click the Firewall Policy node. Right-click the Firewall Policy node, point to View and click Show System Policy Rules.
- Click the Show/Hide Console Tree button and then click the Open/Close Task Pane arrow (the little blue arrow on the left edge of the task pane on the right side of the console). Notice that the ISA Server 2004 Access Policy represents an ordered list. Policies are processed from top to bottom, which is a significant departure from how ISA Server 2000 processed Access Policy. The System Policy represents a default list of rules controlling access to and from the ISA Server 2004 firewall by default. Note that the System Policy Rules are ordered above any custom Access Policies you will create, and therefore are processed before them. Scroll down the list of System Policy Rules. Notice that the rules are defined by:
  - Action (Allow or Deny)
  - From (source network or host)
  - To (destination network or host)
  - Condition (who or what the rule applies to)
You may want to widen the Name column to get a quick view of the rule descriptions. Notice that not all the rules are enabled. Disabled System Policy Rules have a tiny down-pointing red arrow in their lower right corner. Many of the disabled System Policy Rules will become automatically enabled when you make configuration changes to the ISA Server 2004 firewall, such as when you enable VPN access.
Notice that one of the System Policy Rules allows the firewall to perform DNS queries to DNS servers on all networks.
- You can change the settings on a System Policy Rule by double-clicking the rule.
- Review the System Policy Rules and then hide the rules by clicking the Show/Hide System Policy Rules button in the console’s button bar. This is the pressed (pushed in) button seen in the following figure.
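The point that matters for later rule design is the ordering: rules are an ordered list, System Policy sits above anything you create, the first match decides, and a disabled rule is skipped until something enables it. The following is an added example, not ISA Server code, that models that evaluation. The three System Policy entries are taken from Table 1; the two Access Rules and the requests are constructed, and the model simplifies ISA's network semantics by treating both Anywhere and All Networks as matching any network.

```python
"""Minimal model of ISA Server 2004's ordered, first-match rule evaluation
(added example; System Policy rows from Table 1, Access Rules constructed)."""
from dataclasses import dataclass, replace

ANY_NETWORK = frozenset({"Anywhere", "All Networks"})   # entries treated as matching every network


@dataclass(frozen=True)
class Rule:
    order: int
    name: str
    action: str                   # "Allow" or "Deny"
    protocols: frozenset          # empty set means all outbound traffic
    sources: frozenset            # From: network names
    destinations: frozenset       # To: network names
    condition: str = "All Users"  # who or what the rule applies to
    enabled: bool = True
    system_policy: bool = False


def _network_matches(rule_networks, network):
    return network in rule_networks or bool(rule_networks & ANY_NETWORK)


def matches(rule, src, dst, protocol, user):
    """A disabled rule never matches; otherwise protocol, From, To and condition must all fit."""
    return (rule.enabled
            and (not rule.protocols or protocol in rule.protocols)
            and _network_matches(rule.sources, src)
            and _network_matches(rule.destinations, dst)
            and rule.condition in ("All Users", user))


def ordered_policy(system_rules, access_rules):
    """System Policy rules come first, then custom Access Rules, each group in its own order."""
    return (sorted(system_rules, key=lambda r: r.order)
            + sorted(access_rules, key=lambda r: r.order))


def evaluate(policy, src, dst, protocol, user=None):
    """First match wins; a request no rule matches falls through to the deny-all Default rule."""
    for rule in policy:
        if matches(rule, src, dst, protocol, user):
            return rule.action, rule.name
    return "Deny", "Default rule"


def enable_rule(policy, name):
    """Return a copy of the policy with the named rule enabled (what enabling VPN access does to rule 12)."""
    return [replace(r, enabled=True) if r.name == name else r for r in policy]


# System Policy rules 7, 12 and 29 from Table 1 (12 is disabled until VPN is enabled)
SYSTEM_POLICY = [
    Rule(7, "Allow DNS from ISA Server to selected servers", "Allow",
         frozenset({"DNS"}), frozenset({"Local Host"}), frozenset({"All Networks"}), system_policy=True),
    Rule(12, "Allow VPN client traffic to ISA Server", "Allow",
         frozenset({"PPTP"}), frozenset({"External"}), frozenset({"Local Host"}),
         enabled=False, system_policy=True),
    Rule(29, "Allow HTTP from ISA Server to selected computers for Content Download Jobs", "Allow",
         frozenset({"HTTP"}), frozenset({"Local Host"}), frozenset({"All Networks"}),
         condition="System and Network Service", system_policy=True),
]

# Constructed Access Rules an administrator might create after installation
ACCESS_RULES = [
    Rule(1, "Block DNS to the Internet", "Deny",
         frozenset({"DNS"}), frozenset({"Internal"}), frozenset({"External"})),
    Rule(2, "Allow web access", "Allow",
         frozenset({"HTTP", "HTTPS"}), frozenset({"Internal"}), frozenset({"External"})),
]

POLICY = ordered_policy(SYSTEM_POLICY, ACCESS_RULES)

if __name__ == "__main__":
    for req in [("Local Host", "External", "DNS"),
                ("Internal", "External", "DNS"),
                ("External", "Local Host", "PPTP")]:
        print(req, "->", evaluate(POLICY, *req))
    vpn_on = enable_rule(POLICY, "Allow VPN client traffic to ISA Server")
    print("PPTP after enabling VPN ->", evaluate(vpn_on, "External", "Local Host", "PPTP"))
```

The custom deny on DNS blocks Internal clients but not the firewall's own lookups, because System Policy rule 7 is consulted first; PPTP from External is denied by the Default rule until rule 12 is enabled; and rule 29 only fires for the System and Network Service condition, so an ordinary request from Local Host over HTTP falls through to the Default rule.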
The following table includes a complete list of the default, built-in System Policy:
Table 1: System Policy Rules
| Order | Name | Action | Protocols | From | To | Condition |
|---|---|---|---|---|---|---|
| 1 | Allow access to directory services for authentication purposes | Allow | LDAP, LDAP (GC) | Local Host | Internal | All Users |
| 2 | Allow Remote Management using MMC | Allow | Microsoft Firewall Control, RPC (all interfaces), NetBIOS Name Service | Remote Management Computers | Local Host | All Users |
| 3 | Allow Remote Management using Terminal Server | Allow | RDP (Terminal Services) | Remote Management Computers | Local Host | All Users |
| 4 | Allow remote logging to trusted servers using NetBIOS | Allow | NetBIOS Datagram, NetBIOS Name Service | Local Host | Internal | All Users |
| 5 | Allow RADIUS authentication from ISA Server to trusted RADIUS servers | Allow | RADIUS, RADIUS Accounting | Local Host | Internal | All Users |
| 6 | Allow Kerberos authentication from ISA Server to trusted servers | Allow | Kerberos-Sec (TCP), Kerberos-Sec (UDP) | Local Host | Internal | All Users |
| 7 | Allow DNS from ISA Server to selected servers | Allow | DNS | Local Host | All Networks | All Users |
| 8 | Allow DHCP requests from ISA Server to all networks | Allow | DHCP (request) | Local Host | Anywhere | All Users |
| 9 | Allow DHCP replies from DHCP servers to ISA Server | Allow | DHCP (reply) | Anywhere | Local Host | All Users |
| 10 | Allow ICMP (PING) requests from selected computers to ISA Server | Allow | Ping | Remote Management Computers | Local Host | All Users |
| 11 | Allow ICMP requests from ISA Server to selected servers | Allow | ICMP Information Request, ICMP Timestamp | Local Host | All Networks | All Users |
| 12 (1) | Allow VPN client traffic to ISA Server | Allow | PPTP | External | Local Host | All Users |
| 13 (2) | Allow VPN site-to-site to ISA Server | Allow | | External, IPSec Remote Gateways | Local Host | All Users |
| 14 (2) | Allow VPN site-to-site from ISA Server | Allow | | Local Host | External, IPSec Remote Gateways | All Users |
| 15 | Allow Microsoft CIFS protocol from ISA Server to trusted servers | Allow | Microsoft CIFS (TCP), Microsoft CIFS (UDP) | Local Host | Internal | All Users |
| 16 (7) | Allow Remote logging using Microsoft SQL protocol from firewall to trusted servers | Allow | Microsoft SQL (TCP), Microsoft SQL (UDP) | Local Host | Internal | All Users |
| 17 | Allow HTTP/HTTPS requests from ISA Server to specified sites | Allow | HTTP, HTTPS | Local Host | System Policy Allowed Sites | All Users |
| 18 (3) | Allow HTTP/HTTPS requests from ISA Server to selected servers for HTTP connectivity verifiers | Allow | HTTP, HTTPS | Local Host | All Networks | All Users |
| 19 (8) | Allow access from trusted computers to the Firewall Client installation share on ISA Server | Allow | Microsoft CIFS (TCP), Microsoft CIFS (UDP), NetBIOS Name Service | Internal | Local Host | All Users |
| 20 (9) | Allow remote performance monitoring of ISA Server from trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service | Remote Management Computers | Local Host | All Users |
| 21 | Allow NetBIOS from ISA Server to trusted servers | Allow | NetBIOS Datagram, NetBIOS Name Service | Local Host | Internal | All Users |
| 22 | Allow RPC from ISA Server to trusted servers | Allow | RPC (all interfaces) | Local Host | Internal | All Users |
| 23 | Allow HTTP/HTTPS from ISA Server to specified Microsoft Error Reporting sites | Allow | HTTP, HTTPS | Local Host | Microsoft Error Reporting sites | All Users |
| 24 (4) | Allow SecurID protocol from ISA Server to trusted servers | Allow | SecurID | Local Host | Internal | All Users |
| 25 (5) | Allow remote monitoring from ISA Server to trusted servers, using Microsoft Operations Manager (MOM) Agent | Allow | Microsoft Operations Manager Agent | Local Host | Internal | All Users |
| 26 (6) | Allow HTTP from ISA Server to all networks for CRL downloads | Allow | HTTP | Local Host | All Networks | All Users |
| 27 | Allow NTP from ISA Server to trusted NTP servers | Allow | NTP (UDP) | Local Host | Internal | All Users |
| 28 | Allow SMTP from ISA Server to trusted servers | Allow | SMTP | Local Host | Internal | All Users |
| 29 | Allow HTTP from ISA Server to selected computers for Content Download Jobs | Allow | HTTP | Local Host | All Networks | System and Network Service |

Notes on the numbered rules:
- (1) This policy is disabled until the VPN Server component is activated.
- (2) These two policies are disabled until a site-to-site VPN connection is configured.
- (3) This policy is disabled until a connectivity verifier that uses HTTP/HTTPS is configured.
- (4) This policy is disabled until the SecurID filter is enabled.
- (5) This policy must be manually enabled.
- (6) This policy is disabled by default.
- (7) This policy is disabled by default.
- (8) This policy is automatically enabled when the Firewall Client share is installed.
- (9) This policy is disabled by default.
At this point, the ISA Server 2004 firewall is ready to be configured to allow inbound and outbound access through the firewall. However, before you start creating Access Policies, you should back up the default configuration. This allows you to restore the ISA Server 2004 firewall to its post-installation state. This is useful for future troubleshooting and testing.
Perform the following steps to back up the post installation configuration:
- Open the Microsoft Internet Security and Acceleration Server 2004 management console and right-click the server name in the left pane of the console. Click the Back Up command.
- In the Backup Configuration dialog box, enter a name for the backup file in the File name text box. Be sure to note where you are saving the file by checking the entry in the Save in drop-down list. In this example we will call the backup file backup1. Click the Backup button.
- In the Set Password dialog box, enter a password and confirm the password in the Password and Confirm password text boxes. The information in the backup file is encrypted because it can potentially contain passwords and other confidential information that you do not want others to access. Click OK.
- Click OK in the Exporting dialog box when you see the message The configuration was successfully backed up.
Make sure to copy the backup file to another location on the network after the backup is complete. The backup file should be stored offline on media that supports NTFS formatting so that you can encrypt the file.
In this ISA Server 2004 Configuration Guide document we discussed the procedures required to install the ISA Server 2004 software on a Windows Server 2003 computer. We also examined the firewall System Policy that is created during installation. Finally, we finished up with step by step procedures required to back up the post-installation firewall configuration. In the next document in this ISA Server 2004 Configuration Guide series, we will enable the VPN remote access server.