Get Up and Running with ISA Server 2004
By Thomas W Shinder, M.D.
Yeow! Today’s a big day here at www.isaserver.org. That’s right, today ISA Server 2004 beta 2 was released to the public. Yes, that’s right, beta 2. Earlier betas were done in a private beta testing group, so that you wouldn’t be exposed to problems you usually see in beta 1 releases. The good news is that the beta 2 version has been out for a few weeks already, and it’s pretty reliable and just about all the features work how they say they do.
You can head over to the Microsoft Web site and download the ISA Server 2004 Beta 2 software at http://www.microsoft.com/isaserver/beta/default.asp. If you’re like me and most others I know in the ISAServer.org community, you’ll want to install the software and kick the tires as soon as possible. For that reason, I’ll hold off on the review of new features and functionality included in ISA Server 2004 until later this week. What you want to do is get ISA Server 2004 up and running now!
First, some suggestions:
Stephen Chetcuti and I will be working on Web boards dedicated to ISA Server 2004, but until then, just post your questions to the Web boards at http://forums.isaserver.org in the appropriate section and make a note in the title of the post that it refers to ISA Server 2004 and I’ll give it priority!
Now let’s get to business. In this article we’ll go over the following steps to get you up and running:
We’re only going to scratch the surface of ISA Server 2004 today. Expect tons of articles on ISA Server 2004 beta 2 over the next couple of months. Don’t worry – Debi and I will have a book for you soon enough. But until then, stay tuned here at www.isaserver.org for news, tutorials, help and support for ISA Server 2004 beta 2. Also, keep your eye out for the Reviewer’s Guide at the Microsoft Web site (www.microsoft.com/isaserver). It has a fantastic section with a lot of walk-throughs that will familiarize you with the new interface and almost all the new features included in ISA Server 2004.
Let’s get started!
Installing Windows Server 2003 and Setting Up the Supporting Network Infrastructure
Like ISA Server 2000, ISA Server 2004 has modest hardware requirements. You can install ISA Server 2004 on any machine with a Pentium III 500+ MHz processor with at least 256MB of RAM. Of course, I recommend that you increase the processor speed and memory to as much as you can afford, but you don’t need a PC that can run the starship Enterprise to run ISA Server 2004.
The machine should have at least two network interface cards. One of the cards is the external interface and the other card will be the internal interface. Unlike ISA Server 2000, there is no Local Address Table, so you can install multiple internal interface cards to create multiple internal networks, in addition to multiple public or private address DMZs. Firewall Access Policy controls traffic moving between all network interface cards.
The test network used in the discussion in this article is configured as shown below. The ISA Server 2004 firewall is located behind a DSL router, and the external interface of the ISA Server 2004 firewall uses the LAN address of the DSL router as its default gateway.
I have not yet tested ISA Server 2004 using a dial-up interface, so I won’t be covering that configuration in this article. I’ll be very interested in your experiences using a dial-up interface with ISA Server 2004, so if you’re using a dial-up interface, make sure to post your experiences with using a dial-up interface over at the Web boards at http://forums.isaserver.org.
As with all firewall installations, DNS and DHCP are critical factors in making sure that everything works correctly. You can install a DNS server on the ISA Server 2004 firewall computer and use it to connect to the Internet, or you can use a DNS server located on your internal network. In this example, we will install a DNS server on the ISA Server 2004 firewall and configure your client located behind the ISA Server 2004 firewall to use the ISA Server 2004 DNS server as its DNS server.
DHCP is a bit stickier. You can install a DHCP server on the ISA Server 2004 machine, but there is a beta issue where you need to allow all networks access to inbound DHCP REQUEST messages. For this reason, external hosts can send DHCP REQUEST messages to the DHCP server on the ISA Server 2004 firewall. While the firewall is not required to send a reply to these hosts, there are potential security risks with allowing these inbound DHCP REQUEST messages. This problem should be fixed by the time the software is finalized. At this time, I recommend that you do not install a DHCP server on the ISA Server 2004 firewall machine until this problem is addressed. If you want to use DHCP, install a DHCP server on the internal network.
