
Deploying ISA Server

Chapter 5
Microsoft® Internet Security and Acceleration (ISA) Server is an integrated firewall and Internet caching server. Deploying ISA Server saves network bandwidth and gives users faster Web access by caching Web content. ISA Server secures your network, allowing you to implement your business security policy by configuring a broad set of rules that specify which sites, protocols, and content can pass through the firewall.

In This Chapter
Overview of ISA Server (page 216)
Determining the Role of ISA Server (page 218)
Evaluating Interoperability Issues (page 224)
Designing for High Availability (page 227)
Securing the Design (page 234)
Implementing Your ISA Server Solution (page 239)
Additional Resources (page 243)

Related Information
• For more information about creating a virtual private network (VPN), see “Deploying Dial-Up and VPN Remote Access Servers” in this book.
216 Chapter 5 Deploying ISA Server

Important
ISA Server (the successor to Proxy Server 2.0) is a separate product from the Microsoft® Windows® Server 2003 operating system. You must install ISA Server Service Pack 1 (SP1) immediately after installing ISA Server for it to be interoperable with Windows Server 2003.

Overview of ISA Server


ISA Server offers a complete Internet connectivity deployment solution as a firewall and a Web caching
server.
ISA Server monitors requests and responses between the Internet and internal client computers;
ISA Server also controls which computers on the Internet the internal clients can access.
ISA Server offers many security and caching options, including:
• Enhanced security with a multilayer firewall and integrated intrusion detection. ISA Server is a complete firewall product that provides packet filtering, stateful packet inspection, and application-level awareness for many common protocols, such as Simple Mail Transfer Protocol (SMTP) and Domain Name System (DNS). You can create access policies based on user-level information, IP addresses, or Web content.
• Secure publishing. You can use ISA Server as a reverse cache server to define a secure publishing policy. This protects internal publishing servers and makes them safely accessible to Internet clients.
• Web caching. ISA Server can cache Web content, potentially reducing your external bandwidth requirements. You can configure the cache to contain content that your organization uses frequently or that your Internet clients access.
• Extensibility. You can program the COM interface in ISA Server using high-level programming languages or scripting languages. Developers can implement application and Web filters to extend the core firewall functionality. You can use the ISA Server management interface to develop additional administration tools and management scripts.

ISA Server Deployment Process


The process for deploying ISA Server includes determining the deployment mode (cache, firewall, or
integrated) you need to use, examining the integration between ISA Server and other components in your
network, and choosing the best method for securing your network design.
Figure 5.1 shows the process for deploying ISA Server.
Figure 5.1 Deploying Your ISA Server

Determining the Role of ISA Server

ISA Server can act as a firewall, a Web caching server, or both in your network. Figure 5.2 shows the process for determining the role of your ISA server.
Figure 5.2 Determining the Role of ISA Server

You can install ISA Server in firewall, cache, or integrated mode.

• In firewall mode, you can secure network communication by configuring rules and access policies that control communication between your internal network and the Internet. You can also publish internal servers.
• In cache mode, you can improve network performance and save bandwidth by storing frequently accessed content closer to the user. You can also route requests from internal users to the appropriate Web server and publish Web servers in cache mode.
• In integrated mode, all cache and firewall features are available. You can configure a policy to meet both cache performance and security requirements.

Use Table 5.1 to determine which mode of ISA Server installation is most appropriate in your network.

Table 5.1 Determining the ISA Server Installation Mode

Goal: Secure your connection to the Internet, connect remote offices, or implement secure extranets.
Mode: Firewall

Goal: Increase performance of your Internet connection.
Mode: Cache

Goal: Secure your connection to the Internet and increase the performance of your Internet connection.
Mode: Integrated

Implementing ISA Server in Firewall Mode

ISA Server in firewall mode acts as a secure gateway between the Internet and internal clients. By
configuring the access policies, you can prevent unauthorized access and malicious content from entering the
network, as well as restrict outbound traffic.
In Figure 5.3, ISA Server is deployed in firewall mode and as a publisher of internal services, including e-
mail and Web services.
Figure 5.3 ISA Server in Firewall Mode

All inbound traffic requiring access to the Web or e-mail servers must pass through the firewall first.
Likewise, ISA Server can also limit Internet access to specified clients. In this example, ISA Server is acting
as a dedicated firewall controlling access to the internal network.

Implementing ISA Server in Cache Mode


ISA Server in cache mode accelerates Web access performance by caching Internet content locally. ISA can
provide access control for Web content, both in forward cache mode and reverse cache mode.
Forward Cache Mode
When a client in the internal network requests a Web page, ISA Server in forward cache mode checks if the
content is cached locally. If so, the request is not forwarded to the Internet, and the forward cache server
returns the Web pages to the client. If the Web page is not stored locally, ISA Server (acting on behalf of the
client) retrieves the Web page from the Internet. ISA Server then saves that Web page in the local cache. The
next time a client requests that page, ISA Server can fulfill the request without going to the Internet to
retrieve the page. This results in using less bandwidth on the Internet connection. Figure 5.4 illustrates a
forward cache mode configuration.

Figure 5.4 ISA Server in Forward Cache Mode

Reverse Cache (Web Publishing) Mode


You can also configure ISA Server in reverse cache mode. ISA Server in reverse cache mode caches content
provided to the Internet from the Web server. When an Internet client requests a Web page, the request is
sent to the ISA Server–based computer first. If the page is stored there locally, there is no need to retrieve the
page from the Web server. This increases performance for Internet clients accessing the Web site from the
Internet, as well as increasing security for the server. Figure 5.5 illustrates a reverse cache mode
configuration.
Figure 5.5 ISA Server in Reverse Cache Mode

Implementing ISA Server in Integrated Mode

ISA Server in integrated mode provides a firewall solution and acts as a Web cache server simultaneously by
allowing both services to coexist on the same server.
Before implementing both the firewall and Web cache on the same server, consider the following points:
• Purchasing less equipment can minimize costs.
• Centralizing the management of both resources on a single computer can simplify administration.
• Implementing both services on a single computer presents a single point of failure for both services. If that computer goes offline, multiple services are taken offline.

Determining Client Types


ISA Server supports the following types of clients.
Web Proxy client
Makes all Internet requests to the ISA Server “Outgoing Web Requests” listener. Most often, this is a Web
browser that is either configured manually by the user, or is configured automatically by using Group Policy
or a configuration script. ISA restricts user-based Web access controls to Web Proxy clients only.
SecureNAT client
Provides IP-based security, but does not allow for user-level authentication. To configure a SecureNAT
client, you only have to set the default route between the client and the ISA Server default internal IP
address. Because a SecureNAT client uses no other configuration, any computer that uses TCP/IP can be a
SecureNAT client.
Firewall client
Restricts access on a per-user, per-application basis for outbound access for requests that use Transmission
Control Protocol (TCP) and User Datagram Protocol (UDP). To configure a firewall client, you must install
the Firewall Client software on each client computer. You can install the Firewall Client software from the
shared folder \\ISA Server Name\mspclnt on the ISA Server–based computer.

You can only install the Firewall Client software on computers running Microsoft® Windows® 95 Service
Release 2, Windows NT 4.0, Windows® 98, Windows® Millennium Edition, Windows® 2000 Professional,
Windows XP Professional, Windows® XP 64-Bit Edition, or the Windows Server 2003 family.
Before you deploy or configure client software, assess your organizational needs, determine which applications and services your internal clients require, and assess how you plan to publish servers. Finally, map these needs to the client types supported by ISA Server.
Use Table 5.2 to determine which clients to deploy on your network.
Table 5.2 Determining Which Clients to Deploy

Goal: Improve the performance of Web requests for internal clients. Combine user-level and content controls for Web access.
Client: Web Proxy
Reason: Web Proxy clients do not require any software to be installed, but do require specific configuration.

Goal: Avoid deploying client software or configuring client computers.
Client: SecureNAT
Reason: SecureNAT clients do not require any software or specific configuration.

Goal: Improve Web performance in an environment with non-Microsoft operating systems.
Client: SecureNAT
Reason: SecureNAT client requests pass transparently to the ISA Server firewall service and then to the caching service.

Goal: Publish servers that are located on your internal network.
Client: SecureNAT
Reason: You can publish internal servers as SecureNAT clients, which eliminates the need for creating special configuration settings on the publishing server.

Goal: Allow Internet access only for authenticated users.
Client: Firewall or Web Proxy
Reason: You can configure user-based access policy rules for firewall clients. There is also an option to require authentication with Web Proxy clients.

Evaluating Interoperability Issues


Before you can make ISA Server interoperable with other network services and computers, you need to
evaluate possible implementation and integration issues within your configuration, as shown in Figure 5.6.
Figure 5.6 Evaluating Interoperability Issues

Running Other Services with ISA Server


You can run ISA Server on a computer with other services running already, such as e-mail or Web servers.
However, it is not recommended to place other services on the firewall. For improved security and
protection, place services behind the firewall, as shown in Figure 5.7. For example, if your organization
needs to deploy ISA Server to connect branch offices to the Internet in integrated mode, ISA Server can be
installed on existing e-mail or Web servers to simplify deployment and minimize the cost.
Figure 5.7 Running Other Services with ISA Server

Implementing ISA Server in a Domain


ISA Server with ISA Server SP1 can be installed as a stand-alone server or as a member of an array in a Microsoft® Windows® 2000 Server or Windows Server 2003 domain. When you install ISA Server as a stand-alone server, the configuration information is saved to the local registry. When you install ISA Server as a member of an array in a Windows 2000 or Windows Server 2003 domain, the ISA Server schema is installed into Active Directory®. Active Directory must be deployed in the ISA Server domain before you can use ISA Server arrays.
ISA Server can be installed as a stand-alone server in a Windows NT Server 4.0 domain. No special
configuration is required. You can use arrays of ISA Server computers to connect and secure
Windows NT 4.0 domain users and clients to the Internet. However, the array must be set up on a separate
Windows 2000 or Windows Server 2003 domain. Then you can establish a trust relationship from the
domain containing the ISA Server computer to the Windows NT 4.0 domain.

Using ISA Server with Other Network Services


You might have run the Routing and Remote Access service in Windows 2000 or Windows Server 2003 to
make network services and computers available to remote clients. ISA Server enables remote connectivity
and extends routing and remote access functionality by providing additional security features. ISA Server
packet filtering replaces the packet filtering functionality in the Routing and Remote Access service. In
addition, ISA Server uses the dial-up connections that you previously configured for routing and remote
access.
Similarly, you might have used Internet Connection Sharing (ICS) or network address translation (NAT) to
access the Internet. ISA Server provides the connectivity enabled by NAT or ICS, while adding sophisticated
security and caching features.

Caution
You cannot combine ICS or the NAT that is included with the Routing
and Remote Access service for Windows Server 2003 with ISA Server or
else you will lose firewall functionality. Also, IIS cannot run on the same
computer as ISA Server without special configuration. For more
information about configuring IIS for use with ISA Server, see the
ISA Server link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources, and then
search for the keyword socket pooling.

Designing for High Availability


Before deploying ISA Server, estimate your Internet connectivity requirements. Use the following sections as
guidelines for planning the size and type of your servers, and whether to deploy them as an array. Figure 5.8
shows the process for designing for high availability.
Figure 5.8 Designing for High Availability

Performing Capacity Planning


The flowchart in Figure 5.9 outlines the capacity planning process for ISA Server.
Figure 5.9 ISA Server Capacity Planning Process

Use the following guidelines for capacity planning:

• Ensure that the minimum hardware requirements for deploying ISA Server are met.
• Decide whether to install ISA Server as a firewall. If yes, ensure that the minimum firewall requirements are met.
• Decide whether or not to install ISA Server as a Web cache server. If yes, ensure that the minimum hardware requirements are met.

Note
Using the latest service pack is always recommended.
You can also use Performance Monitor to identify bottlenecks and determine whether to add more servers.

The following list describes the minimum hardware requirements for installing ISA Server:
• A computer with a 300 megahertz (MHz) or higher Pentium II-compatible CPU.
• The computer must be running either a member of the Windows 2000 Server family or a member of the Windows Server 2003 family. If you are installing ISA Server on a computer running Windows Server 2003, you must also install ISA Server SP1.
• 256 megabytes (MB) of memory.
• 20 MB of available hard disk space.
• A network adapter to communicate with the internal network.
• One local hard disk partition that is formatted with the NTFS file system.
• To implement the array and enterprise-level policy configuration, you must also run Active Directory.
• If you are using ISA Server in firewall or integrated mode, two network adapters are required.
• If your ISA Server is also supporting other services, such as e-mail or Web services, additional resources might be required.
Use Table 5.3 to determine the type of computers to use and whether you require an array.

Table 5.3 Hardware Requirements for Different Network Loads

Hits per second: Less than 500
Minimum hardware: One computer, Pentium II, 300 MHz processor
Required RAM: 256 MB

Hits per second: 500 to 900
Minimum hardware: One computer, Pentium III, 550 MHz processor
Required RAM: 256 MB

Hits per second: More than 900
Minimum hardware: One computer, Pentium III, 550 MHz processor, for each 800 hits per second increment
Required RAM: 256 MB per server

If multiple computers are required to handle the network load, consider setting up an array of
ISA Server–based computers. Arrays allow Web cache routing across a group of ISA Server–based
computers. For more information, see “Configuring ISA Server in an Array” later in this chapter.

Firewall Requirements
Table 5.4 lists hardware requirements and network connections based on expected throughput for firewall
clients accessing content on the Internet.
Table 5.4 Hardware Requirements for Firewall

Throughput requirements: 36 kilobits per second (Kbps) to 1 megabit per second (Mbps)
Minimum hardware: One computer, Pentium II, 300 MHz processor
Internet connection type: POTS modem, cable modem, or xDSL

Throughput requirements: 384 Kbps to 1.5 Mbps
Minimum hardware: One computer, Pentium II, 300 MHz processor
Internet connection type: T1

Throughput requirements: 3 Mbps to 44 Mbps
Minimum hardware: One computer, Pentium III, 550 MHz processor
Internet connection type: T3 or faster

Throughput requirements: More than 44 Mbps
Minimum hardware: One computer, Pentium III, 550 MHz, for each 50 MB/second required
Internet connection type: OC3 or faster

Forward Caching Requirements


You can deploy ISA Server as a forward-caching server, which maintains a centralized cache of frequently-
requested Internet content. In this case, consider how many users might access the Internet.
Table 5.5 lists the hardware requirements for using ISA Server in forward cache mode.
Table 5.5 Hardware Requirements for Forward Caching

Internet users: Up to 500
Minimum hardware: One computer, Pentium II, 300 MHz processor
RAM: 256 MB
Disk space for caching: 2–4 gigabytes (GB)

Internet users: 500 to 1,000
Minimum hardware: One computer, two Pentium III, 550 MHz processors
RAM: 256 MB
Disk space for caching: 10 GB

Internet users: More than 1,000
Minimum hardware: Two computers, Pentium III, 550 MHz processors
RAM: 256 MB for each server
Disk space for caching: 10 GB for each server

If your user-base exceeds 1,000 users, you can use hardware with faster processors and more memory, or you
can add more ISA Server installations.

Reverse Caching Requirements


You can deploy ISA Server as a reverse-caching server to fulfill Web requests from the Internet to your
network. For example, you might place an ISA Server computer between the Internet and an organization’s
Web server that is hosting a commercial Web business or providing access to business partners. In that case,
you need to consider how often external clients might request content from the publishing servers.
Table 5.6 lists hardware requirements for ISA Server in reverse cache mode, based on the number of hits per
second from Internet users.
Table 5.6 Hardware Requirements for Reverse Caching

Hits per second: Fewer than 100
Minimum hardware: One computer, Pentium II, 300 MHz processor

Hits per second: 101 to 250
Minimum hardware: One computer, Pentium III, 450 MHz processor

Hits per second: More than 250
Minimum hardware: One computer, Pentium III, 550 MHz processor for each 250 hits per second. You can use Performance Monitor to determine bottlenecks, and then add more servers or more powerful hardware, as necessary.

Memory requirements depend on the size of the cacheable content that you are publishing and on the working set of that content. Ideally, all cacheable content should fit into the available memory. By default, the ISA Web Proxy service uses half of the available server memory for RAM caching. For example, if the Web site you are publishing has 250 MB of cacheable content, then your ISA Server–based computer should have at least twice this much available RAM before the Web Proxy service starts.

Adding Computers
In some cases, you need to decide whether to add an additional ISA Server–based computer or to improve
the performance of the existing computer by adding an additional processor. Each option has different
advantages.
When you add a new computer and create an array of ISA Server–based computers, you set up a fault-
tolerant system. If one computer fails, the other continues to function. On the other hand, adding a computer
means that you have to purchase and manage additional hardware and any software that is installed on the
computer.

Note
All array members must be in the same domain and in the same site.

Designing for Scalability


When designing for scalability, consider differences between Microsoft® Internet Security and Acceleration (ISA) Server Standard Edition and Microsoft® Internet Security and Acceleration (ISA) Server Enterprise Edition, such as:
• ISA Server Standard Edition supports only a single computer configuration, and therefore cannot be used in an array.
• ISA Server Enterprise Edition can be configured either in a single computer configuration or in an array.

Configuring ISA Server in an Array


Computers running ISA Server Enterprise Edition can be grouped together in arrays. An array is a group of
ISA Server–based computers used to perform Web cache routing. Arrays allow a group of ISA Server–based
computers to be treated and managed as a single, logical entity. An array installation also provides increased
performance and bandwidth savings. Grouping your ISA Server–based computers in an array allows your
client requests to be distributed among multiple servers, thereby improving response time for clients.
All the servers in an array share a common configuration. This saves management time because the array is
configured once and the configuration is applied to all the servers in the array. Furthermore, you can apply an
enterprise policy to an array. This allows centralized management for all the arrays in the enterprise. A
unique array policy can be applied to each array in the enterprise.
It is recommended that you consider installing ISA Server as an array even if there is only one server. The
advantages to this include the ability to easily add an additional server to the array in the future and the
ability to use the advanced array management features.
Table 5.7 compares ISA Server features as a stand-alone server and in an array configuration.
Table 5.7 Comparing Features of ISA Server as a Stand-Alone Server or as an Array

Stand-alone server: Can be installed in a Windows NT 4.0 domain.
Array: Requires Active Directory.

Stand-alone server: Cannot use array or enterprise policies.
Array: Uses both enterprise- and array-level policies.

Stand-alone server: Installs from either ISA Server Standard or ISA Server Enterprise Edition.
Array: Installs from ISA Server Enterprise Edition only.

Note
For DNS round robin to work for an ISA array, the duplicated resource
records must all use the array name.

ISA Server and DNS Round Robin


Firewall and Web proxy clients can achieve fault tolerance when two or more computers running ISA Server
are used together with a Domain Name System (DNS) server.
You can use DNS to assign the same name to all the ISA Server–based computers in a cluster. With this
configuration, when a client requests an object from the ISA Server–based computer specifying the DNS
name, the DNS server resolves the name to one of the computers running ISA Server in the array in a round
robin fashion. This increases fault tolerance through redundancy and improves performance through the use
of multiple computers answering client requests.
Figure 5.10 shows the DNS server receiving a request from the clients and forwarding the request to
the computers running ISA Server in a round-robin configuration.
Figure 5.10 DNS Round Robin

Securing the Design


ISA Server secures your connection to the Internet or to remote sites and extranets. Security decisions for
implementing ISA Server are discussed in the following sections. Figure 5.11 shows the process for securing
the design.
Figure 5.11 Securing the Design

Connecting Remote Sites Using ISA Server

Using ISA Server to connect remote offices includes the following benefits:
• The ability to connect remote offices together through the Internet using a virtual private network (VPN).
• Hierarchical caching can also be implemented across the wide area network (WAN) on ISA Server–based computers.

Securing Network Perimeters with ISA Server

A perimeter network, also known as a screened subnet, is a network that is set up separately from an organization’s private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network, while preventing access to the internal network. In addition, an organization might allow very limited access from computers in the perimeter networks to computers in the internal network.
A perimeter network is commonly used for deploying the e-mail and Web servers. The perimeter network can be set up using either of the following configurations:
• Back-to-back perimeter network configuration with two ISA Server–based computers on either side of the perimeter network.
• Three-homed ISA Server–based computer with both the perimeter and internal network protected by the same computer.

Designing a Back-to-Back Perimeter Network


In a back-to-back perimeter network configuration, two ISA Server–based computers are located on either
side of the perimeter network. Figure 5.12 shows a back-to-back perimeter network configuration.
Figure 5.12 Back-to-Back Perimeter Network

Both ISA Server–based computers are set up in integrated or firewall mode. This configuration reduces the
risk of compromise by requiring anyone attempting to access the internal network from the Internet to access
both systems to reach the internal network.
Perform the following steps to make the servers on the perimeter network available to Internet clients:
1. Configure the local address table (LAT) on the ISA Server–based computer that is connected to the internal network to include the IP addresses of the computers in the internal network.
2. Configure the LAT on the ISA Server–based computer connected to the Internet to include the IP address of the ISA Server–based computer connected to the internal network, and the IP addresses of all the publishing servers in the perimeter network.
3. Create a Web publishing rule on the ISA Server–based computer connected to the Internet to publish the Web server.
4. Create a server publishing rule on the ISA Server–based computer connected to the Internet to publish the e-mail server. Configure the server publishing rule to apply to the e-mail server.
5. Create a Web publishing rule to publish the Web server, and configure the rule to redirect requests to the hosted site.

With this back-to-back perimeter network design, selected traffic can access the e-mail or Web server without accessing the internal network. This example publishes the e-mail and the Web servers without exposing the internal network to the Internet.

Designing a Three-Homed Perimeter Network


In a three-homed perimeter network, a single ISA Server–based computer is set up with three network adapters:
• The first network adapter connects to clients on the internal network.
• The second network adapter connects to the servers located in the perimeter network.
• The third network adapter connects to the Internet.
Figure 5.13 illustrates the three-homed perimeter network configuration.
Figure 5.13 Three-Homed Perimeter Network

Perform the following configuration steps for the three-homed ISA Server perimeter network:
• Configure the LAT to include all of the addresses on the internal network. The LAT should not include the addresses on the perimeter network.
• Enable packet filtering and IP routing.
• Create IP packet filters for each of the servers in the perimeter network. For each IP packet filter, the local computer should be specified as the IP address of the server on the perimeter network.

Using ISA Server in Extranets


An extranet is a private network that is configured for use outside your internal network. The extranet is
installed to support selected partners who require access to your network. ISA Server supports the installation
of extranets through the built-in capability of VPNs. Figure 5.14 shows ISA Server within an extranet design.
Figure 5.14 ISA Server in Extranets

Implementing Your ISA Server Solution

After determining the roles you want for ISA Server and completing your ISA Server design, you will
implement your ISA Server solution. Figure 5.15 shows when to implement your ISA Server solution.
Figure 5.15 Implementing Your ISA Server Solution

Figure 5.16 shows the process for implementing the ISA Server solution in your network.
Figure 5.16 Details of Implementing Your ISA Server Solution

Use the following steps to deploy ISA Server in your network:


1. Ensure that you are running either Windows 2000 Server or the Windows Server 2003 family. If necessary, upgrade the operating system before continuing with the deployment.
2. Ensure that the latest service pack is installed. If necessary, install the service pack before proceeding with the deployment.

3. Ensure that the network adapters are installed and working correctly; make sure you
have a valid connection to the Internet.
 You can choose to connect your network to the Internet through either a
persistent connection (T1, T3, xDSL, or cable modem) or a dial-up connection. If
you choose a direct connection, you need to set up a network adapter that
connects the ISA Server–based computer to the Internet.
 When you set TCP/IP properties for the external network adapter, consult with
your ISP for the correct settings. Specifically, you need the IP address, subnet
mask, default gateway, and IP addresses for the DNS servers to use in DNS
name searches. In some cases, your ISP might be using Dynamic Host
Configuration Protocol (DHCP) or bootstrap protocol (BOOTP) for dynamic
assignment of client addresses.
 Typically, ISA Server has only one IP default gateway. You should configure the
IP address of the default gateway on the external — not internal — network
adapter. Leave the Default Gateway setting for the internal network adapter
blank.
 When setting TCP/IP properties for any internal network adapter, you should
enter a permanently reserved IP address for the ISA Server–based computer and
an appropriate subnet mask for your internal network. Addressing that is
assigned by DHCP should not be used for the internal network adapter, because
DHCP might reset the default gateway you selected for the ISA Server–based
computer. The external network adapter can be DHCP-enabled, including the
default gateway and DNS settings, or these settings can be statically defined.
4. If you are installing ISA Server Enterprise Edition you need to initialize the
enterprise. You can run the Enterprise Initialization Tool in ISA Server startup.
• If this is the first time you are installing ISA Server as an array member, you
should run the ISA Server Enterprise Initialization Tool.
• If you are installing a stand-alone server, or if you have previously installed
ISA Server in your enterprise as an array member, you do not need to run the
Enterprise Initialization Tool, and you can select Install ISA Server.
Important
In order to install the ISA Server schema to Active Directory, you must be
a member of both the Enterprise Administrators and Schema
Administrators groups.

5. Install ISA Server. Setup asks for the following information:
• Installation options.
You can select a Typical installation, Full installation, or Custom installation.
• Array selection.
If you previously initialized the enterprise, you can select which array to join. If you did
not initialize the enterprise, then ISA Server is installed as a stand-alone server.
• Mode.
You can install ISA Server in firewall mode, integrated mode, or cache mode.
• Cache configuration.
If you install ISA Server in integrated or cache mode, you need to configure which
cache drives to use and the size of the cache.
• LAT configuration.
If you install ISA Server in integrated or firewall mode, you need to configure the
address ranges to include in the LAT.
6. Before building your LAT, ensure that you enter all subnets correctly.
• The LAT is automatically constructed from the Windows Server 2003 routing
table. If the computer is connected to a routed internal network and you are
unsure of the routing topology of your network or how to add static routes, you
can manually construct the LAT to contain the range(s) of IP addresses that your
internal clients use.
• Because a default gateway cannot be set on the internal interface of the
ISA Server–based computer, you need to create static routes for your internal
network at a later time to achieve full connectivity. You can do this using the
route command from the command prompt.
• A LAT that is configured correctly ensures that ISA Server can determine which
network adapter to use, in order to access different portions of your internal
network. If the LAT is not configured correctly, a client request for an internal IP
address might be incorrectly routed to the Internet or redirected through the
firewall service.
7. After installation, ISA Server effectively blocks all communication between your
internal network and the Internet. No communication can occur until you configure
an access policy with the protocol, site, and content rules specifically allowing
access. Similarly, you must configure publishing rules if you want to allow Internet
clients access to computers on your internal network.
If you installed ISA Server as an array member, then an enterprise policy might be applied to
the array. In this case, ISA Server might allow communication if the enterprise policy is
configured appropriately.
8. Install the latest service pack for ISA Server.
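The adapter and LAT guidance in steps 3 and 6 can be checked before Setup runs. The following script is an added example, not code from the chapter or from ISA Server: it validates a constructed adapter configuration against the rules above (one default gateway, on the external adapter only; a static address on the internal adapter), derives LAT entries from a constructed routing table in the style of route print output, rejects a default route on the internal interface, flags LAT ranges outside RFC 1918 for review, and answers the question "would ISA Server treat this client as internal?" for sample addresses. All adapter names, addresses and routes are hypothetical.

```python
import ipaddress

# Constructed sample adapter settings for an ISA Server computer (hypothetical).
ADAPTERS = {
    "External": {"dhcp": True, "ip": "203.0.113.10", "mask": "255.255.255.0",
                 "gateway": "203.0.113.1"},
    "Internal": {"dhcp": False, "ip": "10.1.0.1", "mask": "255.255.0.0",
                 "gateway": None},
}

# Constructed routing table: destination, netmask, gateway, interface address.
# 10.2.0.0/16 stands for a static route added with the route command.
ROUTING_TABLE = """\
0.0.0.0          0.0.0.0          203.0.113.1   203.0.113.10
10.1.0.0         255.255.0.0      10.1.0.1      10.1.0.1
10.2.0.0         255.255.0.0      10.1.0.254    10.1.0.1
203.0.113.0      255.255.255.0    203.0.113.10  203.0.113.10
"""

RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def check_adapters(adapters):
    """Return findings for settings that contradict the step 3 guidance."""
    findings = []
    with_gateway = [name for name, a in adapters.items() if a["gateway"]]
    if len(with_gateway) != 1:
        findings.append("ISA Server should have exactly one default gateway")
    internal = adapters["Internal"]
    if internal["dhcp"]:
        findings.append("internal adapter must use a permanently reserved address, not DHCP")
    if internal["gateway"]:
        findings.append("internal adapter must have no default gateway")
    if not adapters["External"]["gateway"]:
        findings.append("external adapter needs the ISP default gateway")
    return findings


def build_lat(routing_table, internal_ip):
    """Derive LAT entries from routes that leave through the internal interface."""
    lat = []
    for line in routing_table.splitlines():
        dest, mask, _gateway, iface = line.split()
        if iface != internal_ip:
            continue  # external routes never belong in the LAT
        if dest == "0.0.0.0":
            # A default route on the internal adapter contradicts step 3.
            raise ValueError("default route on internal interface")
        lat.append(ipaddress.ip_network(f"{dest}/{mask}"))
    return lat


def non_rfc1918(lat):
    """LAT ranges outside RFC 1918 space; review them, since an Internet
    range in the LAT makes ISA Server treat those hosts as internal."""
    return [str(n) for n in lat if not any(n.subnet_of(p) for p in RFC1918)]


def is_internal(lat, client_ip):
    """True if ISA Server would regard client_ip as an internal address."""
    ip = ipaddress.ip_address(client_ip)
    return any(ip in n for n in lat)


if __name__ == "__main__":
    print("adapter findings:", check_adapters(ADAPTERS))
    lat = build_lat(ROUTING_TABLE, ADAPTERS["Internal"]["ip"])
    print("LAT:", [str(n) for n in lat])
    print("review:", non_rfc1918(lat))
    for client in ("10.2.5.9", "203.0.113.50"):
        print(client, "internal" if is_internal(lat, client) else "external")
```

Run it against your own route print output by replacing the constructed table with the destination, netmask, gateway and interface columns of each route; a ValueError from build_lat means the internal adapter carries a default route and step 3 has not been followed.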
Additional Resources
These resources contain additional information and tools related to this chapter.

Related Information
• “Deploying Dial-Up and VPN Remote Access Servers” in this book for more
information about creating a virtual private network (VPN).
• The Migrating from Proxy Server 2.0 link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about
migrating from Proxy Server 2.0 to ISA Server.
• The Internet Engineering Task Force link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about
RFC documents and Internet Engineering Task Force (IETF) Internet-Drafts.
• The ISA Server link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about
extending ISA Server.
• The Hardware Compatibility List (HCL) link on the Web Resources page at
http://www.microsoft.com/windows/reskits/webresources for more information about
hardware compatibility.
