If you have not yet installed ISA Server on your network, this is the article for you. In this article I will walk you through, step-by-step, the installation of ISA Server 2000 onto a computer in your network. We will cover the different types of installations you can perform (either as a stand-alone server or as part of an array of ISA Servers) and discuss the caveats associated with each.
Before we get started on the actual installation of ISA Server, there are some things you should do first:
- Ensure that Windows 2000 Server is installed on your ISA Server machine, including the most recent Service Pack. Service Pack 1 is required to be installed, at a minimum, before installing ISA Server.
- Configure the server that will be hosting the ISA Server installation. You should start with Jim Harrison’s wonderful article Configuring ISA Server Interface Settings, which will walk you through the setup of your ISA Server machine’s network adapters.
- Figure out what your internal network will encompass, both presently and in the future, with regard to IP addresses. Write these down if it’s a complicated picture—you will need this information again later.
- If your internal network contains more than one range of IP addresses (say 192.168.x.y and 10.x.y.z, for example), then you need to create the routing table on the server that is to be the ISA Server via the command shell route command. If you only have one address range, Windows will do this for you. Be sure to view the routing table before installing ISA Server to make sure it’s correct…this can prevent problems later.
- Two articles by Tom Shinder, Designing An ISA Server Solution on a Simple Network and Designing An ISA Server Solution on a Complex Network, should help you get a good idea of where you want to go with your ISA Server setup.
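The routing-table step in the checklist above, shown at the command shell as an added example that is not part of the original article. It assumes an internal adapter on 192.168.1.0/24 and a second internal range, 10.0.0.0/8, reachable through an internal router at 192.168.1.254; all addresses are constructed placeholders to replace with your own.

```bat
rem Constructed example; every address below is a placeholder.

rem 1. View the current routing table before changing anything.
route print

rem 2. Add a persistent (-p) route for the second internal range,
rem    pointing at the router on the internal side of the server.
route -p add 10.0.0.0 mask 255.0.0.0 192.168.1.254 metric 1

rem 3. Confirm the new entry: it should list 192.168.1.254 as the
rem    gateway and the internal adapter's address as the interface.
route print 10.*

rem 4. Review the whole table once more. Every internal range should
rem    resolve through the internal adapter, and only the default
rem    route (0.0.0.0) should point at the external adapter.
route print
```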
Some basic information before we get our hands dirty
The process of installing ISA Server can be started by inserting the ISA Server CD-ROM into your CD drive. In most cases, the installation program should auto-start and display the screen shown in Figure 1.
Figure 1 – The ISA Server 2000 installation screen.
If for some reason the installation program doesn’t auto-start, just double click the ISAAutorun.exe file in the root of the CD-ROM as shown in Figure 2.
Figure 2 – Starting the ISA Server 2000 installation manually.
The Installation and Deployment Guide, as shown in Figure 3, is very good reading before getting started on your installation if you have any questions. We will try to cover most of the basic situations here in this tutorial. If you are migrating from Microsoft Proxy Server 2.0, there is some outstanding migration information available in the Read About Migrating to ISA Server area, as shown in Figure 4.
Figure 3 – The Installation and Deployment Guide.
Figure 4 – Migration instructions.
To initialize or not to initialize…
Up to this point, you haven’t had to make any decisions…well, the time has come for making a decision, and your first one is a big one indeed. If you will be using this ISA Server as an array member, then you must install the ISA Server schema into Active Directory. This is a one-way decision—you cannot undo it later if you change your mind. However, if you want to add additional ISA Servers to the ISA Server array at a later time, you will not have to reinstall the schema changes. In order to make the changes to the schema, you must be a member of the Enterprise Admins and Schema Admins groups. To initialize the schema, click Run ISA Server Enterprise Initialization, which will bring up a dialog box as shown in Figure 5. (Note that this is not your last chance to abort this procedure, as we will see later.)
Figure 5 – Initializing the schema for ISA Server.
As previously mentioned, you will have one more chance to abort the schema initialization process, as shown in Figure 6. There are, however, options on this dialog box that require some discussion, so we will address them before moving any further into the installation.
Figure 6 – Configuring Enterprise initialization options prior to schema initialization.
- Your first option is whether to select Use array policy only or Use this enterprise policy. If you select the Use array policy only option, then no enterprise policy is applied to the array and the array Administrator can create any rule they desire. If the Use this enterprise policy option is selected, then an Administrator at the enterprise level dictates that only the selected policy may be applied—no additional rules may be created.
- If you place a check mark in the selection box for Allow array-level access policy rules… you have created a Combined enterprise and array policy. In this case, an array policy is added to the enterprise policy. The enterprise policy overrides the array policy. That is, the array policy can impose additional limitations, but cannot be more permissive than the enterprise policy.
- Checking Allow publishing rules allows you to create publishing rules (which must be created separately on each server), which will listen for publishing requests. Web publishing rules essentially map incoming requests to the appropriate Web servers behind the ISA Server computer.
- Checking Force packet filtering on the array does just that. Packet filtering allows you to control the flow of IP packets in and out of your network. With packet filtering enabled, all packets that arrive at the external (Internet) interface will be dropped unless they have been explicitly allowed. This occurs statically via IP packet filters or dynamically by access policy and publishing rules. This serves to further protect your internal network from attacks originating outside of your network.
- Note that you can change all of these options from the Getting Started Wizard after installation of ISA Server has completed.
If you choose to continue the process, you will see two new windows on your machine, shown in Figure 7 and Figure 8 as well as a lot of disk activity for about 2 – 5 minutes (depending on the machine configuration and loading). After the initialization is done, both windows will close out, the dialog box shown in Figure 9 will be displayed, and you are ready to continue the process of installing ISA Server.
Figure 7 – Now we sit on our hands and wait…
Figure 8 – There are over 300 changes made to the schema during the initialization process.
Figure 9 – Schema initialization has been completed.
Now that we have done all of our preparatory work, we can move on to the actual process of installing ISA Server on our machine as follows:
- Clicking Install ISA Server from the ISA Server Setup window (shown in Figure 1) will start the process.
- An informational window will appear shortly, letting you know that the process is underway; then you will be presented with the standard Wizard first page—you can dismiss it by clicking Continue.
- Doing so brings up the next window, in which we must input our CD-KEY. Unlike most other high-end Microsoft products, ISA Server does not require Windows Product Activation (WPA). Enter your CD-KEY and click OK to continue on. The next window will display your Product ID, but it’s available under the Help > About… option within the program, so you don’t have to write it down. Click OK to continue past this screen.
- After Setup quickly scans your hard drive you will be presented with the EULA window, on which you must click I Agree (as always) to continue the installation process.
- As shown in Figure 10, you are now faced with three different installation options, which are fairly simple. You can choose which one suits your needs; most often this will be Typical Installation. (In our example, I am going to perform a Full Installation.)
Figure 10 – Choosing the type of installation to perform.
- If you haven’t already installed Windows 2000 SP1, you will get the error window as shown in Figure 11.
Figure 11 – Looks like someone forgot to install SP1 on the Server!
- Continuing on with the installation, we are next presented with the window shown in Figure 12 if we have initialized the schema or the window shown in Figure 13 if we have not. Note that if you install as a stand-alone server for either reason, you can upgrade to an array server later (we will talk about this later).
Figure 12 – What kind of ISA Server will this be?
Figure 13 – Installing as a stand-alone server.
- In this instance, I am going to install as a stand-alone server (we can always upgrade later as previously mentioned), so I will click NO to continue on (this is assuming that I have initialized the schema—otherwise you would click YES as shown in Figure 13).
- The next window, shown in Figure 14, asks you to choose what mode this server will be operating in. The most robust option is Integrated mode and is the recommended mode…thus we will continue the installation by selecting Integrated mode as shown and clicking Continue.
Figure 14 – Selecting the mode of the server.
- The setup process will now stop the IIS publishing service and present you with a dialog box instructing you to reconfigure Web sites as required; this is shown in Figure 15. Click OK to continue the installation.
Figure 15 – Instructions for IIS Web sites…
- On the next window, you must configure the cache size. This option, like most others, can be changed after installation is complete. The default setting is a 100 MB cache, and for now we will leave it be. Click OK to continue.
- The next step, one of great importance if you want this whole thing to work properly, is to construct the Local Address Table (LAT). The easiest way to do this is to click the Construct Table… button and select the range for the internal network adapter as shown in Figure 16. The results of this are shown in Figure 17. Click OK to continue past this step.
Figure 16 – Selecting local addresses.
Figure 17 – The results, showing the Internal IP address range ISA Server will recognize.
- The setup program works for a while, installing ISA Server, and you are in business. That was pretty easy, wasn’t it? The only decision we have left to make is whether or not to start the Getting Started Wizard after the setup program closes out. I recommend doing so, as your ISA Server must still be configured. Tom Shinder has written a great article on this: Getting Started with ISA Server.
That’s all for now folks…
That’s all there is to this process. Installing ISA Server is actually one of the simplest product installations you will perform—provided you have done your research ahead of time.