Chapter 3 INSTALLING ISA SERVICE 93 The process is simple and is detailed in Step by Step 3.8. STEP BY STEP 3.8 Installing Additional ISA Servers in the ISA Server Array 1. If the Windows 2000 Server is not joined in the domain, then join it. 2. Start the ISA setup program. 3. Click Continue at the Welcome screen. 4. Enter the CD key and click OK. 5. Setup searches for installed components and then presents the EULA screen. Select I Agree. 6. Select Custom. 7. Verify that the options required have been selected or des- elected; for example, you might not want the administra- tion program to be applied to every installation in the array. 8. Select Continue. 9. The message box, Do you want to install ISA Server as an array member? appears. If you do not, select Yes and the ISA server will be installed as a standalone server. Select Yes. 10. The installation program searches for arrays and displays the names of the arrays it finds. 11. Select the array to join and click OK (see Figure 3.15). 12. Select the drive and size of the cache and click OK. 13. A progress window indicates that setup is registering COM objects and then starting the services. Files are copied and a final window indicating successful setup is presented. Click OK. NOTE Don’t Confuse It! You should not attempt to install more than one server in an array at a time; that is, complete the installation of a server in an array before starting the installa- tion of another server into the same array. FIGURE 3.15 Selecting the array. 05 mcse CH03 6/5/01 11:57 AM Page 93 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 94 Part I INSTALLATION AND UPGRADE . Two versions of ISA Server are available: Standard (standalone) and Enterprise. . Three modes of installation are available for either version: Caching, Firewall, and Integrated. . By default, all clients are allowed access to all content on all sites at all times; however, there is no default protocol rule so no traffic can occur. . Packet filtering is only available for Firewall or Integrated mode installation. . Before the first Enterprise Edition ISA server can be installed in the forest, modifications must be made to the AD Schema. . An Enterprise Edition ISA Server must be installed into an array or it is installed as a standalone server. . The default Enterprise policy is configured to use an Enterprise policy and not to allow array policies to restrict Enterprise policy. . ISA listens at port 8080 for client requests. . A minimum cache of 5MB on an NTFS volume must be con- figured during setup for caching or integrated mode servers. . Unattended setups always do a full installation. T ROUBLESHOOTING THE I NSTALLATION Troubleshoot problems that occur during setup. Like most modern installations, installation succeeds. However, it is possible to have a failed installation, one that does not complete suc- cessfully, or one that appears to complete successfully and yet does not work. These issues are categorized in the sections that follow. REVIEW BREAK 05 mcse CH03 6/5/01 11:57 AM Page 94 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 3 INSTALLING ISA SERVICE 95 Failed Installation Most installations of ISA Server will proceed normally and without error. Most installation problems will be due to minor operator errors, typos, and so on. However, even the most careful administra- tor can have an aborted installation. Here are some issues that may be the cause. Can’t Install in Existing Array When installing multiple ISA servers in an array, you receive the error This computer is not a member of a site and cannot be installed in an array . Windows 2000 computers joined in a domain may be found in multiple physical locations. As you know, the Window 2000 site can be used to model the physical network. The default site is created when the first domain controller in the forest is installed. This domain controller automatically becomes a member of this site. Additional sites can be created and the original site can be renamed. Within each site, the appropriate subnets that represent the subnets at that physical location are entered. This maps the physical network to the active directory object–site. Domain controllers are added to sites as they are installed on the system. Their site location can be changed to indicate their true physical location. Member servers are automatically part of an Active Directory site if the appropriate subnets have been entered and assigned to the site. You might need, however, to add the member server computer object to the appropriate site within Active Directory Sites and Services. If the previous error is received, check to see that the subnet has been added to the site and that the server does have an IP address within the same subnet as the