Monday, April 26, 2010

Installing ISA Server 2000 on Windows Server 2003

There have been a lot of questions on the ISAServer.org message boards on how Windows Server 2003 and ISA Server get along with each other. I didn’t spend too much time trying to figure out issues with pre-release versions of Windows Server 2003 and ISA Server because many of the problems could have been related to beta issues that would be fixed in the final version. You could never know if it was an ISA Server issue, an adverse interaction between ISA Server and Windows Server 2003, or maybe a beta bug.

Now that Windows Server 2003 is officially released, and ISA Server is officially supported on Windows Server 2003, we can get to the business of testing out ISA Server on Windows Server 2003 machines. There are many compelling reasons to run ISA Server on a Windows Server 2003 machine:

  • Windows Server 2003 is the most secure version of Windows ever

  • Windows Server 2003 is the most stable version of Windows ever

  • Non-essential services are disabled right out of the box

  • It’s very difficult to run IIS services on the Windows Server 2003/ISA Server because there is no documentation on how to disable socket pooling for all IIS services except the W3SVC

When you combine high security, rock solid stability and the increased difficulty in harpooning yourself in the foot by running IIS services on your firewall, you get what you’re really looking for in a firewall: protection for your internal network.

I’ve had the chance to run ISA Server in integrated mode on a Windows Server 2003 machine for over a month and I find it much more stable than my experiences with ISA Server on Windows 2000 machines. This could be due to the better hardware on which the ISA/Windows Server 2003 software is installed, or it could be an operating system issue.

Installing ISA Server on a Windows Server 2003 machine is painless, but it is a little different from how you do it on a Windows 2000 machine. We need to go through the following steps to install ISA Server on a Windows Server 2003 box:

  • Install Windows Server 2003

  • Install ISA Server 2000

  • Install ISA Server Service Pack 1

  • Install isahf255.exe

  • Install Feature Pack 1

Install Windows Server 2003

The Windows Server 2003 machine should have the following characteristics:

  • At least two network interfaces – one internal and one external

  • No extraneous services installed on the machine

  • As much RAM as possible

  • Disable non-essential services

You need at least one internal and one external interface. The internal interface will be on the Local Address Table (LAT) and does not have a default gateway set on it. The external interface is never on the LAT and it’s the only interface with a default gateway set on it. Windows Server 2003 is like Windows 2000 in that only one interface can have a default gateway. This means ISA Server on Windows Server 2003 supports a single external interface. You can have multiple public address DMZ interfaces, but only a single interface that connects the internal network to the Internet.

Do not install extra services on the firewall. Do not install a Quake server, do not install an enterprise mail and groupware server, do not install an FTP server, do not install a Web server and do not install a Kazaa server! Your ISA Server is a firewall – you wouldn’t install these services on a PIX or Checkpoint Nokia – so you shouldn’t do it on the ISA Server firewall.

Most people will use the Web Proxy service to provide Web performance enhancements and increased security for Web Publishing. The cool thing about ISA Server is that it keeps the Web cache in RAM. The more RAM you have, the more cached content can be kept in fast memory and the better the end-user perceived performance. Aim for at least 768 MB of RAM in the ISA Server firewall, and more is better.

You can harden your server by disabling non-essential services. Non-essential services depend on what services you need, so it’s hard to give you a hard and fast list of what services you should disable.

Install ISA Server 2000

Now for the fun part. Get out your ISA Server 2000 CD-ROM disk and put it into the drive, or connect to a network share that contains the ISA Server installation files. Then perform the following steps to begin installing ISA Server on a Windows Server 2003 machine:
1. Double click on the ISAAutorun.exe file on the ISA Server CD.
2. Click on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page.
3. You will see an ISA 2000 dialog box that informs you that you need to install ISA 2000 Service Pack 1 in order for things to work right. We know that, so we’ll click Continue.
4. Click Continue on the Welcome to the Microsoft ISA Server installation program page.
5. Enter your CD Key in the CD Key dialog box. Click OK.
6. Write down your Product ID as listed in the Product ID dialog box. Click OK in the Product ID dialog box after writing this number down.
7. Click I Agree in the Microsoft ISA Server Setup dialog box.
8. Click the Full Installation button in the installation type dialog box. I am assuming you want to use all the features that ISA Server has to offer. You can use the Add/Remove Programs applet later if you want to remove some ISA Server features.
9. In this example we are installing ISA Server in standalone mode, not in enterprise array mode. Click Yes in the dialog box that asks if you want to continue.
10. Select the Integrated mode option on the Select the mode for this server page. You want to take advantage of the full power of your ISA Server firewall. Integrated mode gives you everything the Web Proxy and Firewall services have to offer. Go for it! Click Continue.
11. On the Web cache page, select a drive to put the Web cache file on. The drive must be NTFS. Type in a size of the cache in the Cache size (MB) text box and then click the Set button. Then click OK.
12. On the LAT page, click the Construct Table button. On the Local Address Table page, remove the checkmark in the Add the following private ranges checkbox. Put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Remove the checkmark from the checkbox representing the external interface, and leave the checkmark in the checkbox for the internal interface. Click OK in the Local Address Table dialog box, then click OK in the Setup Message dialog box that informs you that the LAT was constructed based on the Windows 2000 routing table (in spite of the fact that you’re installing ISA Server on a Windows Server 2003 machine).
13. Click OK on the LAT dialog box after reviewing the entries in the Internal IP ranges list.
14. Unlike Windows 2000, Windows Server 2003 does not install IIS by default (yeah! You should NEVER run IIS services on a firewall – except for maybe the SMTP service). You will see a dialog box telling you that you’ll have to install the SMTP service if you want to run the SMTP Message Screener. Click OK to continue.
15. The ISA Server services are installed. You will see a warning balloon informing you that ISA 2000 will cause Windows to become unstable. Close the balloon, remove the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then click OK in the Launch ISA Management Tools dialog box.
16. Click OK in the dialog box that informs you that setup was completed.
17. Click OK in the dialog box that informs you that setup has failed to start one or more services.

Now you’re ready to install ISA Server Service Pack 1.
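The interface and LAT rules described above (one external interface holding the only default gateway and staying off the LAT, internal interfaces on the LAT) can be checked offline before or after running setup. This Python script is an added example, not part of the original article or of ISA Server; the interface names, the `role` labels and all addresses are constructed sample values.

```python
import ipaddress

# Constructed sample data (not from the article): interface layout and LAT ranges.
# "role" is a hypothetical label the operator assigns to each network adapter.
INTERFACES = [
    {"name": "LAN", "role": "internal", "ip": "10.0.0.1", "gateway": None},
    {"name": "WAN", "role": "external", "ip": "192.0.2.10", "gateway": "192.0.2.1"},
]
GOOD_LAT = [("10.0.0.0", "10.0.0.255")]
# The LAT that results if the external interface's checkbox is left ticked.
BAD_LAT = GOOD_LAT + [("192.0.2.0", "192.0.2.255")]


def in_lat(ip, lat):
    """True if ip falls inside any inclusive (start, end) LAT range."""
    addr = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi)
               for lo, hi in lat)


def audit(interfaces, lat):
    """Return a list of findings; an empty list means the layout follows the rules."""
    findings = []
    externals = [n for n in interfaces if n["role"] == "external"]
    if len(externals) != 1:
        findings.append(f"expected exactly one external interface, found {len(externals)}")
    for nic in interfaces:
        listed = in_lat(nic["ip"], lat)
        if nic["role"] == "external":
            if not nic["gateway"]:
                findings.append(f"{nic['name']}: external interface has no default gateway")
            if listed:
                findings.append(f"{nic['name']}: external address {nic['ip']} is on the LAT")
        else:
            # Internal and DMZ interfaces must not carry a default gateway.
            if nic["gateway"]:
                findings.append(f"{nic['name']}: default gateway set on non-external interface ({nic['role']})")
            if nic["role"] == "internal" and not listed:
                findings.append(f"{nic['name']}: internal address {nic['ip']} is not on the LAT")
    return findings


if __name__ == "__main__":
    for label, lat in (("good LAT", GOOD_LAT), ("bad LAT", BAD_LAT)):
        print(label, audit(INTERFACES, lat) or "OK")
```

An external address on the LAT is the finding to act on first, because hosts in a LAT range are treated as part of the internal network.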

