MCSE ISA Server 2000 Document - P4


Part I INSTALLATION AND UPGRADE
Chapter 2 PLAN BEFORE ACTING: PREINSTALLATION ACTIVITIES

You need to know or arrange for name resolution for these servers, either by hosting your own DNS servers or by outsourcing name resolution to your ISP. If you will be managing your own DNS servers for purposes of Internet name resolution, be sure that you have taken the appropriate steps to establish those DNS servers' connectivity with the Internet.

Establishing a Connection

After you have configured the Windows 2000 server on which you will be installing ISA Server, test Internet connectivity. You may be able to ping your ISP's router from the server, or request that the ISP provide you with other tools or evidence of connectivity.

Verify Name Resolution

Verify DNS name resolution. Finally, use a browser to test name resolution to the Internet. From a browser on the Windows 2000 server, enter a Web site URL. If the home page is loaded, you are successfully reaching the Internet and DNS is providing name resolution.

Routing rules on the ISA Server will configure and secure routing between the external network and servers on the internal network. If the ISA Server IP address is registered in an external DNS server, you should test name resolution from the Internet to the ISA server. Although the ISA server is not yet installed and configured to forward requests to internally published servers, you can verify that the server URL is resolving to the address of the ISA Server.

CHAPTER SUMMARY

Computer spec'd, configured, and installed? Internet connectivity established and tested? Preparations for a smooth transfer locked and loaded? This chapter detailed the steps to do so. Head on to the next chapter to install ISA.

KEY TERMS
• Identd
• Schema Admin
• Enterprise Admin
• Internet Connection Sharing
• IPSec
• L2TP
• SNMP
• Computer browser service
• Fax service
• License logging service
• Distributed file system service
• Distributed link tracking service
• SMTP service

APPLY YOUR KNOWLEDGE

Exercises

2.1 Install and Configure Windows 2000

As this chapter emphasized, there are several steps to take prior to installing ISA Server. You will want to follow the recommendations detailed in this chapter to set up Windows 2000 to serve as the ISA Server host. Don't forget to verify network and Internet connectivity. You might want to scan ahead to the exercises in Chapter 3 and prepare more than one server in order to be ready for those tasks.

Estimated Time: 60 minutes

1. Install Windows 2000 Server or Advanced Server and apply Service Pack 1 (or current service pack).
2. Apply any recommended hotfixes.
3. Configure networking using recommendations from this chapter.
4. Verify network connectivity.
5. Verify Internet name resolution.

Review Questions

1. Why should you disable unnecessary services?
2. What will be the impact of disabling File Sharing on the external network card?
3. Should RRAS be configured on the ISA Server computer?
4. You can select RAID for the ISA Server. How will you use it?
5. You want to provide an IPSec/L2TP VPN tunnel on the ISA Server. Management speculates that this will produce a bottleneck. What will you say?

Exam Questions

1. The following services should be enabled on the Windows 2000 server which will host the ISA Server. (The message screener option is required.) Choose two correct answers.
A. World Wide Web
B. SMTP
C. Telephony
D. Computer browser

2. The following steps should be taken prior to installing ISA Server. Choose two correct answers.
A. Install Windows 2000/SP1.
B. Join the Windows 2000 server to a Windows 2000 domain.
C. Test network connectivity.
D. Configure the network cards via either DHCP or static IP addresses.

3. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.
Required Result: The ISA Server computer will provide firewall and server hosting services.
Optional Desired Results: The ISA Server will be part of a centrally managed array of ISA Servers. The ISA Server will provide Web caching services.
Proposed Solution: Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The external network card is configured with an Internet addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the FAT file system. Recommended services are disabled or available and working as prescribed.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

4. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.
Required Result: The ISA Server computer will provide firewall and server hosting services.
Optional Desired Results: The ISA Server will be part of a centrally managed array of ISA Servers. The ISA Server will provide Web caching services.
Proposed Solution: Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The server is joined to a Windows 2000 domain. The external network card is configured with an Internet addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the FAT file system. Recommended services are disabled or available and working as prescribed.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

5. The ABCD Company is preparing a Windows 2000 computer for the installation of ISA Server on its network.
Required Result: The ISA Server computer will provide firewall and server hosting services.
Optional Desired Results: The ISA Server will be part of a centrally managed array of ISA Servers. The ISA Server will provide Web caching services.
Proposed Solution: Service Pack 1 for Windows 2000 is applied to the Windows 2000 standalone server. The server is joined to a Windows 2000 domain. The external network card is configured with an Internet addressable static IP address. Connectivity with the Internet and the internal network is tested. Hard drives are formatted with the NTFS file system. Recommended services are disabled or available and working as prescribed.
Evaluation of Proposed Solution: Which result(s) does the proposed solution produce?
A. The proposed solution produces the required result but neither of the optional results.
B. The proposed solution produces the required result and one of the optional results.
C. The proposed solution produces the required result and both of the optional results.
D. The proposed solution does not produce the required result.

6. Figure 2.5 represents the disk arrangement on computer A. Which of the following hard disk arrangements would be preferable for an ISA Server computer?
A. Operating System on C, ISA on D, Logs on E.
B. Operating System on C, ISA on F, Cache on G, Logs on D.
C. Operating System on C, ISA on C, Cache on F, Logs on G.
D. Operating System on D, ISA on C, Cache on E, Logs on G.

FIGURE 2.5 Disk drive selection.
Disk 0: (C:) NTFS, (D:) NTFS, (E:) NTFS
Disk 1: (F:) NTFS
Disk 2: (G:) NTFS

Answers to Review Questions

1. Removing unnecessary services improves efficiency and reduces the possibility of successful attack. Every additional service has its own vulnerabilities. See the section, “Interoperation with and Requirements for Other Services.”

2. Disabling File Sharing on an external network card will prevent external connection to the file system of the ISA server. If an external client can connect directly to the ISA Server file system, there is a possibility that damage could be done to the server or the network it protects. See the section “TCP/IP Network Card Configuration.”

3. The RRAS service is compatible with ISA; in fact, ISA extends this service. However, the ISA Server services should be used to create Virtual Private Networks and to provide remote connectivity and packet filtering features. Network address translation should be configured in ISA. The Internet Connection Sharing service should not be configured on the ISA Server. See the section, “Interoperation with and Requirements for Other Services.”

4. Configure RAID level 1 (mirror) for the operating system partition to provide redundancy. Configure RAID level 5 (striping with parity) for the logs to provide increased read performance. See the section, “Hard Disk Requirements.”

5. Special network cards are available which can offload the IPSec encryption to their onboard processors. Card manufacturers' test results show excellent throughput when these cards are used. IPSec/L2TP VPNs are more secure. See the section, “Additional Hardware Requirements for VPNs.”

Answers to Exam Questions

1. B, C. SMTP is necessary prior to the installation of the message screener service. The firewall and Web proxy services are dependent on the Telephony service. A is incorrect. While you can install IIS on the ISA Server computer, it is not necessary. D is incorrect. This service is not necessary. See the sections, “Windows 2000 Installation and Configuration,” and “Interoperation with and Requirement for Other Services.”

2. A, C. Service Pack 1 is required. Network connectivity should be tested. B is wrong. Although you may want to join the Windows 2000 server to a Windows 2000 domain, it is not necessary unless you require Active Directory integration. D is wrong. You should not configure the network cards via DHCP. See the sections, “Windows 2000 Installation and Configuration” and “TCP/IP Network Card Configuration.”

3. A. Although the server may require additional steps to make it a more secure firewall, there is nothing in the initial configuration that will prevent ISA Server from installing and being configured to provide firewall services. However, the two optional results cannot be met. First, because the ISA server is not a member server in a Windows 2000 domain, centralized management of an array of ISA servers cannot be accomplished. Second, because the file system is FAT, Web caching services cannot be configured. See the sections, “Making Hardware Choices,” and “Windows 2000 Installation and Configuration.”

4. B. Now that the computer is joined to a domain, Active Directory Schema modification and the installation of ISA Server in an array can be accomplished. However, Web caching services cannot be provided until NTFS formatted disk space is available. See the sections, “Making Hardware Choices,” and “Windows 2000 Installation and Configuration.”

5. C. Now all requirements are met. See the sections, “Making Hardware Choices,” and “Windows 2000 Installation and Configuration.”

6. C. Placing the operating system on a drive separate from the cache or logs provides a greater chance of recovery. No other configuration here does that. See the section, “Hard Disks.”

Suggested Readings and Resources

1. Information on licensing and pricing at http://www.microsoft.com/isaserver/productinfo/pricing.htm.
2. Deployment of ISA Server at Microsoft: Planning, Deploying and Lessons Learned at http://www.microsoft.com/isaserver/techinfo/itgdeploy.htm.
3. Lee, Thomas, Microsoft Windows 2000 TCP/IP Protocols and Services Technical Services. Microsoft Press, 2000.
4. Liu, Cricket, et al., DNS and BIND. O’Reilly & Associates, Third Edition, 1998, ISBN: 1565925122.

CHAPTER 3
Installing ISA Server

OBJECTIVES

This chapter covers the following Microsoft-specified objectives for the Installing ISA Server section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:

Install ISA Server.
Installation modes include integrated, firewall, and cache.
• Construct and modify the Local Address Table (LAT).
• Calculate the size of and configure the cache.

There are two versions of ISA Server:
• Standard. This version can only be installed on a standalone or member server. It cannot be part of an array.
• Enterprise. The Enterprise edition can be part of an array and take advantage of the Active Directory to share policies.

Each version can be installed in one of three modes:
• Firewall. ISA Server will be a dedicated firewall.
• Caching Server. ISA Server will be a caching server. Requests from the private network for access to public network services are filtered through ISA server’s rules and policies. Approved requests (unless they are SSL or HTTPS or otherwise configured) will be cached on the ISA Server. Subsequent approved requests for this material are served from the ISA Server. Additional access to the Internet is not necessary. In caching mode, the ISA server can also be configured to forward requests from the public network to Web servers on the private network. The requested pages can be cached on ISA Server and served to the public network.
• Integrated. In integrated mode, ISA Server is both a firewall and a caching server.

In addition to the preinstallation determinations, you must understand how the ISA Server is to be used, and configure two major parameters during installation. These parameters are the local LAT and the cache. When ISA Server is used as a caching server, the size of the cache will have important implications for performance and operation. In the firewall mode, the LAT, or Local Address Table, defines for ISA server which TCP/IP addresses are considered to be on its local or private network, and which subnets are considered to be on the public network. Improper LAT configuration can prevent access to the private network from the local network. More importantly, it can be a severe security liability allowing penetration of the private network from the public network.

Troubleshoot problems that occur during setup.
• No installation process is without possibility for failure. While the ISA Server installation process is relatively smooth and easy, there are areas where possible problems can occur. Many of the problems can be avoided if the installer is aware of the problem areas. Many of the installation failures can be corrected with the proper application of knowledge.

OUTLINE

Introduction
Installation Processes Common to Several Configurations
Constructing and Modifying the Local Address Table (LAT)
LAT Problems
Configuring the LAT
Configuring the Cache
Cache Placement
Calculating Cache Size
Allocation of Memory for Caching
Installing ISA Server
Installation Defaults
Standard Edition Generic Instructions
Enterprise Edition
Installing the ISA Server Schema in the Active Directory
Install ISA Server Enterprise Edition
Firewall/Integrated Mode: Configuring the LAT
Integrated/Caching Mode—Configuring the Cache
Unattended Setup
Installing Additional ISA Servers in an Array
Troubleshooting the Installation
Failed Installation
Can’t Install in Existing Array
Installation Fails to Complete—You Cannot Run the Uninstall Program
Was Installation Successful?
Verification Process
Event ID 14111 The ISA Server Cache Could Not Start

[...]
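The LAT objective above names two failure modes: public addresses listed as local (a security liability) and internal subnets left out (lost access). The following is an added example, not taken from the book or from ISA Server, that audits a proposed LAT before setup; it assumes LAT entries are inclusive from-to IPv4 ranges and that the internal network uses RFC 1918 or link-local addressing, and `audit_lat` and all sample addresses are constructed for illustration.

```python
import ipaddress

# Blocks assumed to be the only legitimate LAT contents in this example:
# RFC 1918 private space plus link-local. ipaddress.is_private is not used
# because it also accepts reserved blocks that are not internal addressing.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def audit_lat(lat_ranges, internal_subnets, external_ip):
    """Return (severity, message) findings for a proposed LAT.

    lat_ranges: inclusive (first, last) IPv4 string pairs (assumed format).
    internal_subnets: CIDR strings reachable through the internal NIC.
    external_ip: address bound to the external NIC.
    """
    findings, covered = [], []
    ext = ipaddress.ip_address(external_ip)
    for first_s, last_s in lat_ranges:
        first = ipaddress.ip_address(first_s)
        last = ipaddress.ip_address(last_s)
        label = f"{first_s}-{last_s}"
        if first > last:
            findings.append(("error", f"{label}: range is reversed"))
            continue
        covered.extend(ipaddress.summarize_address_range(first, last))
        # The external interface must never be considered local.
        if first <= ext <= last:
            findings.append(
                ("critical", f"{label}: contains the external interface {ext}"))
        # A range is acceptable only if it sits wholly inside one private block.
        if not any(first in net and last in net for net in PRIVATE_NETS):
            findings.append(
                ("critical", f"{label}: includes public addresses; "
                             "those hosts would be treated as internal"))
    # Merge adjacent ranges so a subnet split across two entries still counts.
    merged = list(ipaddress.collapse_addresses(covered))
    for cidr in internal_subnets:
        subnet = ipaddress.ip_network(cidr)
        if not any(subnet.subnet_of(block) for block in merged):
            findings.append(
                ("warning", f"{cidr}: internal subnet missing from the LAT; "
                            "its hosts would be treated as external"))
    return findings


# Constructed sample data (private and documentation addresses only).
INTERNAL = ["192.168.1.0/24", "192.168.2.0/24"]
EXTERNAL_IP = "203.0.113.10"
BAD_LAT = [("192.168.1.0", "192.168.1.255"), ("203.0.113.0", "203.0.113.255")]
GOOD_LAT = [("192.168.1.0", "192.168.1.127"),
            ("192.168.1.128", "192.168.2.255")]

if __name__ == "__main__":
    for name, lat in (("BAD_LAT", BAD_LAT), ("GOOD_LAT", GOOD_LAT)):
        print(name)
        results = audit_lat(lat, INTERNAL, EXTERNAL_IP)
        for severity, message in results or [("ok", "no findings")]:
            print(f"  [{severity}] {message}")
```

A site that deliberately uses public addressing on its internal network would need those blocks added to `PRIVATE_NETS` before the audit is meaningful.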
... two parts:
• ISA Server Enterprise Initialization
• Installing the ISA Server

In order to install the Enterprise edition and incorporate the ISA server in arrays, the ISA Server classes and attributes must be added to the Active Directory. A separate process, the ISA Server Enterprise Initialization, is used for this. After successful completion of this schema modification, the ISA installation...

FIGURE 3.3 Enterprise initialization.

... can install ISA Server arrays and servers within them. Step by Step 3.4 provides the details.

STEP BY STEP 3.4 Installing ISA Server Enterprise Edition, Generic Instructions
1. Select Install ISA Server.
2. The Microsoft ISA Server (Enterprise...

... arrays in this forest.

STEP BY STEP 3.3 Adding ISA Modifications to the Active Directory Schema
1. Update Windows 2000 to the current service pack (currently at least Service Pack 1).
2. From the Microsoft ISA Server Setup screen, select Run ISA Server Enterprise Installation
   or
   From the command line, type Path\isa\i386\msisaent.exe
   Path is the path to the ISA Server installation files (either the CD-ROM or...

... concentrates on the actual ISA Server installation steps. Because there are two versions of ISA Server, and three modes, six possible scenarios exist. You should know how all of them work. Although client issues are covered in another chapter, you should be aware that none of the six scenarios impact whether non-Microsoft clients can benefit from the introduction of an ISA Server. The ISA Server must be installed...

... Microsoft ISA Server Enterprise Edition must be used to install ISA Server arrays. The first server installed creates an array if the decision is made to integrate the server with the Active Directory and the Active Directory schema modifications have been made. (The Enterprise edition of ISA server can also be installed as a standalone server.) Subsequent servers can join this array, or create additional arrays...

... size, the ISA Server documentation provides specific requirements as listed in Table 3.2 for forward caching. This information will help you plan ISA Server arrays by recognizing the appropriate requirements for computer hardware, RAM, and cache size. The best information will be information collected by monitoring your current configuration over time and applying this information to tune your ISA Servers...

... while Setup installs ISA Server classes and properties in Active Directory. This may take several minutes message appears until the process is complete (see Figure 3.6). The Cancel button allows exiting the installation process.
7. The ISA Enterprise Initialization Tool successfully imported the ISA Server schema into Active Directory … message appears (see Figure 3.7). Click OK.

Install ISA Server Enterprise...

... installing additional array members, uninstalling ISA Server, and unattended setup. Table 3.3 displays the important installation choices allowed by the various versions and modes of ISA Server.

TABLE 3.3 ISA SERVER INSTALLATION CHOICES
Mode | Standard | Enterprise
Caching | Single server, no Active Directory | Must have Active Directory in order to place servers in an array and utilize Enterprise...

... Server (Enterprise Edition) Setup Welcome window appears. Click Continue.
3. In the Microsoft ISA Server (Enterprise Edition) window, enter the 10-digit CD key and click OK. The number should be on a sticker on the back of the CD case. (The ISA server license allows installation on a single server. For each additional ISA Server, you will need an additional license.)

FIGURE 3.7 Completion window and warning.

4...

... Multiple Internet requests for objects can obtain them from the network-based caching server.
Integrated | Secure network communications with rules. Publish internal servers. Cache.

EXAM: ISA Listens at Port 8080
ISA Server listens for client requests on port 8080. (It listens for Web server requests on port 80.) If an IIS Server is present on the same machine and has not been configured to use different ports, ...

Date posted: 24/12/2013, 19:15