first array member. Installation Fails to Complete—You Cannot Run the Uninstall Program If your attempted installation fails, it might be because some MMC with related ISA administration or help information has not finished closing, even though it has disappeared from the screen. If this is the 05 mcse CH03 6/5/01 11:57 AM Page 95 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 96 Part I INSTALLATION AND UPGRADE case, simply ending the attempt at uninstallation, clearing all windows and waiting a couple of minutes before trying again, will usually resolve the issue. If this fails, you can uninstall the program by using the Control Panel/Add Remove Programs applet. If this fails, use the ISA Server CD-ROM provided Rmisa.exe program. Was Installation Successful? Immediately after the ISA Server is installed, you should verify the installation. To do so, follow the steps of the Verification Process sec- tion. If they show your installation to be less than perfect, review the section on known issues. Verification Process If the installation process ends successfully, how do you know it actually is working correctly? Before you spend hours configuring the system and then find it not to be working, it makes sense to do a little testing. This way, if there are problems after configuration, you can limit your troubleshooting to the configuration process and not wonder if something went wrong during installation. To verify the installation: 1. Examine the Event log for errors. If there are no error mes- sages, or they can be resolved, continue the verification process. Likely installation error messages are detailed below. 2. Set up one local client as a Web proxy client; the Web browser application is configured to use the ISA Server. 3. In the client’s Web browser, navigate to any page on the Internet. 4. The default installation will not allow access and the 502 proxy error should be the result. 5. Create a protocol rule that allows use of all protocols by all clients. 05 mcse CH03 6/5/01 11:57 AM Page 96 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 3 INSTALLING ISA SERVICE 97 6. Create a routing rule that routes the request to the Internet (if directly connected) or to an upstream proxy server or ISA Server. 7. On the client, navigate to the same site. You should be able to access the page. You might then want to remove these routing and protocol rules if you require more restrictive rules. Remember, the goal here is merely to test the installation before making major configurations. In this manner you know that the installation is good. Event ID 14111—The ISA Server Cache Could Not Start The ISA Server Cache can’t start because it’s configured incorrectly. Stop the Web Proxy Service, and then use ISA Management console or the Registry to correct the problem ( \arrays\name\cache configu- ration\HTTP tab – select restore defaults ) and then attempt to restart the service. The problem might be incorrect configuration (does not meet minimum size, drive too small) or a conflict with other settings. If the condition cannot be resolved in this manner, run setup again and select Reinstall. Event ID 14176, 14164, 14172—The Disk Cache Failed to Initialize and Is Disabled Check other events (improper configuration, disk cannot be used for cache, disk configuration is wrong) and correct the problem, then restart Web Proxy service. Event ID 14010, 14063—The Firewall Service Did Not Start Due to Corrupt Data Corrupt data in the Registry (14063) or in the Active Directory pre- vents the service from starting. Waiting a short while before 05 mcse CH03 6/5/01 11:57 AM Page 97 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 98 Part I INSTALLATION AND UPGRADE attempting to start the service may work. Otherwise, you must unin- stall and reinstall ISA. The ISA Server configuration will be lost. A Generated LAT Is Not Correct Manually adjust the LAT from the ISA Management console. You Are Unable to Access Internet Resources This is expected. The default installation blocks all traffic through the ISA Server to the Internet. Users Can Access Sites on the Internet The LAT is incorrectly configured. U NINSTALLING ISA S ERVER The uninstallation process is simple and automated. To do so, follow the steps in Step by Step 3.10. Changes made to the Active Directory Schema cannot be removed. STEP BY STEP 3.10 Uninstall ISA Server 1. If the Event Viewer is open, close it. Otherwise some ISA files may not be removed. 2. From the ISA Server Setup Window, run Install ISA Server. 3. Setup searches for installed components and then displays the setup window choices (see Figure 3.16): • Add/Remove—Additional components can be added, such as adding Firewall mode to a caching only ISA Server. • Reinstall—The last installation will be repeated, missing files and settings will be restored. • Remove ALL—Uninstall ISA Server. FIGURE 3.16 Uninstallation choices. 