This step-by-step article describes how small businesses with less than 255 workstations in an existing Windows-based network can connect computers to the Internet by using the Microsoft Internet Security and Acceleration (ISA) firewall secured services.
Install the ISA Server
An ISA firewall requires a computer with two network adapters. You need to connect one of these adapters to your internal network. You connect the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your intranet and the Internet by keeping other people on the Internet from gaining access to the confidential information on your internal network or your computer.
To plan the installation
- You can run ISA Server Standard Edition on a standalone computer, on a computer that is a member of a Microsoft Windows NT domain, or on a computer that is a member of a Microsoft Windows 2000 Active Directory domain.
- For maximum security run ISA Server on a standalone computer.
- The configuration of the network adapters involves setting up the external interface to the Internet and setting up the internal interface to your Windows-based network.
- Your ISP should provide a static IP address, subnet mask, default gateway, and DNS server or servers. Enter this information in the TCP/IP settings of the adapter that is connected to your ISP. Some ISPs prefer to assign this information with Dynamic Host Configuration Protocol (DHCP), which is fine.
To configure the server's network adapters
- On the desktop, right-click My Network Places, and then click Properties.
- Right-click your Internet connection, click Rename, and then type Internet connection. This will help you remember which network card is connected to the Internet.
- Right-click the Internet connection, and then click Properties.
- On the General tab, click to select the Show icon in taskbar when connected check box. Whenever this interface transfers data, a small icon in the taskbar will flash.
- Clear the Client for Microsoft Network and File and printer sharing for Microsoft networks check boxes. ISA Server automatically blocks these protocols; by clearing these check boxes, you are saving memory.
- Double-click Internet protocol (TCP/IP), and then do one of the following:
- If your ISP uses DHCP to assign IP addresses, in the Internet Protocol (TCP/IP) Properties dialog box, click to select the Obtain an IP address automatically and Obtain DNS server address automatically check boxes. Go to step 7.
- If you need to manually enter the IP address information from your ISP, in the Internet Protocol (TCP/IP) Properties dialog box, click to select the Use the following IP address, and then type the address, subnet mask, and default gateway information that your ISP provided. Click to select Use the following DNS server addresses, and then type the name of the DNS server or servers that your ISP provided.
- Click Advanced, then click the DNS tab. Click to clear the Register this connection's addresses in DNS check box.
: You need to type a permanent address and appropriate subnet mask for your internal network on the internal adapter (do not use DHCP on this interface). Leave the default gateway blank. The ISA Server computer needs only one default gateway: the one that is configured on the external interface. Configuring a default gateway on the internal adapter causes ISA to malfunction.
To configure the internal interface to your network
- Right-click My Network Places, and then click Properties. Right-click your Local Area Connection (LAN), click Rename, and then type Local network.
- Right-click Local network, and then click Properties.
- On the General tab, click to select the Show icon in taskbar when connected check box.
- Click to select the Client for Microsoft networks and File and printer sharing for Microsoft networks check boxes if they are not selected.
- Double-click Internet protocol (TCP/IP), and then click to select the Use the following IP address check box.
- In IP address, type an internal IP address and subnet mask that makes sense for your internal network's addressing scheme. Leave Default gateway blank. In Preferred DNS server, type the IP address of your network's DNS server or servers.
Note: For very small networks with less than 255 computers, if you are using the Windows 2000 default TCP/IP configuration, and you do not have a DNS server in your network, your computers are relying on automatic private IP address assignment (APIPA). You should migrate away from APIPA and start to use static addresses on your client workstations. Each computer in your network will need a unique IP address. When you configure the internal interface of ISA Server, you need to type a static address, so use the address 192.168.0.254, and the subnet mask 255.255.255.0. Leave the Default gateway box blank. Type the DNS server of your ISP in the DNS server fields.
Now configure static addresses on each of your clients:
- On the first computer, use the address 192.168.0.1, a subnet mask of 255.255.255.0, and a default gateway of 192.168.0.254. For DNS, type the DNS server (or servers) of your ISP.
- On the second computer, use the address 192.168.0.2, and then use the same values as shown in the previous step. Other than the address, these other values always stay the same, but continue to increment the address for each additional computer. Maintain a list of which computers use which addresses.
- Restart your computer, if you are prompted to do so.
Install Microsoft Internet Security and Acceleration Server 2000 Standard Edition
If the ISA Server 2000-based computer is running Windows 2000 Server or Microsoft Windows 2000 Advanced Server, you must install Windows 2000 Service Pack 2 (SP2) or a later service pack before you install ISA Server 2000 Standard Edition. For more information, visit the following Microsoft Web site:
To use the ISA Server Setup wizard
- On the desktop, double-click My Computer. Double-click to open your CD-ROM drive.
Note: The ISA Server Setup Wizard starts automatically unless the auto-insert notification feature is turned off. If the wizard does not start automatically, navigate to the root directory of the CD, and then double-click the ISAAutorun.exe file to run it. Click Install ISA Server to begin the process.
