Designing An ISA Server Solution on a Simple NetworkPart 1: Configuring The Network Infrastructure.

I watch the ISA Server web boards very closely. I’ve observed over the last few months that a lot of people would benefit from a description on how to set up a “simple” network using the ISA Server as a Web Proxy Cache and Firewall. A simple network is one that has a single internal network ID. This is a non-routed network. A complex network would be an internal network with multiple network IDs and therefore is a routed network. I’ll write about how to configure ISA Server to work in routed environments in the future.

The key elements to making the configuration work include:

  • Configuring Windows 2000 Networking Services
  • Configuring the ISA Server
  • Configuring the ISA Server clients

After addressing each of these issues, the ISA Server solution for our simple network will work great!

The following diagram represents our example network

Configuring ISA Server 2000 : Building Firewalls for Windows 2000
By Deb and Tom Shinder

Configuring Windows 2000 Networking Services
To support your ISA Server and both internal and external ISA Server clients, you should have the following Windows 2000 networking services installed and configured on your network:

  • DNS
  • WINS
  • DHCP
  • Domain Controller (Active Directory or NT SAM)

    These supporting services are critical to the proper functioning of your ISA Server network infrastructure.

    DNS configuration issues are among the most common to show up on the web boards. In order to understand how DNS works with ISA Server clients, you need to know how each client uses DNS.

    Web Proxy Clients as DNS Clients
    Web Proxy and Firewall clients both allow the ISA Server to resolves requests on their behalf. The ISA Server performs a proxy DNS function for these clients. Whenever a Web Proxy or Firewall Client makes a request for a non-local host, the request will be sent to the ISA Server for resolution. Requests for local resources will be sent to an internal DNS server, who’s IP address has been entered into the TCP/IP configuration dialog boxes of the ISA Server clients.

    The ISA Server uses the Local Address Table and the Local Domain Table to determine what resources are local and what resources are remote. Be sure that you include your local domains in the Local Domain Table. Otherwise, all FQDNs (or any addresses with ‘dots’) you wish to access will be treated as external requests. When you enter your internal domain in the Local Domain Table, fully qualified requests to your local domain resources will be considered internal requests and will be resolved using the internal DNS server on your network.

    SecureNAT clients never allow the ISA Server to resolves host names for them. The SecureNAT client must be configured with the IP address of a DNS Server that can resolve both internal and external host names. If you have no need to resolve internal host names (for example, you use WINS to resolve internal names), then you can configure the SecureNAT clients with the IP address of a DNS Server on the Internet, such as your ISPs DNS Server.

    In our simple network example, all clients are configured as both Web Proxy and Firewall Clients. All Published Servers are configured as SecureNAT clients. All machines on the network are configured to use our internal DNS Server ( This provides us the widest latitude in terms of host name resolution. The internal DNS Server is configured to resolve both internal and external names for the ISA Server clients.

    Configuring the DNS Server to use a Forwarder
    A Forwarder is a DNS Server that performs iterative queries on the behalf of another DNS Server. The Forwarder takes the responsibility for performing recursion for the Forwarding DNS Server. You internal DNS Server is the Forwarding DNS Server that forwards requests to a Forwarder.

    You want to use a Forwarder to resolve Internet host names. The internal DNS server is configured with zones for your internal domains, and therefore it is authoritative for your internal domains. However, the internal DNS server needs a way to resolve host names for domains for which it is not authoritative. When you configure the DNS server to use a Forwarder, it sends requests for domains for which it is not authoritative to the Forwarder.

    In our example network, we have the DNS server ( located on the Windows 2000 Domain Controller. The internal zone is Active Directory integrated, although you don’t have to use Active Directory integrated zones. You can use Standard Primary zones instead.

    When Active Directory was installed on this server, we did not let the Active Directory DNS Wizard configure the zone. Check out the following link to see how to properly configure your DNS server prior to installing the Active Directory:

    You should also make sure your zone is able to accept Dynamic Updates. Both Standard Primary and Active Directory integrated zones are able to accept dynamic updates after you configure them to do so.

    After you’ve properly configured the DNS Server, perform the following steps to configure it to use a Forwarder:

    1. Open the DNS console from the Administrative Tools menu.
    2. Right click on your server name in the left pane of the console, and then click Properties.
    3. Click on the Forwarders tab and you see what appears below.

