ISA Server 2000 Quick Start Guide

by Thomas W. Shinder, M.D.

Download the ISA Server 2000 Quick Start Guide at:
http://www.isaserver.org/img/upl/gettingstarted/ISA2KQSG.zip 

Are you entirely new to ISA Server 2000? A lot of ISAServer.org visitors are! If you’re like most of us, you probably aren’t sure where to start. ISA Server 2000 is an extremely flexible and powerful firewall and a big part of that flexibility and power is the large number of options available to you. Right now you just want to get it installed with the least amount of hassle and then you can worry about making it do some neat firewall tricks later.

It was with the new ISA Server 2000 firewall admin in mind that I’ve put together the ISA Server 2000 Quick Start Guide. This Quick Start Guide walks you through the steps of installing and configuring your ISA Server firewall so that you’re protected from external intruders and still have access to the Internet from computers on your internal network. I’ve made all the decisions for you. Just go through the steps, follow up on the recommendations, and things will “just work”. You can then get into the fancy stuff, like user/group based access control, Web and Server Publishing, VPNs and logging/reporting, after you’re confident that your ISA Server 2000 firewall actually works.

Let’s get started!

Welcome to Your ISA Server 2000 Firewall

Welcome to your ISA Server 2000 firewall software. ISA Server 2000 is designed from the ground up to provide a very high level of security and protection against Internet intruders and attackers. In addition to the robust security ISA Server 2000 provides for your network, the firewall software also allows you to connect all your computers to the Internet.

Your ISA Server 2000 firewall software has a wide range of capabilities. Although ISA Server’s impressive feature set makes it the firewall for Microsoft networks, your challenge right now is to get the software installed correctly so that:

  • Your network is protected against Internet attackers, and
  • The computers on your network can connect to the Internet

    This Guide walks you through, step by step, the following:

  • How to configure your Windows 2000 or Windows Server 2003 computer
  • How to install the ISA Server 2000 software
  • How to configure the ISA Server 2000 software to protect your network and allow your computers to connect to the Internet
  • How to configure the computers on your LAN to connect to the Internet through the ISA Server 2000 firewall computer

    After completing the instructions in this guide, your network will be protected and your computers will be able to connect to the Internet.

    The next section discusses assumptions we make about the Windows 2000 or Windows Server 2003 computer that you’ll be installing your ISA Server 2000 software onto.

    Windows 2000/Windows Server 2003 Configuration Baseline

    ISA Server 2000 can be installed on either Windows 2000 or Windows Server 2003. There should be no extra services or applications on the ISA Server 2000 machine. This is important because extra services or applications can complicate installing the ISA Server 2000 firewall software and reduce the level of security the firewall software provides for your network.

    The firewall should not be acting in any of the following roles:

  • Domain controller
  • Web Server
  • FTP Server
  • Certificate Server
  • NNTP Server
  • Exchange Server
  • Sharepoint Server

    You should find another machine to install the ISA Server 2000 firewall software onto if the machine you were planning on installing the ISA Server 2000 firewall software onto is acting in any of these roles.

    Each of these services either:

  • Increases the complexity of the ISA Server 2000 installation and configuration, or
  • Introduces an unacceptable security risk to the firewall.

    The firewall is the first computer Internet intruders try to attack because it is directly connected to the Internet. ISA Server 2000 is the wall protecting your network from attackers, and that wall must be made as hard and secure as possible to protect your assets.

    WARNING:

    The Guidelines in this Quick Start Guide do not apply to Small Business Server (SBS). SBS enforces a unique set of requirements on the ISA Server 2000 software which fall outside the scope of this Quick Start Guide. Please refer to your SBS documentation for details on how to install and configure ISA Server 2000 on a SBS machine.

    This Quick Start Guide makes the following assumptions about the Windows 2000 or Windows Server 2003 computer you will be installing the ISA Server 2000 firewall software onto:

  • We do not assume that you have any other Windows servers on your network. You can have other Windows servers on your network, but they are not required.
  • You are installing ISA Server 2000 on either a Windows 2000 or Windows Server 2003 computer.
  • You have installed Windows 2000 or Windows Server 2003 on a computer using the default software settings and have not added any additional software to the Windows 2000 or Windows Server 2003 computer that you will install the ISA Server 2000 firewall software onto.
  • Your Windows 2000 or Windows Server 2003 computer already has two Ethernet cards installed, where one of the Ethernet cards is connected to the LAN and the other is connected to the Internet, or it has a single Ethernet card connected to your LAN and a modem that connects to the Internet.
  • All the machines on your internal network use the TCP/IP networking protocol to connect to one another.
  • The Windows 2000 or Windows Server 2003 machine you’re installing the ISA Server 2000 firewall software onto is not a member of a Windows domain. You can have a Windows 2000 or Windows Server 2003 domain on the internal network, but the computer running ISA Server 2000 does not need to be a member of your domain. However, if you do have an internal network domain and the Windows 2000 or Windows Server 2003 computer that you plan to install the ISA Server 2000 software onto is already a member of the internal network domain, then it’s fine to install the ISA Server 2000 software onto that computer; it will not change any of the steps.
  • Your network will be protected from outside intruders, and your computers will be able to access the Internet, after you complete the procedures in this guide. This Quick Start Guide’s goal is just that: to get you started quickly. The next step, after your firewall is configured and the computers on your network can access the Internet, is to learn about your ISA Server 2000 firewall in more detail. Please see the ISA Server 2000 Resources section at the end of this document.

    Throughout this Quick Start Guide we will refer to internal and external interfaces. The internal interface is the Ethernet card connecting the ISA Server 2000 firewall computer to your private network or LAN. The external interface is a network interface connecting you to the Internet. This external interface can be an Ethernet card, a modem or even a broadband router.

    Figure 1 shows the ISA Server 2000 firewall and its relationship to the internal and external networks. The internal interface is an Ethernet card connected to a hub or switch on the internal network, and the external interface is an Ethernet card or a modem connecting the ISA Server 2000 firewall to the Internet.

    Figure 1: The physical relationships between the ISA Server 2000 firewall and the internal and external networks.

    There are 5 steps required to get the ISA Server 2000 firewall running securely:

  • STEP 1: Configure the network interfaces
  • STEP 2: Install and configure a DNS server on the ISA Server 2000 firewall computer
  • STEP 3: Install and configure a DHCP server on the ISA Server 2000 firewall computer
  • STEP 4: Install and configure the ISA Server 2000 software
  • STEP 5: Configure the internal network computers as DHCP clients

    The rest of this Quick Start Guide walks you through each of these steps. Separate sets of instructions are included for Windows 2000 and Windows Server 2003 systems when the procedures differ between the two operating systems. Go to the section in each step applying to your operating system.

    STEP 1: Configuring the Network Interfaces

    The ISA Server 2000 firewall computer must have at least one internal network interface and one external network interface. The internal network interface is the network interface directly connected to the internal network. The external network interface can be an Ethernet card, a cable modem, a DSL modem, or a dial-up analog modem. The external network interface allows the ISA Server 2000 firewall to connect to the Internet.

    You will carry out the following procedures to correctly configure the network interfaces on the ISA Server 2000 firewall computer:

  • Assign IP addresses to the internal and external network interfaces
  • Assign a DNS server address to the ISA Server 2000 computer
  • Arrange the network interface order
  • Set up the Dial-up Networking connectoid if you use a dial-up connection to the Internet

    IP Address and DNS Server Assignment

    You must assign IP addresses to the internal and external interfaces of the ISA Server 2000 firewall computer. The ISA Server 2000 firewall computer also requires a DNS server address so that it can translate the names used to connect to Internet servers to IP addresses (which is what Internet programs like Internet Explorer use to connect to Internet servers).

    In this section we discuss the following:

  • Configure the internal network interface
  • Configure the external network interface

    Internal Network Interface

    The internal network interface must have an IP address that is on the same network ID as other computers on the directly attached network. This address must be in the private network address range and the address must not already be in use on the network.

    You must configure the ISA Server 2000 firewall to use the internal interface address as its DNS server address. This Quick Start Guide assumes your internal network computers use DHCP to obtain IP addressing information and the ISA Server 2000 computer will be their DHCP Server.

    The ISA Server 2000 firewall must have a static IP address bound to its internal interface. Perform the following steps on the Windows 2000 or Windows Server 2003 computer that will be the ISA Server 2000 firewall computer:

    1. Right click on the My Network Places icon on the desktop and click the Properties command.
    2. In the Network Connections window, right click on the internal network interface and click the Properties command.
    3. In the network interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
    4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option. Type in the IP address for the internal interface in the IP address text box. Type in the subnet mask for the internal interface in the Subnet mask text box. Do not enter a default gateway for the internal interface.
    5. Select the Use the following DNS server addresses option. Enter the IP address of the internal interface in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
    6. Click OK in the internal interface’s Properties dialog box.

      WARNING:

      Never enter a default gateway address on the internal interface.

    External Network Interface

    The external interface configuration varies depending on the type of interface used to connect to the Internet. There are two primary types of external interfaces:

  • An external interface using a statically assigned or permanent IP address
  • An external interface using a dynamic or non-permanent IP address

    ISPs offer “business accounts” that provide a permanent, statically assigned IP address. Hobbyist or home accounts are usually assigned a non-permanent address. Dial-up modem connections (with the exception of ISDN dial-up connections) are usually assigned non-permanent IP addresses. In this section you’ll see how to configure each connection type.

    NOTE:

    Cable, DSL and T1 connections, among others, can have either a permanent or a non-permanent IP address assigned to the external interface.

    External Interface with a Permanent IP Address

    There are four common situations where you use an Ethernet card on the external interface of the ISA Server 2000 firewall computer:

  • You have a DSL connection plugging into a DSL modem (note: some DSL modems install as network interface cards which are installed into the ISA Server 2000 firewall computer; in those circumstances, the internal DSL modem plugs into the DSL filtered wall jack)
  • You have a cable Internet connection plugging into a cable modem. The Ethernet card plugs into the cable modem’s Ethernet connection
  • You have a T1, fractional T1 or similar type connection to the Internet and there is a router in front of the ISA Server 2000 firewall computer
  • You have a broadband DSL or cable Internet connection and you are using a broadband router in front of the ISA Server 2000 firewall.

    Figure 2 shows the relationship between the ISA Server 2000 firewall computer and the broadband router.

    NOTE:

    Throughout this Quick Start Guide we use the terms “in front of” and “behind” the ISA Server 2000 firewall computer. Devices “in front of” the ISA Server 2000 firewall computer are closer to the Internet, and you must go through the ISA Server 2000 firewall computer to connect to machines that are in front of the ISA Server 2000 firewall computer. Devices “behind” the ISA Server 2000 computer are on the internal network, and these devices are protected by the ISA Server 2000 firewall computer.

    Figure 2: Diagram shows the relationship between the ISA Server 2000 firewall, the internal network and the router in front of the ISA Server 2000 computer

    Perform the following procedures if your external interface uses an Ethernet card and has a permanent IP address assigned to it:

    1. Right click on the My Network Places icon on the desktop and click the Properties command.
    2. In the Network Connections window, right click on the external network interface and click the Properties command.
    3. In the network interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
    4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option. Type in the IP address for the external interface in the IP address text box. Type in the subnet mask for the external interface in the Subnet mask text box. Enter a default gateway for the external interface. Check with your ISP to obtain the proper IP address, subnet mask and default gateway addresses.

      WARNING:

      Do not guess what your external IP address should be. If your ISP assigns you a permanent IP address, ask your ISP to confirm the numbers used for your IP address, Subnet mask, Default gateway and Preferred DNS server. If you use a broadband router in front of the ISA Server 2000 firewall computer, then use the IP address, subnet mask and default gateway recommended by your broadband router manufacturer.

    5. Select the Use the following DNS server addresses option. Enter the IP address of the internal (yep, that’s right, INTERNAL) interface in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
    6. Click OK in the external interface’s Properties dialog box.

    NOTE:

    Dial-up connections represent a special case and are discussed in the Setting up a Dial-up Connection section. Do not perform the following steps on configuring the external interface if you use a dial-up connection to connect to the Internet.

    External Interface with a Dynamic IP Address

    The most common situation where an Ethernet card is used on the external interface with a non-permanent IP address is when the Ethernet card is a cable or DSL modem, or it connects to a DSL or cable modem. Your DSL or cable provider will inform you if you have a permanent or non-permanent address.

    Perform the following steps if your external interface uses a non-permanent IP address:

    1. Right click on the My Network Places icon on the desktop and click the Properties command.
    2. In the Network Connections window, right click on the external network interface and click the Properties command.
    3. In the network interface’s Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
    4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP address automatically option.
    5. Select the Use the following DNS server addresses option. Enter the IP address of the internal interface in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
    6. Click OK in the external interface’s Properties dialog box.

    Network Interface Order

    The internal interface of the ISA Server 2000 computer should be placed at the top of the network interface list to ensure the best performance for name resolution. The procedure for configuring the network interface order is the same on Windows 2000 and Windows Server 2003 computers.

    WARNING:

    Do not change the interface order if you are using a Dial-up connection to connect to the Internet. This procedure applies only to situations where you use non-dialup connections to connect to the Internet.

    Perform the following steps to change the network interface order:

    1. Right click on the My Network Places icon on the desktop and click the Properties command.
    2. In the Network and Dial-up Connections window, click the Advanced menu, then click the Advanced Settings command.
    3. In the Advanced Settings dialog box, click on the internal interface in the list of Connections on the Adapters and Bindings tab. After the internal interface is highlighted, click the up-arrow to move the internal interface to the top of the list of interfaces.
    4. Click OK in the Advanced Settings dialog box.
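The rules in STEP 1 are easy to get wrong by hand (a default gateway typed on the internal interface, a DNS server other than the firewall’s own internal address, an external address that lands on the internal subnet). The checker below is an added example that is not part of this Quick Start Guide and not an ISA Server tool; it encodes those rules so you can sanity-check a planned addressing scheme before you type it into the Internet Protocol (TCP/IP) Properties dialog boxes. The addresses in the sample plans are constructed values, and the `Interface` and `check_plan` names are my own.

```python
"""Added example (not part of the ISA Server 2000 Quick Start Guide): a small
checker for a planned firewall addressing scheme that encodes the rules of
STEP 1. All addresses used in the sample plans are constructed values."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1918 private ranges the guide requires for the internal interface
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Interface:
    """TCP/IP settings as typed into the Internet Protocol (TCP/IP) Properties dialog."""
    name: str
    dhcp: bool = False                 # "Obtain an IP address automatically"
    address: Optional[str] = None      # "IP address" box
    mask: Optional[str] = None         # "Subnet mask" box
    gateway: Optional[str] = None      # "Default gateway" box (None = left blank)
    dns: List[str] = field(default_factory=list)  # preferred DNS server first


def check_plan(internal: Interface, external: Interface) -> List[str]:
    """Return the rule violations found; an empty list means the plan follows the guide."""
    problems: List[str] = []

    # Internal interface: static, private, no default gateway, DNS = its own address
    if internal.dhcp or not (internal.address and internal.mask):
        return ["internal interface must have a static IP address and subnet mask"]
    int_ip = ipaddress.ip_address(internal.address)
    int_net = ipaddress.ip_network(f"{internal.address}/{internal.mask}", strict=False)
    if not any(int_ip in r for r in PRIVATE_RANGES):
        problems.append("internal address must be in an RFC 1918 private range")
    if internal.gateway:
        problems.append("never enter a default gateway on the internal interface")
    if internal.dns[:1] != [internal.address]:
        problems.append("internal interface's preferred DNS server must be the internal address")

    # External interface: either DHCP, or static with a gateway on its own subnet
    if external.dhcp:
        if external.address or external.gateway:
            problems.append("a DHCP external interface should carry no static address or gateway")
    elif not (external.address and external.mask and external.gateway):
        problems.append("a static external interface needs an address, mask and default gateway (confirm them with your ISP)")
    else:
        ext_net = ipaddress.ip_network(f"{external.address}/{external.mask}", strict=False)
        if ext_net.overlaps(int_net):
            problems.append("internal and external interfaces must be on different subnets")
        if ipaddress.ip_address(external.gateway) not in ext_net:
            problems.append("external default gateway is not on the external subnet")
    # Both interfaces use the firewall's own internal address as preferred DNS server
    if external.dns[:1] != [internal.address]:
        problems.append("external interface's preferred DNS server must also be the internal address")
    return problems


# Constructed sample plans: one that follows the guide, one that breaks its main rule
GOOD_PLAN = (
    Interface("Internal", address="192.168.1.1", mask="255.255.255.0", dns=["192.168.1.1"]),
    Interface("External", address="203.0.113.10", mask="255.255.255.248",
              gateway="203.0.113.9", dns=["192.168.1.1"]),
)
GATEWAY_ON_INTERNAL = (
    Interface("Internal", address="192.168.1.1", mask="255.255.255.0",
              gateway="192.168.1.254", dns=["192.168.1.1"]),
    Interface("External", dhcp=True, dns=["192.168.1.1"]),
)

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("gateway on internal", GATEWAY_ON_INTERNAL)):
        print(f"{label}: {check_plan(*plan) or 'OK'}")
```

Fill in `Interface` objects with the values you intend to type and run `check_plan` before touching the dialog boxes; the dial-up case is not modelled here because the connectoid, not an Ethernet card, carries the external address in that setup.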

    Setting up a Dial-up Connection

    ISA Server 2000 firewall computers can use Dial-up Networking connections, which are configured in the Network and Dial-up Connections window in Windows 2000 and the Network Connections window in Windows Server 2003, to connect the ISA Server 2000 firewall to the Internet. These dial-up connection entries are named connectoids. You’ll use Dial-up Networking connectoids to create a Dial-up Entry in the ISA Server 2000 management console later in this Quick Start Guide.

    In this ISA Server 2000 Quick Start Guide we assume your dial-up hardware is already installed and is working properly. The next step is to create the Dial-up Networking connectoid you’ll use to connect the ISA Server 2000 firewall computer to your ISP. We will cover procedures for creating the connectoid in Windows 2000 and Windows Server 2003 computers separately.

    NOTE:

    These steps are performed differently in Windows 2000 and Windows Server 2003. Go to the section applying to the operating system you’re installing ISA Server 2000 on and follow those steps.

    Creating the Dial-up Connectoid on a Windows 2000 Computer

    Perform the following steps on the Windows 2000 computer to create the dial-up connectoid that connects the machine to the Internet:

    1. Right click the My Network Places icon on the desktop and click the Properties command.
    2. In the Network and Dial-up Connections window, double click on the Make New Connection icon.
    3. In the Location Information dialog box, enter your area code and access number if required. Click OK.
    4. Click OK in the Phone and Modem Options dialog box.
    5. Click Next on the Welcome to the Network Connection Wizard page.
    6. Select the Dial-up to the Internet option on the Network Connection Type page and click Next.
    7. On the Welcome to the Internet Connection Wizard page, select the I want to set up my Internet connection manually, or I want to connect through a local area network (LAN) option and click Next.
    8. Select the I connect through a phone line and a modem option on the Setting up your Internet connection page and click Next.
    9. On the Step 1 of 3: Internet account connection information page, type in the correct Area code and Telephone number for your ISP Internet connection. Click Next.
    10. On the Step 2 of 3: Internet account logon information page, type in the User name and Password provided to you by your ISP and click Next.
    11. On the Step 3 of 3: Configuring your computer page, type in a Connection name. For example, name the connection ISP Internet Link. Click Next.
    12. Select No on the Set Up Your Internet Mail Account page and click Next.
    13. Click Finish on the Completing the Internet Connection Wizard page.
    14. The ISP Internet Link entry now appears in the Network and Dial-up Connections window and it has a telephone icon associated with it.
    15. Right click the ISP Internet Link and click the Properties command. In the ISP Internet Link Properties dialog box, click on the Options tab. If you want the link to automatically redial if the connection is dropped, put a checkmark in the Redial if line is dropped checkbox. You can then configure the Redial attempts and Time between redial attempts to meet your preferences. The default Idle time before hanging up value is set to never. If you want the modem to drop a connection after an idle period, change this value.

      NOTE:

      Modem networks and applications require frequent connections to the Internet. You should anticipate that the dial-up connection will remain connected most of the time as internal network hosts connect to the Internet at any time of day for a variety of reasons.

    Creating the Dial-up Connectoid on a Windows Server 2003 Computer

    Perform the following steps on the Windows Server 2003 computer to create the dial-up connectoid that connects the machine to the Internet:

    1. Right click the My Network Places icon on the desktop and click the Properties command.
    2. In the Network Connections window, double click on the New Connection Wizard icon.
    3. Click Next on the Welcome to the New Connection Wizard page.
    4. On the Network Connection Type page, select the Connect to the Internet option and click Next.
    5. On the Internet Connection page, select the Connect using a dial-up modem option and click Next.
    6. On the Connection Name page, type ISP Internet Link in the ISP Name text box and click Next.
    7. On the Phone Number to Dial page, type the area code and phone number you use to connect to the ISP in the Phone number text box and click Next.
    8. On the Connection Availability page, select the Anyone’s use option and click Next.
    9. On the Internet Account Information page, type in the User name and Password provided to you by your ISP. Confirm the password in the Confirm password text box. Place checkmarks in the Use this account name and password when anyone connects to the Internet from this computer and Make this the default Internet connection checkboxes. Remove the checkmark from the Turn on Internet Connection Firewall for this connection checkbox. Click Next.
    10. Click Finish on the Completing the New Connection Wizard page.
    11. The Connect ISP Internet Link dialog box appears. Click the Properties button.
    12. On the ISP Internet Link Properties dialog box, click on the Options tab. If you want the connection to automatically redial if the link is dropped, put a checkmark in the Redial if line is dropped checkbox. You can configure custom Redial attempts and Time between redial attempts values if you select this option. If you want the connection to drop after a period of idleness, then change the value in the Idle time before hanging up list box. If you do not want the link to drop, select the never option in the idle time drop down list. Click OK after making the changes.
    13. Close the Connect ISP Internet Link dialog box.

      NOTE:

      Modem networks and applications require frequent connections to the Internet. You should anticipate that the dial-up connection will remain connected most of the time as internal network hosts connect to the Internet at any time of day for a variety of reasons.

    STEP 2: Installing and Configuring a DNS Server on the ISA Server Firewall

    You will install a DNS server on the ISA Server 2000 firewall computer. This enables machines on your network to perform Internet host name resolution. Computers must be able to resolve the names of Internet servers in order to contact computers that are not located on the internal network. Even if you already have a DNS server located on the internal network, you should configure the ISA Server 2000 firewall computer as a caching-only DNS server and configure the computers on the internal network to use the ISA Server 2000 machine as their DNS server.

    Installing the DNS Service

    The DNS Server service is not installed by default. Procedures for installing the DNS Server service on Windows 2000 and Windows Server 2003 machines are very similar. We will discuss the installation procedures for Windows 2000 and Windows Server 2003 separately in this section.

    NOTE:

    These steps are performed differently in Windows 2000 and Windows Server 2003. Go to the section applying to the operating system you’re installing ISA Server 2000 on and follow those steps.

    Installing the DNS Server Service on Windows 2000

    Perform the following steps to install the DNS Server service on a Windows 2000 computer:

    1. Click Start, point to Settings and click Control Panel.
    2. In the Control Panel window, double click on the Add/Remove Programs entry.
    3. In the Add/Remove Programs window, click on the Add/Remove Windows Components button.
    4. In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
    5. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
    6. Click Next in the Windows Components dialog box.
    7. If terminal services is enabled on the machine, click Next in the Terminal Service Setup dialog box.
    8. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder in the Copy files from text box, then click OK.
    9. Click Finish in the Completing the Windows Components Wizard page.
    10. Click Close in the Add/Remove Programs window.

    Installing the DNS Server Service on Windows Server 2003

    Perform the following steps to install the DNS Server service on a Windows Server 2003 computer:

    1. Click Start, point to Control Panel and click Add or Remove Programs.
    2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button.
    3. In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
    4. In the Networking Services dialog box, put a checkmark in the Domain Name System (DNS) checkbox and click OK.
    5. Click Next in the Windows Components dialog box.
    6. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, provide a path to the i386 folder in the Copy files from text box, then click OK.
    7. Click Finish in the Completing the Windows Components Wizard page.
    8. Close the Add or Remove Programs window.

    Configuring the DNS Service

    The DNS Server on the ISA Server 2000 firewall machine performs DNS queries for Internet host names on the behalf of computers on the internal network. The DNS Server on the ISA Server 2000 firewall is configured as a caching-only DNS server. A caching-only DNS Server does not contain information about your public or private DNS names. The caching-only DNS Server can resolve Internet host names and cache the results, but it does not answer DNS queries for names on your private internal network DNS zone or your public DNS zone.

    NOTE:

    DNS is an inherently complex topic. Do not be concerned if you do not completely understand the details of how DNS operates. The DNS service will be configured correctly when you perform the steps in this section.

    However, if you have an internal network DNS server to support an Active Directory domain, you can configure the caching-only DNS server located on the ISA Server 2000 firewall to refer requests to your internal network domain to the DNS server on your internal network. The bottom line is that the caching-only DNS server on the ISA Server 2000 firewall computer will not interfere with your current DNS server setup (if you have one already).

    In this section we provide instructions on how to configure the DNS Server service on Windows 2000 and Windows Server 2003 computers.

    NOTE:

    These steps are performed differently in Windows 2000 and Windows Server 2003. Go to the section applying to the operating system you’re installing ISA Server 2000 on and follow those steps.

    Configuring the DNS Service in Windows 2000

    Perform the following steps to configure the DNS service on the Windows 2000 computer:

    1. Click Start, point to Programs and point to Administrative Tools. Click on the DNS entry in the Administrative Tools menu.
    2. Expand all nodes in the left pane of the DNS console. Right click on your server name, point to View and click on Advanced.
    3. Right click on the server name in the left pane of the console and click the Properties command.
    4. In the server Properties dialog box, click on the Interfaces tab. Select the Only the following IP addresses option. Click on any IP address in the list of IP addresses that is not the IP address on the internal interface. Select this non-internal interface IP address and click the Remove button. Click Apply.
    5. Click on the Forwarders tab. Put a checkmark in the Enable forwarders checkbox. Type in the IP address of your ISP’s DNS server in the IP address text box and click Add. Put a checkmark in the Do not use recursion checkbox. Click Apply and then click OK.
    6. Right click on the server name in the left pane of the console, point to All Tasks and click on Restart.
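The three settings that make this a safe caching-only server (listen on the internal address only, forward to the ISP, do not use recursion) are worth checking as a set, because a DNS server that still listens on the external address with recursion enabled answers queries for anyone on the Internet, not just your LAN. The checker below is an added example that is not part of this Quick Start Guide and not a Microsoft DNS tool; it models the settings from the Interfaces and Forwarders tabs, plus the optional internal-domain zone described further on (SOA primary and NS pointing at the internal network DNS server), and reports what deviates from the guide. The `DnsPlan` and `Zone` names, the domain name `corp.example` and all addresses are constructed.

```python
"""Added example (not part of the ISA Server 2000 Quick Start Guide): a checker
for the planned DNS Server settings of the firewall against the caching-only
configuration of STEP 2. Names and addresses are constructed samples."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional

# RFC 1918 ranges: a forwarder inside these is not your ISP's DNS server
PRIVATE_RANGES = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


@dataclass
class Zone:
    """A forward lookup zone as created by the New Zone Wizard."""
    name: str                     # e.g. "corp.example" (constructed)
    soa_primary: str              # host in the SOA "Primary server" box
    name_servers: List[str]       # NS records of the zone


@dataclass
class DnsPlan:
    listen_addresses: List[str]   # Interfaces tab, "Only the following IP addresses"
    forwarders: List[str]         # Forwarders tab
    do_not_use_recursion: bool    # the checkbox of the same name
    zones: List[Zone] = field(default_factory=list)


def check_dns_plan(plan: DnsPlan, internal_ip: str,
                   internal_domain: Optional[str] = None,
                   internal_dns_host: Optional[str] = None) -> List[str]:
    """Return rule violations; an empty list means the server is caching-only as the guide wants."""
    problems: List[str] = []
    # Listen only on the internal interface so the resolver is not reachable from the Internet
    if plan.listen_addresses != [internal_ip]:
        problems.append("DNS Server must listen only on the internal interface address")
    if not plan.forwarders:
        problems.append("at least one forwarder (your ISP's DNS server) is required")
    for fwd in plan.forwarders:
        if any(ipaddress.ip_address(fwd) in r for r in PRIVATE_RANGES):
            problems.append(f"forwarder {fwd} is a private address; it should be your ISP's DNS server")
    if not plan.do_not_use_recursion:
        problems.append("'Do not use recursion' must be checked so the firewall relies on the forwarders")
    # Zones: none on a pure caching-only server; exactly one, referring to the internal
    # DNS server, when an internal Active Directory domain exists
    want_zone = internal_domain.lower() if internal_domain and internal_dns_host else None
    for zone in plan.zones:
        if zone.name.lower() != want_zone:
            problems.append(f"zone {zone.name} does not belong on a caching-only server")
            continue
        if zone.soa_primary.lower() != internal_dns_host.lower():
            problems.append("SOA primary server must be the internal network DNS server")
        if [n.lower() for n in zone.name_servers] != [internal_dns_host.lower()]:
            problems.append("the only NS record must be the internal network DNS server")
    if want_zone and not any(z.name.lower() == want_zone for z in plan.zones):
        problems.append(f"missing zone {internal_domain} referring to the internal DNS server")
    return problems


# Constructed sample plans
CACHING_ONLY = DnsPlan(["192.168.1.1"], ["203.0.113.53"], True)
WITH_AD_REFERRAL = DnsPlan(["192.168.1.1"], ["203.0.113.53"], True,
                           [Zone("corp.example", "dc1.corp.example", ["dc1.corp.example"])])
LISTENS_EXTERNALLY = DnsPlan(["192.168.1.1", "203.0.113.10"], ["203.0.113.53"], False)

if __name__ == "__main__":
    print("caching-only:", check_dns_plan(CACHING_ONLY, "192.168.1.1") or "OK")
    print("with AD zone:", check_dns_plan(WITH_AD_REFERRAL, "192.168.1.1",
                                          "corp.example", "dc1.corp.example") or "OK")
    print("listens externally:", check_dns_plan(LISTENS_EXTERNALLY, "192.168.1.1"))
```

Pass `internal_domain` and `internal_dns_host` only when you really have an Active Directory domain on the internal network; without them any zone at all is reported, which matches the WARNING that follows.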

    Perform the following steps only if you have an internal network Active Directory domain and an existing DNS server on the internal network:

      WARNING:

      DO NOT perform the following steps if you do not already have a DNS server on your internal network. These steps are only for those networks already using Windows 2000 or Windows Server 2003 Active Directory domains.

  • Right click on the Reverse Lookup Zone node in the left pane of the console and click the New Zone command.
  • Click Next on the Welcome to the New Zone Wizard page.
  • Select the Standard primary on the Zone Type page and click Next.
  • Select the Network ID option on the Reverse Lookup Zone page and type in the network ID where your domain controller is located in the text box. Click Next.
  • Accept the default file name on the Zone File page and click Next.
  • Click Finish on the Completing the New Zone Wizard page.
  • Right click on the Forward Lookup Zones node in the left pane of the console and click the New Zone command.
  • Click Next on the Welcome to the New Zone Wizard page.
  • Select Standard primary on the Zone Type page and click Next.
  • Type in the name of your internal network domain in the Type the name of the zone text box on the Zone Name page. Click Next.
  • Accept the default file name on the Zone File page and click Next.
  • Click Finish on the Completing the New Zone Wizard page.
  • Expand the Forward Lookup Zones node in the left pane of the console and right click the domain name. Click the New Host command.
  • In the New Host dialog box, type in the computer name of the DNS server on the internal network that is authoritative for your Active Directory domain in the Name (uses parent domain name if blank) text box. Type in the IP address of the DNS server on the internal network in the IP address text box. Put a checkmark in the Create an associated pointer (PTR) record checkbox. Click Add Host.

  • Click OK in the DNS dialog box. Click Done in the New Host dialog box.
  • In the right pane of the DNS console, right click on the NS record for the domain and click the Properties command. In the domain’s Properties dialog box, click the current entry in the server list and then click the Remove button.
  • Click the Add button on the Name Servers tab. In the New Resource Record dialog box, click the Browse button. In the Browse dialog box, double click on your server name, then double click on the Forward Lookup Zones folder. Double click on your internal network domain name. Double click on the name of the DNS server on the internal network. Click OK in the New Resource Record dialog box.
  • Click Apply and then click OK in the domain Properties dialog box.
  • Right click on the SOA record in the left pane of the DNS console and click the Properties command.
  • On the Start of Authority (SOA) tab, click the Browse button that lies to the right of the Primary server text box. In the Browse dialog box, double click on your server name, then double click on the Forward Lookup Zones folder. Double click on your domain name and then double click on the DNS server name on the internal network.
  • Click Apply and then click OK in the domain Properties dialog box.
  • Right click on the server name in the left pane of the console, point to All Tasks and then click Restart.
    Configuring the DNS Service in Windows Server 2003

    Perform the following steps to configure the DNS service on the Windows Server 2003 computer:

    1. Click Start and point to Administrative Tools. Click on the DNS entry.
    2. Right click on the server name in the left pane of the console, point to View and click on Advanced.
    3. Expand all nodes in the left pane of the DNS console.
    4. Right click on the server name in the left pane of the DNS console and click on the Properties command.
    5. In the server Properties dialog box, click on the Interfaces tab. Select the Only the following IP addresses option. Click on any IP address that is not an IP address bound to the internal interface of the computer. After highlighting the non-internal IP address, click the Remove button. Click Apply.
    6. Click the Forwarders tab. Enter the IP address of your ISP’s DNS server in the Selected domain’s forwarder IP address list text box and then click Add. Put a checkmark in the Do not use recursion for this domain checkbox. Click Apply.

    7. Click OK in the server Properties dialog box.
    8. Right click the server name, point to All Tasks and click the Restart command.

    Perform the following steps only if you have an internal network DNS server that you are using to support an Active Directory domain:

      WARNING:

      DO NOT perform the following steps if you do not already have a DNS server on your internal network. These steps are only for those networks already using Windows 2000 or Windows Server 2003 Active Directory domains.

  • Right click the Reverse Lookup Zones node in the left pane of the console and click New Zone.
  • Click Next on the Welcome to the New Zone Wizard page.
  • On the Zone Type page, select the Stub zone option and click Next.
  • Select the Network ID option and then type in the network ID on which the internal network DNS server is located on the Reverse Lookup Zone Name page in the Network ID text box. Click Next.

  • Accept the default file name on the Zone File page and click Next.
  • On the Master DNS Servers page, type in the IP address of your internal network DNS server in the IP address text box and click Add. Click Next.
  • Click Finish on the Completing the New Zone Wizard page.
  • Right click on the Forward Lookup Zones node in the left pane of the console and click the New Zone command.
  • Click Next on the Welcome to the New Zone Wizard page.
  • On the Zone Type page, select the Stub zone option. Click Next.
  • On the Zone name page, type in the name of your internal network domain in the Zone name text box. Click Next.
  • On the Zone File page, accept the default name for the zone file and click Next.

  • On the Master DNS Servers page, type in the IP address of your internal network DNS server in the IP address text box and click Add. Click Next.
  • Click Finish on the Completing the New Zone Wizard page.
  • Right click on the server name in the left pane of the console, point to All Tasks and click Restart.
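The Interfaces, Forwarders and stub-zone steps above (and their Windows 2000 counterparts) combine into one resolution path: names in the internal Active Directory zones go to the internal DNS server, everything else goes to the ISP's forwarder, and the firewall never recurses to Internet name servers on its own. The following Python model is an added example, not code from the guide or from Microsoft; the addresses, the zone name corp.example.com and the assumption that locally hosted zone data (including stub zones) is consulted before forwarders are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class FirewallDnsConfig:
    """Settings the DNS console steps put in place on the firewall (model only).

    listen_addresses : Interfaces tab, "Only the following IP addresses"
    forwarders       : Forwarders tab, the ISP's DNS server(s)
    use_recursion    : False when "Do not use recursion" is checked
    internal_zones   : zone name -> servers that answer for it (the internal AD DNS
                       server; a stub zone on Windows Server 2003, or the primary
                       zone with NS/SOA pointed at that server on Windows 2000)
    """
    listen_addresses: List[str]
    forwarders: List[str]
    use_recursion: bool
    internal_zones: Dict[str, List[str]] = field(default_factory=dict)


def _normalize(name: str) -> str:
    return name.rstrip(".").lower()


def choose_upstream(cfg: FirewallDnsConfig, qname: str) -> Tuple[str, List[str]]:
    """Return (path, servers): where the firewall's DNS sends a query for qname.

    Assumption of this model: locally hosted zone data (including stub zones)
    is checked first, then forwarders, and recursion to root hints only
    happens when it is allowed and no forwarder is configured.
    """
    name = _normalize(qname)
    best = None  # (zone, servers) with the longest matching suffix
    for zone, servers in cfg.internal_zones.items():
        z = _normalize(zone)
        if name == z or name.endswith("." + z):
            if best is None or len(z) > len(best[0]):
                best = (z, servers)
    if best is not None:
        return ("internal-zone", list(best[1]))
    if cfg.forwarders:
        return ("forwarder", list(cfg.forwarders))
    if cfg.use_recursion:
        return ("root-hints", [])
    return ("refused", [])


def config_problems(cfg: FirewallDnsConfig, internal_ip: str, external_ip: str) -> List[str]:
    """List deviations from what the guide asks for on the firewall's DNS service."""
    problems = []
    if external_ip in cfg.listen_addresses:
        problems.append(f"DNS is listening on the external interface {external_ip}")
    if internal_ip not in cfg.listen_addresses:
        problems.append(f"DNS is not listening on the internal interface {internal_ip}")
    if not cfg.forwarders:
        problems.append("no forwarder configured; the firewall would query Internet name servers itself")
    if cfg.use_recursion:
        problems.append("'Do not use recursion' is not set; a failed forwarder makes the firewall recurse on its own")
    for zone, servers in cfg.internal_zones.items():
        if not servers:
            problems.append(f"internal zone {zone} has no name servers")
    return problems


# Constructed sample: internal NIC 192.168.1.1, external NIC 203.0.113.10,
# ISP resolver 198.51.100.53, internal AD DNS server 192.168.1.10.
EXAMPLE_CONFIG = FirewallDnsConfig(
    listen_addresses=["192.168.1.1"],
    forwarders=["198.51.100.53"],
    use_recursion=False,
    internal_zones={
        "corp.example.com": ["192.168.1.10"],
        "1.168.192.in-addr.arpa": ["192.168.1.10"],
    },
)

if __name__ == "__main__":
    for q in ("dc1.corp.example.com", "www.example.net", "50.1.168.192.in-addr.arpa"):
        print(q, "->", choose_upstream(EXAMPLE_CONFIG, q))
    print("problems:", config_problems(EXAMPLE_CONFIG, "192.168.1.1", "203.0.113.10"))
```

The suffix match deliberately requires a label boundary, so a query for notcorp.example.com is forwarded to the ISP rather than sent to the internal server.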
    STEP 3: Installing and Configuring a DHCP Server on the ISA Server Firewall

    Your computers need an IP address and other information that allows them to communicate with each other and with computers on the Internet. The DHCP Server service can be installed on the ISA Server 2000 firewall computer and provide IP addressing information to internal network computers. This Quick Start Guide assumes you will use the ISA Server 2000 firewall computer to assign IP addresses and other networking information to computers on your network.

    WARNING:

    You must not have any other DHCP servers on the network. If you have another machine on the network acting as a DHCP server, disable the DHCP service on that machine so that the ISA Server 2000 firewall is the only DHCP server on the network.

    Installing the DHCP Service

    The DHCP Server service can be installed on Windows 2000 and Windows Server 2003 computers. The procedure varies slightly between the two operating systems. In this section we discuss procedures for installing DHCP Server service on Windows 2000 and Windows Server 2003 computers.

    NOTE:

    These steps are performed differently in Windows 2000 and Windows Server 2003. Go to the section applying to the operating system you’re installing ISA Server 2000 on and follow those steps.

    Installing the DHCP Server Service on a Windows 2000 Computer

    Perform the following steps to install the DHCP Server service on a Windows 2000 computer:

    1. Click Start, point to Settings and click Control Panel.
    2. In the Control Panel window, double click on the Add/Remove Programs entry.
    3. In the Add/Remove Programs window, click on the Add/Remove Windows Components button.
    4. In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
    5. In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox and click OK.

    6. Click Next in the Windows Components dialog box.
    7. If terminal services is enabled on the machine, click Next in the Terminal Service Setup dialog box.
    8. Click Finish in the Completing the Windows Components Wizard page.
    9. Click Close in the Add/Remove Programs window.

    Installing the DHCP Server Service on a Windows Server 2003 Computer

    Perform the following steps to install the DHCP Server service on a Windows Server 2003 computer:

    1. Click Start, point to Control Panel and click Add or Remove Programs.
    2. In the Add or Remove Programs window, click on the Add/Remove Windows Components button.
    3. In the Windows Components Wizard dialog box, select the Networking Services entry in the list of Components. Do not put a checkmark in the checkbox! After highlighting the Networking Services entry, click the Details button.
    4. In the Networking Services dialog box, put a checkmark in the Dynamic Host Configuration Protocol (DHCP) checkbox and click OK.

    5. Click Next in the Windows Components dialog box.
    6. Click Finish in the Completing the Windows Components Wizard page.
    7. Close the Add or Remove Programs window.

    Configuring the DHCP Service

    The DHCP Server must be configured with a collection of IP addresses it can assign to computers on your network. The DHCP Server also provides other networking information to your computers, such as a DNS Server and default gateway addresses. The DNS server and default gateway addresses for your computers will be the IP address on the internal interface of the ISA Server 2000 firewall. The DHCP server uses a DHCP scope to provide this information to the internal network clients. You will create a DHCP scope that provides the correct information.

    NOTE:

    The DHCP server must not assign addresses that are already in use on your network. You will create exclusions for these IP addresses. Examples of excluded IP addresses might be addresses assigned to print servers, file servers, mail servers or Web servers; these are just a few examples of devices or servers that always have the same IP address assigned to them. These addresses are permanently assigned to these servers and network devices.

    The procedure varies slightly for Windows 2000 and Windows Server 2003 computers. We will discuss each configuration in this section.

    NOTE:

    These steps are performed differently in Windows 2000 and Windows Server 2003. Go to the section applying to the operating system you’re installing ISA Server 2000 on and follow those steps.

    Configuring the Windows 2000 DHCP Server Service

    Perform the following steps to configure the Windows 2000 DHCP Server with a scope that assigns the proper IP addressing information to the internal network computers:

    1. Click Start, point to Programs and then point to Administrative Tools. Click on the DHCP entry.
    2. Expand all nodes in the left pane of the DHCP console. Right click on the server name in the left pane of the console and click New Scope.
    3. Click Next on the Welcome to the New Scope Wizard page.
    4. Type SecureNAT Client Scope in the Name text box on the Scope Name page. Click Next.
    5. On the IP Address Range page, type in the first IP address and the last IP address for the range in the Start IP address and End IP address text boxes. For example, if you are using the network ID 192.168.1.0 with a subnet mask of 255.255.255.0, then enter the start IP address 192.168.1.1 and the end IP address 192.168.1.254. Click Next.
    6. On the Add Exclusions page, type in the IP address of the internal interface of the ISA Server 2000 firewall in the Start IP address text box and click Add. If you have any other servers on the network that already have a statically assigned IP address that you do not want to change, then add those addresses to the list. Click Next after adding all the addresses you want to exclude from the DHCP scope.
    7. Accept the default value on the Lease Duration page and click Next.
    8. On the Configuring DHCP Options page, select Yes, I want to configure these options now and click Next.
    9. On the Router page, type in the IP address of the internal interface of the ISA Server 2000 firewall computer and then click Add. Click Next.
    10. On the Domain Name and DNS Servers page, enter the IP address of the internal interface of the ISA Server 2000 firewall computer in the IP address text box and click Add. If you have an Active Directory domain on the internal network, then enter the name of your internal network domain in the Parent domain text box. Do not enter a domain name in the Parent domain text box unless you have an existing Active Directory domain on the internal network. Click Next.
    11. Do not enter any information on the WINS Servers page. Click Next.
    12. Select the Yes, I want to activate this scope now option on the Activate Scope page and click Yes.
    13. Click Finish on the Completing the New Scope Wizard page.

    Configuring the Windows Server 2003 DHCP Server Service

    Perform the following steps to configure the Windows Server 2003 DHCP Server with a scope that will assign the proper IP addressing information to the internal network clients:

    1. Click Start, point to Administrative Tools. Click on the DHCP entry.
    2. Expand all nodes in the left pane of the DHCP console. Right click on the server name in the left pane of the console and click New Scope.
    3. Click Next on the Welcome to the New Scope Wizard page.
    4. Type SecureNAT Client Scope in the Name text box on the Scope Name page. Click Next.
    5. On the IP Address Range page, type in the first IP address and the last IP address for the range in the Start IP address and End IP address text boxes. For example, if you are using the network ID 192.168.1.0 with a subnet mask of 255.255.255.0, then enter the start IP address 192.168.1.1 and the end IP address 192.168.1.254. Click Next.
    6. On the Add Exclusions page, type in the IP address of the internal interface of the ISA Server firewall in the Start IP address text box and click Add. If you have any other servers on the network that already have a statically assigned IP address that you do not want to change, then add those addresses to the list. Click Next after adding all the addresses you want to exclude from the DHCP scope.
    7. Accept the default value on the Lease Duration page and click Next.
    8. On the Configuring DHCP Options page, select Yes, I want to configure these options now and click Next.
    9. On the Router page, type in the IP address of the internal interface of the ISA Server 2000 firewall computer and then click Add. Click Next.
    10. On the Domain Name and DNS Servers page, enter the IP address of the internal interface of the ISA Server 2000 firewall computer in the IP address text box and click Add. If you have an Active Directory domain on the internal network, then enter the name of your internal network domain in the Parent domain text box. Do not enter a domain name in the Parent domain text box unless you have an existing Active Directory domain on the internal network. Click Next.
    11. Do not enter any information on the WINS Servers page. Click Next.
    12. Select the Yes, I want to activate this scope now option on the Activate Scope page and click Yes.
    13. Click Finish on the Completing the New Scope Wizard page.
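The scope wizard steps for Windows 2000 and Windows Server 2003 above produce the same object: an address range covering the internal network ID, exclusions for the firewall's internal address and any statically addressed servers, and router and DNS options that both point at the firewall's internal interface. The Python planner below is an added example, not code from the guide; it builds that scope from the same inputs the wizard asks for and checks the points a misconfiguration usually gets wrong (a client leased the firewall's own address, or a router or DNS option pointing somewhere other than the firewall). The 192.168.1.0/24 network from the text and the static hosts 192.168.1.10 and 192.168.1.20 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class DhcpScope:
    """The values entered in the New Scope Wizard, kept as address objects."""
    name: str
    network: ipaddress.IPv4Network
    start: ipaddress.IPv4Address
    end: ipaddress.IPv4Address
    exclusions: List[ipaddress.IPv4Address]
    router: ipaddress.IPv4Address               # Router page (DHCP option 003)
    dns_servers: List[ipaddress.IPv4Address]    # DNS Servers page (option 006)
    parent_domain: Optional[str] = None         # Parent domain, only with an AD domain


def plan_scope(network_id: str, subnet_mask: str, firewall_internal_ip: str,
               static_hosts: List[str], parent_domain: Optional[str] = None) -> DhcpScope:
    """Build the scope the guide describes from the wizard's inputs."""
    net = ipaddress.IPv4Network(f"{network_id}/{subnet_mask}")
    fw = ipaddress.IPv4Address(firewall_internal_ip)
    statics = [ipaddress.IPv4Address(s) for s in static_hosts]
    for addr in [fw] + statics:
        if addr not in net:
            raise ValueError(f"{addr} is not on network {net}")
    hosts = list(net.hosts())                    # .1 through .254 for a /24
    return DhcpScope(
        name="SecureNAT Client Scope",
        network=net,
        start=hosts[0],
        end=hosts[-1],
        exclusions=sorted(set([fw] + statics)),  # firewall first, then static servers
        router=fw,                               # default gateway = firewall internal IP
        dns_servers=[fw],                        # DNS = firewall internal IP
        parent_domain=parent_domain,
    )


def assignable_count(scope: DhcpScope) -> int:
    """Number of addresses the server can actually lease from this scope."""
    excluded = set(scope.exclusions)
    return sum(1 for i in range(int(scope.start), int(scope.end) + 1)
               if ipaddress.IPv4Address(i) not in excluded)


def scope_problems(scope: DhcpScope, firewall_internal_ip: str) -> List[str]:
    """Check the scope against the guide's requirements; empty list means it matches."""
    fw = ipaddress.IPv4Address(firewall_internal_ip)
    problems = []
    if scope.start not in scope.network or scope.end not in scope.network:
        problems.append("address range is not inside the scope's network")
    if scope.router != fw:
        problems.append(f"router option {scope.router} is not the firewall's internal address {fw}")
    if scope.dns_servers != [fw]:
        problems.append("DNS server option does not point only at the firewall's internal address")
    if scope.start <= fw <= scope.end and fw not in scope.exclusions:
        problems.append(f"firewall address {fw} is inside the range but not excluded; a client could be leased it")
    if assignable_count(scope) == 0:
        problems.append("no assignable addresses remain in the scope")
    return problems


def misconfigured_example() -> DhcpScope:
    """Constructed bad scope: router points at the external NIC, firewall not excluded."""
    scope = plan_scope("192.168.1.0", "255.255.255.0", "192.168.1.1", ["192.168.1.10"])
    scope.router = ipaddress.IPv4Address("203.0.113.10")
    scope.exclusions = [ipaddress.IPv4Address("192.168.1.10")]
    return scope


if __name__ == "__main__":
    scope = plan_scope("192.168.1.0", "255.255.255.0", "192.168.1.1",
                       ["192.168.1.10", "192.168.1.20"], "corp.example.com")
    print(scope)
    print("assignable:", assignable_count(scope), "problems:", scope_problems(scope, "192.168.1.1"))
    print("bad scope problems:", scope_problems(misconfigured_example(), "192.168.1.1"))
```

Keeping the firewall's internal address inside the range and excluding it, as the guide does, rather than starting the range one address higher, means the exclusion list documents every address that must never be handed out.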

    STEP 4: Installing and Configuring the ISA Server 2000

    The Windows 2000 or Windows Server 2003 computer is now ready for the ISA Server 2000 software. The procedures for installing ISA Server 2000 on Windows 2000 and Windows Server 2003 are similar. However, ISA Server 2000 requires a special update to work properly on Windows Server 2003.

    We will discuss the ISA Server 2000 installation procedures for both Windows 2000 and Windows Server 2003 in this section.

    NOTE:

    These steps are performed differently in Windows 2000 and Windows Server 2003. Go to the section applying to the operating system you’re installing ISA Server 2000 on and follow those steps.

    Installing ISA Server 2000 on Windows 2000

    Perform the following steps to install ISA Server 2000 on the Windows 2000 computer:

    1. Double click on the ISAAutorun.exe file in the ISA Server 2000 share point or allow the ISA Server 2000 CD-ROM to autorun.
    2. Click the Install ISA Server icon on the initial Microsoft ISA Server Setup page.
    3. Click Continue on the Welcome to the Microsoft ISA Server installation program page.
    4. Enter your CD key on the CD Key page and click OK.
    5. Click OK on the page showing your registration number.
    6. Click I Agree on the License Agreement page.
    7. Click the Full Installation button on the Installation Type page.

    8. Click Yes on the dialog box informing that the ISA Server schema has not been installed in the Active Directory.
    9. Select Integrated Mode in the mode type page. Click Continue.

    10. Click OK in the dialog box informing that IIS W3SVC service must be stopped.
    11. On the cache size page, select an NTFS formatted drive and then type 150 in the Cache size (MB) text box. Click Set, then click OK.
    12. Click the Construct Table button on the LAT configuration page.
    13. In the Local Address Table dialog box, remove the checkmark from the Add the following private ranges… checkbox. Confirm that there is a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Put a checkmark in the checkbox next to the internal interface network interface card. Click OK.

    14. Click OK in the Setup Message dialog box that informs you that the LAT was constructed based on the routing table entries on the ISA Server 2000.
    15. Click OK on the LAT configuration page.
    16. Remove the checkmark from the Start ISA Server Getting Started Wizard checkbox and click OK.
    17. Click OK in the dialog box informing that the installation has completed successfully.
    18. The next step is to install ISA Server 2000 Service Pack 1:

    1. From another computer that has Internet access, go to http://www.microsoft.com/isaserver/downloads/default.asp and download ISA Server 2000 Service Pack 1. Scan the download for viruses and copy the file to the ISA Server 2000 firewall computer. (The computer you download the file from can not be behind the ISA Server 2000 firewall because the firewall does not allow access to the Internet yet.)
    2. Double click on the isasp1.exe file.
    3. On the Choose Directory for Extracted Files dialog box, enter C:\ISASP1 in the Choose Directory for Extracted Files text box. Click OK.
    4. Click I Agree in the Microsoft ISA Server 2000 Service Pack dialog box.
    5. Click OK in the dialog box informing that the update was successful and that the system must be restarted.
    6. When the system restarts, download the ISA Server 2000 Feature Pack 1 file isafp1.exe from http://www.microsoft.com/isaserver/downloads/default.asp and scan the file for viruses. Copy the file to the ISA Server 2000 firewall and double click it. (The computer you download the file from can not be behind the ISA Server 2000 firewall because the firewall does not allow access to the Internet yet.)
    7. In the Choose Directory for Extracted Files dialog box, type C:\ISAFP1 in the Choose Directory for Extract Files text box and click OK.
    8. Click I Agree on the License Agreement page.
    9. Remove the checkmark from the Read about ISA Server Feature Pack 1 checkbox and click OK.

    IIS services should be disabled on the firewall for security and performance reasons. Perform the following steps to disable IIS services on the ISA Server 2000 firewall:

    1. Click Start, point to Programs and point to Administrative Tools. Click the Services entry.
    2. Locate the following services in the Services console:

        FTP Publishing Service

        Network News Transport Protocol (NNTP)

        Simple Mail Transport Protocol (SMTP)

        World Wide Web Publishing Service

    3. Perform the following steps for each of these services:

        a. Right click on the service and click Properties.

        b. In the Startup type drop down list, select the Manual entry.

        c. Click the Stop button.

        d. Click Apply and click OK.

    None of these services will start automatically when the ISA Server 2000 firewall machine restarts. The ISA Server 2000 firewall software is now installed and ready to be configured for secure Internet access.

    Installing ISA Server 2000 on Windows Server 2003

    1. Double click on the ISAAutorun.exe file in the ISA Server 2000 share point or allow the ISA Server 2000 CD-ROM to autorun.
    2. Click the Install ISA Server icon on the initial Microsoft ISA Server Setup page.
    3. An ISA 2000 dialog box appears warning that Service Pack 1 is required. Click Continue.
    4. Click Continue on the Welcome to the Microsoft ISA Server installation program page.
    5. Enter your CD key on the CD Key page and click OK.
    6. Click OK on the page showing your Product ID.
    7. Click I Agree on the License Agreement page.
    8. Click the Full Installation button on the Installation Type page.

    9. Click Yes on the dialog box informing you that the ISA Server schema has not been installed in the Active Directory.
    10. Select Integrated Mode in the mode type page. Click Continue.

    11. On the cache size page, select an NTFS formatted drive and then type 150 in the Cache size (MB) text box. Click Set, then click OK.
    12. Click the Construct Table button on the LAT configuration page.
    13. In the Local Address Table dialog box, remove the checkmark from the Add the following private ranges… checkbox. Confirm that there is a checkmark in the Add address ranges based on the Windows 2000 Routing Table checkbox. Put a checkmark in the checkbox next to the internal interface network interface card. Click OK.

    14. Click OK in the Setup Message dialog box that informs you that the LAT was constructed based on the routing table entries on the ISA Server 2000.
    15. Click OK on the LAT configuration page.
    16. Click OK in the Setup Message dialog box warning that the SMTP service is required for the SMTP Message Screener to work correctly.
    17. Remove the checkmark from the Start ISA Server Getting Started Wizard checkbox and click OK.
    18. Click OK in the dialog box informing that the installation has completed successfully.
    19. Click OK in the Setup Warning dialog box informing you that Setup has failed to start one or more services.
    20. The next step is to install ISA Server 2000 Service Pack 1:

      1. Go to http://www.microsoft.com/isaserver/downloads/default.asp and download ISA Server 2000 Service Pack 1. Scan the download for viruses and copy the file to the ISA Server 2000 firewall computer. (The computer you download the file from can not be behind the ISA Server 2000 firewall because the firewall does not allow access to the Internet yet.)
      2. Double click on the isasp1.exe file.
      3. On the Choose Directory for Extracted Files dialog box, enter C:\ISASP1 in the Choose Directory for Extracted Files text box. Click OK.
      4. Click I Agree in the Microsoft ISA Server 2000 Service Pack dialog box.
      5. Click OK in the dialog box informing that the update was successful and that the system must be restarted.
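Step 13 of both installation procedures builds the Local Address Table from the routing table, with only the internal network card ticked and the private-range checkbox cleared. The LAT is what the firewall uses to decide which addresses are internal, so any external range that lands in it is treated as trusted. The Python model below is an added example, not code from the guide or from ISA Server; it mimics "Construct Table" on a constructed routing table (shown in the shape of `route print` output for a firewall with internal NIC 192.168.1.1 and external NIC 203.0.113.10, sample data only) and flags a LAT that contains the external address. Which routing entries the real setup dialog includes is an assumption of the model.

```python
import ipaddress
from typing import Iterable, List, Set, Tuple

Route = Tuple[str, str, str, str]  # destination, netmask, gateway, interface address

# Constructed routing table for a two-NIC firewall (sample data, not from a real host).
SAMPLE_ROUTES: List[Route] = [
    ("0.0.0.0",         "0.0.0.0",         "203.0.113.1",  "203.0.113.10"),  # default route, external NIC
    ("127.0.0.0",       "255.0.0.0",       "127.0.0.1",    "127.0.0.1"),
    ("192.168.1.0",     "255.255.255.0",   "192.168.1.1",  "192.168.1.1"),   # internal subnet
    ("192.168.1.1",     "255.255.255.255", "127.0.0.1",    "127.0.0.1"),
    ("192.168.1.255",   "255.255.255.255", "192.168.1.1",  "192.168.1.1"),
    ("203.0.113.0",     "255.255.255.0",   "203.0.113.10", "203.0.113.10"),  # external subnet
    ("203.0.113.10",    "255.255.255.255", "127.0.0.1",    "127.0.0.1"),
    ("224.0.0.0",       "224.0.0.0",       "192.168.1.1",  "192.168.1.1"),
    ("224.0.0.0",       "224.0.0.0",       "203.0.113.10", "203.0.113.10"),
    ("255.255.255.255", "255.255.255.255", "192.168.1.1",  "192.168.1.1"),
]

# The ranges the "Add the following private ranges..." checkbox would add.
PRIVATE_RANGES = [ipaddress.IPv4Network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MULTICAST_START = ipaddress.IPv4Address("224.0.0.0")


def build_lat(routes: Iterable[Route], selected_interfaces: Set[str],
              add_private_ranges: bool = False) -> List[ipaddress.IPv4Network]:
    """Model of 'Construct Table': subnets routed through the ticked NICs, merged."""
    nets = set()
    for dest, mask, _gateway, iface in routes:
        if iface not in selected_interfaces:
            continue
        net = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        # The default route, multicast and limited broadcast are not local address ranges.
        if net.prefixlen == 0 or net.network_address >= MULTICAST_START:
            continue
        nets.add(net)
    if add_private_ranges:
        nets.update(PRIVATE_RANGES)
    return sorted(ipaddress.collapse_addresses(nets))


def is_local(lat: List[ipaddress.IPv4Network], ip: str) -> bool:
    """True if the firewall would treat ip as an internal (LAT) address."""
    addr = ipaddress.IPv4Address(ip)
    return any(addr in net for net in lat)


def lat_problems(lat: List[ipaddress.IPv4Network], external_ip: str) -> List[str]:
    """Flag LAT entries that cover the external interface address."""
    ext = ipaddress.IPv4Address(external_ip)
    return [f"external address {ext} falls inside LAT entry {net}; Internet-side traffic would be treated as internal"
            for net in lat if ext in net]


if __name__ == "__main__":
    good = build_lat(SAMPLE_ROUTES, {"192.168.1.1"})
    print("LAT (internal NIC only):", [str(n) for n in good], lat_problems(good, "203.0.113.10"))
    both = build_lat(SAMPLE_ROUTES, {"192.168.1.1", "203.0.113.10"})
    print("LAT (both NICs):", [str(n) for n in both], lat_problems(both, "203.0.113.10"))
```

The last case in the test, a LAT built with the private ranges added while the external interface sits on a private address such as a broadband router's LAN, is the situation the cleared checkbox in step 13 avoids.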

      There is a hotfix required to allow all ISA Server 2000 services to work properly in Windows Server 2003. Perform the following steps to install this hotfix:

      1. Go to the http://www.microsoft.com/isaserver/ site and click the link to download required updates for Windows Server 2003. Scan the file for viruses and then copy the isahf255.exe file to the ISA Server 2000 firewall. Double click on the file. (The computer you download the file from can not be behind the ISA Server 2000 firewall because the firewall does not allow access to the Internet yet.)
      2. In the Choose Directory for Extracted Files dialog box, type in C:\isa255 in the Choose Directory For Extract Files text box and click OK.
      3. Click I Agree in the Microsoft ISA Server 2000 Update dialog box.
      4. Click OK in the Microsoft ISA Server 2000 Update Setup dialog box informing that ISA Server 2000 has been successfully updated.

      ISA Server 2000 Feature Pack 1 contains important hotfixes and enhancements. All ISA Server 2000 firewalls should have ISA Server 2000 Feature Pack 1 installed on them. Perform the following steps to install ISA Server 2000 Feature Pack 1:

      1. Download the ISA Server 2000 Feature Pack 1 file isafp1.exe from http://www.microsoft.com/isaserver/downloads/default.asp and scan the file for viruses. Copy the file to the ISA Server 2000 firewall and double click it. (The computer you download the file from can not be behind the ISA Server 2000 firewall because the firewall does not allow access to the Internet yet.)
      2. In the Choose Directory for Extracted Files dialog box, type C:\ISAFP1 in the Choose Directory for Extract Files text box and click OK.
      3. Click I Agree on the License Agreement page.
      4. Remove the checkmark from the Read about ISA Server Feature Pack 1 checkbox and click OK.

      The ISA Server 2000 firewall software is now installed and ready to be configured for secure Internet access.

      Configuring ISA Server 2000

      ISA Server 2000 configuration is the same for both Windows 2000 and Windows Server 2003. From this point onward, the same procedures apply to ISA Server 2000 firewall software installed on both Windows 2000 and Windows Server 2003.

      The goal is to provide Internet access for all the computers on the internal network while protecting the internal network from external intruders. The following procedures ensure internal network computers have the greatest level of Internet access with the best possible performance without requiring more advanced configuration.

      Enabling the DHCP Packet Filter (only for external interfaces using DHCP)

      The ISA Server 2000 firewall has a built-in packet filter that allows the firewall to obtain a non-permanent IP address for cable or DSL connections. This filter does NOT apply to dial-up connections. If your external interface uses DHCP to obtain an IP address, then you must enable the DHCP packet filter. Perform the following steps to enable the DHCP packet filter:

      1. Click Start and point to Programs. Point to Microsoft ISA Server and click the ISA Management entry.
      2. In the ISA Management console, expand the Servers and Arrays node and then expand the server name. Expand the Access Policy node and click on IP Packet Filters.
      3. In the right pane of the ISA Management console you will see the DHCP Client packet filter. This packet filter is disabled by default. You must enable this packet filter to allow the external interface of the ISA Server 2000 firewall to obtain an IP address. Double click on the DHCP Client packet filter. On the General tab, put a checkmark in the Enable checkbox. Click Apply and then click OK.

      4. Open a command prompt window on the ISA Server 2000 firewall computer, type ipconfig /renew and press ENTER. You should be able to successfully renew your IP address.

      Creating an All Open Protocol Rule

      Protocol Rules allow internal network computers access to specific application protocols when connecting to Internet servers. Examples of such protocols include the HTTP protocol that allows you to connect to Web servers and the FTP protocol that allows you to connect to FTP servers. You will create an “All IP Traffic” Protocol Rule that allows your network computers access to all Internet network protocols included in the Protocol Definitions node in the ISA Management console. Perform the following steps to create the Protocol Rule:

        WARNING:

        This configuration allows your network computers to access almost all content available on the Internet. However, there are some Internet applications that require special configuration. If you find that there are Internet applications that do not work for you, please refer to the ISA Server 2000 Resources section for helpful information on solving the problem.

      1. Open the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node and right click on the Protocol Rules node. Point to New and click Rule.
      2. In the Welcome to the New Protocol Rule Wizard page, enter All Open in the Protocol Rule name text box and click Next.
      3. Select the Allow option on the Rule Action page and click Next.
      4. Select the All IP traffic option on the Protocols page and click Next.
      5. Accept the default setting, Always, on the Schedule page and click Next.
      6. Select the Any request option on the Client Type page and click Next.
      7. Click Finish on the Completing the New Protocol Rule Wizard page.

      Enable IP Routing, Enable PPTP Passthrough and Block IP Options

      Enabling IP Routing on the ISA Server 2000 firewall computer significantly increases performance for your internal network computers and also allows them to use PING and connect to Internet VPN servers using the PPTP VPN protocol. Perform the following steps to enable IP Routing:

      1. Open the ISA Management console, expand the Servers and Arrays node and then expand your server name. Expand the Access Policy node and right click on the IP Packet Filters node and click Properties.
      2. On the General tab in the IP Packet Filters Properties dialog box, put a checkmark in the Enable IP routing checkbox.

      3. Click on the Packet Filters tab. Put a checkmark in the Enable filtering of IP options checkbox.
      4. Click the PPTP tab. Put a checkmark in the PPTP through ISA firewall checkbox.

      5. Click Apply and then click OK.

      Disable the HTTP Redirector

      The HTTP Redirector can be used to accelerate Web connections for your network computers. However, the benefits are usually seen in larger networks and the performance overhead may not be acceptable to your organization. You can improve the Web browsing experience by disabling the HTTP Redirector filter.

      NOTE:

      The HTTP Redirector Filter can be very useful once your ISA Server 2000 firewall is configured to support Web caching. This feature requires advanced configuration. You may wish to re-enable the HTTP Redirector later, but at this time you should disable it.

      Perform the following steps to disable the HTTP Redirector Filter:

      1. Open the ISA Management console, expand the Servers and Arrays node, and then expand your server name. Expand the Extensions node and then click the Application Filters node.
      2. In the right pane of the console, double click on the HTTP Redirector Filter entry.
      3. In the HTTP Redirector Filter Properties dialog box, remove the checkmark from the Enable this filter checkbox. Click Apply and then click OK.

      4. In the ISA Server Warning dialog box, select the Save the changes and restart the service(s) option and click OK.

      Configuring a Dial-up Entry (dial-up connections only)

      An ISA Server 2000 firewall computer using a dial-up connection to connect to the Internet requires a Dial-up Entry in the ISA Management console. The Dial-up entry depends on the Dial-up Networking connectoid you configured for your dial-up connection. Perform the following steps to configure the Dial-up entry in the ISA Management console:

      1. Open the ISA Management console, expand the Servers and Arrays node and expand your server name. Expand the Policy Elements node and click on the Dial-up Entries node. Right click the Dial-up Entries node, point to New and click Dial-up Entry.
      2. In the New Dial-up Entry dialog box, type ISP in the Name text box.
      3. Click the Select button. In the Select Network Dial-up Connection dialog box, select the dial-up connectoid you use to connect to your ISP and click OK.
      4. Click the Set Account button. In the Set Account dialog box, type in the user name your ISP has assigned to your dial-up account. Type in the password your ISP has assigned to your account in the Password text box and confirm the password in the Confirm password text box. Click OK.
      5. Click OK in the New Dial-up Entry dialog box.
      6. Right click on the Network Configuration node in the left pane of the ISA Management console and click Properties. In the Network Configuration Properties dialog box, select the Use primary connection option and put a checkmark in the Use dial-up entry checkbox.
      7. Click Apply and then click OK in the Network Configuration Properties dialog box.

      STEP 5: Configuring the Internal Network Computers

      Internal network computers are set up as ISA Server SecureNAT clients. A SecureNAT client requires no client software; it is simply a computer whose default gateway leads to the ISA Server 2000 firewall, either directly (the gateway is the internal IP address of the firewall) or through a router that forwards Internet-bound requests to the internal IP address of the firewall.

      When internal network computers are on the same network ID as the internal interface of the ISA Server 2000 firewall, the default gateway of the internal network computers is the internal IP address of the ISA Server 2000 firewall. This is how the DHCP scope on the DHCP server located on the ISA Server 2000 firewall is configured.

      In this section we configure internal network computers that are on the same network ID as the internal interface of the ISA Server 2000 firewall, and then computers that sit on other network IDs behind a router. The latter configuration is more common on larger networks that have more than one network ID on the internal network.

      NOTE:

      The “network ID” is part of the IP address. Network IDs are part of advanced TCP/IP networking concepts. Most small networks have only one Network ID and you do not need to be concerned about knowing your network ID. If you have a router anywhere behind the ISA Server 2000 computer, then you need to understand network IDs. Please refer to the resources listed in the ISA Server 2000 Resources section for help with network IDs if you find you need more information on this issue.

      Configuring Internal Clients as DHCP Clients

      Internal network clients should be configured as DHCP clients. A DHCP client requests its IP addressing information from a DHCP server. In this section you will see how to configure a Windows 2000 client as a DHCP client; the procedure is similar for all Windows-based clients. Perform the following steps to configure an internal network client as a DHCP client:

      1. Right click on the My Network Places icon on the desktop and click the Properties command.
      2. In the Network and Dial-up Connections window, right click on the connection for the internal network (usually Local Area Connection) and click the Properties command.
      3. In the connection's Properties dialog box, click the Internet Protocol (TCP/IP) entry and then click the Properties button.
      4. In the Internet Protocol (TCP/IP) Properties dialog box, select the Obtain an IP address automatically option.
      5. Select the Use the following DNS server addresses option. Enter the IP address of the internal interface of the ISA Server 2000 firewall in the Preferred DNS server text box. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
      6. Click OK in the connection's Properties dialog box.

      Configuring DHCP Clients on Remote Internal Networks

      DHCP clients on remote networks are computers that have a router (or layer 3 switch) separating them from the internal interface of the ISA Server 2000 firewall. DHCP clients on these remote networks cannot contact the DHCP server located on the ISA Server 2000 firewall, because DHCP requests are broadcasts and routers do not forward broadcasts by default. Most routers allow you to configure them to forward these requests to a specific address using a feature variously described as "IP Helper", "BOOTP relay" or "DHCP relay". Check your router documentation for detailed procedures on how to relay DHCP requests from clients on remote networks to the internal interface of the ISA Server 2000 firewall computer.
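The placement rules in STEP 5 can be checked mechanically. The script below is an added example, not code from the Quick Start Guide: given a client's address, mask, default gateway and preferred DNS server, it applies the guide's rules (a client on the firewall's network ID must use the firewall's internal address as its gateway; a client on a remote network ID must use its local router, which is then responsible for forwarding to the firewall; every client points its preferred DNS server at the caching-only DNS server on the firewall's internal interface). The firewall address 192.168.1.1/24 and the five sample clients are constructed.

```python
"""SecureNAT client placement check for ISA Server 2000.

Added example, not code from the Quick Start Guide.  The firewall's internal
address and the sample clients are constructed; the rules are those of STEP 5.
"""
from ipaddress import ip_address, ip_interface

# Assumed (constructed) internal interface of the ISA Server 2000 firewall.
ISA_INTERNAL = ip_interface("192.168.1.1/24")


def check_securenat_client(ip, mask, gateway, dns, isa_internal=ISA_INTERNAL):
    """Return a list of configuration problems for one client (empty list = OK)."""
    problems = []
    if ip == "0.0.0.0":
        # What a DHCP client shows when no DHCP server answered (see remote networks above).
        return ["no address obtained: the client cannot reach the DHCP server on the firewall"]
    client = ip_interface(f"{ip}/{mask}")
    if client.ip == isa_internal.ip:
        problems.append(f"client address {client.ip} duplicates the firewall's internal address")

    if not gateway:
        problems.append("no default gateway: Internet-bound requests have nowhere to go")
    else:
        gw = ip_address(gateway)
        if gw not in client.network:
            # Catches a remote client pointed straight at the firewall instead of its router.
            problems.append(f"default gateway {gw} is not on the client's network ID {client.network}")
        elif client.network == isa_internal.network and gw != isa_internal.ip:
            problems.append(f"same network ID as the firewall: gateway must be {isa_internal.ip}, not {gw}")

    # SecureNAT clients resolve names through the firewall's caching-only DNS server.
    if not dns or ip_address(dns) != isa_internal.ip:
        problems.append(f"preferred DNS server should be the firewall's internal address {isa_internal.ip}")
    return problems


def check_all(clients, isa_internal=ISA_INTERNAL):
    """Run the check over (name, ip, mask, gateway, dns) tuples; return {name: problems}."""
    return {name: check_securenat_client(ip, mask, gw, dns, isa_internal)
            for name, ip, mask, gw, dns in clients}


# Constructed sample clients: two correct ones and three common mistakes.
SAMPLE_CLIENTS = [
    ("pc1 (same network ID)",          "192.168.1.50", "255.255.255.0", "192.168.1.1",   "192.168.1.1"),
    ("pc2 (behind a router)",          "192.168.2.20", "255.255.255.0", "192.168.2.254", "192.168.1.1"),
    ("pc3 (gateway is not firewall)",  "192.168.1.51", "255.255.255.0", "192.168.1.254", "192.168.1.1"),
    ("pc4 (remote, gateway=firewall)", "192.168.2.21", "255.255.255.0", "192.168.1.1",   "192.168.1.1"),
    ("pc5 (DNS points at ISP)",        "192.168.1.52", "255.255.255.0", "192.168.1.1",   "24.0.0.53"),
]

if __name__ == "__main__":
    for name, problems in check_all(SAMPLE_CLIENTS).items():
        print(f"{name}: {'OK' if not problems else '; '.join(problems)}")
```

The network-ID comparison is what decides which rule applies, which is why the NOTE above says you only need to care about network IDs once a router sits behind the firewall: pc2 is correct with a router as its gateway, while pc4, on the same remote network, is wrong because the firewall's internal address is not reachable from that network ID directly.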

      Troubleshooting

      The procedures described in this Quick Start Guide are designed to provide a quick and reliable method for creating a secure firewall configuration while allowing a rich Internet experience for internal network clients. However, there are some common problems you may encounter which are related to the type of Internet connection you use on the external interface of the ISA Server 2000 firewall.

      Troubleshooting Cable Connections

      Cable modem connections with non-permanent IP addresses on the external interface of the ISA Server 2000 firewall computer usually work fine when the DHCP Client packet filter is enabled. However, some cable providers use variants of the DHCP protocol that do not work correctly with the ISA Server 2000 firewall’s DHCP Client packet filter.

      If you find that the connection to the Internet stops working after it has been functional for a period of time, perform the following steps to confirm the problem:

      1. Open a command prompt, type ipconfig /all and press ENTER.
      2. If the IP address shown for the external interface is 0.0.0.0, the ISA Server 2000 firewall was not able to renew its DHCP lease because the cable company is using an incompatible DHCP method.
      3. Close the command prompt window.

      If you encounter this problem, you have two choices:

      • Put a cable router in front of the ISA Server firewall and use an Ethernet connection on the external interface of the ISA Server 2000 firewall computer. Configure the external interface of the ISA Server 2000 firewall to use the internal IP address of the cable router as its default gateway. The cable router then handles the DHCP lease with the cable company and the firewall's external interface keeps a permanent IP address.
      • Use a script that disables the ISA Server services and renews the firewall's IP address on a periodic basis. You can download the script from the www.isatools.org site at http://www.isatools.org/ISA_IP_Refresh.vbs. Schedule this script to run at an interval of less than half the lease period used by the cable network's DHCP server; half the lease is the point at which the firewall itself would first try, and fail, to renew. You can determine the lease period from the Lease Obtained and Lease Expires lines in the output of the ipconfig /all command.
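Both halves of this procedure, recognising the failed renewal and sizing the refresh interval, can be done from the text of ipconfig /all. The script below is an added example, not the isatools.org refresh script and not code from the Quick Start Guide: it parses two constructed captures in the Windows 2000 English-locale layout, one taken while the connection worked (which carries the Lease Obtained and Lease Expires lines) and one taken after the failure, flags a DHCP-enabled adapter that holds 0.0.0.0, and derives a schedule interval that stays under half the lease. The adapter name External is an assumption.

```python
"""Failed-renewal detection and refresh-interval sizing from 'ipconfig /all'.

Added example, not code from the Quick Start Guide or from isatools.org.
Both captures below are constructed; the adapter name 'External' is assumed.
"""
import re
from datetime import datetime

# Constructed capture taken while the cable connection was working.
SAMPLE_WORKING = """\
Windows 2000 IP Configuration

        Host Name . . . . . . . . . . . . : isa

Ethernet adapter External:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 24.0.0.77
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 24.0.0.1
        DHCP Server . . . . . . . . . . . : 24.0.0.1
        DNS Servers . . . . . . . . . . . : 24.0.0.53
                                            24.0.0.54
        Lease Obtained. . . . . . . . . . : Tuesday, March 02, 2004 8:00:00 AM
        Lease Expires . . . . . . . . . . : Tuesday, March 02, 2004 8:00:00 PM

Ethernet adapter Internal:

        DHCP Enabled. . . . . . . . . . . : No
        IP Address. . . . . . . . . . . . : 192.168.1.1
"""

# Constructed capture taken after the renewal failed.
SAMPLE_FAILED = """\
Ethernet adapter External:

        DHCP Enabled. . . . . . . . . . . : Yes
        IP Address. . . . . . . . . . . . : 0.0.0.0
        Subnet Mask . . . . . . . . . . . : 0.0.0.0
        Default Gateway . . . . . . . . . :
"""

ADAPTER_RE = re.compile(r"^\S.*?adapter (.+):$")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z \-]*?)[ .]*: ?(.*)$")
LEASE_FMT = "%A, %B %d, %Y %I:%M:%S %p"   # ipconfig timestamp, English locale


def parse_ipconfig(text):
    """Return {adapter name: {field: [values]}} from 'ipconfig /all' output."""
    adapters, fields, last = {}, None, None
    for line in text.splitlines():
        m = ADAPTER_RE.match(line)
        if m:
            fields = adapters.setdefault(m.group(1), {})
            last = None
            continue
        if fields is None:
            continue                              # global header before the first adapter
        m = FIELD_RE.match(line)
        if m:
            last = m.group(1).strip()
            fields.setdefault(last, [])
            if m.group(2).strip():
                fields[last].append(m.group(2).strip())
        elif line.strip() and last:
            fields[last].append(line.strip())     # continuation line (second DNS server)
    return adapters


def renewal_failed(fields):
    """True when a DHCP-enabled adapter holds no usable address: the lease was not renewed."""
    live = [a for a in fields.get("IP Address", []) if a != "0.0.0.0"]
    return fields.get("DHCP Enabled") == ["Yes"] and not live


def lease_minutes(fields):
    """Lease length in minutes from Lease Obtained/Lease Expires, or None if absent."""
    try:
        obtained = datetime.strptime(fields["Lease Obtained"][0], LEASE_FMT)
        expires = datetime.strptime(fields["Lease Expires"][0], LEASE_FMT)
    except (KeyError, IndexError, ValueError):
        return None
    return int((expires - obtained).total_seconds() // 60)


def refresh_interval_minutes(fields):
    """Schedule interval: a quarter of the lease, safely under the half-lease point."""
    lease = lease_minutes(fields)
    return None if lease is None else max(1, lease // 4)


def diagnose(text, adapter="External"):
    """Combine the checks for one adapter of an 'ipconfig /all' capture."""
    fields = parse_ipconfig(text).get(adapter)
    if fields is None:
        return {"error": f"adapter {adapter!r} not found"}
    return {"renewal_failed": renewal_failed(fields),
            "lease_minutes": lease_minutes(fields),
            "refresh_interval_minutes": refresh_interval_minutes(fields)}


if __name__ == "__main__":
    print(diagnose(SAMPLE_WORKING))
    print(diagnose(SAMPLE_FAILED))
```

A quarter of the lease is used rather than "just under half" so that a scheduled run that starts late or takes a while still completes before the firewall's own renewal attempt. The timestamp format follows the English locale; on a system with another locale the Lease lines will need a matching format string.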

      Troubleshooting DSL Connections

      DSL connections using ATM routers almost never introduce problems for ISA Server 2000 firewalls. However, there are often issues with using a PPPoE dial-up connectoid. The most common issue is related to the MTU (Maximum Transmission Unit) setting on the clients and server: the PPPoE header takes 8 bytes out of each Ethernet frame, so the usual 1500-byte MTU no longer fits. You can learn more about the problem and how to fix it at http://www.isaserver.org/tutorials/ISA_Server_2000_and_DSL_by_David_Fosbenner.html 

      If you prefer not to change the MTU settings on all your computers, you can put a DSL router that terminates the PPPoE session itself in front of the ISA Server firewall and use an Ethernet connection on the external interface of the ISA Server 2000 firewall computer. Configure the external interface of the ISA Server 2000 firewall to use the internal IP address of the DSL router as its default gateway. This configuration allows the ISA Server 2000 firewall to have a permanent IP address on its external interface.

      Troubleshooting Name Resolution

      Your caching-only DNS server on the ISA Server 2000 firewall handles all Internet name resolution. This caching-only DNS server is configured to use your ISP's DNS server as a forwarder. If you can reach Web sites by IP address but not by name, the problem may be with your ISP's DNS server. To test this, remove the forwarder you set when you configured the caching-only DNS server and allow your DNS server to perform recursion on its own, resolving names from the Internet root servers. If disabling the forwarder fixes the problem, contact your ISP to find out whether their DNS server is having problems or whether its IP address has changed.

      ISA Server 2000 Resources

      Congratulations! If you have completed all the procedures in this Quick Start Guide, your network is protected from Internet intruders and your computers can connect to the Internet. When you're comfortable with your new ISA Server 2000 firewall, you might want to learn more about advanced firewall configuration options. Advanced configuration allows you to:

      • Make the ISA Server 2000 firewall a VPN server, allowing you to connect to your network from any location in the world
      • Publish your Exchange Server so that you can use the full Outlook 2000, Outlook 2002 or Outlook 2003 email client from any location in the world
      • Publish your Exchange Outlook Web Access site so that you can connect to Outlook Web Access from any location in the world
      • Control which Internet sites users on your network can access
      • And much more…

      The following is a list of useful resources that will help you configure the ISA Server 2000 firewall's advanced options:

      The ISA Server 2000 Help File

      The first place to look for Help is the ISA Server 2000 Help File. The Help file contains a wealth of information on almost every component and feature included with ISA Server 2000 firewalls. Check the Help File first to see if it has the information you need.

      The Microsoft ISA Server 2000 Web Site

      The official Microsoft ISA Server 2000 Web site is located at www.microsoft.com/isaserver. Visit this site regularly for information about ISA Server 2000 and new documents that help make setting up and maintaining your ISA Server 2000 firewall even easier.

      The Microsoft ISA Server 2000 Discussion Groups

      The Microsoft discussion groups are a place you can go to read about the experiences of other ISA Server 2000 firewall owners. You can also ask questions of other ISA Server 2000 firewall owners. There are a number of people on these groups who help ISA Server 2000 firewall owners, and some of them are Microsoft Most Valuable Professionals, a designation given to people who are ISA Server 2000 firewall experts. Visit the official Microsoft discussion groups at http://www.microsoft.com/isaserver/community/newsgroups/default.asp 

      The ISAServer.org Web Site

      ISAServer.org is an independent Web site dedicated to the ISA Server firewall community. The ISAServer.org site has hundreds of articles on ISA Server firewall configuration, maintenance and management. The discussion boards there are very active and some of the foremost ISA Server firewall experts in the world are regular attendees of this highly interactive site. Visit the site at www.isaserver.org 

      Configuring ISA Server 2000 by Dr. Thomas Shinder

      Configuring ISA Server by Dr. Thomas Shinder is the best selling book on installing and configuring ISA Server 2000. This book helps you understand how ISA Server 2000 firewalls work and how to configure them. Novice ISA Server 2000 firewall users will benefit most from this book.

      Dr. Tom Shinder’s ISA Server and Beyond

      Dr. Tom Shinder’s ISA Server and Beyond is for the experienced ISA Server 2000 firewall administrator. This book provides detailed information on configuring ISA Server 2000-based DMZs, such as trihomed and back to back DMZ segments. There is also detailed information on how to place an Exchange Server on the ISA Server 2000 firewall, for those ISA Server 2000 owners who must run Microsoft Exchange on the firewall computer.

      Microsoft Internet Security and Acceleration Server 2000 Administrator’s Pocket Reference Guide

      This book by Bud Ratliff and Jason Ballard provides hundreds of focused step by step procedures for common ISA Server 2000 related tasks. Experienced ISA Server 2000 administrators will find this book a great "peripheral brain" that reminds them how to perform ISA Server 2000 related tasks that they haven't performed for a while or have never performed.

      Reprinted with Permission from Microsoft.

      I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=011216 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