Perform the following steps to install the DNS server on the Windows Server 2003 machine that will be the ISA Server 2000 firewall. If you already have a DNS server on your network that can resolve Internet host names, then you do not need to perform these steps and you can configure your clients to use your current DNS server:
- Click Start and point to Control Panel. Click the Add/Remove Programs entry.
- In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
- In the Windows Components page, click on the Networking Services entry in the Components list and click Details.
- In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
- Click Next on the Windows Components page.
- Point the installer to the Windows Server 2003 installation files when asked.
- Click Finish on the Completing the Windows Components Wizard page.
At this point the DNS server is listening on all interfaces. That isn’t a problem because there will be no Access Policy that enables inbound access to the DNS server for external hosts.
Installing ISA Server 2004
The next step is to install the ISA Server 2004 software. Setup is relatively straightforward, but we’ll go through the steps in detail to make sure you understand what’s happening.
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:
- Download the ISA Server 2004 beta 2 software from http://www.microsoft.com/isaserver/beta/default.asp. When you run the exe file, it will create a folder on your C: drive containing the installation files. Double click on the isaautorun.exe file.
- On the Microsoft Internet Security and Acceleration Server 2004 Beta 2 Setup page, click the link for Review Release Notes and read the release notes. The doc isn’t that long, and you’ll get some useful information about what works and what doesn’t, as well as some useful tips on how to access the Internet from the ISA Server 2004 firewall machine itself. After reading the release notes, click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you might want to print it out to read later. Click the Install ISA Server 2004 link.
- Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 Beta 2 page.
- Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
- On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. The Product Serial Number is automatically entered for you. Click Next.
- On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.
- On the Custom Setup page you can choose which components to install. By default, the Firewall Services, ISA Server Management and Firewall Client Installation Share are installed. The Message Screener, which is used to control spam and file attachments from entering and leaving the network, is not installed by default. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. I will do some articles in the near future on how to install the Message Screener on the ISA Server 2004 firewall to control inbound and outbound flow of spam and email attachments. Use the default settings and click Next.
- On the Internal Network page, click the Add button. The Internal network is different than how the LAT was used in ISA Server 2000. In the case of ISA Server 2004, the internal network contains trusted network services that the ISA Server 2004 firewall must communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services clients, and others. The firewall System Policy is automatically applied to the Internal network. We will look at the System Policy later in this article.
- In the Internal Network setup page, click the Configure Internal Network button.
- In the Configure Internal Network dialog box, remove the checkmark from the Add the following private ranges… checkbox. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next to the adapter that is connected to the Internal network. Click OK.
- Click OK in the dialog box informing you that the Internal network was defined, based on the Windows routing table.
- Click OK on the Internal network address ranges dialog box.
- Click Next on the Internal Network page.
- Click Install on the Ready to Install the Program page.
- On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when wizard closes checkbox and click Finish.
- The Microsoft Internet Security and Acceleration Server 2004 management console opens. By default you are taken to the top node in the left pane of the console. Notice that ISA Server 2004 console requires quite a bit more screen real-estate than ISA Server 2000 did. To get the most out of the interface, change your screen resolution to 1024x768 or higher. I will need to keep the resolution at 640x480 for these screen shots to make them fit the Web page. For that reason, I will use the Show/Hide Console Tree button in the button bar of the console frequently.
Viewing the System Policy
By default, ISA Server 2004 does not allow outbound access to the Internet and does not allow Internet hosts to access the firewall. However, a default firewall System Policy is installed that allows network management tasks to be completed.
Perform the following steps to see the default firewall System Policy:
- In this Microsoft Internet Security and Acceleration Server 2004 management console, expand the server node in the scope pane (left pane) and click on the Firewall Policy node. Right click on the Firewall Policy node, point to View and click Show System Rules.
