Installing and Configuring Microsoft ISA Server 2004 SP2
ISA Server 2004 Service Pack 2 has been available for public download since 2006/01/31. SP2 is available for ISA Server 2004 Standard and ISA Server 2004 Enterprise.
ISA Server 2004 SP2 contains several hotfixes that were released after ISA Server 2004 SP1. For a complete list of all hotfixes click here.
Microsoft recommends deploying ISA Server 2004 SP2 as soon as possible. Test ISA Server 2004 SP2 in your lab environment first and deploy SP2 to production after that.
What about the Branch Office Updates for ISA?
At TechEd 2005, Microsoft announced the Branch Office Updates for ISA Server 2004 which should help Administrators to effectively connect Branch Offices with ISA Server 2004.
The Branch Office Update is no longer a separate release: Microsoft has put all the features of the Branch Office Update into ISA Server 2004 SP2.
ISA Server 2004 SP2 contains the following updates:
- Every Software Update since ISA Server 2004 RTM or SP1 (ISA Service Packs are cumulative)
- Hotfixes from Microsoft PSS
- Some enhancements in CARP (Cache Array Routing Protocol) for ISA Server 2004 Enterprise Edition
- New certificate alerts
- Caching of Windows Update content transferred via BITS (Background Intelligent Transfer Service)
- Diffserv for Quality of Service for HTTP/HTTPS only
- HTTP compression and decompression
Important notice before SP2 installation:
ISA Server 2004 Service Pack 2 can be uninstalled if Windows Installer 3.0 is present on the system, but Windows Installer 3.0 must be installed BEFORE you install ISA Server 2004 Service Pack 2.
Important notice for ISA Server 2004 Enterprise Edition:
- ISA Server 2004 SP2 must be installed on all ISA array members and on the Configuration Storage Server (CSS).
- If some ISA services on array members do not start after the update, start them manually. The failure is caused by a problem that occurs when the array members try to reach the Configuration Storage Server (CSS).
Some other pitfalls:
- After installation of ISA Server 2004 SP2 an ISA alert may appear saying that the ISA cache could not be initialized. This error can safely be ignored; a second alert message should then report that the ISA cache has been initialized successfully.
- If the ISA services are installed on the machine being updated, ISA goes into lockdown mode and stops all services during the update. After SP2 installation you must restart the ISA Server computer.
- The Firewall Client update in ISA Server 2004 SP2 is identical to the Firewall Client update that came with ISA Server 2004 SP1.
Installation of ISA Server 2004 SP2
First download ISA Server 2004 SP2 from here. After downloading, follow the Installation Wizard instructions.
Figure 1: Start the Installation Wizard
After reading the License Agreement, accept the License Agreement and click Update.
Figure 2: Setup has finished
You must restart the computer after SP2 installation.
After the reboot, a web page opens automatically that explains how to secure ISA Server 2004. Follow the instructions from the Microsoft ISA Server website on protecting ISA Server 2004 and hardening the Windows Server operating system and ISA Server 2004, either before or after you install ISA Server.
Figure 3: Setup has finished
Start the ISA Server 2004 Management Console. One of the first visible changes is the Customer Experience Improvement Program. Click the link shown in Figure 4 to choose whether or not you want to take part in the Customer Experience Improvement Program.
Figure 4: Customer Feedback
Click Yes or No.
Figure 5: Customer Feedback
Error Level Tracing
ISA Server 2004 SP2 provides a new feature called Error Level Tracing. With Error Level Tracing, ISA Server sends critical information about problems and crashes to Microsoft. Microsoft states that no confidential or personal information is transmitted.
Error Level Tracing creates a file of about 400 MB under %windir%\debug. The file is named ISALOG.BIN.
Enabled Error Level Tracing can have a negative impact on performance, so you have the option to deactivate the feature.
To modify or disable Error Level Tracing, start Regedit and navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ISATrace.
To change the size of the trace file, change the CircularLogSizeMB value.
To disable Error Level Tracing, set the BootTracing value to 0 and reboot the machine.
Windows Update / BITS Caching
With ISA Server 2004 SP2 it is possible to cache updates from Microsoft Update and Windows Server Update Services (WSUS) that are transferred via BITS (Background Intelligent Transfer Service). Windows Update caching is configured through a new caching rule: right-click the Cache button and create a new Microsoft Update Cache Rule.
Figure 6: New Microsoft Update Cache Rule
The name of the rule is predefined and cannot be changed through the GUI.
Figure 7: The name of the rule is predefined
The Microsoft Update Cache Rule Wizard automatically creates a domain name set containing the URL of the Windows Update website. The following figure shows the domain name set created by ISA Server 2004 Enterprise; ISA Server 2004 Standard SP2 adds a few more URLs to the domain name set.
Figure 8: New Microsoft Update Cache Rule
After creating the rule it is possible to disable or enable caching of content received through the Background Intelligent Transfer Service (BITS).
Figure 9: Disable or enable BITS caching
Diffserv for HTTP
With ISA Server 2000 it was possible to create bandwidth rules to limit traffic. Because bandwidth rules in ISA Server 2000 were rarely used, Microsoft did not implement this feature in ISA Server 2004.
With ISA Server 2004 SP2 it is possible to use Diffserv for HTTP because a small number of enterprise customers requested this feature. Diffserv is an extension of the IP protocol that uses bits in the IP header to prioritize HTTP/HTTPS traffic. To implement Diffserv you must have a good understanding of Diffserv and network protocols. Diffserv for HTTP in ISA Server 2004 uses the Diffserv priorities configured on your routers and other network devices.
It is possible to define Diffserv Preferences in the Global HTTP Policy Settings in the Microsoft ISA Server 2004 Management Console.
Figure 10: Specify Diffserv Preferences
ISA Server 2004 uses a Diffserv filter. You can find the Diffserv filter in the ISA Server Management Console in the global section under Web Filters. The Diffserv filter can only be enabled or disabled.
Figure 11: Diffserv Filter in the ISA Management Console
Packet prioritization in ISA Server 2004 is a global setting for all HTTP and HTTPS traffic. The Diffserv filter scans every URL or domain and assigns a packet priority based on the configured Diffserv priorities.
To activate Diffserv, go to the global HTTP settings in the ISA Management console and click Specify Diffserv Preferences.
Figure 12: Activate Diffserv
Please note that Diffserv does not support bandwidth control based on users and groups, and that Diffserv is limited to HTTP and HTTPS when you use the Web Proxy client.
For more information about Diffserv click here.
It is possible to set Priorities based on the Diffserv Bits configured in your network infrastructure.
Figure 13: Define Priorities
You can assign different priorities to URLs and domains. Click Add to insert a new URL or domain with its associated priority.
Figure 14: Add Priorities to URLs
Now it is time to apply Diffserv to the Networks that should use Diffserv.
Figure 15: Apply Diffserv to networks
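The following added example is not part of the original article and is not ISA Server code. It models what Figures 13 and 14 configure: constructed priority names mapped to DSCP code points, constructed URL and domain rules, and the resulting DS byte written into a constructed IPv4 header with the checksum recomputed. The precedence between URL and domain rules and the DSCP values are assumptions.

```python
import struct
from urllib.parse import urlsplit
# Constructed sample configuration (assumption): priority names -> the DSCP
# code points the routers are configured to honour (Figure 13): EF, AF31, AF11.
PRIORITIES = {"High": 46, "Medium": 26, "Low": 10}
# Constructed sample rules (assumption), as entered in Figure 14: a URL prefix
# or a domain ("*." also matches subdomains), each tied to a priority name.
RULES = [("https://www.example.com/erp/", "High"),
         ("www.example.com", "Medium"),
         ("*.updates.example.net", "Low")]
def match_priority(url, rules=RULES):
    """Priority name for a request, or None. URL-prefix rules beat domain rules,
    longest prefix first (a modelling assumption; the page states no precedence)."""
    host = (urlsplit(url).hostname or "").lower()
    hits = [(len(p), prio) for p, prio in rules if "://" in p and url.startswith(p)]
    if hits:
        return max(hits)[1]
    for pat, prio in ((p.lower(), q) for p, q in rules if "://" not in p):
        if pat.startswith("*."):
            if host == pat[2:] or host.endswith(pat[1:]):
                return prio
        elif host == pat:
            return prio
    return None

def dscp_for_request(url):
    """DSCP stamped on this request's packets; 0 (best effort) when no rule matches."""
    return PRIORITIES.get(match_priority(url), 0)

def ipv4_checksum(header):
    """RFC 791 header checksum; returns 0 when the checksum field is already correct."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def mark_dscp(ipv4_header, dscp):
    """Copy of a 20-byte IPv4 header with the six DSCP bits of the DS byte
    rewritten (the two ECN bits are kept) and the header checksum recomputed."""
    hdr = bytearray(ipv4_header)
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)
    hdr[10:12] = b"\0\0"
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr)

# Constructed sample header: 10.0.0.1 -> 192.0.2.10, TCP, TTL 64, no options.
_raw = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20, 1, 0, 64, 6, 0,
                   bytes([10, 0, 0, 1]), bytes([192, 0, 2, 10]))
SAMPLE_HEADER = mark_dscp(_raw, 0)   # same header with a valid checksum filled in
```

ISA only sets the DS byte; whether the priority has any effect depends on the routers and switches along the path honouring it, which is why the rest of the network must support Diffserv.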
HTTP Compression
ISA Server 2004 SP2 allows you to use HTTP compression. HTTP compression in ISA Server 2004 SP2 is a global HTTP policy setting. It applies to all HTTP traffic that flows through ISA Server to or from a specified network. HTTP compression is based on two Web filters:
- Compression Filter
- Caching Compressed Content Filter
Compression Filter
The Compression Filter is responsible for compressing and decompressing HTTP requests and responses. It must have a high priority because it performs the decompression, and only after decompression can the other Web filters inspect the content.
Caching Compressed Content Filter
This filter is responsible for caching compressed content and serving requests from the compressed content in the cache. The Caching Compressed Content Filter has the lowest priority because caching takes place after all other enabled Web filters in ISA Server 2004 have done their work. The new HTTP compression filter is configured in the global HTTP settings of the ISA Server 2004 Management Console.
Click Add to select the networks for which you want to use the HTTP compression feature.
Figure 16: Enable HTTP compression / decompression
Click Set Compression to specify compression settings for the selected network.
Figure 17: Configure reply for compressed content
If you select Reply with compressed HTTP content, ISA Server returns compressed content when client requests from the selected network ask for compression.
If you select Request compressed HTTP content from servers, ISA Server 2004 asks the servers for compressed content.
Figure 18: Select content types to compress
The following content types cannot be compressed:
- application/[email protected]@
Decompression of incoming packets can be activated or deactivated. If you disable decompression of incoming packets, the ISA Server Web filters cannot inspect the content.
Compressing and decompressing incoming packets on ISA Server 2004 can increase the workload on ISA and the response time.
Figure 19: Activate or deactivate HTTP Compression
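The following added example is not part of the original article and is not ISA Server code. It models the filter ordering described above with a constructed gzip-encoded response: when the Compression Filter runs first, an inspecting Web filter sees clear text and can act on a marker in the body; when decompression of incoming content is disabled (Figure 19), the same filter only sees gzip bytes and lets the response through. The marker, the response, and the cache key are constructed for the example.

```python
import gzip

# Constructed marker (assumption) standing in for whatever pattern a content
# inspection Web filter is looking for in responses.
BLOCKED_MARKER = b"BLOCKED-TEST-STRING"

def sample_response(compressed=True):
    """Constructed upstream response: a gzip-encoded body, as a server sends
    when ISA asked for compressed content (Figure 17). The padding keeps zlib
    from emitting a stored (uncompressed) deflate block."""
    body = b"<html>" + b"A" * 200 + BLOCKED_MARKER + b"</html>"
    headers = {"Content-Type": "text/html"}
    if compressed:
        body, headers["Content-Encoding"] = gzip.compress(body), "gzip"
    return {"headers": headers, "body": body}

def decompression_filter(resp):
    """Compression Filter, highest priority: undoes Content-Encoding so every
    filter that runs after it sees clear text."""
    if resp["headers"].get("Content-Encoding") != "gzip":
        return resp
    headers = {k: v for k, v in resp["headers"].items() if k != "Content-Encoding"}
    return {"headers": headers, "body": gzip.decompress(resp["body"]), "inflated": True}

def inspection_filter(resp):
    """Any inspecting Web filter: it can only match bytes it can actually read."""
    return None if BLOCKED_MARKER in resp["body"] else resp

def cache_compressed_filter(resp, cache, key):
    """Caching Compressed Content Filter, lowest priority: stores the compressed
    form only after every other filter has had its turn."""
    cache[key] = gzip.compress(resp["body"]) if resp.get("inflated") else resp["body"]
    return resp

def run_pipeline(resp, decompress_incoming, cache, key="http://www.example.com/"):
    """Runs the Web filters in priority order; returns 'blocked' or the response
    that would be delivered. decompress_incoming models the setting in Figure 19."""
    filters = [inspection_filter, lambda r: cache_compressed_filter(r, cache, key)]
    if decompress_incoming:
        filters.insert(0, decompression_filter)
    for f in filters:
        resp = f(resp)
        if resp is None:
            return "blocked"
    return resp
```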
New certificate alerts
Configuring ISA Server 2004 for SSL bridging is a time-consuming task for new ISA Server administrators because they do not know exactly how to request certificates for SSL publishing and how to use these certificates in ISA Server. ISA Server 2004 SP2 addresses this problem with additional information, for example in the SSL Web listener configuration dialog, which now tells you more about what to do with certificates in this configuration.
CARP extensions
In ISA Server 2004 Enterprise SP2, Microsoft changed the CARP (Cache Array Routing Protocol) hash-based routing to use the host name to determine which array member should handle the request. CARP assigns all of the requests for a particular host, such as www.it-training-grote.de, to a specific array member so that all traffic for one domain is cached on one array member.
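The following added example is not part of the original article and does not reproduce ISA's CARP hash; it uses a SHA-256 based rendezvous (highest-random-weight) hash as a stand-in to show the effect of the SP2 change: keyed on the host name, every request for www.it-training-grote.de lands on the same array member, whereas keyed on the full URL the same requests spread across the array. It also goes one step beyond the text by showing that removing a member only moves the hosts that were assigned to it. The array members and the sample URLs are constructed.

```python
import hashlib
from urllib.parse import urlsplit

# Constructed array (assumption): three ISA Server 2004 Enterprise array members.
ARRAY_MEMBERS = ["isa1.example.local", "isa2.example.local", "isa3.example.local"]

def _score(member, key):
    """Rendezvous (highest-random-weight) score of one member for one key. A
    SHA-256 stand-in is used here; the real CARP hash is not reproduced."""
    digest = hashlib.sha256(f"{member}|{key}".encode()).digest()
    return int.from_bytes(digest[:8], "big")

def routing_key(url, by_host=True):
    """SP2 behaviour (by_host=True): the host name only, so every URL of a host
    shares one key. by_host=False: the full URL, as a per-URL hash would use."""
    return (urlsplit(url).hostname or "").lower() if by_host else url

def pick_member(url, members=ARRAY_MEMBERS, by_host=True):
    """Array member that handles (and therefore caches) the request."""
    key = routing_key(url, by_host)
    return max(members, key=lambda m: _score(m, key))

def distribution(urls, members=ARRAY_MEMBERS, by_host=True):
    """Number of requests routed to each member."""
    counts = dict.fromkeys(members, 0)
    for url in urls:
        counts[pick_member(url, members, by_host)] += 1
    return counts

def hosts_moved(hosts, old_members, new_members):
    """Hosts whose owning member changes when the array membership changes
    (only hosts that sat on a removed member should move)."""
    return {h for h in hosts
            if pick_member(f"http://{h}/", old_members) != pick_member(f"http://{h}/", new_members)}

# Constructed sample traffic (assumption): 60 pages of the host named above.
SAMPLE_URLS = [f"http://www.it-training-grote.de/page{i}.html" for i in range(60)]
```

The flip side of host affinity is load: one very busy host is served and cached by a single member, so array sizing should take the hottest hosts into account rather than just the total request rate.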
ISA Server 2004 SP2 brings many new features that make branch office deployments easier and reduce the bandwidth used for downloading Windows Updates. ISA Server 2004 SP2 supports Diffserv for HTTP content only, and keep in mind that the rest of your network infrastructure, such as routers, must also support Diffserv. Microsoft recommends installing ISA Server 2004 SP2 immediately.
ISA Server 2004 SP2 Enterprise download
ISA Server 2004 SP2 Standard download
List of fixes in ISA Server 2004 SP2