Installing ISA Server 2000 on Windows Server 2003
By Thomas W Shinder M.D.
There have been a lot of questions on the ISAServer.org message boards on how Windows Server 2003 and ISA Server get along with each other. I didn’t spend too much time trying to figure out issues with pre-release versions of Windows Server 2003 and ISA Server because many of the problems could have been related to beta issues that would be fixed in the final version. You could never know if it was an ISA Server issue, an adverse interaction between ISA Server and Windows Server 2003, or maybe a beta bug.
Now that Windows Server 2003 is officially released, and ISA Server is officially supported on Windows Server 2003, we can get to the business of testing out ISA Server on Windows Server 2003 machines. There are many compelling reasons to run ISA Server on a Windows Server 2003 machine:
When you combine high security, rock solid stability and the increased difficulty in harpooning yourself in the foot by running IIS services on your firewall, you get what you’re really looking for in a firewall: protection for your internal network.
I’ve had the chance to run ISA Server in integrated mode on a Windows Server 2003 machine for over a month and I find it much more stable than my experiences with ISA Server on Windows 2000 machines. This could be due to the better hardware on which the ISA/Windows Server 2003 software is installed, or it could be an operating system issue. Please let us know about your experiences with ISA Server and Windows Server 2003 over on the message boards on ISAServer.org.
Installing ISA Server on a Windows Server 2003 machine is painless, but it is a little different than how you do it on a Windows 2000 machine. We need to go through the following steps to install ISA Server on a Windows Server 2003 box:
Install Windows Server 2003
The Windows Server 2003 machine should have the following characteristics:
You need at least one internal and one external interface. The internal interface will be on the Local Address Table (LAT) and does not have a default gateway set on it. The external interface is never on the LAT and it’s the only interface with a default gateway set on it. Windows Server 2003 is like Windows 2000 in that only one interface can have a default gateway. This means ISA Server on Windows Server 2003 supports a single external interface. You can have multiple public address DMZ interfaces, but only a single interface that connects the internal network to the Internet.
Do not install extra services on the firewall. Do not install a Quake server, do not install an enterprise mail and groupware server, do not install an FTP server, do not install a Web server and do not install a Kazaa server! Your ISA Server is a firewall – you wouldn’t install these services on a PIX or Checkpoint Nokia – so you shouldn’t do it on the ISA Server firewall.
Most people will use the Web Proxy service to provide Web performance enhancements and increased security for Web Publishing. The cool thing about ISA Server is that it keeps the Web cache in RAM. The more RAM you have, the more cached content can be kept in fast memory and the better end-user perceived performance. Aim for at least 768 MB of RAM in the ISA Server firewall, and more is better.
You can harden your server by disabling non-essential services. Non-essential services depend on what services you need, so it’s hard to give you a hard and fast list of what services you should disable. Check out my articles on securing ISA Server over at www.isaserver.org/shinder for more details.
Install ISA Server 2000
Now for the fun part. Get out your ISA Server 2000 CD-ROM disk and put it into the drive, or connect to a network share that contains the ISA Server installation files. Then perform the following steps to begin installing ISA Server on a Windows Server 2003 machine:
- Double click on the ISAAutorun.exe file on the ISA Server CD
- Click on the Install ISA Server link on the Internet Security & Acceleration Server 2000 splash page.
- You will see an ISA 2000 dialog box that informs you that you need to install ISA 2000 Service Pack 1 in order for things to work right. We know that, so we’ll click Continue.
- Click Continue on the Welcome to the Microsoft ISA Server installation program page.
- Enter your CD Key in the CD Key dialog box. Click OK.
- Write down your Product ID as listed in the Product ID dialog box. Click OK in the Product ID dialog box after writing this number down.
- Click I Agree in the Microsoft ISA Server Setup dialog box.
- Click the Full Installation button in the installation type dialog box. I am assuming you want to use all the features that ISA Server has to offer. You can use the Add/Remove Programs applet later if you want to remove some ISA Server features.
- In this example we are installing ISA Server in standalone mode, not in enterprise array mode. Click Yes in the dialog box that asks if you want to continue.
- Select the Integrated mode option on the Select the mode for this server page. You want to take advantage of the full power of your ISA Server firewall. Integrated mode gives you everything the Web Proxy and Firewall services have to offer. Go for it! Click Continue.
- On the Web cache page, select a drive to put the Web cache file on. The drive must be NTFS. Type in a size of the cache in the Cache size (MB) text box and then click the Set button. Then click OK.
- On the LAT page, click the Construct Table button. On the Local Address Table page, remove the checkmark in the Add the following private ranges checkbox. Put a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Remove the checkmark from the checkbox representing the external interface, and leave the checkmark in the checkbox for the internal interface. Click OK in the Local Address Table dialog box, then click OK in the Setup Message dialog box that informs you that the LAT was constructed based on the Windows 2000 routing table (in spite of the fact that you’re installing ISA Server on a Windows Server 2003 machine).
- Click OK on the LAT dialog box after reviewing the listing in the Internal IP ranges list.
- Unlike Windows 2000, Windows Server 2003 does not install IIS by default (yeah! You should NEVER run IIS services on a firewall – except for maybe the SMTP service). You will see a dialog box telling you that you’ll have to install the SMTP service if you want to run the SMTP Message Screener. Click OK to continue.
- The ISA Server services are installed. You will see a warning balloon informing you that ISA 2000 will cause Windows to become unstable. Close the balloon, remove the checkmark from the Start ISA Server Getting Started Wizard checkbox, and then click OK in the Launch ISA Management Tools dialog box.
- Click OK in the dialog box that informs you that setup was completed.
- Click OK in the dialog box that informs you that setup has failed to start one or more services.
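The interface rules from the Windows Server 2003 requirements and the LAT construction step above can be written as a check; this is an added example, not part of the original article. The adapter names, addresses and the `audit` function are constructed for illustration, and the input is what you would copy by hand from `ipconfig /all` and the Internal IP ranges list.

```python
from ipaddress import ip_address, summarize_address_range

def lat_networks(lat_ranges):
    """Expand LAT (first, last) address pairs into CIDR networks."""
    nets = []
    for first, last in lat_ranges:
        nets.extend(summarize_address_range(ip_address(first), ip_address(last)))
    return nets

def audit(interfaces, lat_ranges):
    """Return findings; an empty list means the layout follows the rules."""
    nets = lat_networks(lat_ranges)
    findings = []
    with_gw = [i["name"] for i in interfaces if i["gateway"]]
    if len(with_gw) != 1:
        findings.append(f"default gateway set on {len(with_gw)} interfaces, expected 1")
    for i in interfaces:
        on_lat = any(ip_address(i["ip"]) in n for n in nets)
        if i["role"] == "external":
            if on_lat:
                findings.append(f"{i['name']}: external address {i['ip']} is inside the LAT")
            if not i["gateway"]:
                findings.append(f"{i['name']}: external interface has no default gateway")
        elif i["role"] == "internal":
            if not on_lat:
                findings.append(f"{i['name']}: internal address {i['ip']} is missing from the LAT")
            if i["gateway"]:
                findings.append(f"{i['name']}: internal interface has a default gateway")
    return findings

# Constructed sample data (hypothetical adapters and addresses).
GOOD_IFACES = [
    {"name": "LAN", "role": "internal", "ip": "10.0.0.1", "gateway": None},
    {"name": "WAN", "role": "external", "ip": "192.168.1.70", "gateway": "192.168.1.60"},
]
GOOD_LAT = [("10.0.0.0", "10.0.0.255")]

# Same box, but the private ranges were left in the LAT and the LAN
# adapter was given a gateway: the external address now falls inside the LAT.
BAD_IFACES = [
    {"name": "LAN", "role": "internal", "ip": "10.0.0.1", "gateway": "10.0.0.254"},
    {"name": "WAN", "role": "external", "ip": "192.168.1.70", "gateway": "192.168.1.60"},
]
BAD_LAT = GOOD_LAT + [("192.168.0.0", "192.168.255.255")]

if __name__ == "__main__":
    for label, ifaces, lat in (("good", GOOD_IFACES, GOOD_LAT), ("bad", BAD_IFACES, BAD_LAT)):
        print(label, audit(ifaces, lat) or "OK")
```
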
Now you’re ready to install ISA Server Service Pack 1.
Install ISA Server Service Pack 1
The next step is to immediately install ISA Server Service Pack 1. You can get Service Pack 1 at http://www.microsoft.com/isaserver/downloads/sp1.asp. Download SP1 to a machine on the internal network, scan it for viruses, then copy it to the ISA Server. Perform the following steps after copying the service pack to the ISA Server:
- Double click on the isasp1.exe file. Type in a path to put the temporary files in the Choose Directory for Extracted Files dialog box. Click OK.
- Click I Agree in the End User License Agreement (EULA) dialog box.
- Click OK in the Microsoft ISA Server 2000 Update Setup dialog box. The computer will restart.
That’s all there is to installing ISA Server service pack 1.
Install HotFix isahf255.exe
Log onto the machine after the ISA Server service pack 1 installation routine restarts the machine. There are a few hotfixes and updates you need to install on the Windows Server 2003/ISA Server machine to ensure that everything works correctly. You can download the HotFix pack, isahf255.exe, at http://www.microsoft.com/downloads/details.aspx?familyid=77d89f87-5205-4779-b1ab-fc338283b2d9&displaylang=en
Download the file to a machine on the internal network, scan it for viruses, and then copy it to the ISA Server. Perform the following steps after copying the file to the ISA Server:
- Double click on the isahf255.exe file. Type in a path for the temporary files in the Choose Directory for Extracted Files dialog box, then click OK.
- Click I Agree in the EULA dialog box.
- Click OK in the Microsoft ISA Server 2000 Update Setup dialog box that informs you that the update was successfully applied.
Note that you do not need to restart the server. The next step is to install Feature Pack 1.
Install Feature Pack 1
Feature Pack 1 (FP1) is not required. You don’t have to install ISA Server Feature Pack 1 on the Windows Server 2003/ISA Server machine to get it working correctly. However, I do highly recommend that you install ISA Server Feature Pack 1 because it adds a lot of cool new capabilities and Wizards. You can download ISA Server Feature Pack 1 at http://www.microsoft.com/downloads/details.aspx?FamilyID=2f92b02c-ac49-44df-af6c-5be084b345f9&DisplayLang=en
Download the feature pack to a machine on the internal network and scan it for viruses. Then copy the file to the ISA Server and perform the following steps:
- Double click on the isaftp1.exe file. Type in a path for the extracted files in the Choose Directory For Extracted Files dialog box.
- Click I Agree in the Feature Pack 1 EULA dialog box.
- Click OK in the Microsoft ISA Server 2000 Feature Pack 1 dialog box. Leave the checkmark in the Read about ISA Server Feature Pack 1 checkbox to learn more about what you get with Feature Pack 1.
I think you’ll find that running ISA Server on Windows Server 2003 will be a good experience. Windows Server 2003 provides the highest level of stability and security ever seen in a Windows-based platform and ISA Server raises the level of security by several orders of magnitude. Give ISA Server on Windows Server 2003 a try and let us know what you think.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=1;t=002205 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom