Contents
Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
Lab A: Configuring ISA Server for the Enterprise
Review
Module 9: Configuring ISA Server for an Enterprise
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Instructor Notes
This module provides students with the knowledge and skills to install and
configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 in
an enterprise environment.
After completing this module, students will be able to:
Describe the use of ISA Server in an enterprise environment.
Install ISA Server in an enterprise environment.
Use enterprise and array policies.
Scale ISA Server.
Manage network connections.
Extend and automate ISA Server functionality.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_09.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the lab.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and
provide the answers.
Read “Firewall client application settings,” “Using Network Load
Balancing,” “Configuring Automatic Discovery,” “The Enterprise, Arrays,
and Stand-Alone Servers,” and “Cache Array and Routing Protocol” in
ISA Server Help.
Read the section “Network Load Balancing” in the Microsoft Windows® 2000
Server Resource Kit.
Read the white papers entitled “Network Load Balancing Technical
Overview” and “Cache Array Routing Protocol and Microsoft Proxy Server
2.0” under Additional Reading on the Trainer Materials compact disc.
Read Module 2, “Installing and Maintaining ISA Server,” and Module 3,
“Enabling Secure Internet Access,” in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.
Read Module 4, "Designing a Schema Policy," in Course 1561B, Designing
a Microsoft Windows 2000 Directory Services Infrastructure.
Read Module 12, "Managing Operations Masters," in Course 2154A,
Implementing and Administering Microsoft Windows 2000 Directory
Services.
Presentation: 75 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
Introducing ISA Server Enterprise Edition
Explain that you can install ISA Server Enterprise Edition as a stand-alone
server or as an array member. Emphasize that if you choose not to apply an
enterprise policy to an array installation, the array administrator can create
any rule to allow or deny access.
Installing ISA Server in the Enterprise
Ensure that students understand the impact that modifying the schema has
on the entire Active Directory™ directory service forest and that changes to
the schema are irreversible. Explain that when you promote a stand-alone
server, ISA Server may delete policy rules and publishing rules to ensure
that array policies are not more permissive than an applicable enterprise
policy.
Using Enterprise Policies and Array Policies
Emphasize that when you apply an enterprise policy to an array, ISA Server
deletes all of the previously defined array-level site and content rules and
protocol rules that allow access.
Managing Network Connections
Use the slide example to explain the use of routing rules for conditionally
routing requests. Explain that firewall chaining enables requests from
Firewall clients and SecureNAT clients to be routed to upstream servers.
Use the animated slide to explain automatic discovery. Explain that using
automatic discovery helps you to minimize the time spent troubleshooting
connection problems on the client computers. Emphasize that to use
Dynamic Host Configuration Protocol (DHCP) for automatic
discovery, you must ensure that there is a DHCP server with a valid scope
for each network segment that has ISA Server clients. Emphasize that to use
Domain Name System (DNS) for automatic discovery, you must ensure that
there is a Web Proxy AutoDiscovery Protocol (WPAD) entry for each DNS
domain that has ISA Server clients.
Scaling ISA Server
Explain that to use Cache Array Routing Protocol (CARP) and to use
Network Load Balancing efficiently, you must use ISA Server Enterprise
Edition. Explain that by using hash-based routing instead of queries to
determine the location of cached information, CARP becomes faster and
more efficient as more member servers are added to the array. For more
information about CARP, tell students to see the white paper “Cache Array
Routing Protocol and Microsoft Proxy Server 2.0” under Additional
Reading on the Student Materials compact disc. Mention that Network
Load Balancing is available with Microsoft Windows 2000 Advanced
Server only.
Extending and Automating ISA Server Functionality
Mention that you can gain benefits from using the extensibility and
automation features of ISA Server whether you use the Standard Edition or
the Enterprise Edition.
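The hash-based routing point made under Scaling ISA Server above, as an added illustration that is not part of the courseware: each client scores every array member against the requested URL and sends the request to the highest scorer, so no member has to query its peers, and adding a member moves only the URLs that the new member wins. SHA-256 stands in here for CARP's own hash function, and the member names and URLs are constructed.

```python
import hashlib


def score(member, url):
    """Combined score for one (member, URL) pair.

    Assumption: SHA-256 is a stand-in for CARP's own hash function.
    """
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def route(url, members):
    """Return the array member that owns the cache entry for url.

    Every client and member computes the same answer locally, so no
    member needs to query its peers to locate a cached object.
    """
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda m: score(m, url))


def remapped(urls, before, after):
    """Return {url: (old_owner, new_owner)} for URLs whose owner changes."""
    moves = {}
    for url in urls:
        old, new = route(url, before), route(url, after)
        if old != new:
            moves[url] = (old, new)
    return moves


# Constructed sample data (hypothetical member names and URLs).
ARRAY_4 = ["isa1", "isa2", "isa3", "isa4"]
ARRAY_5 = ARRAY_4 + ["isa5"]
URLS = [f"http://www.example.com/page{i}.htm" for i in range(1000)]

if __name__ == "__main__":
    moves = remapped(URLS, ARRAY_4, ARRAY_5)
    print(f"{len(moves)} of {len(URLS)} URLs change owner after adding isa5")
    # Cached objects on isa1..isa4 are never shuffled among themselves.
    print("all moves go to isa5:",
          all(new == "isa5" for _, new in moves.values()))
```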
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.
Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Perform a full installation of ISA Server manually.
Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Install the ISA Server administration tools manually.
Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all
ISA Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Install the Firewall Client manually.
Setup Requirement 4
The lab in this module requires that all ISA Server client computers be
configured to use the ISA Server computer’s Internet Protocol (IP) address on
the private network as their default gateway. To prepare student computers to
meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure Internet Explorer manually.
Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol
(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure IIS manually.
Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the Internet
by using any protocol. To prepare student computers to meet this requirement,
perform one of the following actions:
Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Create the rule manually.
Setup Requirement 8
The lab in this module requires that packet filtering be enabled on the
ISA Server computer. To prepare student computers to meet this requirement,
perform one of the following actions:
Complete Module 6, “Configuring the Firewall,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Enable packet filtering manually.
Lab Results
Performing the lab in this module introduces the following configuration
changes:
DHCP on the second computer in each student computer pair has DHCP
option 252 enabled.
DNS for the student computer zones has a WPAD entry added.
The Active Directory schema update for ISA Server is installed.
The stand-alone ISA Server computer is promoted to an array.
An enterprise policy is created.
Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
ILLEGAL FOR NON-TRAINER USE
Microsoft® Internet Security and Acceleration (ISA) Server 2000 provides
many features to support an enterprise-wide deployment. Some of these features
are available in only the Enterprise Edition of ISA Server. The security,
caching, management, performance, and extensibility capabilities of ISA Server
are the same in both the Standard Edition and the Enterprise Edition. The
Standard Edition, however, is limited to a stand-alone server, a local policy
only, and computers with up to four processors. For large-scale deployments,
server array support, multi-level policy, and computers with more than four
processors, you must use the ISA Server Enterprise Edition.
After completing this module, you will be able to:
Describe the use of ISA Server in an enterprise environment.
Install ISA Server in an enterprise environment.
Use enterprise and array policies.
Scale ISA Server.
Manage network connections.
Extend and automate ISA Server functionality.
Topic Objective
To provide an overview of the module topics and objectives.
Lead-in
In this module, you will learn about configuring ISA Server in an enterprise
environment.
Introducing ISA Server Enterprise Edition
Benefits of ISA Server Enterprise Edition
Using ISA Server Enterprise Edition
There are many benefits for an organization to deploy ISA Server Enterprise
Edition in an enterprise environment. When you deploy ISA Server Enterprise
Edition, you must select an installation configuration and a policy
configuration.
Topic Objective
To introduce ISA Server Enterprise Edition.
Lead-in
There are many benefits for an organization to deploy ISA Server Enterprise
Edition in an enterprise environment.
[...]

Benefits of ISA Server Enterprise Edition
Topic Objective
To describe the benefits of ISA Server Enterprise Edition.
Lead-in
ISA Server Enterprise Edition offers several benefits to organizations that want fast, secure, and manageable Internet connectivity in an enterprise environment.
Scalability
Scales ISA Server functionality...

... Datacenter Server, which supports up to 32 processors.

Network Load Balancing
ISA Server Enterprise Edition efficiently uses Network Load Balancing, which is available in Windows 2000 Advanced Server and Windows 2000 Datacenter Server, to provide fault tolerance, high availability, efficiency, and performance through the clustering of multiple ISA Server...

... click Set as Default Policy.

Changing Default Settings for the Enterprise Policy
After initializing ISA Server for the enterprise, you can change the default policies that ISA Server applies when you create a new array. To change the default policies:
1. In ISA Management, in the console tree, right-click Enterprise, and then click Set Defaults.
2. ...

... administrator from configuring ISA Server in an insecure manner.

To force packet filtering for an array:
1. In ISA Management, in the console tree, expand Servers and Arrays, right-click the applicable array, and then click Properties.
2. On the Policies tab, verify that Use custom enterprise policy settings is selected, select the Force packet filtering...

... defined for the array.

Promoting a Stand-Alone Server
To promote a stand-alone server:
1. In ISA Management, in the console tree, right-click the server, and then click Promote.
2. Click Yes to verify that you want the ISA Server to become an array member.
3. If you are not a member of the Enterprise Admins group, click Yes to confirm that the default enterprise...

... centralize management for multiple arrays in your enterprise.

Selecting a Policy Configuration
Key Points
If you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access. When you enforce enterprise policies, an array policy can never allow any type of access that an enterprise...

... Internet Security and Acceleration Server Setup dialog box, click Yes to install ISA Server on an array member.
3. In the Microsoft ISA Server Setup dialog box, click the array that you want to add the computer to, click OK, and then configure the cache settings as you would for a stand-alone server.

Creating and Deleting Arrays in ISA Management
Topic...

When you apply enterprise policies, array policies can create additional restrictions over the enterprise policies. However, an array policy can never allow any type of access that an enterprise policy does not first allow.

Installing ISA Server in the Enterprise
Topic Objective
To present the topics related to installing ISA Server in the enterprise...

... information

Installing ISA Server Schema in Active Directory
Topic Objective
To describe the procedure that you use to install ISA Server schema in Active Directory.
Lead-in
Before you can set up ISA Server as an array member, you must install the ISA Server schema in Active Directory.
ISA Enterprise Initialization
Specify how to apply the enterprise...

Important: You can use ISA Server Standard Edition or ISA Server Enterprise Edition to manage network connections for ISA Server. However, customizing network connections yields the most benefits in an enterprise-wide installation.

Routing Overview
Topic Objective
To describe the process of routing in an ISA Server enterprise environment.
Lead-in
Array ...