05 mcse CH03 6/5/01 11:57 AM Page 98 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 1 CHAPTER TITLE GOES HERE 99 4. To remove the ISA Installation, select Remove All. 5. On the Are you sure you want to remove Microsoft ISA Server? message box, click Yes. The program reports that it is stopping services. 6. On the Do you want Uninstall to remove the logs and configuration backup files generated by Microsoft ISA Server? message box (see Figure 3.17), click Yes to remove all information. 7. The program will report that it is removing ISA COM objects, stopping relevant services, deleting files, and updating the system, and then restart or start the relevant services. 8. At the Microsoft Internet Security and Acceleration Server Setup was completed successfully message box, click OK. FIGURE 3.17 Remove the logs. NOTE rmisa.exe If you cannot uninstall ISA Server by this method, you might be able to uninstall it by using Control Panel/Add Remove Programs. An uninstall program, rmisa.exe, is also supplied in the \ISA\I386 folder on the Installation CD-ROM. This program completely removes ISA Server. ESSENCE OF THE CASE Here are the essential elements in this case study: . Perimeter protection required . Load balancing for large amounts of Web access . Control and protection of NetMeeting sessions . Public Web server . Multiple client OSs . Control, cost, and performance issues C ASE S TUDY : S ECURITY S YNDICATE SCENARIO Midwest-based security consultant Security Syndicate has two new customers with firewall/caching server needs. One customer, Davison & Davison is an accounting firm with tra- ditional small network protection needs. A public Web server and minimal Web browsing needs require perimeter protection. The other customer, Fujedenchee, is a leading supplier of innovative communications solutions. Web access, and usage is considered to be out of control and they are seeking reduced cost, improved performance, and security. Fujednechee currently has a mixed client environment. A Windows 2000 migration project is in the implementation stages. Not all clients or servers will be moved to W2k. continues 05 mcse CH03 6/5/01 11:57 AM Page 99 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 100 Part I INSTALLATION AND UPGRADE C ASE S TUDY : S ECURITY S YNDICATE configured to protect Davison & Davison’s net- work. An array of ISA Enterprise edition servers in Integrated mode will be deployed for Fujedenchee. Because both projects will use the same product, but operate in different areas and at different scale, an ISA team is assembled. You are part of that team. ANALYSIS Two seemingly different customer’s needs can be met by one product, ISA Server. Implementation, configuration, and usage patterns will be differ- ent. Security Syndicate has decided that ISA Server firewall mode, should be installed and continued Installing ISA Server is not a difficult process. Although there are multiple possibilities, there are few choices that once made, cannot be changed. An option can be installed (changing a Firewall mode to an Integrated mode) or a configuration updated, after the original installation. The biggest issues of installation for all versions and uses, is the planning decision on how the product is to be used, and where in the network it needs to be placed. This chapter has out- lined the installation process and elaborated on three installation processes: á Making the Active Directory schema modifications. á Determining the size of the initial cache. á Configuring the Local Address Table (LAT). If you will spend some time with the review questions, key terms, and complete the hands-on exercises, you will be ready to proceed with the next chapter on upgrading Microsoft Proxy Server 2.0 to ISA Server. C HAPTER S UMMARY KEY TERMS • Local Address Table • Caching mode • Firewall mode • Integrated mode • Internet Assigned Numbers Authority (IANA) • Request for Comment (RFC) • Private address ranges • Active Directory Schema • H.323 Gateway Service • Enterprise policy • ISA COM objects • ISA management • msisaund.ini file • Site 05 mcse CH03 6/5/01 11:57 AM Page 100 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. Chapter 3 INSTALLING ISA SERVICE 101 A PPLY Y OUR K NOWLEDGE Exercises 3.1 Installation of a Standard Edition ISA Firewall This exercise allows you to see the operation of the standalone server install and also your first insight into the differences in the install process and the resulting ISA administration interface. If at all possible, save this installation (perhaps by making your practice installa- tions dual-boot.) You will need to complete further exercises using a standalone ISA Server. Estimated Time: 20 minutes 1. If you have not configured a Windows 2000 standalone server as specified in Exercise 2.1, please do so before continuing. This server requires two network cards: one on the public network and one on the private network. The system should be a clean install of Windows 2000 (current Service Pack) standalone server. 