- Click the Show/Hide Console Tree button and then click the Open/Close Task Pane arrow (the little blue arrow on the left edge of the task pane on the right side of the console). Notice that the ISA Server 2004 Access Policy represents an ordered list. Policies are processed from top to bottom, which is a significant departure from how ISA Server 2000 processed Access Policy. The System Policy represents a default list of rules that controls access to and from the ISA Server 2004 firewall by default. Scroll down the list of System Policy Rules. Notice that the rules are defined by:
Action (allow or deny)
From (source network or host)
To (destination network or host)
Condition (who or what the rule applies to)
You may want to widen the Name column to get a quick view of the rules. Notice that not all the rules are enabled. System Policy Rules that are disabled by default have a tiny down-pointing red arrow in their lower right corner. The disabled System Policy Rules will become automatically enabled when you make configuration changes to the ISA Server 2004 firewall, such as when you enable VPN access.
Notice that one of the System Policy Rules allows the firewall to perform DNS queries to DNS servers on all networks.
- Review the System Policy Rule and then hide the rules by clicking the Show/Hide System Policy Rules button in the console’s button bar. This is the depressed (pushed in) button seen in the figure below.
Creating an "All Open" Outbound Access Policy
The first thing most of you will want to do is see if the ISA Server 2004 is actually working. You can do this by creating an "all open" outbound access policy that allows SecureNAT clients to access the Internet. It’s important to keep in mind that this "all open" outbound access policy is for testing only. Secure networks do not allow all traffic outbound, and users should be given access only to the protocols they require. This is the difference between an ISA Server 2004 firewall and your old traditional packet filter based firewall!
Perform the following steps to create the "all open" outbound access policy:
- In the Microsoft Internet Security and Acceleration Server 2004 management console, click the Show/Hide Console Tree button to expose the scope pane. Right click the Firewall Policy node, point to New and click Access Rule.
- On the Welcome to the New Access Rule Wizard page, enter All Open Outbound in the Access policy rule name text box. Click OK.
- On the Rule Action page, select the Allow option, then click Next.
- On the Protocols page, select the All outbound protocols option and click Next.
- On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click on the Networks folder. Double click on the Internal network, then click the Close button in the Add Network Entities dialog box. You may want to click on each of the folders so that you can see the Network Entities that come predefined with the ISA Server 2004 firewall. These Network Entities give you very fined tuned control over inbound and outbound access control. Click Next in the Access Rule Sources dialog box.
- Click the Add button on the Access Rule Destinations page. In the Add Network Entities dialog box, click the Networks folder. Double click the External entry and click Close in the Add Network Entities dialog box. Click Next on the Access Rule Destinations page.
- On the User Sets page, accept the default setting of All Users. ISA Server 2004 enables you to create custom user sets based on Active Directory or local SAM groups. This enables the firewall administrator to create custom firewall user groups without requiring access to the Active Directory and creating groups there. Click Next.
- Review your settings and click Finish on the Completing the New Access Rule Wizard page.
- Click the Apply button to save the changes and update the firewall policy. This button is located at the top of the Details pane (the middle pane) of the console. This Apply button enables you to make multiple changes to the firewall policy before they are applied. Change take place immediately after you click the Apply button.
- Click the Show/Hide Console Tree button so that you can expose the entire line of the Access Policy in the Details pane.
Internal network clients now have full access to the Internet. SecureNAT clients have access to all protocols listed in the Protocols list in the Firewall Policy toolbox. Perform the following steps to view the Firewall Policy toolbox:
- In this Microsoft Internet Security and Acceleration Server 2004 management console, expose the scope pane if it is not visible by using the Show/Hide Console Tree button.
- If the Task Pane is not visible in the right side of the console, click the Open/Close Task Pane button.