- At the Welcome screen, click Continue. Type the product identification number in the appropriate box. You can locate this number on the back of the CD-ROM case.
- Read the license agreement, and then click I Agree.
- Click Typical installation for the installation type. This installs ISA services and the administrative tools.
- Click Firewall mode. ISA stops relevant services on the computer.
- Configure the local address table (LAT) for ISA. Configuring the LAT requires careful consideration. You are presented with two choices: Either construct the LAT or use the installer wizard. Base your selection on the following conditions:
- If you know the subnet(s) that your internal network uses, type it here. Caution: Do not click the Construct Table button! If you do, the LAT information that you entered will be overwritten.
- If you do not know your local subnets, click the Construct Table button. The ISA Setup Wizard will determine the local subnets based on the computer's routing table.
- Click to select the Add the following private ranges check box if it is not already selected.
- Click to select the Add address ranges based on the Windows 2000 routing table if it is not already selected.
- Click to clear check box that contains the subnet that corresponds to the server's external (Internet) interface.
- Click to select the check box that contains the subnet that corresponds to the server's internal (LAN) interface.
- When Setup is complete, start the Administrator Getting Started Wizard, and then read the next section before you complete this wizard.
ISA Server's post-installation state blocks all access to and from the Internet. This is a good thing! Remember, you are setting up a firewall. The primary function of a firewall is to serve as a check point between two networks. ISA Server's behavior is to block everything that is not specifically allowed through policy.
To configure post-installation state of ISA
You have to configure the following two components of an access policy so that your clients can access the Internet:
- You have to configure at least one site and content rule, in which you specify where users can go and what kinds of content they can retrieve.
- You have to configure at least one protocol rule, which specifes the kinds of traffic that is allowed through ISA Server.
After installation, ISA creates a default site and content rule that allows all clients access to all content on all sites all the time. This is not enough, however, for users to start surfing the Internet: There is still no protocol rule that has been defined. Without this, no traffic is allowed through ISA.
The Getting Started Wizard
- In the Getting Started Wizard, click Configure Protocol Rules. The protocol rule list is displayed in Microsoft Management Console (MMC).
- Click Create a Protocol Rule. Type a name, such as "All protocols".
- Click Allow for the rule's action (this is the default).
- Click All IP traffic for the protocol list (this is the default).
- Click Always for the schedule (this is the default).
- Click Any request for the client type (this is the default).
- Click Finish.
To create policies how users connect to Internet
There is much more to ISA Server than simply allowing all clients access to all content on all sites at all times using all (defined) protocols. In ISA, you can create access policies that you can use to define exactly how your users can access the Internet.
ISA access policies are composed of the following three elements:
- Site and content rules
- Protocol rules
- IP packet filters
The rules, in turn, are composed of the following policy elements:
- Destination sets
- Client address sets
- Protocol definitions
- Content groups
There are dependencies that you need to understand before you try anything complex with the ISA policies. The following table describes which policy elements belong to which policy rules:
|Site and content rules||Protocol rules|
|Destination sets||Protocol definitions|
|Content groups ||Schedules|
|Schedules||Client address sets|
|Client address sets|
To access the Internet from the ISA computer
What about accessing the Internet from the ISA computer itself? If you are physically at the ISA computer and you want to access a particular Web site, the protocol rules and site and content rules that you have created apply only to clients that are behind the ISA server. When a client wants to access the Internet, as long as the request is allowed by the rules, ISA creates a dynamic packet filter for that connection request. However, if you are at the ISA computer, and you want to access the Internet, you need to create static packet filters according to the kinds of traffic that you will be generating. For example, to access a Web site, follow these steps:
- In ISA Management, expand Servers, expand server-name, click Access Policy, and then click IP Packet Filters.
- Click Create a packet filter to start a wizard.
- Name the packet filter:
- Click Allow packet transmission, and then click Custom.
- Click TCP as the IP protocol, click Outbound for the direction, click All ports for the local port, and then click Fixed port for the remote port. Type 80 in the Port Number box.
- Select default IP addresses for each external interface that is on the ISA server.
- Click All remote computers.
Now you can access Web sites from the ISA server. It is recommended that you repeat these steps using SSL access in step 3 and 443 (in place of 80) in step 6, as a number of Web servers use the SSL protocol. To allow even more protocols, follow the same steps using an appropriate name in step 3 and the necessary entries in step 6.
The most common problems involve not fully understanding the interactions between policy elements, policy rules, and packet filters. If you try to do anything more than use the generic access policy that you first created (by following the procedure in section 3.4), make sure that you completely understand section 4. In addition, read the Microsoft Internet Security and Acceleration Server 2000 Standard Edition Online Help. Create some policies and then test. In addition, understanding access policies is easier if you understand the ISA Server vocabulary and component interactions.Note
: ISA Server does not direct connections between anything in the LAT and the outside. You must create some kind of policy that describes the access that you want to allow.
For help in troubleshooting ISA Server, see the Microsoft Internet Security and Acceleration Server 2000 Standard Edition Online Help.