For the latest information, please see http://www.microsoft.com/isaserver/
Contents
Chapter 1
How to Use the Guide
Chapter 2
Installing Certificate Services
Chapter 3
Installing and Configuring the Microsoft Internet Authentication Service
Chapter 4
Installing and Configuring Microsoft DHCP and WINS Server Services
Chapter 5
Configuring DNS and DHCP Support for Web Proxy and Firewall Client Autodiscovery
Chapter 6
Installing and Configuring a DNS Caching-only DNS Server on the Perimeter Network
Segment
Chapter 7
Installing ISA Server 2004 on Windows Server 2003
Chapter 8
Backing Up and Restoring Firewall Configuration
Chapter 9
Simplifying Network Configuration with Network Templates
Chapter 10
Configuring ISA Server 2004 SecureNAT, Firewall and Web Proxy Clients
Chapter 11
Configuring ISA Server 2004 Access Policy
Chapter 12
Publishing a Web and FTP Server on the Perimeter Network
Chapter 13
Configuring the Firewall as a Filtering SMTP Relay
Chapter 14
Publishing the Exchange Outlook Web Access, SMTP Server and POP3 Server Sites
Chapter 15
Configuring the ISA Server 2004 Firewall as a VPN Server
Chapter 16
Creating a Site-to-Site VPN with ISA Server 2004 Firewalls
ISA Server 2004 Configuration Guide:
How to Use the Guide
Chapter 1
For the latest information, please see http://www.microsoft.com/isaserver/
ISA Server 2004 Configuration Guide1
Introduction
Welcome to the ISA Server 2004 Configuration Guide! This guide was designed to help you
get started using ISA Server 2004 firewalls to protect your network and allow secure remote
access to your network. While the Guide isn’t a comprehensive set of documentation of all
network scenarios, it will expose you to many of the most commonly used features of ISA
Server 2004.
Firewalls have traditionally been among the most difficult network devices to configure and
maintain. You need to have a basic understanding of TCP/IP and networking services in order
to fully understand how a firewall works. The good news is that you don’t need to be a
network infrastructure professional to use ISA Server 2004 as your network firewall. ISA
Server 2004 is designed from the ground up to secure your network and it does so right out of
the box.
This chapter of the ISA Server 2004 Configuration Guide will:
• Help you learn about ISA Server 2004 features
• Provide advice on how to use the Guide to configure the ISA Server 2004 firewall
• Describe the details of the ISA Server 2004 Configuration Guide Lab Configuration
ISA Server 2004 Configuration Guide 2
Learn about ISA Server 2004 features
ISA Server 2004 is designed to protect your network from intruders located on the inside of
your network and those outside of your network. The ISA Server 2004 firewall does this by
controlling what communications can pass through the firewall. The basic concept is simple: if
the firewall has a rule that allows the communication through the firewall, then it is passed
through. If there is no rule that allows the communication, or if there is a rule that explicitly
denies the connection, then the communication is stopped by the firewall.
The ISA Server 2004 firewall contains dozens of features you can use to provide secure
access to the Internet and secure access to resources on your network from machines
located on the Internet. While this Guide can’t provide comprehensive step-by-steps for all the
possible features included with ISA Server 2004, we have provided for you a number of stepby-step walkthroughs that will allow you to learn how the most common, and most popular,
features of the ISA Server 2004 work.
Firewalls do not work in a vacuum. There are a number of networking services required to
assist the firewall protect your network. This guide provides you with detailed information on
how to install and configure these services. It’s critical that the network is set up properly
before you install and configure the firewall. Proper network service support will help you
avoid the most common problems seen in ISA Server 2004 firewall deployments.
This guide will walk you through setup and configuration of the following network services and
ISA Server 2004 firewall features:
• Install and configure Microsoft Certificate Services
• Install and configure Microsoft Internet Authentication Services (RADIUS)
• Install and configure the Microsoft DHCP and WINS Services
• Configure WPAD entries in DNS to support autodiscovery and autoconfiguration of Web
Proxy and Firewall clients
• Install the Microsoft DNS server on a perimeter network server
• Install the ISA Server 2004 firewall software
• Back up and restore the ISA Server 2004 firewall configuration
• Use ISA Server 2004 Network Templates to configure the firewall
• Configure ISA Server 2004 clients
• Create Access Policy on the ISA Server 2004 firewall
• Publish a Web Server on a Perimeter network
• Use the ISA Server 2004 firewall as a spam filtering SMTP relay
• Publish Microsoft Exchange Server services
• Make the ISA Server 2004 firewall into a VPN server
• Create a site to site VPN connection between two networks
ISA Server 2004 Configuration Guide 3
Practice configuring the ISA Server 2004 firewall
The firewall is your first line of defense against Internet attackers. A misconfigured firewall can
potentially allow Internet attacks access to your network. For this reason, it’s very important
that you understand how to configure the firewall for secure Internet access.
By default, the ISA Server 2004 prevents all traffic from moving through the firewall. This is a
secure configuration because the firewall must be explicitly configured to allow network traffic
through it. However, this level of security can be frustrating when you want to get connected
to the Internet as quickly as possible.
We strongly encourage you to create a test lab and perform each of the walkthroughs in this
guide. You will learn how to configure the ISA Server 2004 firewall correctly and become
familiar with the ISA Server 2004’s configuration interface. You can make mistakes in the
practice lab and not worry about attackers taking control of machines on your network. On the
lab network, you’ll be able to learn from your mistakes instead of suffering from them.
ISA Server 2004 Configuration Guide4
The ISA Server 2004 Configuration Guide Lab
Configuration
We will use a lab network configuration to demonstrate the capabilities and features of ISA
Server 2004 in this ISA Server 2004 Configuration Guide. We recommend that you set up a
test lab with a similar configuration. If you do not have the resources to create a physical test
lab, you can use operating system virtualization software to create the test lab. We
recommend that you use Microsoft’s Virtual PC software to create your test lab. You can find
more information about Virtual PC at
In this section we will review the following:
• The ISA Server 2004 Configuration Guide network
• Installing Windows Server 2003 on the domain controller machine and then promoting the
machine to a domain controller
• Installing Exchange Server 2003 on the domain controller and configuring the Outlook
Web Access site to use Basic authentication
http://www.microsoft.com/windowsxp/virtualpc/
ISA Server 2004 Configuration Guide Network Diagram
The figure below depicts the lab network. There are 7 computers on the lab network.
However, none of the scenarios we will work with in this ISA Server 2004 Configuration Guide requires all the machines to be running at the same time. This will make it easier for
you to use operating system virtualization software to run your lab network.
.
The network has a local network and a remote network. There is an ISA Server 2004 firewall
at the edge of the local and remote networks. All the machines on the local network are
members of the msfirewall.org domain, including the ISA Server 2004 firewall machine. No
other machines on the lab network are members of the domain.
On our lab network, the external interfaces of the ISA Server 2004 firewalls connect to the
production network, which allows them access to the Internet. You should create a similar
configuration so that you can test actual Internet connectivity for the clients behind the ISA
Server 2004 firewalls.
If you are using operating system virtualization software, then you should note that there are
three virtual networks in this lab setup. The Internal network (which contains the domain
controller) is on a virtual network, the TRIHOMELAN1 machine on a perimeter network is on
another virtual network, and the REMOTECLIENT machine is on a third virtual network.
Make sure you separate these virtual networks by placing the machines on different virtual
switches so as to prevent Ethernet broadcast traffic from causing unusual results.
Installing and Configuring the Internal Network Domain Controller
Other than the ISA Server 2004 firewall computer itself, the second most influential machine
used in the scenarios discussed in the ISA Server 2004 Configuration Guide is the domain
controller. The domain controller computer will also be used to support a number of network
services that are used in the variety of ISA Server 2004 scenarios discussed in this guide. It is
for this reason that we will walk through the installation and configuration of the domain
controller together.
You will perform the following steps to install and configure the Windows Server 2003 domain
controller:
• Install Windows Server 2003
• Install and Configure DNS
• Promote the machine to a domain controller
The machine will be a functioning domain controller by the time you have completed these
steps and will be ready for you to install Microsoft Exchange Server 2003.
Installing Windows Server 2003
Perform the following steps on the machine that acts as your domain controller computer:
1. Insert the CD into the CD-ROM tray and restart the computer. Allow the machine to boot
from the CD.
2. Windows setup begins loading files required for installation. Press ENTER when you see
the Welcome to Setup screen.
