This step-by-step instruction guide describes how to provide Internet access through a firewall by using Internet Security and Acceleration (ISA) Server. This procedure provides internal clients unrestricted outbound access to the Internet.
For best results, verify that the computer that is running ISA Server has two network interfaces installed: one with a direct connection to the Internet and another that is connected to the internal network. Make sure that the IP address of the external interface is publicly accessible, and make sure that the internal adapter has a private IP address. This article assumes that the external adapter has full and direct access to the Internet without having to route requests to an upstream server. ISA Server requires Microsoft Windows 2000 Server Service Pack 1 (SP1) or later.
Install ISA Server
To install ISA Server:
- Insert the Internet Security and Acceleration Server 2000 CD-ROM.
- On the splash screen, click Install ISA Server.
- Review the End User License Agreement, and then click Continue.
- Type the CD key number, which is located on the back of the CD-ROM case.
- In the Product ID dialog box, click OK.
- Review the license agreement, and then click I Agree to proceed.
- Click Typical Installation.
- Click Integrated Mode, and then click Continue.
- Click OK to stop W3SVC.
- Set the cache size to the sum of 100 plus 0.5 per user, and then click OK.
- Click Construct LAT (Local Address Table). Leave any check boxes that are selected by default selected. Click to select the check box for your internal adapter. Click OK twice.
- Click OK to accept the LAT settings.
- Click OK to start the ISA Management tool.
- Click OK to finish.
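The adapter prerequisites and the LAT step above can be sanity-checked before the server goes into service, because any address listed in the LAT is treated as internal. The following is an added example, not part of the original article or of ISA Server: audit_lat, the set of acceptable internal ranges, and the sample addresses are assumptions made for illustration.

```python
import ipaddress

# Assumption: address space acceptable for a LAT entry
# (RFC 1918 private ranges plus 169.254.0.0/16 link-local).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16")]


def _in_private(net):
    """True if the whole network lies inside one of the private ranges."""
    return any(net.subnet_of(p) for p in PRIVATE_NETS)


def audit_lat(lat_ranges, internal_ip, external_ip):
    """Return findings for a LAT given as (first, last) IPv4 address pairs."""
    findings = []
    internal = ipaddress.ip_address(internal_ip)
    external = ipaddress.ip_address(external_ip)
    lat_nets = []
    for first, last in lat_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if lo > hi:
            findings.append(f"range {first}-{last}: start is above end")
            continue
        # Break the from/to range into CIDR blocks so containment can be tested.
        nets = list(ipaddress.summarize_address_range(lo, hi))
        lat_nets.extend(nets)
        if not all(_in_private(n) for n in nets):
            findings.append(f"range {first}-{last}: includes non-private addresses")
    if not any(internal in n for n in lat_nets):
        findings.append(f"internal adapter {internal_ip} is not covered by the LAT")
    if any(external in n for n in lat_nets):
        findings.append(f"external adapter {external_ip} is inside the LAT")
    if any(external in p for p in PRIVATE_NETS):
        findings.append(f"external adapter {external_ip} is a private address")
    return findings


if __name__ == "__main__":
    # Constructed sample: the second range wrongly pulls a public block into the LAT.
    sample_lat = [("192.168.0.0", "192.168.0.255"), ("203.0.113.0", "203.0.113.255")]
    for finding in audit_lat(sample_lat, "192.168.0.1", "203.0.113.10"):
        print(finding)
```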
Create a Protocol Rule
To create a protocol rule that allows your clients unrestricted access to the Internet:
- Open the ISA Management console (click Start, point to Programs, click Microsoft ISA Server, and then click ISA Management).
- In the tree, click the name of the server to expand the tree for the computer that is running ISA Server.
- Expand Access Policy, and then click to select Protocol Rules.
- Click the Create a Protocol Rule icon.
- Type Full Internet Access Rule on the first page of the wizard, and then click Next.
- Click Next four more times to accept all of the default settings of a new protocol rule.
- Click Finish.
Enable IP Routing
To enable IP routing for SNAT (Secure Network Address Translation) clients:
- In the Access Policy subtree, click IP Packet Filters.
- Right-click IP Packet Filters, and then click Properties.
- Click to select the Enable IP Routing check box.
- Click OK.
- On the client computers, under TCP/IP Properties, set the client computer's default gateway to be the internal adapter of the computer that is running ISA Server.
Note: After you complete these steps, only internal clients have Internet access. Not even the ISA Server itself has Internet access. This is by design, for security reasons. Granting Internet access to the ISA Server console would require the creation of packet filters that allow this access, which might reduce the level of security that ISA Server provides.
Article ID: 297922 - Last Review: October 31, 2006 - Revision: 1.3
- Microsoft Internet Security and Acceleration Server 2000 Standard Edition