How To Connect Your Company to the Internet by Using an ISA Firewall with Windows Server 2003 (323387)

The information in this article applies to:

  • Microsoft Windows Server 2003, Datacenter Edition
  • Microsoft Windows Server 2003, Enterprise Edition
  • Microsoft Windows Server 2003, Standard Edition
  • Microsoft Windows Server 2003, 64-Bit Datacenter Edition
  • Microsoft Windows Server 2003, 64-Bit Enterprise Edition
  • Microsoft Internet Security and Acceleration Server 2000
  • Microsoft Windows Small Business Server 2003, Premium Edition

This article was previously published under Q323387

SUMMARY

This step-by-step article describes how a small business with fewer than 255 workstations on an existing Windows-based network can connect its computers to the Internet through a firewall built on Microsoft Internet Security and Acceleration (ISA) Server.


Install the ISA Server

To install an ISA firewall, you need a computer with two network adapters. You must connect one of these adapters to your internal network and the other adapter to your Internet service provider (ISP). Your ISP can help you make this connection. A firewall acts as a security barrier between your internal network (or intranet) and the Internet by preventing outside users on the Internet from gaining access to the confidential information on your intranet or your computer.


Plan the Installation

  • You can run ISA Server Standard Edition on a stand-alone computer, on a computer that is a member of a Microsoft Windows NT domain, or on a computer that is a member of an Active Directory domain.
  • For maximum security, run ISA Server on a stand-alone computer.
  • The configuration of the network adapters involves setting up the external interface to the Internet and then setting up the internal interface to your Windows-based network.
  • Your ISP should provide a static IP address, subnet mask, default gateway, and Domain Name System (DNS) server or servers. Enter this information in the TCP/IP settings of the adapter that is connected to your ISP. Some ISPs prefer to assign this information with Dynamic Host Configuration Protocol (DHCP), which is fine.
  • You will need a permanent address and an appropriate subnet mask for your internal network on the internal adapter (do not use DHCP on this interface). Always leave the default gateway on the internal adapter blank. The ISA Server computer needs only one default gateway: the one that is configured on the external interface or interfaces. Configuring a default gateway on the internal adapter causes ISA Server to malfunction.

Configure the Server's Network Adapters

  1. Click Start, point to Control Panel, and then click Network Connections.
  2. Right-click your Internet connection, click Rename, and then type Internet connection.

    This will help you remember which network card is connected to the Internet.
  3. Right-click the Internet connection, and then click Properties.
  4. On the General tab, click to select the Show icon in notification area when connected check box.

    Whenever this interface transfers data, a small icon on the taskbar will flash.
  5. Clear the Client for Microsoft Networks and File and printer sharing for Microsoft networks check boxes.

    ISA Server blocks these protocols on the external interface anyway; by clearing these check boxes, you unbind the services from the Internet-facing adapter and save memory.
  6. Double-click Internet Protocol (TCP/IP), and then do one of the following:
    • If your ISP uses DHCP to assign IP addresses, click the Obtain an IP address automatically and Obtain DNS server address automatically options in the Internet Protocol (TCP/IP) Properties dialog box. Proceed to step 7.
    • If you have to manually enter the IP address information from your ISP, click Use the following IP address in the Internet Protocol (TCP/IP) Properties dialog box, and then type the address, subnet mask, and default gateway information that your ISP provided. Click Use the following DNS server addresses, and then type the IP address of the DNS server or servers that your ISP provided.
  7. Click Advanced, and then click the DNS tab. Click to clear the Register this connection's addresses in DNS check box.
  8. Click the WINS tab. Under NetBIOS setting, click Disable NetBIOS over TCP/IP.

Configure the Internal Interface to Your Network

  1. Click Start, point to Control Panel, and then click Network Connections.
  2. Right-click your local area connection, click Rename, and then type Local network.
  3. Right-click Local network, and then click Properties.
  4. On the General tab, click to select the Show icon in notification area when connected check box.
  5. Click to select the Client for Microsoft networks and File and printer sharing for Microsoft networks check boxes if they are not selected.
  6. Double-click Internet Protocol (TCP/IP), and then click to select the Use the following IP address check box.
  7. In the IP address box, type an internal IP address and subnet mask that makes sense for your internal network's addressing scheme. Leave Default gateway blank. In Preferred DNS server, type the IP address of your network's DNS server or servers.

    NOTE: For very small networks with fewer than 255 computers, if you are using the Windows 2000 default TCP/IP configuration and you do not have a DNS server in your network, your computers are relying on automatic private IP address assignment (APIPA). Microsoft recommends that you move away from APIPA and use static addresses on your client workstations. Each computer in your network needs a unique IP address. When you configure the internal interface of ISA Server, you have to type a static address. Use 192.168.0.254 and the subnet mask 255.255.255.0. Leave the Default gateway box blank. Type the IP addresses of your ISP's DNS servers in the DNS server boxes.

    Now configure static addresses on each of your clients:
    1. On the first computer, use the address 192.168.0.1, a subnet mask of 255.255.255.0, and a default gateway of 192.168.0.254. For DNS, type the IP address of the DNS server (or servers) of your ISP.
    2. On the second computer, use the address 192.168.0.2 and the same subnet mask, default gateway, and DNS values as in step 1. Only the address changes: increment it for each additional computer. Maintain a list of which computers use which addresses.
  8. Restart your computer if you are prompted to do so.

Install Microsoft Internet Security and Acceleration Server

Use the ISA Server Setup Wizard

  1. In Windows Explorer, double-click to open your CD-ROM drive.

    NOTE: The ISA Server Setup Wizard starts automatically unless the auto-insert notification feature is turned off. If the wizard does not start automatically, navigate to the root directory of the CD-ROM, and then double-click the ISAAutorun.exe file to run it. Click Install ISA Server to start the process.
  2. At the Welcome screen, click Continue. Type the product identification number in the appropriate box. You can locate this number on the back of the CD-ROM case.
  3. Read the license agreement, and then click I Agree.
  4. Click Typical installation for the installation type. This installs ISA services and the administrative tools.
  5. Click Firewall mode. ISA stops relevant services on the computer.
  6. Configure the local address table (LAT) for ISA. Configuring the LAT requires careful consideration. You are presented with two choices: either enter the internal subnets yourself or let Setup construct the table. Base your selection on the following conditions:
    • If you know the subnet (or subnets) that your internal network uses, type it here.

      CAUTION: Do not click the Construct Table button! If you do, the LAT information that you entered will be overwritten.
    • If you do not know your local subnets, click the Construct Table button. The ISA Setup Wizard will determine the local subnets based on the computer's routing table.
      • Click to select the Add the following private ranges check box if it is not already selected.
      • Click to select the Add address ranges based on the Windows Server 2003 routing table if it is not already selected.
      • Click to clear the check box that contains the subnet that corresponds to the server's external (Internet) interface.
      • Click to select the check box that contains the subnet that corresponds to the server's internal (LAN) interface.
  7. When Setup is complete, start the Administrator Getting Started Wizard, and then read the next section before you complete this wizard.

ISA Server's post-installation state blocks all access to and from the Internet. This is a good thing! Remember, you are setting up a firewall. The primary function of a firewall is to serve as a check point between two networks. ISA Server's behavior is to block everything that is not specifically permitted through policy.

Configure the Post-Installation State of ISA

Before your clients can access the Internet, you have to configure the following two components of an access policy:
  • At least one site and content rule, in which you specify where users can go and what kinds of content they can retrieve.
  • At least one protocol rule, which specifies the kinds of traffic that are permitted through ISA Server.

After installation, ISA creates a default site and content rule that permits all clients access to all content on all sites at all times. However, this is not enough for users to start surfing the Internet: you still have not defined a protocol rule. Without one, no traffic is permitted through ISA.

The Getting Started Wizard

  1. In the Getting Started Wizard, click Configure Protocol Rules. The protocol rule list is displayed in Microsoft Management Console (MMC).
  2. Click Create a Protocol Rule. Type a name, such as "All protocols".
  3. Click Allow for the rule's action (this is the default).
  4. Click All IP traffic for the protocol list (this is the default).
  5. Click Always for the schedule (this is the default).
  6. Click Any request for the client type (this is the default).
  7. Click Finish.

Create Policies Concerning How Users Connect to the Internet

ISA Server does much more than just permit all clients access to all content on all sites at all times by using all (defined) protocols. In ISA, you can create access policies that you can use to define exactly how your users can access the Internet.

ISA access policies are composed of the following three elements:
  • Site and content rules.
  • Protocol rules.
  • IP packet filters.
The rules, in turn, are composed of the following policy elements:
  • Schedules.
  • Destination sets.
  • Client address sets.
  • Protocol definitions.
  • Content groups.
There are dependencies that you have to understand before you try anything complex with the ISA policies. The following table describes which policy elements belong to which policy rules:

  Site and content rules        Protocol rules
  ----------------------        --------------------
  Destination sets              Protocol definitions
  Content groups                Schedules
  Schedules                     Client address sets
  Client address sets

Access the Internet from the ISA Computer

What about accessing the Internet from the ISA computer itself? If you are physically at the ISA computer and you want to access a particular Web site, the protocol rules and site and content rules that you have created apply only to clients that are behind the ISA server. When a client tries to access the Internet (assuming the request is permitted by the rules), ISA creates a dynamic packet filter for that connection request. However, if you are at the ISA computer and you want to access the Internet, you have to create static packet filters according to the kinds of traffic that you will be generating. For example, to access a Web site, follow these steps:
  1. In ISA Management, expand Servers, expand server-name, click Access Policy, and then click IP Packet Filters.
  2. Click Create a packet filter to start a wizard.
  3. Name the packet filter Web access.
  4. Click Allow packet transmission, and then click Custom.
  5. Click TCP as the IP protocol, click Outbound for the direction, click All ports for the local port, and then click Fixed port for the remote port. Type 80 in the Port Number box.
  6. Select default IP addresses for each external interface that is on the ISA server.
  7. Click All remote computers.
Now you can access Web sites from the ISA server. Microsoft recommends that you repeat these steps, but use SSL access as the name in step 3 and 443 (instead of 80) as the port number in step 5, because many Web servers use the SSL protocol. To permit more protocols, follow the same steps with an appropriate name in step 3 and the appropriate port number in step 5.
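The following is an added example (not ISA Server code or anything from this article) that models the two decision paths described above: a LAT client's request must satisfy both an allowing site and content rule and an allowing protocol rule, built from the policy elements in the table, while traffic from the ISA computer itself is governed only by static IP packet filters. The rule and filter objects mirror the ones the article creates (the default site and content rule, the "All protocols" rule, and the "Web access" and "SSL access" filters); the deny-wins behaviour and the request fields are assumptions of this model.

```python
from ipaddress import ip_address, ip_network

# Toy model of how ISA Server decides whether to permit a request, added to
# illustrate the article's policy dependencies; it is not ISA's own code. Assumed
# behaviour: a LAT client's request needs an allowing site and content rule AND
# an allowing protocol rule (a matching deny wins); the ISA computer's own traffic
# is governed only by static IP packet filters; everything else is denied.
LAT = [ip_network("192.168.0.0/24")]        # internal range used in the article
ISA_HOST = ip_address("192.168.0.254")      # ISA's internal interface address
ANY, ANY_CLIENT = "*", [ip_network("0.0.0.0/0")]

# Policy objects named in the article, expressed as dicts of policy elements
DEFAULT_SITE_RULE = {"allow": True, "destinations": [ANY], "content_groups": [ANY]}
ALL_PROTOCOLS_RULE = {"allow": True, "protocols": [ANY]}
WEB_ACCESS_FILTER = {"proto": "TCP", "direction": "outbound", "remote_port": 80}
SSL_ACCESS_FILTER = {"proto": "TCP", "direction": "outbound", "remote_port": 443}
# The article's table: elements specific to each rule type (rule key -> request key);
# schedule and client address set belong to both rule types and are checked in _hits()
SITE_ELEMENTS = {"destinations": "dest", "content_groups": "content"}
PROTOCOL_ELEMENTS = {"protocols": "protocol"}

def request(client, dest="www.example.com", content="HTML Documents",
            protocol="HTTP", proto="TCP", remote_port=80, hour=10):
    """A constructed request; 'protocol' is an ISA protocol definition name."""
    return dict(client=ip_address(client), dest=dest, content=content,
                protocol=protocol, proto=proto, remote_port=remote_port, hour=hour)

def _matches(value, allowed):
    return ANY in allowed or value in allowed

def _hits(rules, req, elements):
    return [r for r in rules
            if req["hour"] in r.get("hours", range(24))                # schedule
            and any(req["client"] in n for n in r.get("clients", ANY_CLIENT))
            and all(_matches(req[rk], r[k]) for k, rk in elements.items())]

def rules_allow(rules, req, elements):
    hits = _hits(rules, req, elements)
    return bool(hits) and all(r["allow"] for r in hits)  # no match or any deny: blocked

def packet_filter_allows(filters, req):
    """Static filters decide what the ISA computer itself may send (article step 5)."""
    return any(f["proto"] == req["proto"] and f["direction"] == "outbound"
               and f["remote_port"] in (ANY, req["remote_port"]) for f in filters)

def decide(req, site_rules, protocol_rules, filters=()):
    if req["client"] == ISA_HOST:                # traffic from the firewall itself
        return packet_filter_allows(filters, req)
    if not any(req["client"] in n for n in LAT):
        return False                             # not a LAT client: denied
    return (rules_allow(site_rules, req, SITE_ELEMENTS)
            and rules_allow(protocol_rules, req, PROTOCOL_ELEMENTS))
```

Running decide() with only DEFAULT_SITE_RULE reproduces the post-installation state (everything blocked until a protocol rule exists), and a request from ISA_HOST stays blocked until the matching static packet filter is added.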


Troubleshooting

The most common problems come from not fully understanding the interactions between policy elements, policy rules, and packet filters. If you try to do anything more than use the generic access policy that you first created (by following the procedure in the "Create Policies Concerning How Users Connect to the Internet" section of this article), make sure that you completely understand the "Install Microsoft Internet Security and Acceleration Server" section. Additionally, read the Microsoft Internet Security and Acceleration Server Online Help. Create some policies, and then test them. Access policies are also easier to understand once you know the ISA Server vocabulary and how its components interact.

NOTE: ISA Server does not pass any connection between the LAT and the outside on its own. You must create a policy that describes the access that you want to permit.

REFERENCES

For help in troubleshooting ISA Server, see Microsoft Internet Security and Acceleration Server Online Help.

Modification Type: Minor
Last Reviewed: 7/15/2004
Keywords: kbhowto kbHOWTOmaster kbNetwork KB323387 kbAudDeveloper kbAudITPro