    Put a checkmark in the Enable Forwarders checkbox. You should also put a checkmark in the checkbox for Do not use recursion checkbox. This will prevent the internal DNS server from attempting to resolve Internet host names by performing its own iterative DNS queries.

    Type in the IP address of your ISP’s DNS Server(s) and click Add.

    4. Click Apply and then click OK.

    You should not need to restart the DNS service in order for the Forwarder setting to take effect. However, if it doesn’t seem to work properly, stop and restart the DNS service. Use the nslookup utility to confirm that the Forwarder is working properly.

    Note that if you do not configure the DNS properly, you will not be able to configure a Forwarder because the Active Directory DNS Wizard will have configured the DNS server as a root server. You don’t want a root server unless you have some specialized needs. On our simple network, we don’t want our DNS server to be a root server.

    With our DNS server configured to resolve both internal and external host names, the ISA Server clients will always be able to get the IP address for a FQDN.

    In spite of the fact that Windows 2000 is no longer NetBIOS dependent, you should still have a WINS server installed. If you have any applications that are dependent on the NetBIOS interface, you can speed name resolution significantly by running a WINS server on the internal network.

    The WINS server is especially helpful when you configure the ISA Server to support VPN clients. The VPN clients will typically receive the WINS server address configured on the internal interface of the ISA Server. When the VPN clients have a WINS server address, they won’t have to broadcast over the VPN link to resolve NetBIOS names. The VPN clients will be able to directly query the WINS server and you’ll be able to connect to network shares much more quickly and reliably.

    On our sample network, we’ve configured a WINS server on the same machine as the DNS server. This should not adversely affect the performance of the Active Directory or DNS services because our small single segment network will not generate too many NetBIOS name registrations, name releases, or name queries. All machines on the internal network are configured to use the WINS server. This includes the internal interface of the ISA Server.

    DHCP is not required, but is highly recommended. Even on relatively small networks of 250 computers or less, you will benefit from reduced administrative effort by configuring a DHCP server on your internal network.

    All network hosts can be configured to use the DHCP server. However, you should not configure DNS, WINS, and DHCP servers as DHCP clients. In addition, the Domain Controller must not be a DHCP client. When configuring scopes on the DCHP server, make sure you include DHCP Options for the DNS address, WINS address and Default Gateway addresses.

    The DHCP server is also used to support VPN clients. The default setting for VPN clients is to assign them addresses using a DHCP server. The Windows 2000 RRAS will grab a set of IP addresses from the DHCP server with then RRAS server starts up. If it needs more addresses, it will grab another group of addresses.

    However, even though these addresses are obtained from the DHCP server, any DHCP Options configured on the DHCP scope are ignored by the RRAS server. The DNS and WINS addresses on the internal interface of the ISA Server are assigned to the VPN client, and the default gateway is configured by the VPN server rather than the DHCP server. If you need to assign DHCP Options to VPN clients, you will need to configure a DHCP Relay Agent on the RRAS/ISA Server computer.

    On our example network, we’ve installed a DHCP server on the Domain Controller. ISA Server clients obtain their IP addresses via DHCP. Static IP addresses are assigned to WINS, DNS and DHCP servers. Also, Domain Controllers and Published Servers need static IP addresses.

    Domain Controllers
    Domain Controllers perform authentication services for the network. You can use either Windows 2000 or Windows NT 4.0 domains. The ISA Server must be a member of a domain if you want to take advantage of authenticating internal and/or external network clients using user/group membership credentials.

    If you don’t configure a Domain Controller on your network, the local SAM on the ISA Server will be used to authenticate users. You can still take advantage of user/group membership, but the users will have to authenticate against the local SAM on the ISA Server. This method will reduce some of the transparency to Internet access, since credentials will not be sent in the background and users will have to manually authenticate against the stand-alone Windows 2000 Server running ISA Server.

    Configuring The ISA Server
    There are obviously many different ways you can configure the ISA Server. However, in this article lets focus on how to configure the ISA Server to take advantage of the network infrastructure we’ve created. Note: Please check the other articles at for tutorial, tips and tricks on settings up the ISA Server for inbound and outbound access.