3. Read the Windows Licensing Agreement by pressing the PAGE DOWN key on the
keyboard. Then press F8 on the keyboard.
4. On the Windows Server 2003, Standard Edition Setup screen you will create a partition
for the operating system. In the lab, the entire disk can be formatted as a single partition.
Press ENTER.
ISA Server 2004 Configuration Guide7
5. On the Windows Server 2003, Standard Edition Setup screen, select the Format the partition using the NTFS file system by using the up and down arrows on the keyboard.
Then press ENTER.
6. Windows Setup formats the hard disk. This can take quite some time if the disk is large.
Setup will copy files to the hard disk after formatting is complete.
7. The machine will automatically restart itself after the file copy process is complete.
8. The machine will restart in graphic interface mode. Click Next on the Regional and Language Options page.
9. On the Personalize Your Software page, enter your Name and Organization and click Next.
10. On the Your Product Key page, enter your 25-digit Product Key and click Next.
11. On the Licensing Modes page, select the option that applies to the version of Windows
Server 2003 you have. If you have per server licensing, enter the value for the number of
connections you have licensed. Click Next.
12. On the Computer Name and Administrator Password page, enter the name of the
computer in the Computer Name text box. In the walkthroughs in this Guide, the domain
controller/Exchange Server machine is named EXCHANGE2003BE, so we will enter that
into the text box. Enter an Administrator password and Confirm password in the text
boxes. Be sure to write down this password so that you will remember it later. Click Next.
13. On the Date and Time Settings page, set the correct date, time and time zone. Click Next.
14. On the Networking Settings page, select the Custom settings option.
15. On the Network Components page, select the Internet Protocol (TCP/IP) entry in the Components checked are used by this connection list and click Properties.
16. On the Internet Protocol (TCP/IP) Properties dialog box, select the Use the following IP address option. In the IP address text box, enter 10.0.0.2. In the Subnet mask text
box enter 255.255.255.0. In the Default gateway text box enter 10.0.0.1. In the
Preferred DNS server text box, enter 10.0.0.2.
17. Click the Advanced button on the Internet Protocol (TCP/IP) Properties dialog box. In
the Advanced TCP/IP Settings dialog box, click the WINS tab. On the WINS tab, click
the Add button. In the TCP/IP WINS Server dialog box, enter 10.0.0.2 and click Add.
18. Click OK in the Advanced TCP/IP Settings dialog box.
19. Click OK in the Internet Protocol (TCP/IP) Properties dialog box.
20. Click Next on the Networking Components page.
21. Accept the default selection on the Workgroup or Computer Domain page. We will later
make this machine a domain controller and the machine will be a member of the domain
we create at that time. Click Next.
22. Installation continues and when it finishes, the computer will restart automatically.
23. Log on to the Windows Server 2003 using the password you created for the Administrator
account.
24. On the Manage Your Server page, put a checkmark in the Don’t display this page at
logon checkbox and close the window.
ISA Server 2004 Configuration Guide 8
Install and Configure DNS
The next step is to install the Domain Naming System (DNS) server on the machine that will
be the domain controller. This is required because the Active Directory requires a DNS server
into which it registers domain-related DNS records. We will install the DNS server and then
create the domain into which we will promote the machine.
Perform the following steps to install the DNS server on the domain controller machine:
1. Click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
3. In the Windows Components dialog box, scroll through the list of Components and
click the Networking Services entry. Click Details.
4. Place a checkmark in the Domain Name System (DNS) checkbox and click OK.
5. Click Next in the Windows Components page.
6. Click Finish on the Completing the Windows Components Wizard page.
7. Close the Add or Remove Programs window.
Now that the DNS server is installed, we can add forward and reverse lookup zones to
support our network configuration. Perform the following steps to configure the DNS server:
1. Click Start and then click Administrative Tools. Click DNS.
2. In the DNS console, expand the server name and then click on the Reverse Lookup Zones node. Right click on the Reverse Lookup Zones and click New Zone.
3. Click Next on the Welcome to the New Zone Wizard page.
4. On the Zone Type page, select the Primary zone option and click Next.
5. On the Reverse Lookup Zone Name page, select the Network ID option and then enter
10.0.0 in the text box below it. Click Next.