2. Verify connectivity to both networks. If you are using the Internet as your public network, verify connectivity by accessing any Internet site via the browser. If you are using an internal subnet as your public network, verify access to systems on that network. 3. Install ISA Server Standard edition. Install using the Custom option and be sure the administra- tion and server modules are chosen. Do not select any add-ins. (For detailed instructions see Step by Step 3.2.) 3.2 Modification of the Active Directory Schema Before you can install an Enterprise ISA Server in an array, you must modify the Active Directory schema. The process is simple, and need only be done once for the forest. The program you will need to run is only provided on the ISA Server Enterprise edition disk. Estimated Time: 20 minutes 1. If you have not installed your test-domain domain controller, two member servers and Windows 2000 Professional system as per instructions in Exercise 2.1, please do so. The test-domain systems should all be updated to the current Service Pack. At least one of the member servers should have two network cards configured with one on the public network and one on the private network. DO NOT PERFORM THESE LABS IN A PRODUCTION SYSTEM. 2. Verify your test network. You should be able to logon from all systems. You need to be a member of the Enterprise Admins. group. 3. Verify connectivity with the public network. 4. Modify the Active Directory Schema for ISA by running the ISA Server Enterprise Installation program from the ISA Server CD-ROM. Detailed instructions are in Step by Step 3.3 3.3 Installation of an Enterprise Edition ISA Server—Integrated Mode After you update the AD Schema, you are ready to install ISA Server, Enterprise edition. There are 05 mcse CH03 6/5/01 11:57 AM Page 101 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. 102 Part I INSTALLATION AND UPGRADE A PPLY Y OUR K NOWLEDGE differences in the interface and the features of this edi- tion from the standalone edition. This exercise is your first exposure to them. In your test lab scenario, you can immediately follow the schema modification exer- cise with this one. In the real world, however, you may need to wait until the changes to the schema have replicated to all domain DC’s in the forest. Although in your test you may want to install the first ISA server on the DC (to reduce the number of com- puters you need to use), never do this on a product DC. Please note that the first server installed creates the first array. It is an array of one server. You must retain, and have available on the network, this first installation in order to complete Exercise 3.4. Estimated Time: 20 minutes 1. Log on to the two NIC Windows 2000 member server. 2. Install ISA Server Enterprise edition in Integrated mode. (Detailed instructions are in Step by Step 3.4.) The following installation configurations choices should be made: • Do not select any add-ins. • Select the default Enterprise policy. • Use the Create the LAT button and be sure to select the appropriate NIC card to include the private network subnet in the LAT along with the default private address ranges. • Do not install the ISA Management console. 3. Log on to and install the ISA Server Management console on the Windows 2000 Professional system. 4. Review the installation via the ISA Server Management console. 3.4 Installation of a Second Array Member Enterprise Edition ISA Server— Integrated Mode This exercise helps you understand the different processes followed when adding ISA Servers to an array. You will need to be sure the system on which you are doing the install can connect to the AD and locate the schema. If it cannot, you will not be able to install this server to the array. Retain both of these servers in their array configuration—you will need them for further exercises. Estimated Time: 20 minutes 1. Log on to the second member server. 2. Install ISA Server Enterprise edition in Integrated mode as a member of the array created in Exercise 3.3. 3. The following installation configuration choices should be made: • Do not select any add-ins. • Create the server as a member in the same array as the previous installation. • Use the Create the LAT button and make sure to select the appropriate NIC card to include the private network subnet in the LAT along with the default private address ranges. • Do not install the ISA Management console. 