Dec 6, 2009

Installing ISA 2006 Enterprise Edition (beta) in a Unihomed Workgroup Configuration

Once you’ve performed those actions, you’ll be ready to install ISA Server 2006 Enterprise Edition on your unihomed computer.

Perform the following steps to install ISA Server 2006 Enterprise Edition:

  1. Copy the installation files for ISA Server 2006 Enterprise Edition to the unihomed ISA firewall device. Then double-click isaautorun.exe to bring up the installation dialog box.
  2. In the Microsoft ISA Server 2006 beta installation dialog box, click the Install ISA Server 2006 link.
  3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2006 Beta page.
  4. On the License Agreement page, select the I accept the terms in the license agreement option and click Next.
  5. On the Customer Information page, enter your User Name, Organization and Product Serial Number and click Next.
  6. On the Setup Scenarios page, select the Install both ISA Server services and Configuration Storage server option. Note that this option implies that you can install both ISA Server firewall services and the CSS at the same time, and then later install additional array members once you have this installed. This is not true. Use this option only if you plan to deploy a single member ISA Server 2006 Enterprise Edition array. If you plan to add additional array members later, then do not select this option. Since this article is focused on installing a single ISA Server 2006 Enterprise Edition unihomed device as a single member array, we will use this option. Click Next.


Figure 1

  1. On the Component Selection page, accept the default settings. Note that you don’t have the option to install the Firewall client. I’m not sure where or how we’ll end up doing this in the future, as it’s also not an option on the initial setup page. This will likely be worked out by the time the product releases. Note that Advanced Logging is MSDE logging. If you prefer to use SQL logging or text-based logging, then do not select this option. Click Next.


Figure 2

  1. On the Enterprise Installation Options page, select the Create a new ISA Server enterprise option. Since this will be the only machine in the array, we need to create a new ISA enterprise. Note that the Create a replica of the enterprise configuration option is not available to workgroup configurations. This is something to keep in mind in the future if you want to have a backup CSS for your enterprise array. However, it’s not an issue for us, since this is a single machine array. Click Next.


Figure 3

  1. Click Next on the New Enterprise Warning page.


Figure 4

  1. On the Internal Network page, click the Add button.
  2. In the Addresses dialog box, click the Add Adapter button. In the Select Network Adapters dialog box, put a checkmark in the checkbox next to the single interface installed on the computer. Note that in a typical firewall installation, this NIC would be used to define the default Internal network. In a unihomed ISA firewall Web proxy configuration, this is not the case, since all addresses are considered internal. Click OK.


Figure 5

  1. In the Addresses dialog box, click OK. Note that the addresses listed in this dialog box will have no meaning in the unihomed ISA firewall configuration scheme. In a normal ISA firewall setup with multiple interfaces, these addresses would define the default Internal ISA firewall Network. However, as I mentioned in the last step, with a unihomed ISA firewall in Web proxy mode, all addresses are considered part of the default Internal ISA firewall Network.


Figure 6

  1. Click Next on the Internal Network page. Note again that the IP addresses listed here do not represent the default Internal Network on a unihomed ISA firewall as we'll see later when we apply the single NIC ISA firewall template.


Figure 7

  1. On the Firewall Client Connections page, click Next. We don’t have to worry about Firewall client connections because neither Firewall nor SecureNAT clients are supported on a unihomed ISA firewall in Web proxy configuration. Only Web proxy clients are supported.
  2. Click Next on the Services Warning page.
  3. Click Install to begin the installation.
  4. On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox and click Finish.
  5. Close the Internet Explorer window entitled Protect the ISA Server Computer.

Post Installation Review

The first thing you’ll notice when the console opens is a link entitled Click here to learn about the Customer Experience Improvement Program. Click that link.


Figure 8

This brings up the Customer Feedback dialog box. I highly recommend that you participate in the Customer Experience Improvement Program. No personal data is sent to Microsoft and the result of your participation is to make the ISA firewall product more flexible and provide even higher levels of security to your network. Select the Yes option to participate in the program.


Figure 9

After you select an option and click OK, the link disappears from the middle pane of the console.

Expand all the nodes in the left pane of the ISA firewall console. Then perform the following steps to see the definition of the default Internal ISA firewall Network:

  1. In the left pane of the ISA firewall console, click the Networks node under the Configuration node.


Figure 10

  1. In the Networks node, click the Networks tab in the middle pane of the ISA firewall console. Double click on the Internal entry.
  2. In the Internal Properties dialog box, click the Addresses tab. Here you see the addresses that define the default Internal ISA firewall Network at this time. However, this will change when we configure this ISA firewall to act as a Web proxy only unihomed ISA firewall. Click Cancel to leave this dialog box.


Figure 11

What we need to do now is apply the unihomed ISA firewall template to configure this machine as a unihomed Web proxy only ISA firewall. Perform the following steps to apply the template:

  1. In the Task Pane, click the Templates tab. Scroll down the list of templates and click the Single Network Adapter template.


Figure 12

  1. Click Next on the Welcome to the Network Template Wizard page.
  2. Click Next on the Export the ISA Server Configuration page. Note that you have the option to export the current configuration, but we’ll not use that option because we haven’t made any configuration changes from the default setting.


Figure 13

  1. On the Internal Network IP Addresses page, you’ll see the addresses that will be configured to define the default ISA firewall Internal Network. Notice that all IP addresses except the local host network range are considered part of the default Internal network. For this reason, SecureNAT and Firewall clients are not supported in a unihomed Web proxy mode ISA firewall configuration. You do not need to make any changes on this page. Click Next.


Figure 14

  1. On the Select a Firewall Policy page, you are offered a single firewall policy to select from. Click on the Apply default Web proxying and caching configuration option. This will apply the default Deny rule to the firewall policy for the array. No Network Rules are created because the Web proxy always substitutes its own IP address for the IP address of the Web proxy client connecting to the Internet through the unihomed Web proxy mode ISA firewall. Click Next.


Figure 15

  1. On the Completing the Network Template Wizard page, click Finish.
  2. Click Apply to save the changes and update the firewall policy.
  3. Click OK in the Apply New Configuration dialog box.

At this point you’re ready to start configuring firewall policy and customizing the installation.
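To confirm that the template took effect, you can copy the ranges from the Addresses tab of the Internal Properties dialog box and check that nothing except the local host range is left outside the Internal network. The script below is an added example, not part of the original article or of ISA Server; the two range lists are constructed samples, and ignoring 0.0.0.0 and 255.255.255.255 is an assumption.

```python
import ipaddress

LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
MAX_V4 = 2**32 - 1
# Assumption: the unspecified and limited-broadcast addresses are not host
# addresses, so their absence from the Internal range list is ignored.
IGNORED = {0, MAX_V4}

# Constructed samples: ranges as they might be copied from the Addresses tab.
BEFORE_TEMPLATE = ["10.0.0.0-10.0.0.255"]            # taken from the adapter
AFTER_TEMPLATE = ["0.0.0.1-126.255.255.255",         # single NIC template
                  "128.0.0.0-255.255.255.254"]


def parse_ranges(lines):
    """Turn 'from-to' strings into sorted (start, end) integer pairs."""
    out = []
    for line in lines:
        lo, hi = (int(ipaddress.ip_address(p.strip())) for p in line.split("-"))
        if lo > hi:
            raise ValueError(f"inverted range: {line}")
        out.append((lo, hi))
    return sorted(out)


def gaps(ranges):
    """Return the IPv4 ranges NOT covered by the Internal network."""
    missing, cursor = [], 0
    for lo, hi in ranges:
        if lo > cursor:
            missing.append((cursor, lo - 1))
        cursor = max(cursor, hi + 1)
    if cursor <= MAX_V4:
        missing.append((cursor, MAX_V4))
    return missing


def unexpected_gaps(lines):
    """Gaps other than loopback; an empty list means all else is Internal."""
    lb_lo, lb_hi = int(LOOPBACK[0]), int(LOOPBACK[-1])
    bad = []
    for lo, hi in gaps(parse_ranges(lines)):
        if lb_lo <= lo and hi <= lb_hi:
            continue                      # the local host range is expected
        if lo == hi and lo in IGNORED:
            continue
        bad.append((str(ipaddress.ip_address(lo)), str(ipaddress.ip_address(hi))))
    return bad


if __name__ == "__main__":
    print("before template:", unexpected_gaps(BEFORE_TEMPLATE))
    print("after template: ", unexpected_gaps(AFTER_TEMPLATE))
```

An empty list for the post-template ranges means every routable address is treated as Internal, which is the condition under which only Web proxy clients are supported.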