6. Accept the default selection on the Zone File page, and click Next.
7. On the Dynamic Update page, select the Allow both nonsecure and secure dynamic updates option. Click Next.
8. Click Finish on the Completing the New Zone Wizard page.
Now we can create the forward lookup zone for the domain that this machine will be promoted
into. Perform the following steps to create the forward lookup zone:
1. Right click the Forward Lookup Zone entry in the left pane of the console and click New Zone.
2. Click Next on the Welcome to the New Zone Wizard page.
3. On the Zone Type page, select the Primary zone option and click Next.
4. On the Zone Name page, enter the name of the forward lookup zone in the Zone name
text box. In this example, the name of the zone is msfirewall.org. We will enter
msfirewall.org into the text box. Click Next.
5. Accept the default settings on the Zone File page and click Next.
6. On the Dynamic Update page, select the Allow both nonsecure and secure dynamic updates. Click Next.
7. Click Finish on the Completing the New Zone Wizard page.
ISA Server 2004 Configuration Guide9
8. Expand the Forward Lookup Zones node and click on the msfirewall.org zone. Right
click on the msfirewall.org and click New Host (A).
9. In the New Host dialog box, enter the value EXCHANGE2003BE in the Name (uses
parent domain name if blank) text box. In the IP address text box, enter the value
10.0.0.2. Place a checkmark in the Create associated pointer (PTR) record checkbox.
Click Add Host. Click OK in the DNS dialog box informing you that the record was
created. Click Done in the New Host text box.
10. Right click on the msfirewall.org forward lookup zone and click Properties. Click the
Name Servers tab. On the Name Servers tab, click the exchange2003be entry and click
Edit.
11. In the Server fully qualified domain name (FQDN) text box, enter the fully qualified
domain name of the domain controller computer, exchange2003be.msfirewall.org. Click
Resolve. The IP address of the machine appears in the IP address list. Click OK.
12. Click Apply and then click OK on the msfirewall.org Properties dialog box.
13. Right click the server name in the left pane of the console and point to All Tasks. Click
Restart.
14. Close the DNS console.
The machine is now ready to be promoted to a domain controller in the msfirewall.org
domain. Perform the following steps to promote the domain to a domain controller:
1. Click Start and click the Run command.
2. In the Run dialog box, enter dcpromo in the Open text box and click OK.
3. Click Next on the Welcome to the Active Directory Installation Wizard page.
4. Click Next on the Operating System Compatibility page.
5. On the Domain Controller Type page, select the Domain controller for a new domain
option and click Next.
6. On the Create New Domain page, select the Domain in a new forest option and click Next.
7. On the New Domain Name page, enter the name of the domain in the Full DNS name for new domain text box. Enter msfirewall.org in the text box and click Next.
8. On the NetBIOS Domain Name page, accept the default NetBIOS name for the domain,
which is in this example MSFIREWALL. Click Next.
9. Accept the default settings on the Database and Log Folders page and click Next.
10. On the Shared System Volume page, accept the default location and click Next.
11. On the DNS Registration Diagnostics page, select the I will correct the problem later by configuring DNS manually (Advanced). Click Next.
12. On the Permissions page, select the Permissions compatible only with Windows 2000 or Windows Server 2003 operating system option. Click Next.
13. On the Directory Services Restore Mode Administrator Password page, enter a Restore Mode Password and then Confirm password. Click Next.
14. On the Summary page, click Next.
15. The machine now starts to configure itself as a domain controller.
16. Click Finish on the Completing the Active Directory Installation Wizard page.
ISA Server 2004 Configuration Guide 10
17. Click Restart Now on the Active Directory Installation Wizard page.
18. Log on as Administrator after the machine restarts.
Installing and Configuring Microsoft Exchange on the Domain
Controller
The machine is ready for installing Microsoft Exchange. In this section we will perform the
following steps:
• Install the IIS World Wide Web, SMTP and NNTP services
• Install Microsoft Exchange Server 2003
• Configure the Outlook Web Access Web Site
Perform the following steps to install the World Wide Web, SMTP and NNTP services:
1. Click Start and point to Control Panel. Click Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
3. On the Windows Components page, select the Application Server entry in the Components page. Click the Details button.
4. In the Application Server dialog box, put a checkmark in the ASP.NET checkbox. Select
the Internet Information Services (IIS) entry and click Details.
5. In the Internet Information Services (IIS) dialog box, put a checkmark in the NNTP Service checkbox. Put a checkmark in the SMTP Service checkbox. Click OK.
6. Click OK in the Application Server dialog box.
7. Click Next on the Windows Components page.
8. Click OK in the Insert Disk dialog box.
9. In the Files Needed dialog box, enter the path to the i386 folder for the Windows Server
2003 CD in the Copy file from text box. Click OK.
10. Click Finish on the Completing the Windows Components Wizard page.
11. Close the Add or Remove Programs window.
Perform the following steps to install Microsoft Exchange:
1. Insert the Exchange Server 2003 CD into the machine. On the initial autorun page, click
the Exchange Deployment Tools link under the Deployment heading.
2. On the Welcome to the Exchange Server Deployment Tools page, click the Deploy the first Exchange 2003 server link.
3. On the Deploy the First Exchange 2003 Server page, click the New Exchange 2003 Installation link.
4. On the New Exchange 2003 Installation page, scroll down to the bottom of the page.
Under step 8, click the Run Setup now link.
5. On the Welcome to the Microsoft Exchange Installation Wizard page, click Next.
6. On the License Agreement page, select the I agree option and click Next.
7. Accept the default settings on the Component Selection page and click Next.
ISA Server 2004 Configuration Guide 11
8. Select the Create a New Exchange Organization option on the Installation Type page
and click Next.
9. Accept the default name in the Organization Name text box on the Organization Name
page, and click Next.
10. On the Licensing Agreement page, select the I agree that I have read and will be bound by the license agreement for this product and click Next.
11. On the Installation Summary page, click Next.
12. In the Microsoft Exchange Installation Wizard dialog box, click OK.
13. Click Finish on the Completing the Microsoft Exchange Wizard page when installation
is complete.
14. Close all open windows.
The Exchange Server is now installed and you can create user mailboxes at this point. The
next step is to configure the Outlook Web Access site to use Basic authentication only. This is
a critical configuration option when you want to enable remote access to the OWA site. Later,
we will request a Web site certificate for the OWA site and publish the site using a Web
Publishing Rule, which will allow remote users to access the OWA site.
Perform the following steps to configure the OWA site to use Basic authentication only:
1. Click Start and point to Administrative Tools. Click Internet Information Services (IIS) Manager.
2. In the Internet Information Services (IIS) Manager console, expand the server name
and then expand the Web Sites node. Expand the Default Web Site node.
3. Click on the Public node and then right click on it. Click Properties.
4. In the Public Properties dialog box, click the Directory Security tab.
5. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
6. In the Authentication Methods dialog box, remove the checkmark from the Integrated Windows authentication checkbox. Click OK.
7. Click Apply and then click OK.
8. Click on the Exchange node in the left pane of the console and right click on it. Click
Properties.
9. On the Exchange Properties dialog box, click the Directory Security tab.
10. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
11. In the Authentication Methods dialog box, remove the checkmark from the Integrated Windows authentication checkbox. Click OK.
12. Click Apply and then click OK in the Exchange Properties dialog box.
13. Click on the ExchWeb node in the left pane of the console, then right click on it. Click
Properties.
14. In the ExchWeb Properties dialog box, click the Directory Security tab.
15. On the Directory Security tab, click the Edit button in the Authentication and access control frame.
16. In the Authentication Methods dialog box, remove the checkmark from the Enable
anonymous access checkbox. Place a checkmark in the Basic authentication
ISA Server 2004 Configuration Guide 12
(password is sent in clear text) checkbox. Click Yes in the IIS Manager dialog box
informing you that the password is sent in the clear . In the Default domain text box,
enter the name of the Internal network domain, which is MSFIREWALL. Click OK.
17. Click Apply in the ExchWeb Properties dialog box. Click OK in the Inheritance Overrides dialog box. Click OK in the ExchWeb Properties dialog box.
18. Right click the Default Web Site and click Stop. Right click the Default Web Site again
and click Start.