4. Log on to and install the ISA Server Management console on the Windows 2000 Professional system. 5. Review the installation via the ISA Server Management console. 05 mcse CH03 6/5/01 11:57 AM Page 102 Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark. [...]... Security and Acceleration (ISA) Server 2000 exam: Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server Back up the Proxy 2.0 Server configuration Microsoft Proxy Server is ISA Server s predecessor Although Proxy Server does not have the extensive firewall services of ISA, Proxy Server has extensive caching services and packet filtering capability Like ISA Server, Proxy Server 2.0 can be installed... Resources 1 Sections in ISA Server Help 2 ISA Server Installation Guide 3 The sample msisaund.ini file from the ISA folder on the ISA Server CD-ROM 4 ISA Server release notes Please purchase PDF Split-Merge on www.verypdf.com to remove this watermark 06 mcse CH04 6/5/01 11:58 AM Page 109 OBJECTIVES This chapter covers the following Microsoft-specified objectives for the Installing ISA Server section of the... domain member server B The Windows 2000 server is not a member of the original array server s domain C You have used the Standard edition ISA Server CD-ROM D The Windows 2000 server is not a member of the same site as the server which is the first member of the ISA server array E The Windows 2000 server is not a member of the same subnet as the server, which is the first member of the ISA server array... test Enterprise edition ISA Server in an array in a production domain There are no other ISA Servers in the entire forest You must remove your test system Your goal is to totally remove any indication that the ISA Server was ever there The following steps should be taken (Select all that apply.) A Run the uninstall ISA Server program B Verify that all Registry entries for ISA Server and all files that... the Proxy before migration Array Migration Proxy Server 2.0 servers in an array can be migrated to a standalone ISA Server configuration, to an existing ISA Server array, or to a new ISA Server array The preparation process is the same for any of these choices: Remove the Proxy 2.0 server from its array The array settings are saved to the individual Proxy Server and are thus available for migration How... existing ISA Server array and make modifications as necessary á Array member to new ISA Server array If a new array will be created, it is possible to migrate all settings that would normally be migrated If this is the first ISA Server in the enterprise, and thus no other arrays exist, all migratable settings will migrate from the Proxy array to the new ISA Server array However, if other ISA servers,... M I G R AT I O N ON PROXY Install to Existing ISA Array Install to New ISA Array Array Install ISA Standalone Server Proxy Server 2.0 standalone ISA Enterprise configuration determines final configuration ISA Enterprise configuration set during installation determines final configuration Retains most Proxy Server 2.0 configuration Proxy Server 2.0 Array member ISA Enterprise configuration determines final configuration... systems What selections would you make during installation of ISA Server? 3 This same company realizes it must use more than one server Which version of ISA Server must they use? 4 What action must be taken prior to installing the first ISA Server in the forest? Why is this necessary? 5 Which clients can benefit from an installation of ISA Server in caching mode? 6 Installation proceeds smoothly and indicates... Integrated with Windows 2000 Active Directory THE MIGRATION PROCESS Upgrade a Microsoft Proxy 2.0 Server computer to ISA Server You may migrate Proxy Server 2.0 to ISA server The Proxy server installation may be on Windows NT 4.0 or Windows 2000 There is no direct migration path from Proxy Server 1.0, Small Business Server, or BackOffice The migration path you follow depends on several variables Table 4.1 identifies... standalone server Most rules and configuration settings will be retained when migrating to a standalone server However, when migrating to an array, the ISA Enterprise policy settings will determine what is migrated from Proxy Server 2.0 Back Up the Proxy Server Configuration FIGURE 4.1 Windows 2000 install error message Back up the Proxy 2.0 Server configuration Migrating from Proxy Server 2.0 to ISA Server . Sections in ISA Server Help. 2. ISA Server Installation Guide. 3. The sample msisaund.ini file from the ISA folder on the ISA Server CD-ROM. 4. ISA Server release. 2.0 Server computer to ISA Server. . Back up the Proxy 2.0 Server configuration. Microsoft Proxy Server is ISA Server s predecessor. Although Proxy Server