- In the Task Pane, click the Toolbox tab. Click on the Protocols label. You will see protocols grouped into logical groups. Click on the All protocols folder. This displays a list of all the predefined protocols on the ISA Server 2004 firewall. You can create your own protocols if you like later. SecureNAT clients have access to all these protocols. SecureNAT client access to complex protocols still requires an application filter. Firewall clients can access all protocols, even those not included in this list (including complex protocols).
The next rule we need to create is an Access Policy that allows Internal network clients to connect to the DNS sever on the ISA Server 2004 firewall. Remember, ISA Server 2004 is different from ISA Server 2000; Access Policy is applied to all interfaces, so the Internal network interface is protected just like all other interfaces.
Perform the following steps to create the DNS rule that allows Internal network clients DNS access:
- Click the Show/Hide Console Tree button to expose the scope pane. Right click on the Firewall Policy node, point to New and click Access Rule.
- In the Welcome to the New Access Rule Wizard page, enter DNS from Internal Network in the Access policy rule name text box. Click Next.
- Select Allow on the Rule Action page and click Next.
- On the Protocols page, select the Selected protocols option from the This rule applies to list. Click the Add button.
- In the Add Protocols dialog box, click the Infrastructure folder. Double click on the DNS protocol and click Close in the Add Protocols dialog box. Click Next on the Protocols page.
- On the Access Rule Sources page, click Add. Click on the Networks folder and then double click on the Internal network. Click Close in the Add Network Entities dialog box. Click Next on the Access Rule Sources page.
- On the Access Rule Destinations page, click the Add button. In the Add Network Entities dialog box, click the Networks folder. Double click on the Local Host entry. Click Close in the Add Network Entities dialog box. Click Next on the Access Rule Destinations page.
- Accept the default entry of All Users on the User Sets page. Click Next.
- Click Finish on the Completing the New Access Rule Wizard page.
- Click Apply to save the changes and update the firewall policy.
Create an HTTP Policy that Prevents HTTP Downloads
ISA Server 2004 HTTP Policy allows you to get very fined-tuned control over what users can access via the HTTP protocol. HTTP policy can be used to prevent users from accessing any site, any content, and any protocol that might be tunneled in an HTTP header. In the future we will go over the details of HTTP Policy, but in this introductory article, we’ll see how you can quickly and easily prevent users from downloading Windows executables using HTTP. Note that HTTP policy will not look inside .zip files to determine if a Windows executable is inside it.
Perform the following steps to configure HTTP Policy to prevent access to Windows executable files:
- Right click on the All Open Outbound Access Policy and click on the Configure HTTP command.
- On the General tab of the Configure HTTP policy for rule dialog box, put a checkmark in the Block responses with Windows executable content checkbox. Click Apply, then click OK.
- Click the Apply button to save the changes and update the firewall policy.
Now let’s test the policy from an internal network client. The internal network client is a SecureNAT client, which means that it is not a Web Proxy or Firewall client. The default gateway on the client is set to the internal IP address on the ISA Server 2004 firewall. The DNS server setting on the client is also configured as the internal IP address on the ISA Server 2004 firewall.
Perform the following steps on the SecureNAT client behind the ISA Server 2004 firewall computer:
- Open Internet Explorer and go to the
www.isaserver.org Web site. Great! You were able to access the site.
- The ISA Server 2004 firewall blocks the request because the HTTP Policy is configured to block access to Windows executable files. Close the Web browser.
In this article we went over some basic configuration options in ISA Server 2004 that allows you to test the firewall and allow unfettered access to the Internet for all internal network clients. This article was aimed at getting you up and running with your ISA Server 2004 firewall beta software. We only barely touched the surface of the subject and later this week I’ll provided more detailed information on what’s new, cool and really fantastic about ISA Server 2004. I know you’re going to like it. Spend some time looking around the interface and see where everything else and make sure to ask questions over in the Web forums.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=011885 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our 'Real-Time Article Update'
by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy!