However, we’ll change our approach a little bit now with the release of ISA Server 2006. The reason for this is that the new ISA firewall, ISA Server 2006, has new features and improvements that are primarily focused on the Web proxy filter components that support Web Publishing Rules. These components include:
- Improved OWA, OMA, ActiveSync and RPC/HTTP publishing support
- Improved SharePoint Portal Server support
- Improved Windows SharePoint Services support
- Support for publishing Web farms
- Support for binding multiple certificates to a single Web listener
- Support for wildcard certificates bound to the published Web server
- Support for multiple new authentication delegation scenarios
- Support for LDAP authentication for Web Publishing Rules
- And many more!
Apologia for Unihomed ISA Firewall Deployments
One advantage of the Web Publishing scenario is that you can place the ISA firewall just about anywhere on the network. And one of the most popular deployment scenarios in a Web publishing only scenario is placement of a unihomed ISA firewall in Web proxy only mode in an existing firewall’s DMZ segment. The existing firewall can be a multihomed ISA firewall, or it can be any other kind of network firewall.
I’ve already gone into the details of how to configure a unihomed ISA firewall in a DMZ segment over at http://www.isaserver.org/articles/2004pixwebproxy.html so I won’t repeat that effort here. What I will do in this article is demonstrate how to install ISA Server 2006 on a single NIC server on the corporate network. In an article that follows this one, I’ll describe how to install ISA Server 2006 Enterprise Edition on an array of single NIC servers.
This article also represents a major departure from how I usually configure the ISA firewall in another way: the unihomed ISA firewall won’t be a member of an Active Directory domain. While domain membership significantly enhances the overall security the ISA firewall can provide when deployed in full firewall mode, this isn’t necessarily true when the ISA firewall is installed as a unihomed Web proxy server dedicated to Web publishing. This is especially the case with ISA Server 2006, given that we now have integrated support for LDAP authentication.
Procedure for Installing ISA Server 2006 Enterprise Edition on a Unihomed Computer
Before you get started installing ISA Server 2006 Enterprise Edition on a new computer, make sure you have done the following:
- Install Windows Server 2003, Windows Server 2003 SP1 and all current updates
- Do not join the unihomed computer to the domain
- Configure a static IP address on the network interface
- Configure a DNS server address on the network interface that enables the unihomed ISA firewall to resolve its own name and the names of the published servers. You should configure the device to use a domain name suffix that matches your Active Directory domain so that the machine can resolve its own name.
- If you are not allowing dynamic DNS registrations on your internal DNS servers, manually enter a Host (A) record for the unihomed ISA firewall device into your DNS
- Configure the unihomed ISA firewall’s network interface with a gateway address that allows it to reach both the Internet and the published servers
- Obtain the ISA Server 2006 Enterprise Edition beta trial software at http://www.microsoft.com/isaserver/2006/beta.mspx
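As an added pre-flight check for the prerequisites above (not part of the original article), the following PowerShell script reads the computer and adapter configuration through WMI and reports anything that would break a unihomed, workgroup-based deployment. The published server names are placeholders; replace them with the hosts you intend to publish.

```powershell
# Pre-flight check for a unihomed ISA Server 2006 installation (added example, not from the article).
# Assumes the box has exactly one IP-enabled NIC. $PublishedServers holds placeholder names.
param(
    [string[]]$PublishedServers = @('owa.example.local', 'portal.example.local')
)

$failures = @()

# 1. The unihomed ISA firewall must NOT be a domain member.
$cs = Get-WmiObject Win32_ComputerSystem
if ($cs.PartOfDomain) { $failures += "Computer is joined to domain '$($cs.Domain)'; it should stay in a workgroup." }

# 2. Exactly one IP-enabled adapter, configured with a static address.
$nics = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
if ($nics.Count -ne 1) { $failures += "Expected one IP-enabled NIC, found $($nics.Count)." }
$nic = $nics[0]
if ($nic.DHCPEnabled) { $failures += 'NIC uses DHCP; configure a static IP address.' }

# 3. A default gateway must be present so the box can reach the Internet and the published servers.
if (-not $nic.DefaultIPGateway) { $failures += 'No default gateway configured on the NIC.' }

# 4. DNS server(s) and a DNS suffix matching the AD domain, so the machine can resolve its own name.
if (-not $nic.DNSServerSearchOrder) { $failures += 'No DNS server configured on the NIC.' }
if (-not $nic.DNSDomain) { $failures += 'No DNS suffix set; it should match your Active Directory DNS domain.' }

# 5. The host's own FQDN must resolve (Host (A) record) to one of the NIC's addresses.
$fqdn = "$($cs.Name).$($nic.DNSDomain)"
try {
    $resolved = [System.Net.Dns]::GetHostAddresses($fqdn) | ForEach-Object { $_.IPAddressToString }
    if (-not ($resolved | Where-Object { $nic.IPAddress -contains $_ })) {
        $failures += "$fqdn resolves to $($resolved -join ', '), not to this NIC ($($nic.IPAddress -join ', ')); check the Host (A) record."
    }
} catch { $failures += "Cannot resolve own name $fqdn; add a Host (A) record or allow dynamic registration." }

# 6. Each published server must resolve and be reachable through the configured gateway.
foreach ($srv in $PublishedServers) {
    try { [void][System.Net.Dns]::GetHostAddresses($srv) } catch { $failures += "Cannot resolve published server $srv."; continue }
    if (-not (Test-Connection -ComputerName $srv -Count 1 -Quiet)) { $failures += "Published server $srv is not reachable (ICMP)." }
}

if ($failures) { $failures | ForEach-Object { Write-Warning $_ }; exit 1 }
Write-Host 'All unihomed ISA Server prerequisites look satisfied.'
```

Run it from an elevated PowerShell prompt on the future ISA firewall before launching setup; a non-zero exit code means at least one prerequisite still needs attention.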
Perform the following steps to install ISA Server 2006 Enterprise Edition:
- Copy the installation files for ISA Server 2006 Enterprise Edition to the unihomed ISA firewall device. Then double click on the isaautorun.exe to bring up the installation dialog box.
- In the Microsoft ISA Server 2006 beta installation dialog box, click the Install ISA Server 2006 link.
- Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2006 Beta page.
- On the License Agreement page, select the I accept the terms in the license agreement option and click Next.
- On the Customer Information page, enter your User Name, Organization and Product Serial Number and click Next.
- On the Setup Scenarios page, select the Install both ISA Server services and Configuration Storage server option. Note that this option implies that you can install both ISA Server firewall services and the CSS at the same time, and then later install additional array members once you have this installed. This is not true. Use this option only if you plan to deploy a single member ISA Server 2006 Enterprise Edition array. If you plan to add additional array members later, then do not select this option. Since this article is focused on installing a single ISA Server 2006 Enterprise Edition unihomed device as a single member array, we will use this option. Click Next.
Figure 1
- On the Component Selection page, accept the default settings. Note that you don’t have the option to install the Firewall client. I’m not sure where or how we’ll end up doing this in the future, as it’s also not an option on the initial setup page. This will likely be worked out by the time the product releases. Note that Advanced Logging is MSDE logging. If you prefer to use SQL logging or text based logging, then do not select this option. Click Next.
Figure 2
- On the Enterprise Installation Options page, select the Create a new ISA Server enterprise option. Since this will be the only machine in the array, we need to create a new ISA enterprise. Note that the Create a replica of the enterprise configuration option is not available to workgroup configurations. This is something to keep in mind in the future if you want to have a backup CSS for your enterprise array. However, it’s not an issue for us, since this is a single machine array. Click Next.
Figure 3
- Click Next on the New Enterprise Warning page.
Figure 4
- On the Internal Network page, click the Add button.
- In the Addresses dialog box, click the Add Adapter button. In the Select Network Adapters dialog box, put a checkmark in the checkbox next to the single interface installed on the computer. Note that in a typical firewall installation, this NIC would be used to define the default Internal network. In a unihomed ISA firewall Web proxy configuration, this is not the case, since all addresses are considered internal. Click OK.
Figure 5
- In the Addresses dialog box, click OK. Note that the addresses listed in this dialog box will have no meaning in the unihomed ISA firewall configuration scheme. In a normal ISA firewall setup with multiple interfaces, these addresses would define the default Internal ISA firewall Network. However, as I mentioned in the last step, with a unihomed ISA firewall in Web proxy mode, all addresses are considered part of the default Internal ISA firewall Network.
Figure 6
- Click Next on the Internal Network page. Note again that the IP addresses listed here do not represent the default Internal Network on a unihomed ISA firewall as we'll see later when we apply the single NIC ISA firewall template.
Figure 7
- On the Firewall Client Connections page, click Next. We don’t have to worry about Firewall client connections because neither Firewall nor SecureNAT clients are supported on a unihomed ISA firewall in Web proxy configuration. Only Web proxy clients are supported.
- Click Next on the Services Warning page.
- Click Install to begin the installation.
- On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox and click Finish.
- Close the Internet Explorer window entitled Protect the ISA Server Computer.
The first thing you’ll notice when the console opens is a link entitled Click here to learn about the Customer Experience Improvement Program. Click that link.
This brings up the Customer Feedback dialog box. I highly recommend that you participate in the Customer Experience Improvement Program. No personal data is sent to Microsoft and the result of your participation is to make the ISA firewall product more flexible and provide even higher levels of security to your network. Select the Yes option to participate in the program.
Figure 8
After you select an option and click OK, the link disappears from the middle pane of the console.
Figure 9
Expand all the nodes in the left pane of the ISA firewall console. Then perform the following steps to see the definition of the default Internal ISA firewall Network:
- In the left pane of the ISA firewall console, click the Networks node under the Configuration node.
Figure 10
- In the Networks node, click the Networks tab in the middle pane of the ISA firewall console. Double click on the Internal entry.
- In the Internal Properties dialog box, click the Addresses tab. Here you see the addresses that define the default Internal ISA firewall Network at this time. However, this will change when we configure this ISA firewall to act as a Web proxy only unihomed ISA firewall. Click Cancel to leave this dialog box.
What we need to do now is apply the unihomed ISA firewall template to configure this machine as a unihomed Web proxy only ISA firewall. Perform the following steps to apply the template:
Figure 11
- In the Task Pane, click the Templates tab. Scroll down the list of templates and click the Single Network Adapter template.
Figure 12
- Click Next on the Welcome to the Network Template Wizard page.
- Click Next on the Export the ISA Server Configuration page. Note that you have the option to export the current configuration, but we’ll not use that option because we haven’t made any configuration changes from the default setting.
Figure 13
- On the Internal Network IP Addresses page, you’ll see the addresses that will be configured to define the default ISA firewall Internal Network. Notice that all IP addresses except the local host network range are considered part of the default Internal network. For this reason, SecureNAT and Firewall clients are not supported in a unihomed Web proxy mode ISA firewall configuration. You do not need to make any changes on this page. Click Next.
Figure 14
- On the Select a Firewall Policy page, you are offered a single firewall policy to select from. Click on the Apply default Web proxying and caching configuration option. This will apply the default Deny rule to the firewall policy for the array. No Network Rules are created because the Web proxy always substitutes its own IP address for the IP address of the Web proxy client connecting to the Internet through the unihomed Web proxy mode ISA firewall. Click Next.
Figure 15
- On the Completing the Network Template Wizard page, click Finish.
- Click Apply to save the changes and update the firewall policy.
- Click OK in the Apply New Configuration dialog box.