I watch the ISA Server web boards very closely. I’ve observed over the last few months that a lot of people would benefit from a description on how to set up a “simple” network using the ISA Server as a Web Proxy Cache and Firewall. A simple network is one that has a single internal network ID. This is a non-routed network. A complex network would be an internal network with multiple network IDs and therefore is a routed network. I’ll write about how to configure ISA Server to work in routed environments in the future.
The key elements to making the configuration work include:
After addressing each of these issues, the ISA Server solution for our simple network will work great!
The following diagram represents our example network.
Configuring ISA Server 2000: Building Firewalls for Windows 2000
By Deb and Tom Shinder
Configuring Windows 2000 Networking Services
These supporting services are critical to the proper functioning of your ISA Server network infrastructure.
Web Proxy Clients as DNS Clients
The ISA Server uses the Local Address Table and the Local Domain Table to determine what resources are local and what resources are remote. Be sure that you include your local domains in the Local Domain Table. Otherwise, all FQDNs (or any addresses with ‘dots’) you wish to access will be treated as external requests. When you enter your internal domain in the Local Domain Table, fully qualified requests to your local domain resources will be considered internal requests and will be resolved using the internal DNS server on your network.
SecureNAT clients never allow the ISA Server to resolve host names for them. The SecureNAT client must be configured with the IP address of a DNS Server that can resolve both internal and external host names. If you have no need to resolve internal host names (for example, you use WINS to resolve internal names), then you can configure the SecureNAT clients with the IP address of a DNS Server on the Internet, such as your ISP's DNS Server.
In our simple network example, all clients are configured as both Web Proxy and Firewall Clients. All Published Servers are configured as SecureNAT clients. All machines on the network are configured to use our internal DNS Server (192.168.1.10). This provides us the widest latitude in terms of host name resolution. The internal DNS Server is configured to resolve both internal and external names for the ISA Server clients.
Configuring the DNS Server to use a Forwarder
You want to use a Forwarder to resolve Internet host names. The internal DNS server is configured with zones for your internal domains, and therefore it is authoritative for your internal domains. However, the internal DNS server needs a way to resolve host names for domains for which it is not authoritative. When you configure the DNS server to use a Forwarder, it sends requests for domains for which it is not authoritative to the Forwarder.
In our example network, we have the DNS server (192.168.1.10) located on the Windows 2000 Domain Controller. The internal zone is Active Directory integrated, although you don’t have to use Active Directory integrated zones. You can use Standard Primary zones instead.
When Active Directory was installed on this server, we did not let the Active Directory DNS Wizard configure the zone. Check out the following link to see how to properly configure your DNS server prior to installing the Active Directory:
You should also make sure your zone is able to accept Dynamic Updates. Both Standard Primary and Active Directory integrated zones are able to accept dynamic updates after you configure them to do so.
After you’ve properly configured the DNS Server, perform the following steps to configure it to use a Forwarder:
Put a checkmark in the Enable Forwarders checkbox. You should also put a checkmark in the Do not use recursion checkbox. This will prevent the internal DNS server from attempting to resolve Internet host names by performing its own iterative DNS queries.
Type in the IP address of your ISP’s DNS Server(s) and click Add.
4. Click Apply and then click OK.
You should not need to restart the DNS service in order for the Forwarder setting to take effect. However, if it doesn’t seem to work properly, stop and restart the DNS service. Use the nslookup utility to confirm that the Forwarder is working properly.
Note that if you do not configure the DNS properly, you will not be able to configure a Forwarder because the Active Directory DNS Wizard will have configured the DNS server as a root server. You don’t want a root server unless you have some specialized needs. On our simple network, we don’t want our DNS server to be a root server.
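The check below is an added example (not from the article): it sends a recursive query for an external name to the internal DNS server and reads the response header to tell a working Forwarder apart from the two failure modes discussed above. The server address 192.168.1.10 is the article's; the test name and the interpretation of an authoritative NXDOMAIN as the root-server symptom are assumptions.

```python
"""Check that the internal DNS server forwards queries for external names.
Added example; server address and test name are assumptions for your network."""
import socket
import struct

INTERNAL_DNS = "192.168.1.10"   # the article's internal DNS server (assumed)
TEST_NAME = "www.example.com"   # any external name your ISP's DNS resolves (assumed)

def build_query(name, txid=0x1234):
    """Build a minimal DNS query for an A record with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(struct.pack("B", len(p)) + p.encode() for p in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

def interpret_response(resp):
    """Classify a raw DNS response using only its 12-byte header."""
    if len(resp) < 12:
        return "error", "response too short to be DNS"
    _txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    aa = bool(flags & 0x0400)      # Authoritative Answer
    ra = bool(flags & 0x0080)      # Recursion Available
    rcode = flags & 0x000F
    if not ra:
        return "fail", "RA flag clear: server will not recurse or forward"
    if rcode == 3 and aa:
        # Assumption: answering authoritatively for a name it does not host is
        # what a server left as a root server (zone ".") by the AD DNS Wizard does.
        return "fail", "authoritative NXDOMAIN for an external name: root server?"
    if rcode == 2:
        return "fail", "SERVFAIL: recursion wanted but the Forwarder did not answer"
    if rcode != 0:
        return "fail", "RCODE %d from server" % rcode
    if ancount == 0:
        return "fail", "NOERROR but no answer records"
    return "ok", "%d answer record(s): Forwarder is working" % ancount

def query_forwarder(server=INTERNAL_DNS, name=TEST_NAME, timeout=3.0):
    """Send the query over UDP/53 and interpret whatever comes back."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "error", "no reply from %s (DNS service stopped or port 53 blocked)" % server
    finally:
        sock.close()
    return interpret_response(data)

if __name__ == "__main__":
    print(query_forwarder())
```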
With our DNS server configured to resolve both internal and external host names, the ISA Server clients will always be able to get the IP address for a FQDN.
The WINS server is especially helpful when you configure the ISA Server to support VPN clients. The VPN clients will typically receive the WINS server address configured on the internal interface of the ISA Server. When the VPN clients have a WINS server address, they won’t have to broadcast over the VPN link to resolve NetBIOS names. The VPN clients will be able to directly query the WINS server and you’ll be able to connect to network shares much more quickly and reliably.
On our sample network, we’ve configured a WINS server on the same machine as the DNS server. This should not adversely affect the performance of the Active Directory or DNS services because our small single segment network will not generate too many NetBIOS name registrations, name releases, or name queries. All machines on the internal network are configured to use the WINS server. This includes the internal interface of the ISA Server.
All network hosts can be configured to use the DHCP server. However, you should not configure DNS, WINS, and DHCP servers as DHCP clients. In addition, the Domain Controller must not be a DHCP client. When configuring scopes on the DHCP server, make sure you include DHCP Options for the DNS address, WINS address and Default Gateway addresses.
The DHCP server is also used to support VPN clients. The default setting for VPN clients is to assign them addresses using a DHCP server. The Windows 2000 RRAS will grab a set of IP addresses from the DHCP server when the RRAS server starts up. If it needs more addresses, it will grab another group of addresses.
However, even though these addresses are obtained from the DHCP server, any DHCP Options configured on the DHCP scope are ignored by the RRAS server. The DNS and WINS addresses on the internal interface of the ISA Server are assigned to the VPN client, and the default gateway is configured by the VPN server rather than the DHCP server. If you need to assign DHCP Options to VPN clients, you will need to configure a DHCP Relay Agent on the RRAS/ISA Server computer.
On our example network, we’ve installed a DHCP server on the Domain Controller. ISA Server clients obtain their IP addresses via DHCP. Static IP addresses are assigned to WINS, DNS and DHCP servers. Also, Domain Controllers and Published Servers need static IP addresses.
If you don’t configure a Domain Controller on your network, the local SAM on the ISA Server will be used to authenticate users. You can still take advantage of user/group membership, but the users will have to authenticate against the local SAM on the ISA Server. This method will reduce some of the transparency to Internet access, since credentials will not be sent in the background and users will have to manually authenticate against the stand-alone Windows 2000 Server running ISA Server.
Configuring The ISA Server
The Internal Interface
You should also configure a WINS server address on the internal interface of the ISA Server. VPN clients will be able to use the WINS address configured on the internal interface of the ISA Server.
Do not configure a Default Gateway on the internal interface of the ISA Server. The only interface that should have a Default Gateway is the external interface of the ISA Server. Also, if you have a DMZ segment directly connected to the ISA Server, do not configure a Default Gateway on this adapter either. Only the external interface should have a Default Gateway.
The External Interface
Using PPP Connections on the External Interface
Note that the Default Gateway IP address is not allocated by the RAS server. Instead, a default route is created on the remote access client that points to the remote access connection. If the client already has a default gateway configured, then the metric of the existing Default Gateway is increased and a new Default Gateway is added with a lower metric.
This is the default behavior for remote access clients running Win9x and Windows NT 4.0/2k and can be modified by disabling the Use Default Gateway on Remote Network setting on the TCP/IP properties of a remote access client’s connectoid. However, in the case of the ISA Server connecting to the ISP via dial-up ISDN, you definitely do not want to disable the remote gateway for this connection.
The figure below shows this setting on a Windows 2000 ISDN Dial-up connection.
Configuring The ISA Server Clients
All the computers on the internal network should be configured with the address of the internal DNS server. They should also have a WINS server address and a Default Gateway configured. Workstations can be configured as DHCP clients. When the workstations are configured as DHCP clients, they can take advantage of a wpad entry for their scope. This wpad entry will allow them to automatically detect the ISA Server.
On our example network, the SecureNAT clients are configured with a Default Gateway of 192.168.1.1. Their WINS and DNS addresses would be 192.168.1.10. There is no other software or IP configuration required for the SecureNAT clients. The configuration of a SecureNAT client is seen below.
A computer becomes a Firewall client when the Firewall Client software is installed and enabled. After installing the Firewall Client software, you may need to configure the Firewall Client software options (seen in the figure below). Even though the Firewall Client software allows the Firewall client to use the ISA Server to perform DNS lookups, you should still configure an internal DNS server on the Firewall client so that it can perform internal host name lookups.
The Web Proxy client is configured by making the appropriate changes in the browser. An example of the Internet Explorer 5.0 configuration interface is seen below. Almost all browsers are designed to allow you to enter the IP address and port number of the Web Proxy Server.
In our example network, the Web Proxy clients would be configured to use 192.168.1.1 Port 8080 for their web proxy. Like the Firewall client, the ISA Server will resolve external host names for the Web Proxy client. However, you still want the internal DNS server address configured on these computers to allow for internal name lookups.
In the second part of this article, we'll go over the publishing of the mail, web and FTP servers on the internal network, and how the network configuration steps covered in this article affect the publishing solution. See you then!