8/3/2019 Isa Guide Review

    Microsoft

    ISA Server 2000 Configuration Notes

    Version: 1.10

    Date: 14thJune 2004

    Author: Matthew Cook


    Contents

    1. Introduction

    1.1 Background to the Bandwidth Management Advisory Service

    1.2 Introduction to WWW Caching

    1.3 Introduction to Microsoft ISA Server 2000

    1.4 Formatting conventions

    2. Preparation

    2.1 Resources needed to install Microsoft ISA Server 2000

    2.2 Sizing for ISA Server

    3. Installation of Windows 2000 Server

    3.1 Introduction

    3.2 Installation

    3.3 Post installation configuration

    4. Patching and Securing Windows 2000 Server

    4.1 Install SP4 and Current Hotfixes

    4.2 Configure TCP/IP

    5. Installation of Microsoft Internet Security and Acceleration Server

    6. Patching of Microsoft Internet Security and Acceleration Server

    7. Configuring Microsoft Internet Security and Acceleration Server

    8. Upgrading from Microsoft Proxy Server 2.0

    9. Upgrading to ISA Server, Enterprise Edition

    10. Optimising ISA Server

    11. Logging

    12. Useful Resources and URLs


    1. Introduction

    1.1 Background to the Bandwidth Management Advisory Service

The United Kingdom Education and Research Networking Association (UKERNA), the organisation responsible for running JANET, the high speed academic and research computer network, has recently signed a contract with the University of Manchester to provide the JANET Bandwidth Management Advisory Service (BMAS) for the UK Higher and Further Education community. The Service's primary task will be to advise Higher Education (HE) and Further Education (FE) organisations on how to maximise the efficiency of their connection to JANET, thereby facilitating the best possible levels of service for their users.

The Service is operated by the University of Manchester and Loughborough University. This is a consortium that brings together a wealth of technical and user support expertise based on past experience in establishing and running a national web caching infrastructure (a very popular and effective form of bandwidth management) and an advisory service.

We are currently witnessing significant growth in the use of JANET and the Internet for e-learning and teaching, videoconferencing and video streaming, remote collaboration and many other real-time applications. The remit of BMAS, to provide advice on how best to use an organisation's bandwidth allocation, will help to identify, and hopefully resolve, some of the problems associated with increasing use of the above mentioned technologies. Work is currently underway to ensure that BMAS will be able to meet the challenge of delivering the best possible advisory service for these demanding environments in the coming months.

    [George Neisser]

    1.2 Introduction to World Wide Web (WWW) Caching

Bandwidth management encompasses many different techniques and technologies that help make best use of a bandwidth link. Caching is one of the oldest and most effective forms of bandwidth management and as such is widely used throughout many different types of establishments, including Internet Service Providers (ISPs).

In WWW terms, a cache is a place where temporary copies of objects are kept. Essentially, once the object pointed to by a Uniform Resource Locator (URL) has been cached, subsequent requests for the URL will result in the cached copy being returned, and little or no extra network traffic.

Caching is nothing new. Most modern computer systems use it in a number of places, to improve the performance of the main processor(s), speed up disk accesses and so on. Some components of the Internet have been caching for a long time, like the Domain Name System. The WWW has been a bit late to take up the idea, and it was not catered for in its original design. As a result a great deal of WWW traffic is unnecessary, re-fetching from remote sites objects that someone else at one's own or a neighbouring site already has on their hard disk. As the Internet has become more and more popular, this repeated downloading of the same object has become a problem. Network links are getting clogged up, and popular sites often find their WWW server software or hardware is unable to cope with the volume of demand. Consequently, much work has been done (and is still being done) on retrofitting caching to the WWW design.

Some WWW browsers implement their own caches on disk and/or in memory. These usually use schemes that are specific to the browser in question and not shared by multiple users. This is a bad thing for users if they are part of a large organisation. Ideally it should be possible to pool all the browsers' caches of one organisation together.

    [from the Janet Web Caching Service Home Page]


    1.3 Introduction to Microsoft ISA Server 2000

Microsoft Internet Security and Acceleration (ISA) Server 2000 is an Internet firewall and web cache that is capable of integrating into an existing Windows infrastructure.

Further details and resources are available at:

http://www.microsoft.com/isaserver/

Firewalls prevent unauthorised access to an internal network by examining and stopping unwanted traffic. They also control users' access to Internet resources.

Caching can improve network performance, resulting in faster object retrieval. The cache will store and serve the most requested items from local storage and can be tuned to fetch and refresh items automatically when extra bandwidth is available.

Microsoft ISA Server 2000 is a vast improvement over Microsoft Proxy Server 2.0 in terms of manageability and the fine granular controls available to control Internet usage. The inclusion of policy based access controls can restrict access to certain web sites by using a number of rules based on:

    time of day;

    user name;

    IP address;

    content type;

    website address.

    There are various forms of caching, including:

hierarchical caching - allowing one to set up a hierarchy of caches that requests can pass through, all with different or the same policy rule sets;

reverse caching - with ISA Server accelerating the content of local web or FTP server farms, improving the retrieval rate of objects;

scheduled caching - where ISA Server will pre-download and refresh content.

    Figure 1 A basic network configuration with a proxy server

1.4 Formatting Conventions

Text as seen on screen: Courier New

Text typed at the keyboard or option to be selected: Courier New Bold

[Figure 1 diagram: four workstations on the LAN connect through the proxy server to SuperJANET4 and the Internet]


Menu items, windows, icons, tabs: Arial Bold

Important note: Italics

    2. Preparation

    2.1 Resources needed to install Microsoft ISA Server 2000

2.1.1 Hardware

Microsoft recommends an Intel Pentium II 300 MHz processor, 20 MB of New Technology File System (NTFS) disc space and 256 MB RAM.

The test system was an Intel Pentium II 450 MHz processor with a 2 GB system disc, two 4 GB Small Computer System Interface (SCSI) drives for the cache, and 256 MB RAM.

    2.1.2 Essential Software

Microsoft Windows 2000 Server (minimum SP1);

Microsoft ISA Server 2000;

Service Packs and patches.

A 120 day evaluation copy of Microsoft ISA Server 2000 is available for free download from:

    http://www.microsoft.com/isaserver/evaluation/trial/default.asp

When using ISA Server in firewall or integrated mode, two network adapters are required. If hardware and software combinations different from those used to produce this guide are used, the dialogue boxes shown may appear slightly different to those shown here.

For remote management and administration purposes, only the ISA Management plugin needs to be installed. This is a Microsoft Management Console (MMC) snap-in, therefore an operating system that supports MMC snap-ins is required.

It is however recommended that Terminal Services in remote administration mode be installed on the server upon which ISA Server is installed. Because a Terminal Services session gives full control of the proxy, access to its port should be limited (for example by router access control lists) to the administrators' own workstations.

    2.2. Sizing for ISA Server

When installing ISA Server to use as a simple web cache (forward caching), the number of clients accessing the Internet at one time needs to be considered.

The recommendations in Table 1 are Microsoft guidelines only. With the advent of faster machines, specifications will have to be adjusted accordingly.


Note: Setting up more than one ISA Server as an array (sharing the load and a single policy between servers) needs an upgrade to ISA Server, Enterprise Edition.

Number of users | Machine | RAM | Disc storage
up to 500 | 1 x single PII 300 MHz | 256 MB | 2 - 4 GB
500 - 1,000 | 1 x dual PIII 550 MHz | 256 MB | 10 GB
more than 1,000 | 2 x dual PIII 550 MHz | 256 MB | 10 GB

Table 1 Microsoft guidelines

3. Installation of Windows 2000 Server

This chapter is included to aid users installing Windows 2000 Server for the first time. Experienced users or users with a working system can skip this chapter.

    3.1 Installation

1. Connect to a network drive with the Windows 2000 Server CD on it and type winnt /B.

Alternatively, boot the machine using the four setup floppies supplied and use a local CD-ROM drive.

2. Setup reports that it is inspecting the computer's hardware configuration.

3. At this stage press F6 if a third party SCSI or mass storage driver needs to be installed.

    4. Windows 2000 Server Setup begins.

Press ENTER to set up Windows 2000 now.

    5. Setup presents the Windows 2000 Licensing Agreement.

Press PAGE DOWN to read the licence agreement.

Press F8 (I agree) or ESC (I do not agree).

6. Windows 2000 then lists the partitions available for installation and allows the partition table to be edited.

After creating a partition upon which to install Windows 2000 Server, press ENTER to install into that partition.

The cursor keys will move the horizontal selection bar up and down the bottom half of the screen.

Press D to delete the highlighted partition after the subsequent confirmation screens.

Press C to create a partition in the unpartitioned space.

7. After selecting the partition for installation, press the ENTER key.

    8. Windows then prompts for the filesystem type.

    Format the partition using the NTFS filesystem

    or


    Format the partition using the FAT filesystem.

It is strongly recommended that all discs are partitioned as NTFS unless there are specific reasons not to, for example dual booting operating systems.

An NTFS partition is needed for the caching discs.

9. Windows Setup will then format the disc using the file system type selected previously.

10. The system will then reboot.

    11. Setup will continue and will report Windows 2000 Setup ... Please wait.

    Select .

12. Wait while Setup detects and installs devices such as the keyboard and mouse. This will take several minutes. During this time, the screen may flicker for a few seconds.

    Select .

13. Windows 2000 can be customised for different regions and languages.

To change the system or user locale settings from English (United States) to English (United Kingdom), select the English (United Kingdom) locale from the General tab and the English (United Kingdom) input language from the Input Locales tab.

14. Setup uses the information provided by the user to personalise the Windows 2000 software.

Type the full user name and the name of the company or organisation.

    Select ..

    15. Windows 2000 supports two licensing modes.

    Select the licensing mode required, either Per server or Per seat.

    Select .

    16. Computer Name and Administrator Password.

Provide a name and an Administrator password for the computer. Choose a strong password: this account has full control of the machine that will hold the proxy. It is good practice to ensure the Windows name of the machine and its DNS entry are the same.

    Select

    17. Windows 2000 Components.

Add or remove components of Windows 2000. As this is a server install, only a minimal number of components are necessary. The following list is a recommendation.

    In the Accessories and Utilities category:

    deselect Accessibility Wizard.

    In the Accessories subcategory:

    select Calculator;

    deselect Character Map;

    deselect Clipboard Viewer;

    deselect Desktop Wallpaper;

    deselect Document Templates;

    deselect Mouse Pointers;


    deselect Object Packager;

deselect Paint;

    select WordPad;

    deselect Communications;

deselect Games.

In the Multimedia subcategory:

    deselect CD Player;

    deselect Media Player;

    deselect Sample Sounds;

    deselect Sound Recorder;

    deselect Utopia Sound Scheme;

    select Volume Control;

deselect Certificate Services category;

deselect Indexing Service component;

    deselect Internet Information Services (IIS) category;

    deselect Management and Monitoring Tools category;

    deselect Message Queuing Services component;

    deselect Networking Services category;

    deselect Other Network File and Print Services category;

    deselect Remote Installation Services component;

    deselect Remote Storage component;

    deselect Script Debugger component;

    select Terminal Services component;

    deselect Windows Media Services category.

    Select .

    18. Date and Time Settings.

    Set the correct date, time and time zone for the computer.

    Select .

    19. Terminal Services Setup.

Terminal Services can be run in one of two modes, Remote administration mode or Application server mode.

    Select Remote administration mode.

    Select .

    20. Networking Settings.

Setup reports that it is installing networking software that allows connection to other computers, networks and the Internet.

    21. Performing Final Tasks.

    During the final stages of Setup four tasks are completed:

    installation of Start menu items;

    registration of components;


    saving of settings;

removal of any temporary files used.

22. Completing the Windows 2000 Setup Wizard

The final dialogue box states You have successfully installed Windows 2000. If there is a CD in your drive, remove it. Then, to restart your computer, select Finish.

Select Finish and Windows 2000 will then restart.

    3.2. Post Installation configuration

1. Log in as Administrator with the password entered during install.

2. In the Windows 2000 Configure Your Server dialogue box, select I will configure this server later.

    Select .

Deselect Show this screen at startup on the following page and close the window.

    3. Install the drivers appropriate to the hardware installed in the machine.

4. Patching and Securing Windows 2000 Server

4.1. Install Microsoft SP4 and Current Hotfixes

Install Windows 2000 Service Pack 4, then the current security hotfixes. The Microsoft Baseline Security Analyzer (MBSA) is available from:

http://www.microsoft.com/security/

This will check the installation against Microsoft's known patch list; run it again after patching to confirm that nothing has been missed.

    4.2. Configure TCP/IP

1. Select Start -> Settings -> Control Panel -> Network and Dial-up Connections.

2. Highlight Local Area Connection and select Properties, then set the IP address, subnet mask, default gateway and DNS servers under Internet Protocol (TCP/IP).

3. Network Identification tab (Control Panel -> System)

Computer Name: Enter the name of the machine exactly the same as the DNS entry.

Workgroup: Enter a suitable workgroup name.

5. Installation of Microsoft Internet Security and Acceleration Server

These notes cover the installation of Microsoft Internet Security and Acceleration Server 2000 Standard Edition and are based on a test installation.

For further information, please refer to the Microsoft ISA Server installation and deployment guide at:

    http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaentin.mspx

    1. Execute setup.exe located in d:\isa on the supplied ISA CD-ROM.

2. A dialogue box will appear confirming that Setup for Internet Security and Acceleration Server (Standard Edition) has been started.


3. Setup presents the End User License Agreement. After reading the terms and conditions, accept them to continue.

    4. Select the Custom Installation option.

5. Select ISA Services and Administration tools.

Only select the Add-in Services option if the H.323 Gatekeeper service or Message Screener are required. Either or both of these services can be selected using the button provided.

6. Setup offers three options for ISA Server configuration: Firewall mode, Cache mode and Integrated mode. This guide is intended to cover the caching operations of ISA Server. It therefore assumes the user has selected the Cache mode option and has a separate firewall or is using router Access Control Lists (ACLs). In cache mode ISA Server does no packet filtering of its own, so the host relies entirely on that firewall or those ACLs for protection.

For more details about configuring ISA Server in integrated mode please see the Microsoft ISA Server guide at:

    http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaentin.mspx

7. Configuration of which drives should be used for caching is largely hardware dependent. Cache drives can only be configured at this point if they have already been formatted with the NTFS file system. The speed at which ISA Server operates can be increased greatly with the number of hard discs in the system: the greater the number of spindles, the greater the throughput. It is also advisable not to have the cache discs in a Redundant Array of Inexpensive Discs (RAID) configuration, since the cache contents are disposable and RAID only costs write performance. To configure the cache sizes, select each drive in turn and set the amount of space to use.

    Figure 2 MS specifying

8. Select the adapter upon which the internal network can be accessed and then construct the Local Address Table (LAT) that defines the addresses treated as internal, i.e. those that can access the Internet through the ISA Server.

This is extremely important to stop the machine becoming an open proxy: every address in the LAT is trusted as a local client.

Select

Note: When creating a LAT, only include the IP addresses on the local netblock. Including any IP addresses on the Internet, or the external interface of your ISA Server (if you have two network cards), would cause hosts out on the Internet to be treated as internal clients and could lead to further security issues with the system.
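As an added example (not part of the original guide and not Microsoft's tooling), the following Python function checks a proposed LAT against the site's own netblocks and the server's external address before the table is accepted. The netblocks, the external interface address and the proposed ranges are constructed for illustration; the rule it enforces is the one in the note above: nothing in the LAT may lie outside the local netblocks or cover the external interface.

```python
"""Sanity-check a proposed ISA Server Local Address Table (LAT).

Added example, not code from the guide or from Microsoft.  Everything listed
in the LAT is trusted as an internal client, so an entry that strays onto the
Internet, or that swallows the server's own external interface, turns the
cache into an open proxy.  The netblocks and interface address below are
constructed for illustration.
"""
import ipaddress

# Constructed values standing in for a real site's allocation (assumptions).
SITE_NETBLOCKS = [ipaddress.ip_network("10.20.0.0/16"),
                  ipaddress.ip_network("192.168.50.0/24")]
EXTERNAL_INTERFACE = ipaddress.ip_address("194.80.100.5")


def lat_problems(lat_ranges, site_netblocks=SITE_NETBLOCKS,
                 external_if=EXTERNAL_INTERFACE):
    """Return [(range, reason), ...] for every LAT entry that would widen the
    trusted 'internal' side of the server.  An empty list means the LAT only
    names the site's own addresses.  lat_ranges are (first, last) address
    strings, exactly as they are typed into the LAT dialogue."""
    problems = []
    for first, last in lat_ranges:
        lo, hi = ipaddress.ip_address(first), ipaddress.ip_address(last)
        if hi < lo:
            problems.append(((first, last), "last address precedes first address"))
            continue
        # Break the range into the CIDR blocks that cover it exactly.
        for net in ipaddress.summarize_address_range(lo, hi):
            if external_if in net:
                problems.append(((first, last),
                                 "contains the external interface %s" % external_if))
            elif net.is_global:
                # Public Internet space: hosts out there would be treated as local.
                problems.append(((first, last), "%s is public Internet space" % net))
            elif not any(net.subnet_of(site) for site in site_netblocks):
                # Private but not ours: RFC 1918 space this server should not
                # be proxying for.
                problems.append(((first, last),
                                 "%s is not one of the site's netblocks" % net))
    return problems


if __name__ == "__main__":
    proposed = [("10.20.0.0", "10.20.255.255"),      # the site's own block: fine
                ("192.168.50.0", "192.168.50.255"),  # fine
                ("194.80.100.0", "194.80.100.255"),  # includes the external NIC
                ("0.0.0.0", "255.255.255.255")]      # the classic open-proxy LAT
    for rng, why in lat_problems(proposed):
        print("%s-%s: %s" % (rng[0], rng[1], why))
```

Run it against the ranges you intend to type into the LAT dialogue before accepting them; a clean table produces no output.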

9. ISA Server includes a Getting Started Wizard that is the recommended way of starting the initial configuration; however, it is best to finish patching ISA Server first. Deselect Start the ISA Server Getting Started Wizard.

10. Setup should then report that Microsoft Internet Security and Acceleration Server Standard Edition Setup was completed successfully.

    Select

6. Patching of Microsoft Internet Security and Acceleration Server

    1. Download Service Pack 2 for ISA server from:


    http://www.microsoft.com/isaserver/downloads/

2. Check the digital signature of the downloaded executable, isasp2-ENU.exe, then execute it and wait for the machine to reboot.

3. Keep up to date with essential security patches, either by joining the Microsoft Security Bulletin mailing list or by regularly reading another security list or web site.

7. Configuring Microsoft Internet Security and Acceleration Server

    7.1 Introduction

After installation and patching, management of ISA Server is through two menu items in the Microsoft ISA Server program group in the Start menu. Select Start -> Programs -> Microsoft ISA Server and the ISA Management console will load. This can also be accessed by adding the ISA Management MMC snap-in to a console of your own.

    Figure 3 The ISA Management Console

Microsoft has included a Getting Started Wizard to ease initial configuration of ISA Server. Clicking the Getting Started Wizard icon will present a set of eight configuration dialogues for the initial configuration.

In a change from the configuration of Microsoft Proxy Server 2.0, ISA Server relies on the creation and configuration of Rules and Policies. Rules are a series of statements that define access controls to allow access to sites, content and protocols. Policy elements that can be defined include: Schedules, Destination Sets, Client Address Sets, Protocol Definitions, Content Groups and Dial-up Entries.

The first items for configuration are the elements that allow fine granular control over access to the Internet. Select which elements control access to the Internet from a list of Users and Groups, Computer names or IP address, Schedules or Destination Sets.


It is recommended to keep all options selected to allow future expansion and changes to policy.

    7.2 Schedules

The next option is to configure and add Schedules to help manage access to the Internet via the ISA Server. Two schedules are already predefined: Weekends and Work hours. Alter these by double clicking on the clock icons in the window, selecting the Schedule tab and marking the hours active or inactive.

Add further schedules by clicking the Create a Schedule icon, which allows schedules to be configured to permit different types of access, for example during a lunch hour.

    Figure 4 Configuring Schedules

Select the Configure Client Sets option. Client sets allow different levels of access to be given to different ranges of IP addresses. It may be that the creation of a client set for students and one for staff is satisfactory, or perhaps an extra set for open access PCs is required. Bear in mind that a client set only identifies a machine by its address: where users can set their own IP address, a rule keyed on client sets alone can be sidestepped, so combine client sets with user and group restrictions where the clients can authenticate.

    7.3 Protocol rules

These allow the definition of which protocols can be used to access the Internet. For example, all open access PC labs could be restricted to HTTP only, or File Transfer Protocol (FTP) could be allowed only from staff PCs. To create protocol rules, navigate a multi stage wizard.


    Figure 5 Protocol Rules

The first dialogue box requires only the name of the protocol rule to be entered. The second dialogue box confirms whether the rule is to allow or deny use of the protocol.

    Figure 6 Allow and Deny Rules

The next stage is to choose how to apply the rule and which protocols to apply it to.


    Figure 7 Applying rules to protocols

After defining the protocols that form the rule, the powerful interaction between the rules being defined and the elements that give fine granular control over access (i.e. users and groups, computer names or IP addresses) will be discovered.

The next dialogue box allows a schedule to be associated with this protocol rule, to define at which times of day access is granted.


    Figure 8 - Schedules

The next dialogue box allows further definition of the rule by applying restrictions to specific computers, users and groups, or leaving the rule to apply to any request.

    Figure 9 Applying restrictions

The final dialogue screen will show a summary of the completed protocol rules that have been defined.

    7.4 Destination sets

The Getting Started Wizard's next configuration section is for Destination Sets. This allows grouping of machines on the Internet by either Fully Qualified Domain Name (FQDN) or IP address.

Such lists could be used to restrict access to some web sites at certain times of the day or to certain groups of users. A common usage is to restrict sites that teaching staff would prefer students not to visit during teaching time. A list could be created to include the machines providing the Hotmail service, so that student machines accessing the Hotmail service during school hours could have their request refused and logged. Note that a destination set only matches the names or addresses it lists; the same service reached under another name or address is not covered.
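The way schedules (7.2), client sets, protocol rules (7.3) and destination sets combine is easier to see in code than across eight wizard pages. The following Python model is an added example, not code from the guide or from Microsoft: it implements the evaluation order the product documents (deny rules are considered before allow rules, and a request must be allowed by both a protocol rule and a site and content rule) against policy elements constructed for illustration, including the Hotmail-during-teaching-time case described above.

```python
"""How ISA Server 2000 policy elements combine to decide a request.

Added example, not code from the guide or from Microsoft: a small model of
schedules, client address sets, destination sets and rules, with the
evaluation order the product documents (deny rules are checked before allow
rules, and a request needs both a protocol rule and a site and content rule
to allow it).  The elements defined at the bottom are constructed for
illustration.
"""
from dataclasses import dataclass
from datetime import datetime
import ipaddress


@dataclass
class Schedule:
    name: str
    hours: dict            # weekday (0 = Monday) -> set of active hours (0-23)

    def is_active(self, when):
        return when.hour in self.hours.get(when.weekday(), set())


@dataclass
class ClientSet:
    name: str
    ranges: list           # [(first address, last address), ...] as in the dialogue

    def contains(self, ip):
        ip = ipaddress.ip_address(ip)
        return any(ipaddress.ip_address(a) <= ip <= ipaddress.ip_address(b)
                   for a, b in self.ranges)


@dataclass
class DestinationSet:
    name: str
    names: list            # FQDNs; a leading "*." also matches every subdomain

    def matches(self, host):
        host = host.lower().rstrip(".")
        for pattern in self.names:
            pattern = pattern.lower()
            if pattern.startswith("*."):
                if host == pattern[2:] or host.endswith(pattern[1:]):
                    return True
            elif host == pattern:
                return True
        return False


@dataclass
class Rule:
    name: str
    action: str                           # "allow" or "deny"
    protocols: set = None                 # None: any protocol
    clients: ClientSet = None             # None: any request
    destinations: DestinationSet = None   # None: any destination
    schedule: Schedule = None             # None: always

    def applies(self, protocol, client_ip, host, when):
        return ((self.protocols is None or protocol in self.protocols)
                and (self.clients is None or self.clients.contains(client_ip))
                and (self.destinations is None or self.destinations.matches(host))
                and (self.schedule is None or self.schedule.is_active(when)))


def verdict(rules, protocol, client_ip, host, when):
    """One rule set: a matching deny wins; otherwise the first matching allow;
    otherwise deny, because nothing is permitted until a rule allows it."""
    matching = [r for r in rules if r.applies(protocol, client_ip, host, when)]
    for wanted in ("deny", "allow"):
        for r in matching:
            if r.action == wanted:
                return wanted, r.name
    return "deny", "no matching allow rule"


def decide(protocol_rules, site_rules, protocol, client_ip, host, when):
    """A request passes only if the protocol rules AND the site and content
    rules both allow it.  Returns (decision, reason)."""
    for kind, rules in (("protocol", protocol_rules), ("site and content", site_rules)):
        decision, reason = verdict(rules, protocol, client_ip, host, when)
        if decision == "deny":
            return "deny", "%s rule: %s" % (kind, reason)
    return "allow", "allowed by both rule sets"


# Constructed policy elements (assumptions, for illustration only).
WORK_HOURS = Schedule("Work hours", {d: set(range(9, 17)) for d in range(5)})
STAFF = ClientSet("Staff PCs", [("10.20.1.1", "10.20.1.254")])
OPEN_ACCESS = ClientSet("Open access lab", [("10.20.30.1", "10.20.30.254")])
WEBMAIL = DestinationSet("Hotmail", ["*.hotmail.com"])

PROTOCOL_RULES = [
    Rule("Staff: web and FTP", "allow", {"HTTP", "HTTPS", "FTP"}, clients=STAFF),
    Rule("Lab: web only", "allow", {"HTTP", "HTTPS"}, clients=OPEN_ACCESS),
]
SITE_RULES = [
    Rule("No webmail in teaching time", "deny", clients=OPEN_ACCESS,
         destinations=WEBMAIL, schedule=WORK_HOURS),
    Rule("Allow all other sites", "allow"),
]

TUE_1030 = datetime(2004, 6, 15, 10, 30)   # Tuesday, inside Work hours
TUE_1900 = datetime(2004, 6, 15, 19, 0)    # Tuesday evening
SAT_1030 = datetime(2004, 6, 19, 10, 30)   # Saturday

if __name__ == "__main__":
    for req in [("FTP", "10.20.1.10", "ftp.example.ac.uk"),
                ("FTP", "10.20.30.7", "ftp.example.ac.uk"),
                ("HTTP", "10.20.30.7", "www.hotmail.com"),
                ("HTTP", "10.20.30.7", "www.bbc.co.uk")]:
        print(req, decide(PROTOCOL_RULES, SITE_RULES, *req, TUE_1030))
```

Two properties of the model are worth keeping in mind when building the real policy: a client that belongs to no client set matches no allow rule and is therefore denied everything, and a deny site rule with a schedule silently stops applying outside the scheduled hours.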

If an ISDN or traditional dial-up link is used for a primary or backup connection for the ISA Server, the configuration is added in the Dial-Up configuration wizard. This will, for example, then allow the backup route to be brought up if the primary route fails.


    Figure 10 The dial-up configuration wizard

Configuring Routing for Web Browser Applications allows the routing of all the web traffic to be defined.

Configuration is in five tabs:

General;

Destinations;

Action;

Cache;

Bridging.


    Figure 11 Default rule properties

The Destinations tab allows the redirection of the destination traffic to an upstream proxy server or direct to the Internet. Rules can be applied to the ISA Server to allow staff traffic to go direct to the Internet, whilst student traffic is directed to a content filter.

The Action tab for the default rule has similar configuration options to those included in Microsoft Proxy Server 2.0. There are three options for processing requests:

Retrieving them directly from the specified destination - all objects not in the cache (if enabled) are fetched directly from the source site;

Routing them to a specified upstream server - all objects not in the cache (if enabled) are fetched from an upstream server, which can be another web cache or, more commonly, a content filtering service;

Redirecting them to a hosted site - all objects not in the cache (if enabled) are redirected to a hosted site, which is useful when combined with ISA Server rules to redirect requests for certain content to a set of informational pages.

    Figure 12 Default rule properties - Actions

At this stage of configuration the Cache tab entries will be greyed out. The caching facilities in ISA Server can be configured later.

The Bridging tab allows configuration of how HyperText Transfer Protocol (HTTP) and Secure Sockets Layer (SSL) traffic are redirected. The default configuration is to redirect HTTP requests as HTTP and to redirect SSL requests as HTTP.

It is not recommended to redirect normal HTTP requests to the destination site as SSL, due to increased overheads and the risk of destination sites not supporting SSL.


If SSL content is not being allowed to pass directly through the cache without being intercepted, then configuring SSL requests to be forwarded on from the ISA Server as SSL will keep the requests from the clients secure. Forwarding them as HTTP would send the decrypted traffic in clear text on the leg between the ISA Server and the destination site, so check this setting whenever the server terminates SSL.

7.5 Caching policy

The final stage of the Getting Started Wizard is the configuration of the Caching Policy.

    Figure 13 Cache configuration properties

Double clicking on the Configure Cache Policy icon opens a dialogue box with five tabs:

General;

HTTP;

FTP;

Active Caching;

Advanced.


    Figure 14 Cache configuration properties - HTTP

The first tab, General, shows the total cache size configured for the server as set at installation.

The HTTP tab allows HTTP caching to be enabled on the ISA Server. This is strongly recommended unless the ISA Server is acting as an upstream content filter with third party software installed.

It is recommended that the default expiry setting is left as Normally, unless the external link is saturated, in which case trying to extend the life of cached objects may be of benefit. This is done at the expense of possibly providing stale content to users.

The FTP tab allows caching of FTP objects to be enabled on ISA Server. This is useful for the small number of downloads linking to an FTP server from web sites. As files transferred via FTP are often quite large, care must be taken to monitor the cache disc space. If more disc space is available, the Time to Live (TTL) can be tweaked. For a site with approximately 500 users with average browsing habits and 40 GB of cache space, the TTL can safely be configured to be several days.


    Figure 15 - Cache Configuration Properties - FTP

Active caching can really benefit sites that have a permanent Internet connection that is heavily saturated during the day and under utilised during the evening and night time.

    Figure 16 - Cache Configuration Properties Active Caching

There are three options when active caching is enabled:

Frequently - ISA Server will frequently update the cached content to ensure that items are up to date, refreshing the TTL to avoid client machines being served stale content or having to wait for each request to be fetched from source.

Normal - ISA Server will balance the extra network traffic caused by active caching against the risk of client machines being served stale content or having to wait for each request to be fetched from source.

Less frequently - is the best option for sites with low bandwidth links. ISA Server will be conservative over what content is fetched to refresh the cache content.

The Advanced tab contains more advanced configuration options, many of which are advised to be left as the default.


    Figure 17 Cache Configuration Properties Advanced

Do not cache objects larger than is a useful aid to avoid caching the 200 MB download that one user may download and no one else will. Most white papers recommend sizes between 32 MB and 50 MB, although with increased file sizes and inexpensive discs becoming commonplace, this can be increased. A useful measurement is the size of the average Microsoft Windows Service Pack, which is something that will probably be wanted in the cache, as opposed to a 650 MB ISO image.

Therefore, considering that the patches usually downloaded by users run to several megabytes, increasing this figure will reduce the bandwidth demands of continued retrieval from source.

Cache objects that have an unspecified last modification time and Cache objects even if they do not have an HTTP status code of 200 are recommended to be left as default.

Cache dynamic content is an excellent method of ensuring content gets cached where sites insist on marking static content as dynamic, or use obfuscated ways of serving pages via PHP-Nuke and similar. The downside of caching dynamic content results from poorly written e-commerce sites, where a page containing one user's personal details may get cached and then be served from the shared cache to the next user who requests the same URL. Only the site's own Cache-Control headers (private or no-store) prevent this once the option is on, so enable it with care.

ISA Server keeps content in RAM as well as on disc to speed up delivery of content to clients. The Maximum size of URL cached in memory setting should be set according to the memory available in the machine. The recommended setting is 12800 bytes for every 256 MB of memory available.

ISA Server can ignore some expired object rules if the original site cannot be reached. It is recommended to leave the configuration as per default, to allow pages to continue to be served during an extended outage of a remote web server even if the content is stale. Stale content is usually better than no content at all!

Set the Percentage of free memory to use for caching to 75%. This seemed to be the optimum configuration after testing various settings whilst monitoring machine performance using Performance Monitor. Results may, however, vary from site to site.
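The decisions behind the HTTP tab's expiry setting and the Advanced tab options above (maximum object size, objects without a Last-Modified header, non-200 responses, dynamic content) come down to two questions a shared cache asks of every response: may I store it, and for how long? The following Python is an added example, not code from the guide or from Microsoft; the settings defaults, the refusals for Set-Cookie and authenticated responses (a conservative practitioner's addition, not options in the ISA dialogue) and the sample responses are all constructed for illustration. It shows concretely why Cache dynamic content can hand one user's page to the next.

```python
"""Should a shared web cache store this response, and for how long?

Added example, not code from the guide or from Microsoft.  It models the
decisions behind the HTTP tab's TTL setting and the Advanced tab options
(maximum object size, unspecified Last-Modified, non-200 status, dynamic
content) and shows why 'Cache dynamic content' can leak one user's page to
the next.  The defaults, the Set-Cookie/Authorization refusals and the sample
responses are constructed for illustration, not the product's exact values.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime


@dataclass
class CacheSettings:
    max_object_bytes: int = 50 * 1024 * 1024   # "Do not cache objects larger than"
    cache_unspecified_last_modified: bool = True
    cache_non_200: bool = False
    cache_dynamic_content: bool = False        # URLs containing '?'
    ttl_percent_of_age: int = 20               # the "Normally" expiry policy (assumed)
    ttl_min_seconds: int = 15 * 60
    ttl_max_seconds: int = 24 * 60 * 60


@dataclass
class Response:
    url: str
    status: int
    length: int
    headers: dict = field(default_factory=dict)  # lower-case header names
    authenticated: bool = False                 # request carried Authorization


def cache_control(resp):
    """Parse Cache-Control into {directive: value}; value is '' if absent."""
    directives = {}
    for part in resp.headers.get("cache-control", "").split(","):
        part = part.strip()
        if part:
            name, _, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"')
    return directives


def should_store(resp, settings):
    """Return (store, reason).  The site's own Cache-Control is honoured
    before any local option gets a say."""
    cc = cache_control(resp)
    if resp.length > settings.max_object_bytes:
        return False, "object larger than the configured maximum"
    if resp.status != 200 and not settings.cache_non_200:
        return False, "status is not 200"
    if "no-store" in cc or "private" in cc:
        return False, "Cache-Control marks the response private/no-store"
    if resp.authenticated and "public" not in cc:
        return False, "response to an authenticated request"
    if "set-cookie" in resp.headers and "public" not in cc:
        return False, "response sets a cookie, so it is probably per-user"
    if "?" in resp.url and not settings.cache_dynamic_content:
        return False, "dynamic content and the option is off"
    if ("last-modified" not in resp.headers and "expires" not in resp.headers
            and "max-age" not in cc and not settings.cache_unspecified_last_modified):
        return False, "no Last-Modified and the option is off"
    return True, "stored"


def ttl_seconds(resp, settings, now):
    """Explicit freshness (max-age, Expires) wins; otherwise the TTL is a
    percentage of the object's age, clamped to the configured bounds."""
    cc = cache_control(resp)
    if cc.get("max-age", "").isdigit():
        return int(cc["max-age"])
    if "expires" in resp.headers:
        expires = parsedate_to_datetime(resp.headers["expires"])
        return max(0, int((expires - now).total_seconds()))
    if "last-modified" in resp.headers:
        age = (now - parsedate_to_datetime(resp.headers["last-modified"])).total_seconds()
        heuristic = age * settings.ttl_percent_of_age / 100
        return int(min(settings.ttl_max_seconds, max(settings.ttl_min_seconds, heuristic)))
    return settings.ttl_min_seconds


# Constructed sample responses (assumptions, for illustration only).
NOW = datetime(2004, 6, 25, 10, 0, tzinfo=timezone.utc)
ORDERS_PAGE = Response("http://shop.example/orders.php?view=recent", 200, 4096,
                       {"content-type": "text/html"})     # personalised, no Cache-Control
PRIVATE_PAGE = Response("http://shop.example/orders.php?view=recent", 200, 4096,
                        {"content-type": "text/html", "cache-control": "private"})
SERVICE_PACK = Response("http://download.example/W2KSP4_EN.EXE", 200, 135 * 1024 * 1024,
                        {"last-modified": "Tue, 15 Jun 2004 10:00:00 GMT"})

if __name__ == "__main__":
    print(should_store(ORDERS_PAGE, CacheSettings()))
    print(should_store(ORDERS_PAGE, CacheSettings(cache_dynamic_content=True)))  # the leak
    print(should_store(PRIVATE_PAGE, CacheSettings(cache_dynamic_content=True)))
    big = CacheSettings(max_object_bytes=200 * 1024 * 1024)
    print(should_store(SERVICE_PACK, big), ttl_seconds(SERVICE_PACK, big, NOW))
```

With the defaults the personalised orders page is refused because of its query string; turn Cache dynamic content on and it is stored, and only a site that sends Cache-Control: private is protected. The service pack, by contrast, is refused at the default size limit and only cached once the limit is raised, with its heuristic TTL clamped to the one-day maximum.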

Select Exit the Getting Started Wizard. This completes enough configuration to get ISA Server up and running as a web cache.


7.6 Further Configuration

For further configuration, links to the dialogue boxes can be reached via the console hierarchy on the left of the administration tool or via the task pads in the right hand pane.

Three of the main day-to-day tasks available from the Task pad are: Servers and Arrays, Backup and Monitoring.

Servers and Arrays lists the servers in the array which can be managed, along with further details, descriptions, type, mode, date created and uptime. The Connect To and Disconnect From icons allow configuration of remote machines and arrays.

    Figure 18 Task pad Configure Servers and Arrays

Selecting Configure Servers and Arrays allows changes and additions to be made to the settings added in the Getting Started Wizard.

The three options Configure Access Policy, Configure Network Connection and Configure Cache were covered in the Getting Started Wizard.

Configure Publishing Policy for forward caching is not covered in this guide. For more information on this subject see the Microsoft ISA Server guide at:

    http://www.microsoft.com/isaserver/


    Figure 19 Set configuration

The second option from the main welcome Task Pad in the administration tool is Backup. It is strongly recommended that you back up the Server configuration after any changes have been made and before any upgrade or patching operations.

After selecting the Back Up Selected Server or Array Configuration option, a dialogue box is presented.

    Figure 20 Task pad Back up and Restore

This allows all configuration details to be stored in a file in a directory on the local machine, or better still on a remote system as a backup. Enter a suitable local path or Universal Naming Convention (UNC) address.


The Comment field is useful to record the changes made, on which date and who made them.

    Figure 21 Back up array dialogue box

The third option from the main welcome Task Pad in the administration tool is for monitoring. Common monitoring tasks for the purpose of troubleshooting and performance monitoring are available from three options:

Monitor Alerts;

Monitor Servers and Services;

Monitor Sessions.

    Figure 22 Task Pad Monitor Servers and Arrays.

Selecting Monitor Alerts will display the alerts that are written to the Event Viewer. Issues such as the ISA Server services failing to be started can be diagnosed from this Task Pad.


    Figure 23 Monitor Alerts

Selecting Monitor Servers and Services shows the system services associated with ISA Server and their current status. Services can be started and stopped as required for maintenance and troubleshooting purposes.

    Figure 24 Monitor Servers and Services

The most useful Monitoring Task pad, Sessions, is used for monitoring all active client sessions that are using the Microsoft ISA Server. Before stopping services for maintenance, the number of users using the service can be checked. Sessions can also be disconnected and therefore moved to another server in the array. The Task Pad can also be used to just check the load on the ISA Server at any time.

    Figure 25 Monitor Sessions

    8. Upgrading from Microsoft Proxy Server 2.0

Many Microsoft products support migration to newer versions with varying degrees of success. Microsoft ISA Server supports a migration from Microsoft Proxy Server 2.0 running on Windows NT 4.0 or Windows 2000. For the purposes of this guide, a migration from Microsoft Proxy Server 2.0 running on Windows NT 4.0 SP6a to ISA Server Standard Edition on Windows 2000 was completed.

    This information is based on the Microsoft whitepaper at:

    http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaentin.mspx

Microsoft gives several reasons for upgrading to ISA Server, although one of the main reasons, security patch support for older products, seems to have been omitted.

A multilayer firewall that features stateful inspection, broad application support, and integrated intrusion detection. Stateful inspection firewalls inspect more than just the packet header; they also track the connections across the firewall interfaces, allowing for greater control.

    Integrated Virtual Private Networking.

    System Hardening.

    RAM caching and optimised cache store, including scheduled content download.

Unified management console, including graphical taskpads and wizards for common tasks.

    Transparency for all clients.


Advanced monitoring features, including customisable alerts, detailed logging and reporting.

    Extensible platform with a Software Development kit.

    Before you start the upgrade process, Microsoft warn of several issues:

Upgrading from Microsoft Proxy Server 1, Back Office Server 4.0 or Small Business Server 4.0 is not supported.

There is no automatic option to return to Microsoft Proxy Server 2.0 once the upgrade to ISA Server has been started.

    ISA Server does not support the legacy IPX protocol.

As ISA Server cannot run under Windows NT 4.0, an Operating System upgrade also has to be performed.

    To do this:

Firstly shut down any running applications and stop the following services, wspsrv, mspadmin and w3svc, either using the net stop command or from the Services applet in Control Panel. Insert the Windows 2000 CD-ROM and start the upgrade procedure. During the upgrade there may be warnings about compatibility issues between Microsoft Proxy Server 2.0 and Windows 2000. These can be ignored for the sake of this upgrade.

After Windows 2000 has been installed, ensure that the operating system has the latest service pack installed and all the relevant post service pack hot fixes have been applied.

Running the ISA Server upgrade option from the install CD-ROM follows the same installation routine that is covered in section 4 with a few exceptions. Most Microsoft Proxy Server 2.0 rules, network settings, monitoring configuration and cache configuration will be migrated across.

It is recommended that a backup is taken of the cache logs before the system is migrated, as during testing the old Microsoft Proxy Server 2.0 logs were removed by the upgrade process.

Microsoft Proxy Server 2.0 listens for HTTP requests on port 80, and ISA Server listens on port 8080. You can either change the port that ISA Server listens on back to 80 or update all the clients manually or through a proxy.pac file.

NB: All cached content on the system will be lost during the upgrade, so initial performance may be worse on the new system even after hardware and/or software upgrades until the cache can be re-populated.

Socks configuration from Microsoft Proxy Server 2 cannot be migrated and Socks rules must be re-entered.
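A proxy.pac for the port change described above, added here as an example (it is not from the guide or from Microsoft); the ISA host name isa-cache.example.ac.uk and the internal domain .example.ac.uk are assumptions, and the PAC helper functions are reimplemented locally so the file can be tested outside a browser:

```javascript
// Added example (not from the guide): a proxy.pac that repoints clients at the
// ISA Server Web Proxy listener on port 8080 after migration from Proxy Server
// 2.0 on port 80. The host name and internal domain are constructed placeholders.

// Local stand-ins for the PAC helper functions a browser normally provides, so
// the file can be exercised outside a browser (e.g. under Node) before rollout.
function isPlainHostName(host) {
  return host.indexOf('.') === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
         host.substring(host.length - domain.length) === domain;
}
function shExpMatch(str, shexp) {
  // Translate a shell-style pattern ('*', '?') into an anchored regular expression.
  var re = shexp.replace(/[.+^${}()|[\]\\]/g, '\\$&')
                .replace(/\*/g, '.*')
                .replace(/\?/g, '.');
  return new RegExp('^' + re + '$').test(str);
}

// Constructed values: the ISA Server host and the site's internal DNS domain.
var ISA_PROXY = 'PROXY isa-cache.example.ac.uk:8080';
var INTERNAL_DOMAIN = '.example.ac.uk';

function FindProxyForURL(url, host) {
  // Loopback, bare host names, the internal domain and the private 10/8 range
  // are reached directly; caching them would only add latency.
  if (host === 'localhost' || host === '127.0.0.1' ||
      isPlainHostName(host) ||
      dnsDomainIs(host, INTERNAL_DOMAIN) ||
      shExpMatch(host, '10.*')) {
    return 'DIRECT';
  }
  // Everything else goes through ISA Server on its new port. No '; DIRECT'
  // fallback is listed: that would let clients bypass the cache and its access
  // policy whenever the proxy is unreachable, which is a policy gap rather than
  // a convenience.
  return ISA_PROXY;
}
```

Clients that previously pointed at port 80 pick up the new port as soon as they reload the PAC file, so the ISA listener can stay on 8080.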

Microsoft lists how the Rules and Policies will be migrated.

Microsoft Proxy Server 2.0        ISA Server

Domain filters                    Site and content rules

Winsock permission settings       Protocol rules

Publishing properties             Web publishing rules

Static packet filters             Open or blocked IP packet filters

Web proxy routing rules           Routing rules

    Figure 26 Microsoft Rules and Policies migration table

Additional configuration settings, including local address tables, automatic dial settings, alerts, log settings and client configurations, are also copied.

It is recommended to allow two days for a full backup, archive, upgrade and configuration of a migration from Microsoft Proxy Server 2.0 running on Windows NT 4.0 to ISA Server running on Windows 2000.

Unless a lot of time has been invested in very specific configuration of the rules within Microsoft Proxy Server 2.0, so that retaining the configuration is desirable, it may be more effective to start from scratch with a fresh install of Windows 2000 and ISA Server.

    9. Upgrading to ISA Server, Enterprise Edition

Microsoft recommends upgrading to the Enterprise Edition of ISA Server for three reasons:

it can be deployed in multi-server arrays for better scalability, performance, fault tolerance, and centralized management;

it supports two levels of policy management: array policy that can be applied to an entire array of servers, and enterprise policy that can be applied to all the arrays in the organisation;

there is no restriction on the number of processors on the ISA Server computer (Standard Edition is restricted to four processors).

    There are four stages to upgrading from Standard to Enterprise version of ISA Server.

1. Back up the existing ISA Server Standard Edition policy.

2. Run Setup from the ISA Server Enterprise Edition CD-ROM; this will upgrade the installation to Enterprise Edition in a stand-alone configuration.

3. Run the ISA Server Enterprise Edition Initialization program if you wish to install the ISA Server array schema into Active Directory.

This is a one-way operation that cannot be undone. If you are using ISA Server in a stand-alone configuration you can ignore this stage.

    Figure 27 ISA Server Initialisation Tool

4. If not running in stand-alone mode the server needs to be promoted to an array member. Select the machine to promote in the console tree of ISA Management, right-click and select Promote.

    10. Optimising ISA Server and Troubleshooting

    10.1. Managing bandwidth on low bandwidth links


If the bandwidth of an external link is saturated with traffic from Microsoft ISA Server, bandwidth for other applications can be increased by restricting the bandwidth for certain requests via the Microsoft ISA Server.

The bandwidth rule wizard allows rules to be created to limit the bandwidth available to requests matching the familiar rule set available in Microsoft ISA Server.

    The bandwidth rule is then given a specific priority against the default bandwidth rule.

    Further information is available at:

    http://support.microsoft.com/default.aspx?scid=kb;en-us;302875

    10.2. Screensavers

Careful consideration of screensaver selection can reduce processor utilisation by as much as 50%. OpenGL and 3D screensavers cause a lot of processor utilisation, thus restricting processor time for network services such as a proxy server. A simple textual screensaver such as Marquee is recommended: it will remind people the machine is powered on, but will not drain processor resources.

Even the text screensaver uses up resources. It is far better to use the 'blank screen' screensaver and stick a Post-it note on the monitor.

    10.3. Background Processes

Background processes on machines consume CPU cycles and can cause latency when processing web requests. It is recommended that processes such as SETI@Home and DNETC are removed.

10.4. Cache initialisation errors

One of the frequent errors encountered after installation is Cache initialisation failure or Cache container initialisation error. This occurs when the rest of the partition where Microsoft ISA Server is installed has been allocated to be used as a cache. Further information is available at:

http://support.microsoft.com/?kbid=284550

    11. Logging

    11.1. Logging in Microsoft ISA Server

When debugging problems in any piece of software, logging is an essential part of the process. Microsoft ISA Server stores various logs for the purpose of debugging as well as traceability.

The logs are accessed from the Microsoft ISA Server MMC tool. Expand the Monitoring Configuration to show the configuration options and the logs available.

The Monitoring Configuration section is split into three sections: Alerts, Logs and Report Jobs.

Alerts These are primarily concerned with the Firewall element of ISA Server and can produce an e-mail alert for the system administrator, send a pop-up or even start a program or script. Although the pre-defined alerts are biased towards the firewall elements, there are several caching related alerts and always the opportunity to create one's own.

Logs Three elements of ISA Server are recorded and configured here. What is recorded for Packet filters, Firewall service and Web Proxy service can be configured.


Report Jobs Reports allow details to be extracted from the logging to produce only the information required for logging tasks. Reports can be created for various events and then retrieved as and when required.

The Monitoring section in the Microsoft ISA Server MMC tool allows the reports and monitoring configured earlier to be viewed. There are four sections available:

Alerts Any current alerts can be viewed in this window and reset.

Services Any Windows services associated with Microsoft ISA Server can be started and stopped, along with information on their current status.

Sessions All active sessions are displayed in this window with an option to disconnect any as required.

Reports Any reports configured previously are displayed here in two sections: Summary and Web Usage.

    11.2. Logging to an alternative location

For large scale installations, logging to an alternative location might be a desirable alternative to logging internally. If advanced reporting tools are going to be developed, Structured Query Language (SQL) queries might be an easier method of data extraction than those currently available. Further information is available at:

    http://www.isaserver.org/tutorials/How_to_setup_SQL_Logging_in_ISA_Server.html

12. Useful Resources and URLs

Microsoft's homepage for ISA Server. Useful documentation, security announcements, patches and white papers.

    http://www.microsoft.com/isaserver/

    A comprehensive resource of articles, reviews and advice for running ISA Server.

    http://www.isaserver.org/

Configuration details for ISA Server, including commercial security and configuration packages.

    http://www.indepth-tech.com/ISAServer/

    Copyright

    Screen shots reprinted by permission from Microsoft Corporation.
