2. Start the ISA setup program.
3. Click Continue at the Welcome screen.
4. Enter the CD key and click OK.
5. Setup searches for installed components and then presents the EULA screen. Select I Agree.
6. Select Custom.
7. Verify that the options required have been selected or deselected; for example, you might not want the administration program to be applied to every installation in the array.
8. Select Continue.
9. The message box, Do you want to install ISA Server as an array member? appears. If you do not, select Yes and the ISA server will be installed as a standalone server. Select Yes.
10. The installation program searches for arrays and displays the names of the arrays it finds.
11. Select the array to join and click OK (see Figure 3.15).
12. Select the drive and size of the cache and click OK.
13. A progress window indicates that setup is registering COM objects and then starting the services. Files are copied and a final window indicating successful setup is presented. Click OK.
Note: Don't Confuse It! You should not attempt to install more than one server in an array at a time; that is, complete the installation of a server in an array before starting the installation of another server into the same array.
Figure 3.15 Selecting the array.
Review Break
• Two versions of ISA Server are available: Standard (standalone) and Enterprise.
• Three modes of installation are available for either version: Caching, Firewall, and Integrated.
• By default, all clients are allowed access to all content on all sites at all times; however, there is no default protocol rule so no traffic can occur.
• Packet filtering is only available for Firewall or Integrated mode installation.
• Before the first Enterprise Edition ISA server can be installed in the forest, modifications must be made to the AD Schema.
• An Enterprise Edition ISA Server must be installed into an array or it is installed as a standalone server.
• The default Enterprise policy is configured to use an Enterprise policy and not to allow array policies to restrict Enterprise policy.
• ISA listens at port 8080 for client requests.
• A minimum cache of 5MB on an NTFS volume must be configured during setup for caching or integrated mode servers.
• Unattended setups always do a full installation.
Troubleshoot problems that occur during setup
Like most modern installations, installation succeeds. However, it is possible to have a failed installation, one that does not complete successfully, or one that appears to complete successfully and yet does not work. These issues are categorized in the sections that follow.
Chapter 3 Installing ISA Service
Failed Installation
Most installations of ISA Server will proceed normally and without error. Most installation problems will be due to minor operator errors, typos, and so on. However, even the most careful administrator can have an aborted installation. Here are some issues that may be the cause.
Can’t Install in Existing Array
When installing multiple ISA servers in an array, you receive the error This computer is not a member of a site and cannot be installed in an array.
Windows 2000 computers joined in a domain may be found in multiple physical locations. As you know, the Windows 2000 site can be used to model the physical network. The default site is created when the first domain controller in the forest is installed. This domain controller automatically becomes a member of this site. Additional sites can be created and the original site can be renamed. Within each site, the appropriate subnets that represent the subnets at that physical location are entered. This maps the physical network to the Active Directory object: the site. Domain controllers are added to sites as they are installed on the system. Their site location can be changed to indicate their true physical location.
Member servers are automatically part of an Active Directory site if the appropriate subnets have been entered and assigned to the site. You might need, however, to add the member server computer object to the appropriate site within Active Directory Sites and Services.
If the previous error is received, check to see that the subnet has been added to the site and that the server does have an IP address within the same subnet as the first array member.
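The two checks described above can be run on paper before setup is started. The following is an added example, not code from the book or from ISA Server: it models the subnet-to-site mapping with constructed sample subnets and site names, and the function names and finding labels are hypothetical.

```python
import ipaddress

# Constructed sample data: subnet objects as they might be entered in
# Active Directory Sites and Services, each assigned to one site.
SITE_SUBNETS = {
    "10.1.0.0/16": "Headquarters",
    "10.1.40.0/24": "Branch-East",
    "10.2.0.0/16": "Branch-West",
}

def match_subnet(ip, site_subnets=SITE_SUBNETS):
    """Return (network, site) for the subnet containing ip, or None.
    When several subnets contain the address, the most specific
    (longest prefix) one is used."""
    addr = ipaddress.ip_address(ip)
    best = None
    for cidr, site in site_subnets.items():
        net = ipaddress.ip_network(cidr)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, site)
    return best

def site_for(ip, site_subnets=SITE_SUBNETS):
    """Site name for an address, or None when no subnet covers it."""
    hit = match_subnet(ip, site_subnets)
    return hit[1] if hit else None

def precheck_array_join(first_member_ip, candidate_ip, site_subnets=SITE_SUBNETS):
    """Apply the two checks from the text to a server about to join an array.
    Returns a list of finding labels; an empty list means both checks pass."""
    findings = []
    candidate = match_subnet(candidate_ip, site_subnets)
    first = match_subnet(first_member_ip, site_subnets)
    if candidate is None:
        # No subnet covers the address, so the server is in no site:
        # the condition behind the "not a member of a site" error.
        findings.append("candidate-not-in-any-site")
    elif first is None or candidate[0] != first[0]:
        # Second check from the text: same subnet as the first array member.
        findings.append("candidate-in-different-subnet")
    return findings

if __name__ == "__main__":
    for ip in ("10.1.5.11", "10.1.40.7", "172.16.0.9"):
        print(ip, site_for(ip), precheck_array_join("10.1.5.10", ip))
```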
Installation Fails to Complete—You Cannot Run the Uninstall Program
If your attempted installation fails, it might be because some MMC with related ISA administration or help information has not finished closing, even though it has disappeared from the screen. If this is the case, simply ending the attempt at uninstallation, clearing all windows and waiting a couple of minutes before trying again, will usually resolve the issue.
If this fails, you can uninstall the program by using the Control Panel/Add Remove Programs applet.
If this fails, use the Rmisa.exe program provided on the ISA Server CD-ROM.
Was Installation Successful?
Immediately after the ISA Server is installed, you should verify the installation. To do so, follow the steps of the Verification Process section. If they show your installation to be less than perfect, review the section on known issues.
Verification Process
If the installation process ends successfully, how do you know it actually is working correctly? Before you spend hours configuring the system and then find it not to be working, it makes sense to do a little testing. This way, if there are problems after configuration, you can limit your troubleshooting to the configuration process and not wonder if something went wrong during installation. To verify the installation:
1. Examine the Event log for errors. If there are no error messages, or they can be resolved, continue the verification process. Likely installation error messages are detailed below.
2. Set up one local client as a Web proxy client; the Web browser application is configured to use the ISA Server.
3. In the client's Web browser, navigate to any page on the Internet.
4. The default installation will not allow access and the 502 proxy error should be the result.
5. Create a protocol rule that allows use of all protocols by all clients.
6. Create a routing rule that routes the request to the Internet (if directly connected) or to an upstream proxy server or ISA Server.
7. On the client, navigate to the same site. You should be able to access the page.
You might then want to remove these routing and protocol rules if you require more restrictive rules. Remember, the goal here is merely to test the installation before making major configurations. In this manner you know that the installation is good.
Event ID 14111—The ISA Server Cache Could Not Start
The ISA Server Cache can't start because it's configured incorrectly. Stop the Web Proxy Service, and then use ISA Management console or the Registry to correct the problem (\arrays\name\cache configuration\HTTP tab – select restore defaults) and then attempt to restart the service. The problem might be incorrect configuration (does not meet minimum size, drive too small) or a conflict with other settings.
If the condition cannot be resolved in this manner, run setup again and select Reinstall.
Event ID 14176, 14164, 14172—The Disk Cache Failed to Initialize and Is Disabled
Check other events (improper configuration, disk cannot be used for cache, disk configuration is wrong) and correct the problem, then restart Web Proxy service.
Event ID 14010, 14063—The Firewall Service Did Not Start Due to Corrupt Data
Corrupt data in the Registry (14063) or in the Active Directory prevents the service from starting. Waiting a short while before attempting to start the service may work. Otherwise, you must uninstall and reinstall ISA. The ISA Server configuration will be lost.
A Generated LAT Is Not Correct
Manually adjust the LAT from the ISA Management console.
You Are Unable to Access Internet Resources
This is expected. The default installation blocks all traffic through the ISA Server to the Internet.
Users Can Access Sites on the Internet
The LAT is incorrectly configured.
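Before adjusting a generated LAT by hand, it helps to compare its ranges with the addresses of the server's two network cards. The following is an added example, not code from the book or from ISA Server: the LAT entries and NIC addresses are constructed sample values, and the function names and finding labels are hypothetical.

```python
import ipaddress

# RFC 1918 private address ranges.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_range(start, end):
    """Turn one LAT entry (from-address, to-address) into address objects."""
    lo, hi = ipaddress.ip_address(start), ipaddress.ip_address(end)
    if lo > hi:
        raise ValueError(f"range start {start} is above range end {end}")
    return lo, hi

def in_lat(ip, lat):
    """True when ip falls inside any parsed LAT range."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in lat)

def audit_lat(lat_entries, internal_ips, external_ips):
    """Compare LAT ranges with the server's NIC addresses.
    Returns a list of (finding, detail) tuples; empty means nothing to fix."""
    lat = [parse_range(s, e) for s, e in lat_entries]
    findings = []
    for ip in internal_ips:
        if not in_lat(ip, lat):
            # The private-side NIC is treated as external by the server.
            findings.append(("internal-missing", ip))
    for ip in external_ips:
        if in_lat(ip, lat):
            # The public-side NIC is treated as internal by the server.
            findings.append(("external-in-lat", ip))
    for lo, hi in lat:
        # A range that is not wholly inside RFC 1918 space can be legitimate
        # (an internal network on public addresses) but deserves a manual look.
        blocks = ipaddress.summarize_address_range(lo, hi)
        if not all(any(b.subnet_of(p) for p in RFC1918) for b in blocks):
            findings.append(("non-private-range", f"{lo}-{hi}"))
    return findings

# Constructed sample LATs and NIC addresses.
GOOD_LAT = [("10.0.0.0", "10.255.255.255"),
            ("172.16.0.0", "172.31.255.255"),
            ("192.168.0.0", "192.168.255.255")]
BAD_LAT = GOOD_LAT + [("203.0.113.0", "203.0.113.255")]

if __name__ == "__main__":
    print(audit_lat(GOOD_LAT, ["192.168.10.1"], ["203.0.113.5"]))
    print(audit_lat(BAD_LAT, ["192.168.10.1"], ["203.0.113.5"]))
```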
The uninstallation process is simple and automated. To do so, follow the steps in Step by Step 3.10. Changes made to the Active Directory Schema cannot be removed.
Step by Step
3.10 Uninstall ISA Server
1. If the Event Viewer is open, close it. Otherwise some ISA files may not be removed.
2. From the ISA Server Setup Window, run Install ISA Server.
3. Setup searches for installed components and then displays the setup window choices (see Figure 3.16):
• Add/Remove—Additional components can be added, such as adding Firewall mode to a caching only ISA Server.
• Reinstall—The last installation will be repeated, missing files and settings will be restored.
• Remove ALL—Uninstall ISA Server.
Figure 3.16 Uninstallation choices.
4. To remove the ISA Installation, select Remove All.
5. On the Are you sure you want to remove Microsoft ISA Server? message box, click Yes. The program reports that it is stopping services.
6. On the Do you want Uninstall to remove the logs and configuration backup files generated by Microsoft ISA Server? message box (see Figure 3.17), click Yes to remove all information.
7. The program will report that it is removing ISA COM objects, stopping relevant services, deleting files, and updating the system, and then restart or start the relevant services.
8. At the Microsoft Internet Security and Acceleration Server Setup was completed successfully message box, click OK.
Figure 3.17 Remove the logs.
Note: rmisa.exe. If you cannot uninstall ISA Server by this method, you might be able to uninstall it by using Control Panel/Add Remove Programs. An uninstall program, rmisa.exe, is also supplied in the \ISA\I386 folder on the Installation CD-ROM. This program completely removes ISA Server.
Case Study: Security Syndicate
• Control and protection of NetMeeting sessions
• Public Web server
• Multiple client OSs
• Control, cost, and performance issues
Scenario
Midwest-based security consultant Security Syndicate has two new customers with firewall/caching server needs. One customer, Davison & Davison, is an accounting firm with traditional small network protection needs. A public Web server and minimal Web browsing needs require perimeter protection. The other customer, Fujedenchee, is a leading supplier of innovative communications solutions. Web access and usage is considered to be out of control and they are seeking reduced cost, improved performance, and security. Fujedenchee currently has a mixed client environment. A Windows 2000 migration project is in the implementation stages. Not all clients or servers will be moved to W2k.
at different scale, an ISA team is assembled. You are part of that team.
Analysis
Two seemingly different customers' needs can be met by one product, ISA Server. Implementation, configuration, and usage patterns will be different. Security Syndicate has decided that ISA Server firewall mode, should be installed and
Installing ISA Server is not a difficult process. Although there are multiple possibilities, there are few choices that, once made, cannot be changed. An option can be installed (changing a Firewall mode to an Integrated mode) or a configuration updated after the original installation. The biggest issue of installation, for all versions and uses, is the planning decision on how the product is to be used and where in the network it needs to be placed. This chapter has outlined the installation process and elaborated on three installation processes:
• Making the Active Directory schema modifications
• Determining the size of the initial cache
• Configuring the Local Address Table (LAT)
If you will spend some time with the review questions and key terms, and complete the hands-on exercises, you will be ready to proceed with the next chapter on upgrading Microsoft Proxy Server 2.0 to ISA Server.
• Request for Comment (RFC)
• Private address ranges
• Active Directory Schema
Estimated Time: 20 minutes
1. If you have not configured a Windows 2000 standalone server as specified in Exercise 2.1, please do so before continuing. This server requires two network cards: one on the public network and one on the private network. The system should be a clean install of Windows 2000 (current Service Pack) standalone server.
2. Verify connectivity to both networks. If you are using the Internet as your public network, verify connectivity by accessing any Internet site via the browser. If you are using an internal subnet as your public network, verify access to systems on that network.
3. Install ISA Server Standard edition. Install using the Custom option and be sure the administration and server modules are chosen. Do not select any add-ins. (For detailed instructions see Step by Step 3.2.)
3.2 Modification of the Active Directory Schema
Before you can install an Enterprise ISA Server in an array, you must modify the Active Directory schema. The process is simple, and need only be done once for the forest. The program you will need to run is only provided on the ISA Server Enterprise edition disk.
Estimated Time: 20 minutes
1. If you have not installed your test-domain domain controller, two member servers and Windows 2000 Professional system as per instructions in Exercise 2.1, please do so. The test-domain systems should all be updated to the current Service Pack. At least one of the member servers should have two network cards configured with one on the public network and one on the private network. DO NOT PERFORM THESE LABS IN A PRODUCTION SYSTEM.
2. Verify your test network. You should be able to log on from all systems. You need to be a member of the Enterprise Admins group.
3. Verify connectivity with the public network.
4. Modify the Active Directory Schema for ISA by running the ISA Server Enterprise Installation program from the ISA Server CD-ROM. Detailed instructions are in Step by Step 3.3.
3.3 Installation of an Enterprise Edition ISA Server—Integrated Mode
After you update the AD Schema, you are ready to install ISA Server, Enterprise edition. There are differences in the interface and the features of this edition from the standalone edition. This exercise is your first exposure to them. In your test lab scenario, you can immediately follow the schema modification exercise with this one. In the real world, however, you may need to wait until the changes to the schema have replicated to all domain DCs in the forest.
Although in your test you may want to install the first ISA server on the DC (to reduce the number of computers you need to use), never do this on a production DC.
Please note that the first server installed creates the first array. It is an array of one server. You must retain, and have available on the network, this first installation in order to complete Exercise 3.4.
Estimated Time: 20 minutes
1. Log on to the two NIC Windows 2000 member server.
2. Install ISA Server Enterprise edition in Integrated mode. (Detailed instructions are in Step by Step 3.4.) The following installation configuration choices should be made:
• Do not select any add-ins.
• Select the default Enterprise policy.
• Use the Create the LAT button and be sure to select the appropriate NIC card to include the private network subnet in the LAT along with the default private address ranges.
• Do not install the ISA Management console.
3. Log on to and install the ISA Server Management console on the Windows 2000 Professional system.
4. Review the installation via the ISA Server Management console.
3.4 Installation of a Second Array Member Enterprise Edition ISA Server—Integrated Mode
This exercise helps you understand the different processes followed when adding ISA Servers to an array. You will need to be sure the system on which you are doing the install can connect to the AD and locate the schema. If it cannot, you will not be able to install this server to the array. Retain both of these servers in their array configuration—you will need them for further exercises.
Estimated Time: 20 minutes
1. Log on to the second member server.
2. Install ISA Server Enterprise edition in Integrated mode as a member of the array created in Exercise 3.3.
3. The following installation configuration choices should be made:
• Do not select any add-ins.
• Create the server as a member in the same array as the previous installation.
• Use the Create the LAT button and make sure to select the appropriate NIC card to include the private network subnet in the LAT along with the default private address ranges.
• Do not install the ISA Management console.
4. Log on to and install the ISA Server Management console on the Windows 2000 Professional system.
5. Review the installation via the ISA Server Management console.
Review Questions
1. You are required to provide a firewall solution for a non-Windows shop. Can ISA Server fit this bill? If so, what version would you install?
2. A Fortune 500 company requires an Internet access control solution. They are looking for load balancing, fault tolerance, performance, and the capability to control hours of access, users, and systems. What selections would you make during installation of ISA Server?
3. This same company realizes it must use more than one server. Which version of ISA Server must they use?
4. What action must be taken prior to installing the first ISA Server in the forest? Why is this necessary?
5. Which clients can benefit from an installation of ISA Server in caching mode?
6. Installation proceeds smoothly and indicates that it was successfully accomplished. It's late in the day. In the morning, you attempt to verify the installation and get an error message stating that a service cannot start. What is wrong? What should you do?
7. You would like to provide forward caching services for a company with 10,545 employees. What configuration would you recommend? (How many servers? Mode? RAM? Other specs?)
Exam Questions
1. The first ISA server in an array has been successfully installed and verified. You attempt to install the second array member but during installation get an error message that the Windows 2000 server is not a member of a site and will be installed as a standalone server. What could be wrong? (Select all that apply.)
A. The Windows 2000 server is not a domain member server.
B. The Windows 2000 server is not a member of the original array server's domain.
C. You have used the Standard edition ISA Server CD-ROM.
D. The Windows 2000 server is not a member of the same site as the server which is the first member of the ISA server array.
E. The Windows 2000 server is not a member of the same subnet as the server, which is the first member of the ISA server array. It is a member of the same site.
F. The Windows 2000 Server has not been configured as a member of the same site, or the information has not been updated in the Active Directory.
2. The ISA Server will be used when first installed as a firewall. It may be required to provide forward caching in the future. You should:
A. Install the server in Firewall mode. If it is required to also provide forward caching, the caching service can be added at a later date.
B. Install the server in Integrated mode. You cannot add a service without uninstalling and reinstalling at a later date because you would lose configuration information.
C. Install in Firewall mode. When you need to add forward caching services later, you can export the configuration information and then uninstall, reinstall in Integrated mode, and import the configuration information.
D. Install in Caching mode. Caching mode also allows configuring the firewall service. If caching is not configured, no caching will occur.
3. The first ISA server in an array has been successfully installed and verified. You attempt to install the second array member but during installation get an error message that the Windows 2000 Server is not a member of a site and will be installed as a standalone server. Which two steps should you take?
A. Continue the installation.
B. Configure the standalone ISA server to be an array member after installation.
C. Cancel the installation.
D. Solve the problem and then begin the installation again.
4. During installation of ISA Server in Caching mode, you must configure the cache. You have determined that you will require 500MB of space for the cache. At the cache configuration point during installation, you are presented with the display in Figure 3.18. Which steps should you take? (Select as many steps as apply.)
A. Select 500MB on the D: drive.
B. Select 5MB on the C: drive.
C. Cancel the install.
D. Convert the D: drive to NTFS.
E. Reconfigure the cache using ISA Management.
Figure 3.18 Where to put the cache?
5. Figure 3.19 is a network diagram for Johnson Cake Candle company. It will be using ISA Server to protect access to their internal network while allowing employees to access the Internet. The diagram shows subnets on both sides of the proposed ISA server and the network card addresses of both NICs in the server. Use the table that follows to indicate how you would configure the LAT.
LAT Contents
6. Figure 3.20 is a network diagram for ABC Company. The ABC Company will be using ISA Server to protect access to several subnets that require additional security. These subnets include computers in the finance, marketing, and administration departments. The diagram shows subnets on both sides of the proposed ISA server and the network card addresses of both NICs in the server. Use the table that follows to indicate how you would configure the LAT.
LAT Contents
[Network diagram labels: Internet; Private (accounting and other financial): 208.56.5.0, 208.56.4.0, 208.56.3.0; Other subnets in company: 208.56.6.0, 208.56.7.0, 208.56.8.0, 208.56.9.0]
Figure 3.19 Johnson Cake Candle Company network information.
Figure 3.20 ABC Company network information.
7. An analysis has determined that five ISA servers will be arranged in a single array to handle forward caching. This array will serve 9,465 users. What size should the cache be on each server?
8. A single ISA server will provide forward caching for 328 users. What is the minimum cache size for the array?
Your goal is to totally remove any indication that the ISA Server was ever there. The following steps should be taken. (Select all that apply.)
A. Run the uninstall ISA Server program.
B. Verify that all Registry entries for ISA Server and all files that were added are gone.
C. Run the Remove ISA Enterprise Installation program to clean the Active Directory schema.
D. Remove the test server from the domain.
10. John has installed ISA Server but the verification process fails to allow him to access a Web site. He asks for your help. You think that perhaps the LAT is not configured correctly. You open the ISA Management console to verify the LAT and navigate to the Network Configuration node and expand it. Your screen looks like Figure 3.21. What's the next step you take?
A. You're in the wrong place, move to the Computer node, expand it, and open the Local Address Table (LAT) folder.
B. Expand the Routing folder and open the Local Address Table (LAT) folder.
C. You must have installed the ISA Server in caching mode. Caching mode does not require configuration of the LAT, therefore the Local Address Table (LAT) does not exist. Tell John to run the installation program and add the firewall module.
D. Right-click the Routing node and select Configure LAT. The LAT will automatically be correctly configured from the routing table on the system.
Figure 3.21 Where to configure the LAT?
Answers to Review Questions
1. Yes. The ISA server must be installed on a Windows 2000 system, but clients can be of any type. See the section, “Introduction.”
2. Install Enterprise edition, caching mode, array. Use multiple servers in the array to provide the necessary load balancing and fault tolerance. See the sections, “Introduction,” and “Install ISA Server Enterprise Edition.”
3. Enterprise edition. See the section, “Install ISA Server Enterprise Edition.”
4. Modify the Active Directory Schema. This must be done to provide the objects and attributes necessary. Active Directory is necessary to provide centralized management of multiple ISA Servers. No Active Directory, no arrays, no centralized management. See the section, “Installing the ISA Server in the Active Directory.”
5. All types of clients can benefit. See the section “Introduction.”
6. One possibility for the service not starting is that there is not adequate cache space. A minimum of 5MB on an NTFS partition must be provided. Although you would have to have configured adequate caching space during installation, if the drive on which it was configured becomes corrupt, or crashes, adequate space is not available, and the service will stop and not start. You need to check the Event log for messages to determine if this might be the case and then prepare another drive. See the section, “Failed Installation.”
7. Enterprise edition, caching mode. At least six servers in array(s). At least 256MB RAM per server. Pentium III. See the section, “Configure the Cache.”
Answers to Exam Questions
1. A. If the server is not a member of a domain it cannot be installed as an Enterprise server in an array. B is incorrect. Although the server must be a member of the other server’s domain it can be a member of another domain and still be installed in an array, just not in this one. C is incorrect. If you use the standard edition CD-ROM, you will not be given any opportunity to install in an array, but this error message will not occur. D is incorrect. If the server is a member of any site, you will not get this error. E is incorrect. The server can be in another subnet. F is correct. Even if the server is a member server, if the information of its membership in some site is not in the Active Directory, the installation program will give this answer. See the section, “Failed Installation.”
2. A. You can run the install program and add modules. B is therefore incorrect. You could go ahead and install the server in Integrated mode but the reason for doing so is incorrect. C is incorrect. You cannot export and import configurations. You can back up a configuration, but restoring it would overwrite what is currently there. D is incorrect. Caching mode installation will not include the ability to configure the firewall. See the section, “Installation Procedures Common to All Server Configurations.”
3. C, D. A and B are incorrect. Continuing the installation will install the server as a standalone server. You can promote a standalone server to array membership, but in this case, you will still have the same problem so that will not be possible. C and D are correct: after canceling, solve the problem, then run the installation program again. See the section, “Failed Installation,”