ISA Server 2004 Configuration Guide 13
Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the goals of this guide
and suggested methods you can use to get the most out of this guide. The remainder of this
ISA Server 2004 Configuration Guide provided detailed step-by-step instructions on how to
install and configure the domain controller computer on the internal network. In the next
chapter of this guide, we will go over the procedures required to install Microsoft Certificate
Services on the ISA Server 2004 firewall machine.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does
not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Configuration Guide 14
ISA Server 2004 Configuration Guide:
Installing Certificate Services
Chapter 2
For the latest information, please see http://www.microsoft.com/isaserver/
ISA Server 2004 Configuration Guide 15
Introduction
Microsoft Certificate Services can be installed on the domain controller on the internal
network and issue certificates to hosts within the internal network domain, as well as to hosts
that are not members of the Internal network domain. We will use certificates in a variety of
configuration scenarios in this ISA Server 2004 Configuration Guide series, including to
accomplish the following:
• Allow the ISA Server 2004 firewall to use the L2TP/IPSec VPN protocol for a site-to-site
VPN link
• Allow the ISA Server 2004 firewall to use the L2TP/IPSec VPN protocol for a VPN client
connection from a remote access VPN client
• Enable remote users to access the Outlook Web Access site using highly secure SSL-toSSL bridged connections
• Publish secure Exchange SMTP and POP3 services to the Internet
The certificates enable us to use SSL/TLS security. The SSL (Secure Sockets Layer) protocol
is a session layer protocol that encrypts data moving between the client and server machines.
SSL security is considered the current standard for providing secure remote access to Web
sites. In addition, certificates can be used to confirm the identity of VPN clients and servers so
that mutual machine authentication can be performed.
In this document we will discuss the following procedures:
• Installing Internet Information Services 6.0 to support the Certificate Authority’s Web
enrollment site
• Installing Microsoft Certificate Services in Enterprise CA mode
ISA Server 2004 Configuration Guide 16
Install Internet Information Services 6.0
The Certificate Authority’s Web enrollment site uses the Internet Information Services World
Wide Publishing Service. Because Exchange 2003 has already been installed on this
machine, we will not need to manually install the IIS Web services. The Exchange 2003 setup
routine requires that you install the IIS Web services so that the Outlook Web Access site
functions properly. However, you should confirm that the WWW Publishing Service is enabled
before starting installation of the Enterprise CA.
Perform the following steps to confirm that the WWW Publishing Service is running on the
domain controller:
1. Click Start and point to Administrative Tools. Click on Services.
2. In the Services console, click on the Standard tab in the right pane. Scroll down to the
bottom of the list and find the World Wide Web Publishing Service entry. Double click
on that entry.
3. In the World Wide Web Publishing Server Properties dialog box, confirm that the Startup type is set to Automatic, and that the Service status is Started.
4. Click Cancel and close the Services console.
Now that we’ve confirmed that the WWW Publishing Service is started, the next step is to
install the Enterprise CA software.
ISA Server 2004 Configuration Guide 17
Install Microsoft Certificate Services in Enterprise CA
Mode
Microsoft Certificate Services will be installed in Enterprise CA mode on the domain
controller. There are several advantages to installing the CA in enterprise mode versus
standalone mode. These include:
• The root CA certificate is automatically entered into the Trusted Root Certification
Authorities certificate store on all domain member machines
• You can use the Certificates MMC snap-in to easily request a certificate. This greatly
simplifies requesting machine and Web site certificates
• All machines can be assigned certificates using the Active Directory autoenrollment
feature
• All domain users can be assigned user certificates using the Active Directory
autoenrollment feature
Note that you do not need to install the CA in enterprise mode. You can install the CA in
standalone mode, but we will not cover the procedures involved with installing the CA in
standalone mode or how to obtain a certificate from a standalone CA in this ISA Server 2004 Configuration Guide series.
Perform the following steps to install the Enterprise CA on the EXCHANGE2003BE domain
controller computer:
1. Click Start, then point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button on the left side of the window.
3. On the Windows Components page, scroll through the list and put a checkmark in the Certificate Services checkbox. Click Yes in the Microsoft Certificate Services dialog
box informing you that you may not change the name of the machine or the machine’s
domain membership while it is acting as a CA. Click Yes to continue.
4. Click Next on the Windows Components page.
5. On the CA Type page, select the Enterprise root CA option and click Next.
ISA Server 2004 Configuration Guide 18
6. On the CA Identifying Information page, enter a name for the CA in the Common name for this CA text box. This should be the DNS host name for the domain controller. Ideally,
you will have configured a split DNS infrastructure and this name will be accessible from
internal and external locations, so that external hosts will be able to check the certificate
revocation list. We will not cover the issue of a split DNS infrastructure in this document.
