RE: installing ISA server

  • From: "Nguyen Viet Anh" <nvanh@xxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 27 Dec 2002 09:42:14 +0700

"This step-by-step article describes how small businesses with less than 255
workstations in an existing Windows-based network can connect computers to
the Internet by using the Microsoft Internet Security Acceleration (ISA)
firewall secured services.

1. Install the ISA Server
An ISA firewall requires a computer with two network adapters. You need to
connect one of these adapters to your internal network. You connect the
other adapter to your Internet service provider (ISP). Your ISP can help you
make this connection. A firewall acts as a security barrier between your
intranet and the Internet by keeping other people on the Internet from
gaining access to the confidential information on your internal network or
your computer.

To plan the installation
  a.. You can run ISA Server Standard Edition on a standalone computer, on a
computer that is a member of a Windows NT domain, or on a computer that is a
member of a Windows 2000 Active Directory domain.


  b.. For maximum security run ISA Server on a standalone computer.


  c.. The configuration of the network adapters involves setting up the
external interface to the Internet and setting up the internal interface to
your Windows-based network.


  d.. Your ISP should provide a static IP address, subnet mask, default
gateway, and DNS server or servers. Enter this information in the TCP/IP
settings of the adapter that is connected to your ISP. Some ISPs prefer to
assign this information with Dynamic Host Configuration Protocol (DHCP),
which is fine.


To configure the server's network adapters
  1.. On the desktop, right-click My Network Places, and then click
Properties.


  2.. Right-click your Internet connection, click Rename, and then type
Internet connection. This will help you remember which network card is
connected to the Internet.


  3.. Right-click the Internet connection, and then click Properties.


  4.. On the General tab, click to select the Show icon in taskbar when
connected check box. Whenever this interface transfers data, a small icon in
the taskbar will flash.


  5.. Clear the Client for Microsoft Network and File and printer sharing
for Microsoft networks check boxes. ISA Server automatically blocks these
protocols; by clearing these check boxes, you are saving memory.


  6.. Double-click Internet protocol (TCP/IP), and then do one of the
following:


    a.. If your ISP uses DHCP to assign IP addresses, in the Internet Protoc
    b.. Click Advanced, then click the DNS tab. Click to clear the Register
this connection's addresses in DNS check box.


Note: You need to type a permanent address and appropriate subnet mask for
your internal network on the internal adapter (do not use DHCP on this
interface). Leave the default gateway blank. The ISA Server computer needs
only one default gateway: the one that is configured on the external
interface. Configuring a default gateway on the internal adapter causes ISA
to malfunction.

To configure the internal interface to your network
  1.. Right-click My Network Places, and then click Properties. Right-click
your Local Area Connection (LAN), click Rename, and then type Local network.


  2.. Right-click Local network, and then click Properties.


  3.. On the General tab, click to select the Show icon in taskbar when
connected check box.


  4.. Click to select the Client for Microsoft networks and File and printer
sharing for Microsoft networks check boxes if they are not selected.


  5.. Double-click Internet protocol (TCP/IP), and then click to select the
Use the following IP address check box.


  6.. In IP address, type an internal IP address and subnet mask that makes
sense for your internal network's addressing scheme. Leave Default gateway
blank. In Preferred DNS server, type the IP address of your network's DNS
server or servers.

  Note: For very small networks with less than 255 computers, if you are
using the Windows 2000 default TCP/IP configuration, and you do not have a
DNS server in your network, your computers are relying on automatic private
IP address assignment (APIPA). You should migrate away from APIPA and start
to use static addresses on your client workstations. Each computer in your
network will need a unique IP address. When you configure the internal
interface of ISA Server, you need to type a static address, so use the
address 192.168.0.254, and the subnet mask 255.255.255.0. Leave the Default
gateway box blank. Type the DNS server of your ISP in the DNS server fields.

  Now configure static addresses on each of your clients:


    a.. On the first computer, use the address 192.168.0.1, a subnet mask of
255.255.255.0, and a default gateway of 192.168.0.254. For DNS, type the DNS
server (or servers) of your ISP.


    b.. On the second computer, use the address 192.168.0.2, and then use
the same values as shown in the previous step. Other than the address, these
other values always stay the same, but continue to increment the address for
each additional computer. Maintain a list of which computers use which
addresses.


  7.. Restart your computer, if you are prompted to do so.


2. Install Microsoft Internet Security and Acceleration Server 2000 Standard
Edition
If you have not installed Windows 2000 Service Pack 1 (SP1) and the hotfixes
from the Microsoft ISA Server 2000 Standard Edition CD, install them now.

To install the service pack
  1.. Insert the Windows 2000 SP1 CD in the CD-ROM drive.


  2.. Close the Microsoft ISA Server Setup dialog box that opens (if you
have turned off the auto-insert notification feature, this dialog box does
not appear).


  3.. On the desktop, double-click the My Computer icon.


  4.. Right-click your CD-ROM drive, and then click Explore. Navigate to the
\Support\Windows2000_SP1 folder.


  5.. Double-click the Sp1network.exe program file to install the service
pack.


  6.. Restart your computer after you install the service pack.


To install the hotfixes
  1.. Insert the Microsoft Internet Security and Acceleration Server 2000
Standard Edition CD in the CD-ROM drive.


  2.. Navigate to the \Support\Hotfixes\Win2000 folder.


  3.. Double-click the Q275286_W2K_SP2_x86_en.exe file.


  4.. After you have applied the hotfixes, restart your computer.


Now you can install Microsoft ISA Server 2000 Standard Edition. The
installer asks a number of questions.

To use the ISA Server Setup wizard
  1.. On the desktop, double-click My Computer. Double-click to open your
CD-ROM drive.

  Note: The ISA Server Setup Wizard starts automatically unless the
auto-insert notification feature is turned off. If the wizard does not start
automatically, navigate to the root directory of the CD, and then
double-click the ISAAutorun.exe file to run it. Click Install ISA Server to
begin the process.


  2.. At the Welcome screen, click Continue. Type the product identification
number in the appropriate box. You can locate this number on the back of the
CD-ROM case.


  3.. Read the license agreement, and then click I Agree.


  4.. Click Typical installation for the installation type. This installs
ISA services and the administrative tools.


  5.. Click Firewall mode. ISA stops relevant services on the computer.


  6.. Configure the local address table (LAT) for ISA. Configuring the LAT
requires careful consideration. You are presented with two choices: Either
construct the LAT or use the installe
  7.. When Setup is complete, start the Administrator Getting Started
Wizard, and then read the next section before you complete this wizard.


ISA Server's post-installation state blocks all access to and from the
Internet. This is a good thing! Remember, you are setting up a firewall. The
primary function of a firewall is to serve as a check point between two
networks. ISA Server's behavior is to block everything that is not
specifically allowed through policy.

To configure post-installation state of ISA
You have to configure the following two components of an access policy so
that your clients can access the Internet:
  a.. You have to configure at least one site and content rule, in which you
specify where users can go and what kinds of content they can retrieve.


  b.. You have to configure at least one protocol rule, which specifies the
kinds of traffic that are allowed through ISA Server.


After installation, ISA creates a default site and content rule that allows
all clients access to all content on all sites all the time. This is not
enough, however, for users to start surfing the Internet: There is still no
protocol rule that has been defined. Without this, no traffic is allowed
through ISA.

The Getting Started Wizard
  1.. In the Getting Started Wizard, click Configure Protocol Rules. The
protocol rule list is displayed in Microsoft Management Console (MMC).


  2.. Click Create a Protocol Rule. Type a name, such as "All protocols".


  3.. Click Allow for the rule's action (this is the default).


  4.. Click All IP traffic for the protocol list (this is the default).


  5.. Click Always for the schedule (this is the default).


  6.. Click Any request for the client type (this is the default).


  7.. Click Finish.


To create policies for how users connect to the Internet
There is much more to ISA Server than simply allowing all clients access to
all content on all sites at all times using all (defined) protocols. In ISA,
you can create access policies that you can use to define exactly how your
users can access the Internet.

ISA access policies are composed of the following three elements:
  a.. Site and content rules
  b.. Protocol rules
  c.. IP packet filters
The rules, in turn, are composed of the following policy elements:
  a.. Schedules
  b.. Destination sets
  c.. Client address sets
  d.. Protocol definitions
  e.. Content groups
There are dependencies that you need to understand before you try anything
complex with the ISA policies. The following table describes which policy
elements belong to which policy rules:
        Site and content rules    Protocol rules
        ----------------------    --------------------
        Destination sets          Protocol definitions
        Content groups            Schedules
        Schedules                 Client address sets
        Client address sets

To access the Internet from the ISA computer
What about accessing the Internet from the ISA computer itself? If you are
physically at the ISA computer and you want to access a particular Web site,
the protocol rules and site and content rules that you have created apply
only to clients that are behind the ISA server. When a client wants to
access the Internet, as long as the request is allowed by the rules, ISA
creates a dynamic packet filter for that connection request. However, if you
are at the ISA computer, and you want to access the Internet, you need to
create static packet filters according to the kinds of traffic that you will
be generating. For example, to access a Web site, follow these steps:
  1.. In ISA Management, expand Servers, expand server-name, click Access
Policy, and then click IP Packet Filters.


  2.. Click Create a packet filter to start a wizard.


  3.. Name the packet filter:


    Web access
  4.. Click Allow packet transmission, and then click Custom.


  5.. Click TCP as the IP protocol, click Outbound for the direction, click
All ports for the local port, and then click Fixed port for the remote port.
Type 80 in the Port Number box.


  6.. Select default IP addresses for each external interface that is on the
ISA server.


  7.. Click All remote computers.


Now you can access Web sites from the ISA server. It is recommended that you
repeat these steps using SSL access in step 3 and 443 (in place of 80) in
step 6, as a number of Web servers use the SSL protocol. To allow even more
protocols, follow the same steps using an appropriate name in step 3 and the
necessary entries in step 6.
----- Original Message -----
From: "Wal's" <syoyow@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, December 27, 2002 8:34 AM
Subject: [isalist] RE: installing ISA server


> http://www.ISAserver.org
>
>
> Hi all,
>
> My name is YOYO. I'm an IT staff member at an insurance company.
> I need your help.
> Is there anybody who can give me ISA Server installation and configuration
> documentation, or a site that I can use to learn about it
> (installation and configuration)?
> I ask because I'm a newcomer to ISA Server.
>
> Thanks a lot,
> Best regards,
> YOYO
> ----- Original Message -----
> From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 26, 2002 6:36 PM
> Subject: [isalist] RE: installing ISA server
>
> > Hi Nassit,
> >
> > without any doubt on a member server!
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: NASSIT NAJAT [mailto:n.nassit@xxxxxxxxxxxxx]
> > Sent: donderdag 26 december 2002 12:17
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] installing ISA server
> >
> > Hi all,
> >
> > What's the best way to do : installing ISA Server on a domain controller
> > (for a new domain) or on  a member server?
> >
> > List Sponsored by Aspelle
> > Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server and
> > the Internet to quickly and cost-effectively manage and deliver secure,
> > client-less access to all corporate applications (Web, Unix, Windows and
> > legacy systems), for all users.
> > More info at http://www.aspelle.com/info
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > stefaan.pouseele@xxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
> >
>
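
The addressing rules from the quoted article, turned into a check that can be run against the list of address assignments it says to maintain. This is an added example, not part of the original post or of the article it quotes; the dictionary layout, the names check_plan and host, and the 203.0.113.x external values are assumptions made for illustration.

```python
import ipaddress

def check_plan(isa, clients):
    """Return findings where a plan departs from the article's guidance ([] = none)."""
    findings = []
    ext, lan_if = isa["external"], isa["internal"]
    # The internal adapter is static and carries no default gateway.
    if lan_if.get("dhcp"):
        findings.append("internal adapter must use a static address, not DHCP")
    if lan_if.get("gateway"):
        findings.append("internal adapter must not have a default gateway")
    # The only default gateway lives on the external adapter (static or via DHCP).
    if not (ext.get("dhcp") or ext.get("gateway")):
        findings.append("external adapter needs the ISP default gateway")
    if ext.get("ms_client") or ext.get("file_print_sharing"):
        findings.append("external adapter still binds Microsoft client/file sharing")
    lan = ipaddress.ip_interface(f"{lan_if['ip']}/{lan_if['mask']}")
    reserved = (lan.network.network_address, lan.network.broadcast_address)
    seen = {lan.ip: "ISA internal adapter"}
    for name, c in sorted(clients.items()):
        addr = ipaddress.ip_address(c["ip"])
        if addr.is_link_local:  # 169.254.0.0/16, i.e. APIPA
            findings.append(f"{name}: {addr} is an APIPA address")
        elif c["mask"] != lan_if["mask"] or addr not in lan.network or addr in reserved:
            findings.append(f"{name}: {addr} is not a usable host in {lan.network}")
        if addr in seen:
            findings.append(f"{name}: {addr} already used by {seen[addr]}")
        seen.setdefault(addr, name)
        if c.get("gateway") != lan_if["ip"]:
            findings.append(f"{name}: default gateway should be {lan_if['ip']}")
    return findings

def host(ip, mask="255.255.255.0", gateway="192.168.0.254"):
    """Build one adapter entry; the defaults are the article's client values."""
    return {"ip": ip, "mask": mask, "gateway": gateway}

# Constructed sample data: internal values follow the article, the external
# 203.0.113.x values are documentation-range placeholders for what an ISP assigns.
ISA = {
    "external": {"ip": "203.0.113.10", "mask": "255.255.255.0",
                 "gateway": "203.0.113.1", "ms_client": False,
                 "file_print_sharing": False},
    "internal": host("192.168.0.254", gateway=None),
}
CLIENTS = {"pc1": host("192.168.0.1"), "pc2": host("192.168.0.2")}
BAD_CLIENTS = {"pc1": host("192.168.0.1"), "pc2": host("192.168.0.1"),
               "pc3": host("169.254.10.20", "255.255.0.0", None)}

if __name__ == "__main__":
    for finding in check_plan(ISA, BAD_CLIENTS) or ["plan matches the article"]:
        print(finding)
```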


