Thursday, February 10, 2011

ISA Server 2004 Enterprise Edition - Installation, configuration tips and tricks

I recently upgraded one of our servers from ISA 2000 to ISA 2004 (yeah, yeah, I know that sounds like really old technology) - but that is what it was.

I found that the upgrade was a far bigger headache than it should have been, because of some changes in the way ISA 2004 works compared to the earlier version. So here are some tips and tricks that may save you some time and a few days of scratching your head.
  1. Make sure the Windows server is up to date and is 32-bit, mine was Windows 2003 32-bit.
  2. Install the latest Windows service pack.
  3. You cannot, or at least should not, install ISA on your domain controller.
  4. You can join the ISA machine to your domain which we did.
  5. Your ISA machine will normally have two network cards - one for the internal LAN and the other for the external WAN.
  6. It is very important that you only specify the DNS servers of your internal LAN and not the external DNS servers of your ISP. In other words, your internal LAN card will have your internal DNS servers but your external WAN card should not have any DNS servers specified.
  7. If this is not followed, your ISA Server will lose its domain credentials once you reboot the server and everything will stop working - the Event Viewer will show an "RPC Server unavailable" error along with many other consequential errors. This link is a good example of the errors you will encounter - http://www.eggheadcafe.com/aspnet_answers/isaenterprise/Aug2006/post27617673.asp
  8. Do not specify a Default Gateway on your internal LAN card.
  9. The default gateway on your external WAN card will be the Router IP.
  10. The old ISA stored all its configuration data in Active Directory on the DC. ISA 2004 stores its data in a lightweight LDAP directory called ADAM (Active Directory Application Mode).
  11. This data is stored in what is called a Configuration Storage Server. Hence you cannot join the old ISA server enterprise as another array.
  12. As a first step, you need to install the Configuration Storage Server. We installed this on the ISA machine itself - preferably install on a different machine for better redundancy.
  13. Once this is installed, go ahead and install ISA Server 2004 and also the latest Service Pack 3.
  14. ISA 2004 comes with a migration wizard that you can run on ISA 2000 to export the configuration as an XML file. Preferably run this wizard on the ISA 2000 server itself and export the entire configuration to one XML file.
  15. Please note that NO RULES are exported; they cannot be migrated. The export basically takes care of the destination sets, protocols and similar objects.
  16. Export at the root level and import also at the root level of the enterprise in ISA 2004.
  17. This import will create the Enterprise policy which existed in ISA 2000 as a similar enterprise policy in 2004 with the objects but sans the rules.
  18. For the ISA machine to allow internet access, you will need to configure DNS resolution.
  19. On your domain's DNS server, go to Forwarders and, for "All other DNS Domains", add the IP addresses of your ISP's DNS servers. This means that internet name-resolution requests from your network go to your DNS server, which in turn retrieves the answers from your ISP's DNS servers.
  20. Once you have configured the DNS server for forwarding - create your DNS servers as Network Objects in ISA Server 2004 i.e. as Computer objects - give their name and IP address.
  21. Now you want to create a rule "Forward DNS Requests to ISP" which ALLOWS all traffic from your INTERNAL DNS SERVER Computers to External Network and for ALL USERS. 
  22. Once this is done, you can check by opening the command prompt on your ISA machine and typing NSLOOKUP followed by a domain such as google.com. If all is set up well, you should get a response from your internal DNS server with the IP address of the requested domain.
  23. Set the default gateway on the network card of your DNS server machine to point to the ISA Server box. 
  24. This is a good link to better understand the DNS configuration - http://technet.microsoft.com/en-us/library/cc302590.aspx
  25. After this, create a Network object for your internal domain (say ABC.com) and specify the IP range that your domain is using (for example 192.168.0.0 to 192.168.0.255).
  26. Create a NETWORK RULE to take all traffic from Internal Network to External Network as NAT.
  27. Add an Enterprise Rule to ALLOW all HTTP / HTTPS / SMTP / POP3 protocols from Internal Network to External Network for all users.
  28. Go to your Array server node, under configuration, bind the Internal Network with the ABC.com object that you specified. This tells the ISA machine which are the internal IP addresses.
  29. Under Configuration - General - Firewall Client configuration - change the "Outlook" entry from 0 to 1.
  30. Under network properties - allow Web Proxy clients and set authentication to integrated, preferably with "Must authenticate" set to true.
  31. Under the same tab, define the Proxy client settings for automatic configuration and give the name of your machine for resolution - isa.abc.com for example.
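As an added check for the network-card rules in steps 6 to 9 (this is not code from the original post), the following Python parses `ipconfig /all` output from a dual-homed ISA box and flags any card whose DNS or default-gateway settings break those rules. The sample output and the adapter names Internal and External are constructed for the example.

```python
import re

# Constructed `ipconfig /all` sample (not captured from the post's server); the
# External NIC deliberately lists a DNS server so the check has something to flag.
SAMPLE_IPCONFIG = """\
Ethernet adapter Internal:

   IP Address. . . . . . . . . . . . : 192.168.0.1
   Default Gateway . . . . . . . . . :
   DNS Servers . . . . . . . . . . . : 192.168.0.10
                                       192.168.0.11

Ethernet adapter External:

   IP Address. . . . . . . . . . . . : 203.0.113.2
   Default Gateway . . . . . . . . . : 203.0.113.1
   DNS Servers . . . . . . . . . . . : 203.0.113.53
"""

_ADAPTER_RE = re.compile(r"^\S.*adapter (.+):$")
_FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z\- ]*?)[ .]*: ?(.*)$")

def parse_ipconfig(text):
    """Map adapter name -> field -> list of values; handles wrapped DNS lists."""
    adapters, current, field = {}, None, None
    for line in text.splitlines():
        if m := _ADAPTER_RE.match(line):
            current, field = m.group(1), None
            adapters[current] = {}
        elif current is None or not line.strip():
            continue  # global header or blank line
        elif m := _FIELD_RE.match(line):
            field = m.group(1)
            adapters[current][field] = [m.group(2)] if m.group(2) else []
        elif field:  # indented continuation line (e.g. second DNS server)
            adapters[current][field].append(line.strip())
    return adapters

def check_dual_homed(adapters, internal, external):
    """Violations of the post's NIC rules (steps 6-9); empty list = compliant."""
    lan, wan, findings = adapters[internal], adapters[external], []
    if lan.get("Default Gateway"):
        findings.append(f"{internal}: remove default gateway {lan['Default Gateway']}")
    if not lan.get("DNS Servers"):
        findings.append(f"{internal}: internal DNS servers missing")
    if wan.get("DNS Servers"):
        findings.append(f"{external}: remove DNS servers {wan['DNS Servers']}")
    if not wan.get("Default Gateway"):
        findings.append(f"{external}: default gateway (router IP) missing")
    return findings
```

On a real box, pipe `ipconfig /all` into `parse_ipconfig` and pass your own adapter names to `check_dual_homed`.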

If all goes well, by this time, you will have your ISA Server functional and a client computer should be able to access the internet through your firewall. It's a good time to back up your configuration!
