Contents
Overview
Installing and Configuring ISA Server Clients
Lab A: Installing ISA Server and
Lab B: Configuring ISA Server
Review
Module 2: Installing and Maintaining ISA Server
Information in this document is subject to change without notice. The names of companies, products, people, characters, and/or data mentioned herein are fictitious and are in no way intended to represent any real individual, company, product, or event, unless otherwise noted. Complying with all applicable copyright laws is the responsibility of the user. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation. If, however, your only means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting, Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective owners.
Instructor Notes
This module provides students with the knowledge and skills to install and configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a cache server and as a firewall.
After completing this module, students will be able to:
Install ISA Server on a computer running Microsoft Windows® 2000 Server
Configure computers as Web proxy, Firewall, or SecureNAT clients for ISA Server
Perform administrative tasks for maintaining ISA Server
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_02.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the labs.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and provide the answers.
Read RFC 1918, “Address Allocation for Private Internets,” under Additional Reading on the Trainer Materials compact disc.
Read RFC 1928, “SOCKS Protocol Version 5,” under Additional Reading on the Student Materials compact disc.
Review the document titled “Pre-Migration-Considerations.htm” on the Microsoft ISA Server compact disc.
Review the document readme.htm on the ISA Server compact disc.
Read the following sections in ISA Server Help: “Planning Considerations,” “Installing ISA Server,” “Checklist: Migrating from Microsoft Proxy Server 2.0,” “Migrating from Microsoft Proxy Server 2.0,” “ISA Server Clients,” “Installing and Configuring ISA Server Clients,” “Administering ISA Server,” and “Troubleshooting.”
Presentation: 60 Minutes
Lab: 60 Minutes
Module Strategy
Use the following strategy to present this module:
Installing ISA Server. Describe the issues to consider before and during the installation of ISA Server, including a new installation or an upgrade of a server from Microsoft Proxy Server 2.0. Point out the CPU scalability and operating system differences between ISA Server Standard Edition and ISA Server Enterprise Edition. Explain that configuring the local address table (LAT) correctly is the single most important part of installing ISA Server.
Installing and Configuring ISA Server Clients. Describe the features of each ISA Server client: Web proxy, Firewall, and SecureNAT. Present or, if possible, demonstrate the procedures for configuring client computers for each type of client.
Maintaining ISA Server. Present the tasks required to maintain an ISA Server computer, including starting and stopping services and backing up and restoring ISA Server. Point out the taskpads and the Advanced view features in ISA Management. Present or, if possible, demonstrate the procedures for adding entries to both the LAT and local domain table (LDT). Explain the use of the Msplat.txt file by the Firewall client. Emphasize that for maximum security, you should save the backup files to an NTFS file system disk partition and set the appropriate permissions to protect against unauthorized access.
Customization Information
This section identifies the lab setup requirements for a module and the configuration changes that occur on student computers during the labs. This information is provided to assist you in replicating or customizing Microsoft Official Curriculum (MOC) courseware.
The labs in this module are also dependent on the classroom configuration that is specified in the Customization Information section at the end of the Classroom Setup Guide for Course 2159A, Deploying and Managing Microsoft Internet and Security Acceleration Server 2000.
Student computers that are configured as ISA Server computers have entries added to the LAT and the LDT.
Student computers that are configured as ISA Server client computers have the ISA Server administration tools installed.
Student computers that are configured as ISA Server client computers have the Firewall Client software installed.
Student computers that are configured as ISA Server client computers have the default gateway set to the Internet Protocol (IP) address of the ISA Server computer on the private network.
Student computers that are configured as ISA Server client computers have Microsoft Internet Explorer configured to use a Proxy server.
Overview
Installing ISA Server
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Whether you deploy Microsoft® Internet Security and Acceleration (ISA) Server 2000 as a dedicated firewall, a Web cache server, or an integrated solution, you must plan carefully to ensure that you have the required hardware and software. After you perform an ISA Server installation, you must configure client computers. Depending on the client operating systems and your specific requirements to control Internet access, you can choose to use the transparent SecureNAT technology or deploy the ISA Firewall Client software. You can also configure computers as Web proxy clients to improve browser performance.
In addition, it is important to properly maintain ISA Server to ensure that all client computers have fast and secure access to the Internet.
After completing this module, you will be able to:
Install ISA Server on a computer running Microsoft Windows® 2000 Server
Configure computers as Web proxy, Firewall, or SecureNAT clients for ISA Server
Perform administrative tasks for maintaining ISA Server
In this module, you will learn about the installation and maintenance tasks for ISA Server.
Installing ISA Server
Identifying Pre-Installation Tasks
Specifying the Initial Cache Size
Before you install ISA Server, you must set up the hardware and configure the software for the ISA Server computer. To help identify the choices that you will make during installation, review the pre-installation checklist before performing the installation. If you encounter problems during a new installation or an upgrade from Microsoft Proxy Server 2.0, see the Troubleshooting ISA Server Installation section.
You also can automate the installation of ISA Server. For more information about performing an unattended setup, see “Unattended setup” in ISA Server Help.
Topic Objective: To identify the topics related to installing ISA Server.
Lead-in: Before you install ISA Server, you must set up the hardware and configure the software of the ISA Server computer.
Identifying Hardware and Software Requirements
Hard Disk Space
20 MB
Windows 2000 Server, Windows 2000 Advanced Server, or Windows Datacenter
Hard Disk Format
The table below lists the hardware and software requirements for ISA Server.
Component Requirements
• ISA Server Standard Edition supports up to 4 processors
• ISA Server Enterprise Edition has no CPU limit
File system and disk format
One local hard disk partition formatted with NTFS file system
Operating system
Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, or Microsoft Windows 2000 Datacenter Server
Windows 2000 Service Pack
If running on Windows 2000 Server or Windows 2000 Advanced Server, ISA Server requires Service Pack 1. You should install Service Pack 2 when it becomes available. For more information, see “System Requirements” in the ISA Server Release Notes on the ISA Server compact disc.
communicating with the internal network and an additional network adapter, modem, or Integrated Services Digital Network (ISDN) adapter that is compatible with Windows 2000 for communicating with the Internet or an upstream server
The Active Directory™ directory service for Windows 2000 must be installed on your network to implement the array feature.
Topic Objective: To identify the hardware and software requirements for ISA Server.
Lead-in: Before you install ISA Server, consider the software and hardware requirements.
Delivery Tip: Point out the CPU scalability difference between ISA Server Standard Edition and ISA Server Enterprise Edition.
Explain that Windows 2000 Datacenter Server does not require Service Pack 1 because it already includes all of the components of this Service Pack.
Forward Caching Requirements
The following table lists the hardware configurations of a single ISA Server computer for the expected number of users who gain access to objects on the Internet.
Number of users: More than 1,000
ISA Server computer: Two ISA Server computers with Pentium III, 550 MHz processors. Additional ISA Server computer for each 2,000 users
RAM: 256 MB for each 2,000 users
Disk space allocated for caching: 10 GB for each ISA Server computer
If the number of users exceeds 1,000 users, consider better-performing hardware for the ISA Server computer or add more ISA Server computers.
Reverse Caching Requirements
The following table lists the hardware configurations of a single ISA Server computer for the expected number of requests from Internet, or external, users. The exact RAM requirements depend on the content that you are publishing. Ideally, all cacheable content should fit into memory.
Number of hits per second for a single ISA Server computer ISA Server computer
can add more processors to your computer or you can add additional ISA Server computers
Firewall Requirements
The following table lists the hardware configurations for the expected rate of data transfer for Firewall and SecureNAT clients that gain access to objects on the Internet.
Rate of data transfer: More than 50 megabits per second
ISA Server computer: Pentium III, 550 MHz for each 50 megabits per second
RAM: 256 MB
Although it is important to have the required hardware configuration, the rate of data transfer is highly dependent on the speed of your connection to the Internet.
Delivery Tip: Summarize the hardware configurations that are listed in the tables. It is not necessary to describe each configuration in detail.
Emphasize that these recommendations are only guidelines. Students can monitor ISA Server for actual performance and adjust the ISA Server computers accordingly.
Identifying Pre-Installation Tasks
Locate CD Key
Select an Array to Join, If Applicable
Select an Installation Option
Select an Installation Mode
Configure Address Ranges for the LAT
Configure a Drive to Use for the Cache
Before installing ISA Server, test your network connectivity to minimize the need for troubleshooting connection problems after installation is complete.
Before installing ISA Server, ensure that the Windows 2000 routing table on the ISA Server computer is configured correctly. The internal adapter of the ISA Server computer must be able to route packets to all internal network destinations, and the external network adapter must be able to route packets to the Internet. To ensure proper routing, add explicit routes for all internal network destinations, and configure a default gateway on only the external network adapter.
When you install ISA Server, you must provide the following information:
CD Key. This is the 10-digit number located on back of the CD-ROM case.
Installation options. As part of the installation process, you can install options from the following ISA Server components:
ISA Services. Controls access of network services for the traffic between networks. This component is required for the installation.
Add-In Services. Includes the Microsoft H.323 Gatekeeper service, which allows Microsoft NetMeeting® or other H.323-compliant applications to reach users inside your network. The H.323 protocol is a set of standards that enable real-time multimedia conferencing and communications over packet-based networks. Also includes the Message Screener, which performs content filtering on incoming Simple Mail Transfer Protocol (SMTP) traffic. Both of these add-in services are optional.
Topic Objective: To identify the tasks to perform before installing ISA Server.
Lead-in: You must provide certain information when you install ISA Server.
Delivery Tip: Emphasize that configuring the Windows 2000 routing table before installing ISA Server will help ensure the proper operation of ISA Server.
Administration Tools. Includes the ISA Server administration tools, which are required for the installation, and the H.323 Gatekeeper administration tools, which are optional.
You can also install the administration tools separately on a computer running Windows 2000 Server or Microsoft Windows 2000 Professional to remotely administer a stand-alone ISA Server computer or one or more arrays of ISA Server computers.
Array selection. If you previously modified the Active Directory schema to initialize the enterprise, you can either select to create an enterprise array or can select an array to join. If you did not initialize the enterprise, ISA Server is installed in a stand-alone array, which contains only a single ISA Server computer.
Installation Mode. You can select to install ISA Server in Firewall mode, Cache mode, or Integrated mode.
Cache configuration. If you install ISA Server in Integrated or Cache mode, you must configure the drives to use for the cache.
Local Address Table (LAT) configuration. If you install ISA Server in Integrated or Firewall mode, you must configure the address ranges to include in the LAT. The LAT is a table containing all of the internal Internet Protocol (IP) address ranges that the network behind the ISA Server
Selecting an Installation Mode
[Setup dialog: Microsoft ISA Server Setup]
Select the mode for this server:
Firewall mode. Select this option to install enterprise firewall functionality.
Cache mode. Select this option to install cache and Web hosting functionality. Cache mode installation is recommended only for computers that are not directly connected to the Internet. If this computer is directly connected to the Internet, install ISA Server in integrated mode.
Integrated mode. Select this option to install integrated enterprise firewall, cache, and Web hosting functionality.
[Setup message: Microsoft Internet Security and Acceleration Server Setup]
Setup has stopped your IIS publishing service (W3SVC). After Setup is complete, uninstall IIS or reconfigure all IIS sites not to use ports 80 and 8080.
Before you can select an installation mode, you must launch the ISA Server installation program and enter the information described in the pre-installation checklist. As part of the setup process, you select the mode for ISA Server: Firewall, Cache, or Integrated. After you select the server mode, if you have Internet Information Services (IIS) installed and configured to use port 80 or port 8080, ISA Server Setup informs you that it will stop the IIS Web service.
To start the ISA Server installation:
1. Insert the compact disc into the CD-ROM drive, or if you copied the contents of the ISA Server compact disc to a network location, open a command prompt window, and then run the ISAautorun.exe file.
2. In the Microsoft ISA Server Setup window, select Install ISA Server, and then click Continue.
3. Type the CD Key, and then click OK twice.
4. Read the licensing agreement, and then if you agree, click I Agree.
5. Click one of the following installations, and then click OK:
• Typical Installation. Includes the most commonly used components.
• Full Installation. Includes all ISA Server components and extensions.
• Custom Installation. Includes the ISA Server components and extensions that you specify.
6. If you are installing ISA Server Enterprise Edition and the computer is not part of a Windows 2000 domain, click Yes to install ISA Server as a
Setup stops the IIS Web service because its default listening port is 80, which ISA Server also uses. Because ISA Server listens on port 80 and may listen on port 8080, you must modify the listening port settings for IIS because two different services cannot bind to the same port.
Topic Objective: To describe the procedure that you use to select an installation mode.
Lead-in: You must select one of three installation modes for ISA Server during Setup.
Specifying the Initial Cache Size
[Setup dialog: Microsoft Internet Security and Acceleration Server Setup]
Specify the NTFS drives on which caches should be located and the maximum size of each cache.
Initial cache size is 100 MB. Add 0.5 MB for each Web Proxy client.
If you install ISA Server in Cache mode or in Integrated mode, the Setup program prompts you to select the drive for the cache location and the initial cache size. Select an NTFS-formatted hard disk of sufficient size to make the cache as large as possible. For optimal performance, select a hard disk that you use exclusively for caching. You can increase cache size later by allocating more empty disk space or by adding more disk volumes.
Consider the following settings when specifying the size of the cache:
Default cache size. 100 MB if at least 150 MB of free disk space is available.
Minimum cache size. Allocate at least one drive and 5 MB on that drive.
Recommended cache size. Allocate at least 100 MB and add 0.5 MB for each Web Proxy client, rounded up to the nearest full megabyte.
Although Windows 2000 allows you to format a drive without assigning a drive letter, you cannot use a drive without a drive letter for ISA Server caching.
Topic Objective: To describe the procedure that you use to specify the initial size of the cache.
Lead-in: You specify the initial size of the cache during Setup.
Configuring the LAT
[Setup dialog: Microsoft Internet Security and Acceleration Server Setup]
Enter the IP address ranges that span the internal network address space. Internal IP ranges are entered as From and To addresses, with Add and Remove buttons. To construct a local address table, click Construct Table.
[Dialog: Local Address Table]
Select the address ranges (based on the Windows 2000 routing table) for inclusion in the local address table (LAT). The LAT should include all the addresses in your internal network.
Add the following private ranges: 10.x.x.x, 192.168.x.x, 172.16.x.x-172.31.x.x and 169.254.x.x
Add address ranges based on the Windows 2000 Routing Table (internal network adapters)
Verify the IP addresses that display in the local address table.
The LAT is a table of all internal IP addresses. If you install ISA Server in Firewall mode or Integrated mode, you can configure the LAT during Setup. ISA Server uses the LAT to determine which IP addresses are inside an organization’s network and assumes that all other IP addresses are external. ISA Server uses the LAT to control how computers on the internal network communicate with external networks. In addition, Firewall clients automatically download LAT updates from the ISA Server computer. Firewall clients use the LAT updates to determine which IP addresses they can directly connect to and which requests they need to forward to the ISA Server computer.
Overview of the LAT
ISA Server can construct the LAT and add the following IP address ranges:
Private IP addresses. ISA Server can add IP addresses that are reserved by the Internet Assigned Numbers Authority (IANA) for internal use. Many organizations use these addresses for internal addresses. These addresses include 10.0.0.0 to 10.255.255.255, 192.168.0.0 to 192.168.255.255, and 172.16.0.0 to 172.31.255.255. Add private IP addresses to the LAT only if you use private IP addressing on your network.
For more information about private IP addresses, see RFC 1918, “Address Allocation for Private Internets,” under Additional Reading on the Student Materials compact disc.
Networks from the routing table. ISA Server adds all of the networks that your computer connects to by using one or more network adapters that you select. When adding entries from the routing table, ensure that the network adapter that is configured to connect to your internal network has the correct routing information for all network segments on your internal network.
Topic Objective: To describe the LAT and the procedure for configuring the LAT during Setup.
Lead-in: You can add IP addresses based on routing table entries or private IP address ranges.
Key Points: ISA Server uses the LAT to determine which IP addresses are inside an organization’s network and assumes that all other IP addresses are external.
Configuring the LAT
When configuring the LAT, add addresses on the private network only. Do not add the external interface of the ISA Server computer or any external addresses. In addition, never configure a network adapter with both an external IP address and an IP address that is in the LAT; doing so can cause ISA Server to incorrectly enforce security rules and can present a serious security risk.
To configure the LAT during Setup:
1. In the Microsoft Internet Security and Acceleration Server 2000 Setup dialog box, click Table.
2. Choose from the following options, and then click OK twice:
• To add private IP address ranges, select the Add the following private ranges check box.
• To add routing table entries, select the Add address ranges based on the Windows 2000 Routing Table check box, and then select the check box for the network adapter that is connected to your internal network.
3. In the Internal IP ranges box, review the list of IP address ranges, make the following corrections if necessary, and then click OK:
• To remove an address range, in the Internal IP Ranges box, click the range, and then click Remove.
• To add an address range, in the Edit box, type the beginning and end addresses of the range, and then click Add.
After configuring the LAT, Setup copies all of the required files and completes all configuration steps. Unless you specify a different location during an unattended setup, Setup installs ISA Server in the C:\Program Files\Microsoft ISA Server folder.
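The two LAT rules stated above (private network addresses only, and never the external interface) can be checked mechanically before the ranges are accepted. The following Python sketch is an added example, not part of the courseware or of ISA Server; the function names, the sample ranges and the external address 203.0.113.10 are constructed for illustration. It also models the Firewall client decision described earlier, connecting directly to addresses in the LAT and forwarding everything else to the ISA Server computer.

```python
import ipaddress

# Private blocks named in the module text (RFC 1918), plus 169.254.x.x,
# which the Setup dialog also offers as a private range.
PRIVATE_BLOCKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def parse_range(start, end):
    """Return (first, last) as IPv4Address objects; reject reversed ranges."""
    first, last = ipaddress.IPv4Address(start), ipaddress.IPv4Address(end)
    if first > last:
        raise ValueError(f"range {start}-{end} is reversed")
    return first, last


def audit_lat(ranges, external_ips):
    """Check From/To LAT entries against the two rules in the text.

    Returns a list of (start, end, issue) tuples. An empty list means every
    entry is private-only and none covers an external interface address.
    """
    findings = []
    externals = [ipaddress.IPv4Address(ip) for ip in external_ips]
    for start, end in ranges:
        first, last = parse_range(start, end)
        # Rule 1: the LAT must never cover the external interface.
        if any(first <= ip <= last for ip in externals):
            findings.append((start, end, "covers external interface"))
        # Rule 2: every address in the range must be private. Split the range
        # into CIDR blocks and require each one to sit inside a private block.
        cidrs = ipaddress.summarize_address_range(first, last)
        if not all(any(c.subnet_of(p) for p in PRIVATE_BLOCKS) for c in cidrs):
            findings.append((start, end, "contains non-private addresses"))
    return findings


def forward_to_isa(destination, ranges):
    """Firewall client decision: True = forward to ISA Server, False = direct."""
    dest = ipaddress.IPv4Address(destination)
    for start, end in ranges:
        first, last = parse_range(start, end)
        if first <= dest <= last:
            return False   # listed in the LAT: treated as internal
    return True            # not in the LAT: treated as external


# Constructed sample data (203.0.113.0/24 is a documentation-only range).
SAMPLE_LAT = [
    ("192.168.1.0", "192.168.1.255"),
    ("10.0.0.0", "10.255.255.255"),
    ("172.16.0.0", "172.32.255.255"),   # mistyped upper bound, runs past 172.31
    ("203.0.113.0", "203.0.113.255"),   # external subnet added by mistake
]
SAMPLE_EXTERNAL = ["203.0.113.10"]

if __name__ == "__main__":
    for finding in audit_lat(SAMPLE_LAT, SAMPLE_EXTERNAL):
        print(finding)
    # An external address wrongly listed in the LAT is treated as internal,
    # so requests to it are not forwarded to the ISA Server computer.
    print(forward_to_isa("203.0.113.80", SAMPLE_LAT))
```
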
Key Points: Configuring the LAT correctly is the single most important part of installing ISA Server. When configuring the LAT, include addresses on the private network only. Do not add the external interface of the ISA Server computer or any external addresses.
Upgrading from Microsoft Proxy Server 2.0
[Slide: Upgrading from Microsoft Windows NT (upgrade to Windows 2000); Comparing Proxy 2.0 and ISA Server Configurations (cache content, SOCKS rules, publishing, IPX protocol); Upgrading Client Computers (client requests on port 80 for Proxy Server 2.0 and port 8080 for ISA Server 2000; Winsock Proxy clients and Firewall clients)]
ISA Server supports a full migration path for Microsoft Proxy Server 2.0 users. Setup migrates most Proxy Server 2.0 rules, network settings, monitoring configurations, and cache configurations to ISA Server when you perform an upgrade.
Before migrating from Proxy Server 2.0, review “PreMigrationConsiderations.htm” on the ISA Server compact disc and review the following sections in ISA Server Help: “Checklist: Migrating from Microsoft Proxy Server 2.0” and “Migrating from Microsoft Proxy Server 2.0.”
It is recommended that you perform a full backup of the current Proxy Server 2.0 settings before the upgrade and that you disconnect the computer to be upgraded from the Internet during the installation.
Upgrading from Microsoft Windows NT 4.0
You can install ISA Server on only computers running Windows 2000 Server with Service Pack 1 installed. If you are currently running Proxy Server 2.0 on Microsoft Windows NT® 4.0, you must complete the following steps:
1. Stop and disable all Proxy Server services including:
• Microsoft Winsock Proxy Service (wspsrv)
• Microsoft Proxy Server Administration (mspadmin)
• Proxy Alert Notification Service (mailalrt)
• World Wide Web Publishing Service (w3svc)
2. If Proxy Server 2.0 is installed as an array, remove the server running Proxy Server 2.0 from the array.
Topic Objective: To describe the topics that are related to upgrading to ISA Server from Proxy Server 2.0.
Lead-in: ISA Server supports a full migration path for Microsoft Proxy Server 2.0 users.
Key Points: Perform a full backup of the Proxy Server 2.0 settings before upgrading, and disconnect the computer that you are upgrading from the Internet during the installation.
3. Perform the upgrade to Windows 2000. During the upgrade to Windows 2000, you may receive a message indicating that Proxy Server 2.0 will not work on a computer running Windows 2000. You can disregard this message and continue installing ISA Server.
4. Install Windows 2000 Service Pack 1.
5. Begin installing ISA Server.
Comparing Proxy Server 2.0 and ISA Server Configurations
When you upgrade to ISA Server, most rules, network settings, monitoring configurations, and cache configurations in Proxy Server 2.0 are migrated to ISA Server. The differences and exceptions between Proxy Server 2.0 and ISA Server are listed as follows:
Publishing. Proxy Server 2.0 requires that you configure publishing servers as Winsock Proxy clients. ISA Server allows you to publish internal servers without requiring any special configuration or software installation on the publishing server. Instead, ISA Server recognizes the publishing servers as SecureNAT clients.
Cache. Proxy Server 2.0 cache content is not migrated because of the vastly different cache storage engine in ISA Server. ISA Server Setup deletes Proxy Server 2.0 cache content and initializes the new storage engine based on existing cache and drive settings.
SOCKS. ISA Server policy does not support the migration of Proxy Server 2.0 SOCKS rules. ISA Server includes the SOCKS applications filter, which allows client SOCKS applications to communicate with the network by using the applicable array or enterprise policy to determine if the client request is allowed.
For more information about using SOCKS Version 5 protocol, also known as Authenticated Firewall Traversal (AFT), see RFC 1928, “SOCKS Protocol Version 5,” under Additional Reading on the Student Materials compact disc.
Internet Protocol Exchange (IPX) Protocol. ISA Server does not support the IPX protocol.
Upgrading Client Computers
After you install ISA Server, you may have to upgrade your client computers:
Winsock Proxy clients. Because both the Winsock Proxy Client that is included with Proxy Server 2.0 and the Firewall Client that is included with ISA Server are compatible with both server products, you can upgrade client computers at any time after installing ISA Server and maintain a mixed environment during migration.
Web Proxy clients. Proxy Server 2.0 uses port 80 for client Hypertext Transfer Protocol (HTTP) requests. By default, ISA Server uses port 8080. Therefore, you must configure all downstream chain members and browsers that connect to the ISA Server computer to connect to port 8080. Alternatively, you can configure ISA Server to use port 80 for client HTTP requests.
Troubleshooting ISA Server Installation
Users Cannot Connect to Resources After Upgrading from Proxy Server 2.0
The following list includes common installation problems and solutions:
The LAT that the Setup program generates is incorrect. Always double-check the LAT that the Setup program generates before you continue and make any required changes. The automatically generated LAT depends on a correct and complete configuration of your routing table.
You are unable to connect to Internet resources immediately after installing ISA Server. This result is expected. Before you can fully test your configuration, you must configure access rules.
ISA Server presented one or more error messages during installation. Review the event logs in Windows 2000 for more information about the errors. Remove ISA Server by using Add/Remove Programs in Control Panel, and then reinstall it. If you cannot remove ISA Server by using Add/Remove Programs, use the RMISA.exe program, which is located in the \isa\i386 folder on the ISA Server compact disc.
You cannot join an array because the installation program cannot find the array. Ensure that the computer can communicate with the other array members and a domain controller for the current domain.
Users can gain access to Internet sites even though you have not defined rules that allow access. Your LAT may not be configured correctly. Ensure that the LAT contains only internal IP addresses.
After upgrading from Proxy Server 2.0, client computers can no longer connect to Internet resources. Change the port that Web Proxy clients use to gain access to the ISA Server computer or configure automatic discovery for clients. ISA Server uses port 8080 for client connections, whereas Proxy Server 2.0 uses port 80.
The “Troubleshooting” section of ISA Server Help contains information about solving other common problems.
Lead-in: After installing ISA Server and ISA Server clients, you may have to troubleshoot installation problems.
Trang 21Installing and Configuring ISA Server Clients
Installing and Configuring Firewall Clients
***************************** ILLEGAL FOR NON - TRAINER USE ******************************
Before you deploy or configure clients for ISA Server, you must consider the requirements of your organization Some of the considerations include the level
of access control required, the operating systems installed on client computers, the applications and services that your internal clients will use, and how you will publish servers on your internal network If you encounter problems while installing or configuring clients, see the Troubleshooting Client Installation section
Topic Objective
To identify the topics related to installing and configuring ISA Server clients.
Lead-in
Before you install and configure ISA Server clients, evaluate the needs of your organization and compare the features of each client.
ISA Server supports three types of clients: Web Proxy clients, SecureNAT clients, and Firewall clients.
Comparing ISA Server Clients
The following list describes the features of each type of ISA Server client:
• Web Proxy clients. Improve the performance of Web requests. A Web Proxy client sends requests directly to the ISA Server computer, but Internet access is limited to the browser. You can configure most Web browsers that support HTTP 1.1 as Web Proxy clients. Other applications, such as streaming media client applications, can also function as Web Proxy clients.
• SecureNAT clients. Provide security and caching of HTTP requests, but do not allow for user-level authentication. SecureNAT clients can support most Transmission Control Protocol/Internet Protocol (TCP/IP) protocols, including Internet Control Message Protocol (ICMP). To configure a SecureNAT client, you configure the client computer to route all packets to the Internet through the ISA Server computer. You typically do this by setting the default gateway on the client computer to the IP address of the ISA Server computer. Because a SecureNAT client requires no configuration other than changing the default gateway, any computer that uses the TCP/IP protocol can be a SecureNAT client.
Some protocols and applications require secondary connections. For example, when you use the File Transfer Protocol (FTP), by default the client initiates a primary connection to the server, and the server then initiates a secondary connection to the client. ISA Server must use an application filter that edits the data stream to allow SecureNAT clients to use such protocols and applications. ISA Server includes several application filters, such as an FTP filter and an H.323 filter. If ISA Server does not contain the appropriate application filter for a protocol or application, SecureNAT clients cannot use this protocol or application.
Only Firewall clients can be identified and fully authenticated by ISA Server.
• Firewall clients. Restrict access on a per-user basis for outbound access for requests that use the TCP and User Datagram Protocol (UDP) protocols. To configure a Firewall client, you must install the Firewall Client software on each client computer. You can install the Firewall Client software on computers running Microsoft Windows Millennium Edition, Microsoft Windows 95 OSR2, Microsoft Windows 98, Windows NT 4.0, or Windows 2000 only.
You can configure a computer to use multiple client types simultaneously. For example, you can configure a computer as a Web Proxy client for requests that are issued from within a browser, as a Firewall client to forward all requests from Winsock applications that use the TCP and UDP protocols, and as a SecureNAT client for all other protocols, such as ICMP.
Determining Which ISA Clients to Use
Use the following guidelines to determine which clients to deploy for ISA Server:
• Improve the performance of Web requests for internal clients: Web Proxy clients.
• Avoid deploying client software or configuring client computers: SecureNAT clients. SecureNAT clients do not require any software or specific configuration.
• Improve Web performance in an environment with non-Microsoft operating systems: SecureNAT clients. SecureNAT client requests are transparently passed to the Microsoft Firewall service and then to the caching service for caching.
• Publish servers that are located on your internal network: SecureNAT clients. You can publish internal servers to make them available to external users. When you publish internal servers, you configure the servers as SecureNAT clients. Because the published servers are SecureNAT clients, you do not need to configure settings on the published server. Microsoft does not recommend configuring published servers as Firewall clients.
• Allow Internet access for only authenticated users: Firewall clients or Web Proxy clients. You can configure user-based access policy rules for Firewall clients and Web Proxy clients.
Configuring Web Proxy Clients
You do not need to install any software to configure Web Proxy clients. However, you must configure the Web browser on the client computer to use the ISA Server computer as the proxy server. Other applications that use Web protocols may also be able to function as Web Proxy clients. Some of these applications can obtain their configuration settings from your Web browser. Others may require additional configuration steps. The exact configuration steps for configuring ISA Server depend on the Web browser that you use.
Web browser helper applications that use protocols other than HTTP, such as Microsoft Windows Media™ Player, do not use ISA Server to connect to the Web. To allow helper applications to connect to the Web, you must use the SecureNAT client or the Firewall client in addition to the Web Proxy client.
To configure Microsoft Internet Explorer 5 or later to use the Microsoft Web Proxy service:
1. Open the Properties dialog box for Internet Explorer. On the Connections tab, click LAN Settings, and then in the Local Area Network (LAN) Settings dialog box, select the Use a proxy server check box.
2. In the Address box, type a valid path to the ISA Server computer.
3. In the Port box, type the port number that the ISA Server computer uses for Web Proxy client connections, which is 8080 by default, and then click OK twice.
If you want your Web browser to bypass the ISA Server computer when connecting to local computers, you can also select the Bypass proxy server for local addresses check box. Bypassing the ISA Server computer for local computers may improve Web browser performance.
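Internet Explorer stores the settings from this procedure per user in the registry under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings, in the ProxyEnable, ProxyServer, and ProxyOverride values. The following Python sketch is an added example, not part of the original course material: it audits exported copies of those values for a wrong port (such as port 80 left over from Proxy Server 2.0), a wrong host, and the local-address bypass. The client names, the host name isa01, and the sample values are constructed.

```python
def parse_proxy_server(value):
    """Parse an Internet Explorer ProxyServer string into {scheme: (host, port)}.

    Handles "host:port" (one proxy for all protocols) and the per-protocol
    form "http=host:port;ftp=host:port". A missing port means 80.
    """
    proxies = {}
    for part in (p.strip() for p in value.split(";")):
        if not part:
            continue
        scheme, sep, target = part.partition("=")
        if not sep:
            scheme, target = "all", part
        target = target.split("://", 1)[-1]       # tolerate "http://host:port"
        host, _, port = target.partition(":")
        proxies[scheme.lower()] = (host.lower(), int(port) if port else 80)
    return proxies

def audit_client(settings, isa_host, isa_port=8080):
    """Return findings for one client's exported Internet Settings values."""
    if not settings.get("ProxyEnable"):
        return ["proxy disabled: browser is not a Web Proxy client"]
    findings = []
    proxies = parse_proxy_server(settings.get("ProxyServer", ""))
    web = proxies.get("all") or proxies.get("http")
    if web is None:
        findings.append("no proxy set for HTTP")
    else:
        host, port = web
        if host != isa_host.lower():
            findings.append(f"proxy host is {host}, expected {isa_host}")
        if port != isa_port:
            findings.append(f"proxy port is {port}, expected {isa_port}")
    if "<local>" not in settings.get("ProxyOverride", "").lower().split(";"):
        findings.append("note: bypass for local addresses is off")
    return findings

# Constructed sample data; "isa01" is a hypothetical ISA Server name.
CLIENTS = {
    "ws-upgraded": {"ProxyEnable": 1, "ProxyServer": "isa01:80", "ProxyOverride": "<local>"},
    "ws-ok": {"ProxyEnable": 1, "ProxyServer": "http=isa01:8080;ftp=isa01:8080",
              "ProxyOverride": "<local>"},
    "ws-direct": {"ProxyEnable": 0},
}

if __name__ == "__main__":
    for name, settings in CLIENTS.items():
        print(name, audit_client(settings, "isa01") or "OK")
```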
Topic Objective
To describe the procedure that is used to configure Web Proxy clients.
Lead-in
To configure Web Proxy clients, you must configure the Web browser on the client computer to use the ISA Server computer as the proxy server.
Key Points
Web browser helper applications that use protocols other than HTTP, such as Windows Media Player, do not use ISA Server to connect to the Web.
Configuring SecureNAT Clients
Although SecureNAT clients do not require specific software, you must configure SecureNAT clients to route all network traffic to the Internet through the ISA Server computer. How you configure the client computer depends on whether your network uses routers between the ISA Server computer and the SecureNAT clients.
Configuring Clients on Networks That Do Not Use Routers
To configure SecureNAT clients on a network without routers, set the SecureNAT client's IP default gateway settings to the IP address of the ISA Server computer's internal network adapter by manually changing the default gateway setting or by using Dynamic Host Configuration Protocol (DHCP).
Configuring Clients on Networks That Use Routers
To configure SecureNAT clients on a network with routers, set the default gateway settings to the router closest to the SecureNAT client. Ensure that the router is configured to forward IP packets to the Internet so that all packets are routed through the ISA Server computer. Optimally, routers should use a default gateway that routes along the shortest path to the ISA Server computer.
In addition, do not configure routers to discard packets destined for addresses outside of the internal network. The ISA Server computer will determine how to route these packets.
Consider your network topology when you configure the default gateway for SecureNAT clients.
Resolving Names for SecureNAT Clients
When SecureNAT clients request data from computers on your internal network or the Internet, clients require Domain Name Service (DNS) servers to resolve names. Use the following guidelines to determine the location of a DNS server for resolving names:
If clients request data from: Internet and internal servers
Then: Use a DNS server on the internal network. Ensure that the internal server can resolve both internal and Internet addresses.
the Internet
Installing and Configuring Firewall Clients
You can install the Firewall Client software on client computers from a shared folder or from a Web location. You can also use Windows 2000 Group Policy to centrally distribute the Firewall Client software to client computers. For all installation methods, you must install the Firewall Client software from the installation point on the ISA Server computer so that the client computer receives all of the required configuration information.
Do not install the Firewall Client software on the ISA Server computer. It is not recommended that you use this configuration because the operations of the Firewall client may interfere with the operations of ISA Server when both are running on the same computer.
Installing from a Shared Folder
When you run the ISA Server Setup program, it automatically creates a folder named Program Files\Microsoft ISA Server\Clients, copies the client installation files to this location, and then shares that folder as MSPClnt. By default, the Firewall Client Setup program installs the Firewall Client in the C:\Program Files\Microsoft Firewall Client folder. You can select a different folder during Setup.
To install the Firewall Client software from the shared folder:
1. Use Windows Explorer to connect to \\server\MSPClnt (where server is the name of the ISA Server computer).
2. Run Setup.exe from that location, and then follow the on-screen instructions.
Topic Objective
To describe the options for installing and configuring the Firewall Client software.
Lead-in
You have three options for installing the Firewall Client program on client computers.
Installing from a Web Location
To install the Firewall Client software from a Web location:
1. Copy the Default.htm and Setup.bat files from the Program Files\Microsoft ISA Server\Clients\WEBINST folder to a Web server.
2. Use a Web browser to connect to the Web server, and then display Default.htm.
3. Start the Setup program by doing one of the following:
• If you are using Internet Explorer, click the Firewall Client software link.
• If you are using Netscape Navigator, follow the instructions to save Setup.bat to your hard drive, and then run Setup.bat from a command prompt.
For most Winsock applications, the default Firewall client configuration works with no further modification. However, in some cases, you may have to modify the client configuration information. For more information about configuring Firewall client settings, see “Advanced Firewall client configuration” in ISA Server Help.
Installing by Using Group Policy
To install the Firewall Client software by using a group policy, assign the Windows Installer package MS_FWC.msi in the shared folder \\isa_server\Mspclnt to the users that require the Firewall client.
For more information on deploying software by using a group policy, see Module 9, “Using Group Policy to Manage Software,” in Course 2154A, Implementing and Administering Microsoft Windows 2000 Directory Services.
Using the Firewall Client
The Firewall client is transparent to applications and users. By default, an icon on the taskbar appears when a user has the Firewall Client software installed, and the appearance of this icon indicates the status of the connection to the ISA Server computer.
You can use Firewall Client in Control Panel to disable the Firewall client, control whether the taskbar icon appears, and update Firewall configuration information from the ISA Server computer.
The Firewall client automatically detects when there is no connection to the ISA Server computer. When the Firewall client detects that there is no connection, it automatically disables itself so that the client computer connects to Internet resources directly. This action allows users to move a computer, without having to reconfigure the Firewall client, between an office location that uses ISA Server and a home location in which ISA Server is not installed.
Troubleshooting Client Installation
Common client installation problems and possible solutions are as follows:
• You can no longer connect to Internet resources immediately after installing the Firewall Client software. Before attempting other methods of troubleshooting, update the Firewall client by using the most recent ISA Server configuration. To update the client, in Control Panel, click Update Now in the Firewall Client program.
• You can no longer connect to Internet resources immediately after configuring the Web Proxy client. Ensure that your computer can communicate with the ISA Server computer and that your access rules allow you to gain access to the Internet.
• You cannot gain access to Internet sites from a client computer. Attempt to isolate the problem by answering the following questions:
  • Can you gain access to internal resources?
  • Can you gain access to external Web-based resources?
  • Can you gain access to external resources by using Winsock-based applications?
  • Can you gain access to external resources by using SecureNAT?
The most important part of troubleshooting client connection problems is isolating the problem, which includes identifying which client component is involved. For example, if you can gain access to Web-based resources but Winsock-based applications do not work, you may need to reconfigure application settings for the Firewall client. If you cannot gain access to either internal or external resources, the problem may be unrelated to ISA Server and you will have to examine your network configuration.
For more information on troubleshooting client connection problems, see “Troubleshooting client connections” in ISA Server Help.
After installing ISA Server
clients, you may have to
troubleshoot problems with