    The Internal Interface
    The internal interface of the ISA Server should be configured with a DNS server address that can resolve internal host names. When incoming requests from external clients are forwarded to the internal network, the ISA Server will use the DNS server configured on the internal interface to resolve the internal host name. This is especially important if you choose to use host names when denoting the internal server in your Web Publishing Rules.

    You should also configure a WINS server address on the internal interface of the ISA Server. VPN clients will be able to use the WINS address configured on the internal interface of the ISA Server.

    Do not configure a Default Gateway on the internal interface of the ISA Server. The only interface that should have a Default Gateway is the external interface of the ISA Server. Also, if you have a DMZ segment directly connected to the ISA Server, do not configure a Default Gateway on this adapter either. Only the external interface should have a Default Gateway.

    The External Interface
    In our sample network, the external interface is an ISDN modem with a dedicated IP address. This sort of setup is often referred to as Dedicated ISDN. However, even though you have a dedicated IP address and a “dedicated” connection, you must still use Dial-up networking to establish the physical link via PPP.

    Using PPP Connections on the External Interface
    PPP connections use a Network Control Protocol (NCP) called Internet Protocol Control Protocol (IPCP) to obtain IP addressing information from RAS servers. During the IPCP negotiation between the PPP client and RAS server, IPCP options such as IP compression, IP addresses, WINS and DNS addresses can be assigned to the PPP client.

    Note that the Default Gateway IP address is not allocated by the RAS server. Instead, a default route is created on the remote access client that points to the remote access connection. If the client already has a default gateway configured, then the metric of the existing Default Gateway is increased and a new Default Gateway is added with a lower metric.

    This is the default behavior for remote access clients running Win9x and Windows NT 4.0/2k and can be modified by disabling the Use Default Gateway on Remote Network setting on the TCP/IP properties of a remote access client’s connectoid. However, in the case of the ISA Server connecting to the ISP via dial-up ISDN, you definitely do not want to disable the remote gateway for this connection.

    The figure below shows this setting on a Windows 2000 ISDN Dial-up connection.

    Configuring The ISA Server Clients
    User workstations can be configured as Web Proxy clients, Firewall Clients, or SecureNAT clients. Published Servers should be configured as SecureNAT clients. While you could configure the Published Servers as Firewall clients, you’ll make life a lot easier by configuring them as SecureNAT clients.

    All the computers on the internal network should be configured with the address of the internal DNS server. They should also have a WINS server address and a Default Gateway configured. Workstations can be configured as DHCP clients. When the workstations are configured as DHCP clients, they can take advantage of a wpad entry for their scope. This wpad entry will allow them to automatically detect the ISA Server.

    On our example network, the SecureNAT clients are configured with a Default Gateway of Their WINS and DNS addresses would be There is no other software or IP configuration required for the SecureNAT clients. The configuration of a SecureNAT client is seen below.

    Firewall clients become so when the Firewall Client software installed and enabled. After installing the Firewall Client software, you may need to configure the Firewall Client software options (seen in the figure below). Even though the Firewall Client software allows the Firewall client to use the ISA Server to perform DNS lookups, you should still configure an internal DNS server on the Firewall client so that it can perform internal host name lookups.


    The Web Proxy client is configured by making the appropriate changes in the browser. An example of the Internet Explorer 5.0 configuration interface is seen below. Almost all browsers are designed to allow you to enter the IP address and port number of the Web Proxy Server.

    In our example network, the Web Proxy clients would be configured to use Port 8080 for their web proxy. Like the Firewall client, the ISA Server will resolve external host names for the Web Proxy client. However, you still want the internal DNS server address configured on these computers to allow for internal name lookups.

    In this article we reviewed the network configuration requirements for setting up a ISA Server solution for a simple, single segment network. The Windows 2000 networking services should first be installed and configured to support the ISA Server and ISA Server clients. Then the ISA Server network configuration parameters should be optimized. Finally, the clients are configured to work with the networking services and the ISA Server.

    In the second part of this article, we’ll go over the publishing of the mail, web and FTP servers on the internal network, and how the network configuration steps covered in this article effect the publishing solution. See you then!

  • About The Author

    Leave a Comment

    Your email address will not be published. Required fields are marked *

    This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

    Scroll to Top