ISA Server 2006: Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration

[18 April 2006]

ISA Server 2006 is the next version of the ISA firewall product line. In the past we've focused on the ISA firewall's firewall components and how you can deploy the ISA firewall in a number of firewall roles, such as edge firewall, back-end firewall, services segment firewall, and wireless LAN firewall. We've been promoting the ISA firewall deployment concept for almost six years, and we'll continue to do that.

However, we'll change our approach a little bit now with the release of ISA Server 2006. The reason for this is that the new ISA firewall, ISA Server 2006, has new features and improvements that are primarily focused on the Web proxy filter components that support Web Publishing Rules. These components include:

  • Improved OWA, OMA, ActiveSync and RPC/HTTP publishing support
  • Improved SharePoint Portal Server support
  • Improved Windows SharePoint Services support
  • Support for publishing Web farms
  • Support for binding multiple certificates to a single Web listener
  • Support for wildcard certificates bound to the published Web server
  • Support for multiple new authentication delegation scenarios
  • Support for LDAP authentication for Web Publishing Rules
  • And many more!

I won't go through an entire review of what's new and improved in the new ISA firewall product at this time. I'll prepare another article on that topic for you and publish it here on ISAserver.org in the near future. At this point I just want to make it clear that the major thrust of the new ISA firewall product is on secure Web Publishing scenarios.

Apologia for Unihomed ISA Firewall Deployments

One advantage of the Web Publishing scenario is that you can place the ISA firewall just about anywhere on the network. One of the most popular deployments in a Web publishing only scenario is placement of a unihomed ISA firewall in Web proxy only mode in an existing firewall's DMZ segment. The existing firewall can be a multihomed ISA firewall, or it can be any other kind of network firewall.

I've already gone into the details of how to configure a unihomed ISA firewall in a DMZ segment over at http://www.isaserver.org/articles/2004pixwebproxy.html so I won't repeat that effort here. What I will do in this article is demonstrate how to install ISA Server 2006 on a single NIC server on the corporate network. In an article that follows this one, I'll describe how to install ISA Server 2006 Enterprise Edition on an array of single NIC servers.

This article also represents a major departure from how I usually configure the ISA firewall in another way: the unihomed ISA firewall won't be a member of an Active Directory domain. While domain membership significantly enhances the overall security the ISA firewall can provide when deployed in full firewall mode, this isn't necessarily true when the ISA firewall is installed as a unihomed Web proxy server dedicated to Web publishing. This is especially the case with ISA Server 2006, given that we now have integrated support for LDAP authentication.

Procedure for Installing ISA Server 2006 Enterprise Edition on a Unihomed Computer

Before you get started installing ISA Server 2006 Enterprise Edition on a new computer, make sure you have done the following:

  • Install Windows Server 2003, then Windows Server 2003 SP1 and all current updates
  • Do not join the unihomed computer to the domain
  • Configure a static IP address on the network interface
  • Configure a DNS server address on the network interface that enables the unihomed ISA firewall to resolve its own name and the names of the published servers. You should configure the device to use a domain name suffix that matches your Active Directory domain so that the machine can resolve its own name.
  • If you are not allowing dynamic DNS registrations on your internal DNS servers, manually enter a Host (A) record for the unihomed ISA firewall device into your DNS
  • Configure the unihomed ISA firewall's network interface with a gateway address that allows it to reach both the Internet and the published servers
  • Obtain the ISA Server 2006 Enterprise Edition beta trial software at http://www.microsoft.com/isaserver/2006/beta.mspx

Once you've performed those actions, you'll be ready to install ISA Server 2006 Enterprise Edition on your unihomed computer.
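The network-related prerequisites above can be checked from a saved `ipconfig /all` capture before setup is run. The script below is an added example, not part of the original article or of any Microsoft tooling; the sample capture is constructed, the function names are hypothetical, and it assumes the field labels printed by Windows Server 2003 and that the "domain name suffix" is set as the primary DNS suffix. Workgroup membership and the Host (A) record are not visible in `ipconfig` output and are not checked.

```python
import re

# Constructed `ipconfig /all` capture; host name, suffix and addresses are made up.
SAMPLE = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : ISA2006EE
   Primary Dns Suffix  . . . . . . . : corp.example

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   DHCP Enabled. . . . . . . . . . . : No
   IP Address. . . . . . . . . . . . : 10.0.0.10
   Default Gateway . . . . . . . . . : 10.0.0.1
   DNS Servers . . . . . . . . . . . : 10.0.0.2
"""

# "Label . . . . : value" lines; the dot leader is not part of the label.
FIELD = re.compile(r"^\s+(.+?)[ .]*:\s*(.*)$")

def parse_ipconfig(text):
    """Split the capture into global settings and per-adapter settings."""
    glob, adapters = {}, {}
    current = glob
    for line in text.splitlines():
        if line and not line[0].isspace():
            if line.rstrip().endswith(":"):      # "Ethernet adapter NAME:" header
                current = adapters.setdefault(line.rstrip()[:-1], {})
            continue
        m = FIELD.match(line)
        if m:
            current[m.group(1)] = m.group(2).strip()
    return glob, adapters

def check_prereqs(text, ad_suffix):
    """Return a list of unmet prerequisites (empty list means all checks passed)."""
    glob, adapters = parse_ipconfig(text)
    problems = []
    if len(adapters) != 1:                        # unihomed: exactly one NIC
        problems.append("expected one network adapter, found %d" % len(adapters))
    if glob.get("Primary Dns Suffix", "").lower() != ad_suffix.lower():
        problems.append("primary DNS suffix does not match " + ad_suffix)
    for name, nic in adapters.items():
        if nic.get("DHCP Enabled") != "No":
            problems.append(name + ": address is not static")
        for key in ("IP Address", "Default Gateway", "DNS Servers"):
            if not nic.get(key):
                problems.append(name + ": no " + key)
    return problems
```

Call `check_prereqs(open("ipconfig.txt").read(), "your.ad.domain")` on a real capture; an empty list means the addressing prerequisites are met.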

Perform the following steps to install ISA Server 2006 Enterprise Edition:

  1. Copy the installation files for ISA Server 2006 Enterprise Edition to the unihomed ISA firewall device. Then double-click isaautorun.exe to bring up the installation dialog box.
  2. In the Microsoft ISA Server 2006 beta installation dialog box, click the Install ISA Server 2006 link.
  3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2006 Beta page.
  4. On the License Agreement page, select the I accept the terms in the license agreement option and click Next.
  5. On the Customer Information page, enter your User Name, Organization and Product Serial Number and click Next.
  6. On the Setup Scenarios page, select the Install both ISA Server services and Configuration Storage server option. Note that this option implies that you can install both ISA Server firewall services and the CSS at the same time, and then later install additional array members once you have this installed. This is not true. Use this option only if you plan to deploy a single member ISA Server 2006 Enterprise Edition array. If you plan to add additional array members later, then do not select this option. Since this article is focused on installing a single ISA Server 2006 Enterprise Edition unihomed device as a single member array, we will use this option. Click Next.
    Figure 1
  7. On the Component Selection page, accept the default settings. Note that you don't have the option to install the Firewall client. I'm not sure where or how we'll end up doing this in the future, as it's also not an option on the initial setup page. This will likely be worked out by the time the product releases. Note that Advanced Logging is MSDE logging. If you prefer to use SQL logging or text based logging, then do not select this option. Click Next.
    Figure 2
  8. On the Enterprise Installation Options page, select the Create a new ISA Server enterprise option. Since this will be the only machine in the array, we need to create a new ISA enterprise. Note that the Create a replica of the enterprise configuration option is not available to workgroup configurations. This is something to keep in mind in the future if you want to have a backup CSS for your enterprise array. However, it's not an issue for us, since this is a single machine array. Click Next.
    Figure 3
  9. Click Next on the New Enterprise Warning page.
    Figure 4
  10. On the Internal Network page, click the Add button.
  11. In the Addresses dialog box, click the Add Adapter button. In the Select Network Adapters dialog box, put a checkmark in the checkbox next to the single interface installed on the computer. Note that in a typical firewall installation, this NIC would be used to define the default Internal network. In a unihomed ISA firewall Web proxy configuration, this is not the case, since all addresses are considered internal. Click OK.
    Figure 5
  12. In the Addresses dialog box, click OK. Note that the addresses listed in this dialog box will have no meaning in the unihomed ISA firewall configuration scheme. In a normal ISA firewall setup with multiple interfaces, these addresses would define the default Internal ISA firewall Network. However, as I mentioned in the last step, with a unihomed ISA firewall in Web proxy mode, all addresses are considered part of the default Internal ISA firewall Network.
    Figure 6
  13. Click Next on the Internal Network page. Note again that the IP addresses listed here do not represent the default Internal Network on a unihomed ISA firewall as we'll see later when we apply the single NIC ISA firewall template.
    Figure 7
  14. On the Firewall Client Connections page, click Next. We don't have to worry about Firewall client connections because neither Firewall nor SecureNAT clients are supported on a unihomed ISA firewall in Web proxy configuration. Only Web proxy clients are supported.
  15. Click Next on the Services Warning page.
  16. Click Install to begin the installation.
  17. On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox and click Finish.
  18. Close the Internet Explorer window entitled Protect the ISA Server Computer.

Post Installation Review

The first thing you'll notice when the console opens is a link entitled Click here to learn about the Customer Experience Improvement Program. Click that link.

Figure 8

This brings up the Customer Feedback dialog box. I highly recommend that you participate in the Customer Experience Improvement Program. No personal data is sent to Microsoft and the result of your participation is to make the ISA firewall product more flexible and provide even higher levels of security to your network. Select the Yes option to participate in the program.

Figure 9

After you select an option and click OK, the link disappears from the middle pane of the console.

Expand all the nodes in the left pane of the ISA firewall console. Then perform the following steps to see the definition of the default Internal ISA firewall Network:

  1. In the left pane of the ISA firewall console, click the Networks node under the Configuration node.
    Figure 10
  2. In the Networks node, click the Networks tab in the middle pane of the ISA firewall console. Double click on the Internal entry.
  3. In the Internal Properties dialog box, click the Addresses tab. Here you see the addresses that define the default Internal ISA firewall Network at this time. However, this will change when we configure this ISA firewall to act as a Web proxy only unihomed ISA firewall. Click Cancel to leave this dialog box.
    Figure 11

What we need to do now is apply the unihomed ISA firewall template to configure this machine as a unihomed Web proxy only ISA firewall. Perform the following steps to apply the template:

  1. In the Task Pane, click the Templates tab. Scroll down the list of templates and click the Single Network Adapter template.
    Figure 12
  2. Click Next on the Welcome to the Network Template Wizard page.
  3. Click Next on the Export the ISA Server Configuration page. Note that you have the option to export the current configuration, but we won't use that option because we haven't made any configuration changes from the default setting.
    Figure 13
  4. On the Internal Network IP Addresses page, you'll see the addresses that will be configured to define the default ISA firewall Internal Network. Notice that all IP addresses except the local host network range are considered part of the default Internal network. For this reason, SecureNAT and Firewall clients are not supported in a unihomed Web proxy mode ISA firewall configuration. You do not need to make any changes on this page. Click Next.
    Figure 14
  5. On the Select a Firewall Policy page, you are offered a single firewall policy to select from. Click on the Apply default Web proxying and caching configuration option. This will apply the default Deny rule to the firewall policy for the array. No Network Rules are created because the Web proxy always substitutes its own IP address for the IP address of the Web proxy client connecting to the Internet through the unihomed Web proxy mode ISA firewall. Click Next.
    Figure 15
  6. On the Completing the Network Template Wizard page, click Finish.
  7. Click Apply to save the changes and update the firewall policy.
  8. Click OK in the Apply New Configuration dialog box.

At this point you're ready to start configuring firewall policy and customizing the installation.

Summary

In this article we went over the concepts involved with deploying and installing a unihomed Web proxy mode ISA firewall. We then went over the step by step details of installing a unihomed Web proxy mode ISA firewall. At the end of the process the ISA firewall was ready for configuration and customization. I'll follow up on this article with one on what I consider to be key post configuration tasks that you should perform before configuring ISA firewall policy.

Author: Thomas Shinder

Dr. Thomas W. Shinder is an MCSE, MCP+I, and MCT. He has worked as a technology trainer and consultant in the Dallas-Ft. Worth metro area, assisting in development and implementation of IP-based communications strategies for major firms such as Xerox, Lucent and FINA.

This article has been republished with permission from: www.isaserver.org
Source: http://www.isaserver.org/...ition-beta-Unihomed-Workgroup-Configuration.html
