"This step-by-step article describes how small businesses with less than 255 workstations in an existing Windows-based network can connect computers to the Internet by using the Microsoft Internet Security Acceleration (ISA) firewall secured services.

1. Install the ISA Server

An ISA firewall requires a computer with two network adapters. You need to connect one of these adapters to your internal network. You connect the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your intranet and the Internet by keeping other people on the Internet from gaining access to the confidential information on your internal network or your computer.

To plan the installation

a. You can run ISA Server Standard Edition on a standalone computer, on a computer that is a member of a Windows NT domain, or on a computer that is a member of a Windows 2000 Active Directory domain.
b. For maximum security, run ISA Server on a standalone computer.
c. The configuration of the network adapters involves setting up the external interface to the Internet and setting up the internal interface to your Windows-based network.
d. Your ISP should provide a static IP address, subnet mask, default gateway, and DNS server or servers. Enter this information in the TCP/IP settings of the adapter that is connected to your ISP. Some ISPs prefer to assign this information with Dynamic Host Configuration Protocol (DHCP), which is fine.

To configure the server's network adapters

1. On the desktop, right-click My Network Places, and then click Properties.
2. Right-click your Internet connection, click Rename, and then type Internet connection. This will help you remember which network card is connected to the Internet.
3. Right-click the Internet connection, and then click Properties.
4. On the General tab, click to select the Show icon in taskbar when connected check box.
   Whenever this interface transfers data, a small icon in the taskbar will flash.
5. Clear the Client for Microsoft Network and File and printer sharing for Microsoft networks check boxes. ISA Server automatically blocks these protocols; by clearing these check boxes, you are saving memory.
6. Double-click Internet protocol (TCP/IP), and then do one of the following:
   a. If your ISP uses DHCP to assign IP addresses, in the Internet Protoc
   b. Click Advanced, then click the DNS tab. Click to clear the Register this connection's addresses in DNS check box.

Note: You need to type a permanent address and appropriate subnet mask for your internal network on the internal adapter (do not use DHCP on this interface). Leave the default gateway blank. The ISA Server computer needs only one default gateway: the one that is configured on the external interface. Configuring a default gateway on the internal adapter causes ISA to malfunction.

To configure the internal interface to your network

1. Right-click My Network Places, and then click Properties. Right-click your Local Area Connection (LAN), click Rename, and then type Local network.
2. Right-click Local network, and then click Properties.
3. On the General tab, click to select the Show icon in taskbar when connected check box.
4. Click to select the Client for Microsoft networks and File and printer sharing for Microsoft networks check boxes if they are not selected.
5. Double-click Internet protocol (TCP/IP), and then click to select the Use the following IP address check box.
6. In IP address, type an internal IP address and subnet mask that makes sense for your internal network's addressing scheme. Leave Default gateway blank. In Preferred DNS server, type the IP address of your network's DNS server or servers.
   Note: For very small networks with less than 255 computers, if you are using the Windows 2000 default TCP/IP configuration, and you do not have a DNS server in your network, your computers are relying on automatic private IP address assignment (APIPA). You should migrate away from APIPA and start to use static addresses on your client workstations. Each computer in your network will need a unique IP address. When you configure the internal interface of ISA Server, you need to type a static address, so use the address 192.168.0.254, and the subnet mask 255.255.255.0. Leave the Default gateway box blank. Type the DNS server of your ISP in the DNS server fields. Now configure static addresses on each of your clients:
   a. On the first computer, use the address 192.168.0.1, a subnet mask of 255.255.255.0, and a default gateway of 192.168.0.254. For DNS, type the DNS server (or servers) of your ISP.
   b. On the second computer, use the address 192.168.0.2, and then use the same values as shown in the previous step. Other than the address, these other values always stay the same, but continue to increment the address for each additional computer. Maintain a list of which computers use which addresses.
7. Restart your computer, if you are prompted to do so.

2. Install Microsoft Internet Security and Acceleration Server 2000 Standard Edition

If you have not installed Windows 2000 Service Pack 1 (SP1) and the hotfixes from the Microsoft ISA Server 2000 Standard Edition CD, install them now.

To install the service pack

1. Insert the Windows 2000 SP1 CD in the CD-ROM drive.
2. Close the Microsoft ISA Server Setup dialog box that opens (if you have turned off the auto-insert notification feature, this dialog box does not appear).
3. On the desktop, double-click the My Computer icon.
4. Right-click your CD-ROM drive, and then click Explore. Navigate to the \Support\Windows2000_SP1 folder.
5. Double-click the Sp1network.exe program file to install the service pack.
6. Restart your computer after you install the service pack.

To install the hotfixes

1. Insert the Microsoft Internet Security and Acceleration Server 2000 Standard Edition CD in the CD-ROM drive.
2. Navigate to the \Support\Hotfixes\Win2000 folder.
3. Double-click the Q275286_W2K_SP2_x86_en.exe file.
4. After you have applied the hotfixes, restart your computer.

Now you can install Microsoft ISA Server 2000 Standard Edition. The installer asks a number of questions.

To use the ISA Server Setup wizard

1. On the desktop, double-click My Computer. Double-click to open your CD-ROM drive.
   Note: The ISA Server Setup Wizard starts automatically unless the auto-insert notification feature is turned off. If the wizard does not start automatically, navigate to the root directory of the CD, and then double-click the ISAAutorun.exe file to run it. Click Install ISA Server to begin the process.
2. At the Welcome screen, click Continue. Type the product identification number in the appropriate box. You can locate this number on the back of the CD-ROM case.
3. Read the license agreement, and then click I Agree.
4. Click Typical installation for the installation type. This installs ISA services and the administrative tools.
5. Click Firewall mode. ISA stops relevant services on the computer.
6. Configure the local address table (LAT) for ISA. Configuring the LAT requires careful consideration. You are presented with two choices: Either construct the LAT or use the installe
7. When Setup is complete, start the Administrator Getting Started Wizard, and then read the next section before you complete this wizard.

ISA Server's post-installation state blocks all access to and from the Internet. This is a good thing! Remember, you are setting up a firewall. The primary function of a firewall is to serve as a check point between two networks. ISA Server's behavior is to block everything that is not specifically allowed through policy.

To configure post-installation state of ISA

You have to configure the following two components of an access policy so that your clients can access the Internet:

a. You have to configure at least one site and content rule, in which you specify where users can go and what kinds of content they can retrieve.
b. You have to configure at least one protocol rule, which specifies the kinds of traffic that are allowed through ISA Server.

After installation, ISA creates a default site and content rule that allows all clients access to all content on all sites all the time. This is not enough, however, for users to start surfing the Internet: There is still no protocol rule that has been defined. Without this, no traffic is allowed through ISA.

The Getting Started Wizard

1. In the Getting Started Wizard, click Configure Protocol Rules. The protocol rule list is displayed in Microsoft Management Console (MMC).
2. Click Create a Protocol Rule. Type a name, such as "All protocols".
3. Click Allow for the rule's action (this is the default).
4. Click All IP traffic for the protocol list (this is the default).
5. Click Always for the schedule (this is the default).
6. Click Any request for the client type (this is the default).
7. Click Finish.

To create policies how users connect to Internet

There is much more to ISA Server than simply allowing all clients access to all content on all sites at all times using all (defined) protocols. In ISA, you can create access policies that you can use to define exactly how your users can access the Internet. ISA access policies are composed of the following three elements:

a. Site and content rules
b. Protocol rules
c. IP packet filters

The rules, in turn, are composed of the following policy elements:

a. Schedules
b. Destination sets
c. Client address sets
d. Protocol definitions
e. Content groups

There are dependencies that you need to understand before you try anything complex with the ISA policies.
The following table describes which policy elements belong to which policy rules:

Site and content rules    Protocol rules
----------------------    --------------------
Destination sets          Protocol definitions
Content groups            Schedules
Schedules                 Client address sets
Client address sets

To access the Internet from the ISA computer

What about accessing the Internet from the ISA computer itself? If you are physically at the ISA computer and you want to access a particular Web site, the protocol rules and site and content rules that you have created apply only to clients that are behind the ISA server. When a client wants to access the Internet, as long as the request is allowed by the rules, ISA creates a dynamic packet filter for that connection request. However, if you are at the ISA computer, and you want to access the Internet, you need to create static packet filters according to the kinds of traffic that you will be generating. For example, to access a Web site, follow these steps:

1. In ISA Management, expand Servers, expand server-name, click Access Policy, and then click IP Packet Filters.
2. Click Create a packet filter to start a wizard.
3. Name the packet filter: Web access
4. Click Allow packet transmission, and then click Custom.
5. Click TCP as the IP protocol, click Outbound for the direction, click All ports for the local port, and then click Fixed port for the remote port. Type 80 in the Port Number box.
6. Select default IP addresses for each external interface that is on the ISA server.
7. Click All remote computers.

Now you can access Web sites from the ISA server. It is recommended that you repeat these steps using SSL access in step 3 and 443 (in place of 80) in step 6, as a number of Web servers use the SSL protocol. To allow even more protocols, follow the same steps using an appropriate name in step 3 and the necessary entries in step 6.

----- Original Message -----
From: "Wal's" <syoyow@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Friday, December 27, 2002 8:34 AM
Subject: [isalist] RE: installing ISA server

> http://www.ISAserver.org
>
> Hi all,
>
> My name is YOYO. I'm an IT staff member at an insurance company.
> I need your help.
> Can anybody give me documentation on the installation and configuration
> of ISA Server, or a site that I can use to learn about it
> (installation and configuration)?
> I'm a newcomer to ISA Server.
>
> Thanks a lot,
> Best regards,
> YOYO
>
> ----- Original Message -----
> From: "Stefaan Pouseele" <stefaan.pouseele@xxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Thursday, December 26, 2002 6:36 PM
> Subject: [isalist] RE: installing ISA server
>
> > Hi Nassit,
> >
> > Without any doubt, on a member server!
> >
> > HTH,
> > Stefaan
> >
> > -----Original Message-----
> > From: NASSIT NAJAT [mailto:n.nassit@xxxxxxxxxxxxx]
> > Sent: donderdag 26 december 2002 12:17
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] installing ISA server
> >
> > Hi all,
> >
> > What's the best way to do: installing ISA Server on a domain controller
> > (for a new domain) or on a member server?
> >
> > List Sponsored by Aspelle
> > Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server and
> > the Internet to quickly and cost-effectively manage and deliver secure,
> > client-less access to all corporate applications (Web, Unix, Windows and
> > legacy systems), for all users.
> > More info at http://www.aspelle.com/info
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Exchange Server Resource Site: http://www.msexchange.org/
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > stefaan.pouseele@xxxxxxx
> > To unsubscribe send a blank email to $subst('Email.Unsub')
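
An added example, not part of the quoted article or of any message in this thread: a Python check of the static addressing plan the article describes (ISA internal adapter at 192.168.0.254 with no default gateway, clients numbered from 192.168.0.1 and using it as their gateway, no APIPA or duplicate addresses). The dictionary layout, the host names and the external 203.0.113.x values are assumptions made for illustration.

```python
import ipaddress

APIPA = ipaddress.ip_network("169.254.0.0/16")  # automatic private IP addressing range


def check_plan(isa_internal, isa_external, clients):
    """Return findings for an addressing plan; an empty list means no problems found."""
    findings = []
    inside = ipaddress.ip_interface(f"{isa_internal['ip']}/{isa_internal['mask']}")
    if isa_internal.get("dhcp"):
        findings.append("ISA internal adapter: uses DHCP, needs a static address")
    if isa_internal.get("gateway"):
        findings.append("ISA internal adapter: default gateway set, leave it blank")
    if not (isa_external.get("dhcp") or isa_external.get("gateway")):
        findings.append("ISA external adapter: no default gateway from the ISP")
    seen = {inside.ip: "ISA internal adapter"}
    for name, cfg in clients.items():
        ip = ipaddress.ip_address(cfg["ip"])
        if ip in APIPA:
            findings.append(f"{name}: {ip} is an APIPA address, assign a static one")
        elif ip not in inside.network:
            findings.append(f"{name}: {ip} is outside {inside.network}")
        if ip in seen:
            findings.append(f"{name}: {ip} already used by {seen[ip]}")
        seen.setdefault(ip, name)
        if cfg.get("mask") != isa_internal["mask"]:
            findings.append(f"{name}: subnet mask is not {isa_internal['mask']}")
        if cfg.get("gateway") != str(inside.ip):
            findings.append(f"{name}: default gateway is not {inside.ip}")
    return findings


# Constructed sample plan: internal addresses follow the article, external values
# are placeholders from the 203.0.113.0/24 documentation range.
ISA_INTERNAL = {"ip": "192.168.0.254", "mask": "255.255.255.0", "gateway": None}
ISA_EXTERNAL = {"ip": "203.0.113.10", "mask": "255.255.255.0", "gateway": "203.0.113.1"}
CLIENTS = {
    "pc1": {"ip": "192.168.0.1", "mask": "255.255.255.0", "gateway": "192.168.0.254"},
    "pc2": {"ip": "192.168.0.2", "mask": "255.255.255.0", "gateway": "192.168.0.254"},
    "pc3": {"ip": "169.254.17.9", "mask": "255.255.0.0", "gateway": None},  # still on APIPA
    "pc4": {"ip": "192.168.0.2", "mask": "255.255.255.0", "gateway": "192.168.0.1"},  # reused address, wrong gateway
}

if __name__ == "__main__":
    for finding in check_plan(ISA_INTERNAL, ISA_EXTERNAL, CLIENTS):
        print(finding)
```

Keeping the real plan in this form doubles as the list of which computers use which addresses that the article asks you to maintain.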