You can find more information about designing and configuring a split DNS infrastructure
in the ISA Server 2000 Branch Office Kit document “DNS Considerations for ISA Server
2000 Branch Office Networks” at
http://www.tacteam.net/isaserverorg/isabokit/9dnssupport/9dnssupport.htm. In this
example we will enter the domain controllers NetBIOS name, EXCHANGE2003BE. Click
Next.
ISA Server 2004 Configuration Guide 19
7. If the same machine had been configured as a CA in the past, you will be presented with
a dialog box asking if you wish to overwrite the existing key. If you have already deployed
certificates to hosts on your network, then do not overwrite the current key. If you have
not yet deployed certificates to hosts on your network, then choose to overwrite the
existing key. In this example, we have not previously installed a CA on this machine and
we do not see this dialog box.
8. In the Certificate Database Settings page, use the default locations for the Certificate Database and Certificate database log text boxes. Click Next.
9. Click Yes in the Microsoft Certificate Services dialog box informing you that Internet
Information Services must be restarted. Click Yes to stop the service. The service will be
restarted for you automatically.
10. Click OK in the Insert Disk dialog box. In the Files Needed dialog box, enter the path to
the i386 folder in the Copy file from text box and click OK.
11. Click Finish on the Completing the Windows Components Wizard page.
12. Close the Add or Remove Programs window.
At this point, the Enterprise CA is able to issue certificates to machines via autoenrollment,
the Certificates mmc snap-in, or via the Web enrollment site. Later in this ISA Server 2004 Getting Start Guide series, we will issue a Web site certificate to the OWA Web site and also
issue machine certificates to the ISA Server 2004 firewall computer and to an external VPN
client and VPN gateway (VPN router) machine.
ISA Server 2004 Configuration Guide 20
Conclusion
In this ISA Server 2004 Configuration Guide document we discussed the uses of a
certificate authority and how to install an Enterprise CA on the domain controller on the
internal network. Later in this guide, we will use this Enterprise CA to issue machine
certificates to VPN clients and servers and issue a Web site certificate to the Exchange
Server’s Outlook Web Access Web site.
This is a preliminary document and may be changed substantially prior to final commercial release of the software described herein.
The information contained in this document represents the current view of Microsoft Corporation on the issues discussed as of the
date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment
on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.
This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, IN THIS
DOCUMENT.
Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in, or introduced into a retrieval system, or transmitted in any form or by any means (electronic,
mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft
Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in
this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does
not give you any license to these patents, trademarks, copyrights, or other intellectual property.
The example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted
herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place,
or event is intended or should be inferred.
Microsoft, Windows, Windows 2000, Windows 2000 Server, Windows Server 2003, Windows Server System, ISA Server, and ISA
Server 2004 are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
The names of actual companies and products mentioned herein may be the trademarks of their respective owners.
ISA Server 2004 Configuration Guide 21
ISA Server 2004 Configuration Guide:
Installing and Configuring the Microsoft
Internet Authentication Service
Chapter 3
For the latest information, please see http://www.microsoft.com/isaserver/
ISA Server 2004 Configuration Guide 22
Introduction
The Microsoft Internet Authentication Server (IAS) is an industry standard RADIUS server that
can be used to authenticate users connecting to the ISA Server 2004 firewall machine. You
can use IAS to authenticate Web Proxy clients on the internal network and VPN clients and
VPN gateways calling in from an external network location. In addition, you can use RADIUS
authentication to remote users who connect to Web servers published using ISA Server 2004
Web Publishing rules.
The major advantage of using RADIUS authentication for Web proxy and VPN connections is
that the ISA Server 2004 firewall computer does not need to be a member of the domain to
authenticate users whose accounts are contained in the Active Directory on the internal
network. Many firewall administrators recommend that the firewall not be a member of the
user domain. This prevents attackers who may compromise the firewall from taking
advantage of the firewall’s domain member status to amplify an attack against the internal
network.
One major drawback to not making the ISA Server 2004 firewall a member of the internal
network domain is that you cannot use the Firewall client to provide authenticated access to
all TCP and UDP protocols. For this reason, we make the ISA Server 2004 firewall computer
a member of the domain in this ISA Server 2004 Configuration Guide series. However, if
you choose to not join the firewall to the domain, you can still use IAS to authenticate your
VPN and Web Proxy clients.
We will discuss the following procedures in this document:
• Installing the Microsoft Internet Authentication Service
• Configuring the Microsoft Internet Authentication Service
ISA Server 2004 Configuration Guide 23
Installing the Microsoft Internet Authentication
Service
The Microsoft Internet Authentication Service server is a RADIUS server. We will use the
RADIUS server later in this ISA Server 2004 Configuration Guide to enable RADIUS
authentication for Web Publishing Rules and investigate how RADIUS authentication can be
used to authenticate VPN clients.
Perform the following steps to install the Microsoft Internet Authentication Server on the
domain controller EXCHANGE2003BE on the internal network:
1. Click Start and point to Control Panel. Click on Add or Remove Programs.
2. In the Add or Remove Programs window, click the Add/Remove Windows Components button in the left pane of the console.
3. On the Windows Components page, scroll through the Components list and select the Networking Services entry. Click Details.
4. Place a checkmark in the Internet Authentication Service checkbox and click OK.
5. Click Next on the Windows Components page.
6. Click Finish on the Completing the Windows Components Wizard page.
7. Close the Add or Remove Programs window.
The next step is to configure the Internet Authentication Service.
ISA Server 2004 Configuration Guide 24
Configuring the Microsoft Internet Authentication
Service
You need to configure the IAS server to work together with the ISA Server 2004 firewall
computer so that they can communicate properly. At this time, we will configure the IAS
Server to work with the ISA Server 2004 firewall. Later we will configure the firewall to
communicate with the IAS server.
Perform the following steps on the domain controller on the internal network to configure the
IAS server:
1. Click Start and point to Administrative Tools. Click Internet Authentication Service.
2. In the Internet Authentication Service console, expand the Internet Authentication
Service (Local) node. Right click on the RADIUS Clients node and click New RADIUS
Client.
3. On the Name and Address page of the New RADIUS Client wizard, enter a friendly
name for the ISA Server 2004 firewall computer in the Friendly name text box. This
name is used to identify the RADIUS client and not used for operational purposes. Enter
the fully qualified domain name of the ISA Server 2004 firewall computer in the Client
address (IP or DNS) text box.
ISA Server 2004 Configuration Guide 25
4. Click the Verify button. In the Verify Client dialog box, the fully qualified domain name of
the ISA Server 2004 firewall computer will appear in the Client text box. Click the
Resolve button. If the RADIUS server is able to resolve the name, the IP address will
appear in the IP address frame. If the RADIUS server is not able to resolve the name,
this indicates that the ISA Server 2004 firewall’s name has not been entered into the
DNS. In that case, you can choose to enter the name of the ISA Server 2004 firewall
computer into the DNS server on the domain controller, or you can use the IP address on
the internal interface of the ISA Server 2004 firewall in the Client address (IP and DNS)
text box on the Name or Address page (as seen above). Click OK in the Verify Client
dialog box.
ISA Server 2004 Configuration Guide 26
5. Click Next on the Name and Address page of the New RADIUS Client wizard.
6. On the Additional Information page of the wizard, use the default Client-Vendor entry,
which is RADIUS Standard. Enter a password in the Shared secret text box and confirm
the password in the Confirm shared secret text box. This shared secret will allow the
ISA Server 2004 firewall and the RADIUS server to confirm each other’s identities. The
shared secret should contain at least 8 characters and include mixed case letters,
numbers and symbols. Place a checkmark in the Request must contain the Message Authenticator attribute check box. Click Finish.
7. The new RADIUS client entry appears in the right pane of the console.
ISA Server 2004 Configuration Guide 27
8. Close the Internet Authentication Service console.
Later in this ISA Server 2004 Configuration Guide series we will configure a RADIUS server
entry in the Microsoft Internet Security and Acceleration Server 2004 management
console and use that entry for Web and VPN client requests.
ISA Server 2004 Configuration Guide 28
Loading...
+ 233 hidden pages
You need points to download manuals.
1 point = 1 manual.
You can buy points or you can get point for every manual you upload.