Contents
Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
Lab A: Configuring ISA Server for the Enterprise
Review
Module 9: Configuring ISA Server for an Enterprise
Information in this document is subject to change without notice. The names of companies,
products, people, characters, and/or data mentioned herein are fictitious and are in no way intended
to represent any real individual, company, product, or event, unless otherwise noted. Complying
with all applicable copyright laws is the responsibility of the user. No part of this document may
be reproduced or transmitted in any form or by any means, electronic or mechanical, for any
purpose, without the express written permission of Microsoft Corporation. If, however, your only
means of access is electronic, permission to print one copy is hereby granted.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property.
© 2001 Microsoft Corporation. All rights reserved.
Microsoft, Active Directory, ActiveX, BackOffice, FrontPage, JScript, MS-DOS, NetMeeting,
Outlook, PowerPoint, Visual Basic, Visual C++, Visual Studio, Windows, Windows Media, and
Windows NT are either registered trademarks or trademarks of Microsoft Corporation in the
U.S.A. and/or other countries.
Other product and company names mentioned herein may be the trademarks of their respective
owners.
Instructor Notes
This module provides students with the knowledge and skills to install and
configure Microsoft® Internet Security and Acceleration (ISA) Server 2000 in
an enterprise environment.
After completing this module, students will be able to:
Describe the use of ISA Server in an enterprise environment.
Install ISA Server in an enterprise environment.
Use enterprise and array policies.
Scale ISA Server.
Manage network connections.
Extend and automate ISA Server functionality.
Materials and Preparation
This section provides the materials and preparation tasks that you need to teach
this module.
Required Materials
To teach this module, you need the Microsoft PowerPoint® file 2159A_09.ppt.
Preparation Tasks
To prepare for this module, you should:
Read all of the materials for this module.
Complete the lab.
Study the review questions and prepare alternative answers to discuss.
Anticipate questions that students may ask. Write out the questions and
provide the answers.
Read “Firewall client application settings,” “Using Network Load
Balancing,” “Configuring Automatic Discovery,” “The Enterprise, Arrays,
and Stand-Alone Servers,” and “Cache Array and Routing Protocol” in
ISA Server Help.
Read the section “Network Load Balancing” in the Microsoft Windows® 2000
Server Resource Kit.
Read the white papers entitled “Network Load Balancing Technical
Overview” and “Cache Array Routing Protocol and Microsoft Proxy Server
2.0” under Additional Reading on the Trainer Materials compact disc.
Read Module 2, “Installing and Maintaining ISA Server,” and Module 3,
“Enabling Secure Internet Access,” in Course 2159A, Deploying and
Managing Microsoft Internet Security and Acceleration Server 2000.
Read Module 4, "Designing a Schema Policy," in Course 1561B, Designing
a Microsoft Windows 2000 Directory Services Infrastructure.
Read Module 12, "Managing Operations Masters," in Course 2154A,
Implementing and Administering Microsoft Windows 2000 Directory
Services.
Presentation: 75 Minutes
Lab: 30 Minutes
Module Strategy
Use the following strategy to present this module:
Introducing ISA Server Enterprise Edition
Explain that you can install ISA Server Enterprise Edition as a stand-alone
server or as an array member. Emphasize that if you choose not to apply an
enterprise policy to an array installation, the array administrator can create
any rule to allow or deny access.
Installing ISA Server in the Enterprise
Ensure that students understand the impact that modifying the schema has
on the entire Active Directory™ directory service forest and that changes to
the schema are irreversible. Explain that when you promote a stand-alone
server, ISA Server may delete policy rules and publishing rules to ensure
that array policies are not more permissive than an applicable enterprise
policy.
Using Enterprise Policies and Array Policies
Emphasize that when you apply an enterprise policy to an array, ISA Server
deletes all of the previously defined array-level site and content rules and
protocol rules that allow access.
Managing Network Connections
Use the slide example to explain the use of routing rules for conditionally
routing requests. Explain that firewall chaining enables requests from
Firewall clients and SecureNAT clients to be routed to upstream servers.
Use the animated slide to explain automatic discovery. Explain that using
automatic discovery helps you to minimize the time spent troubleshooting
connection problems on the client computers. Emphasize that to use the
Dynamic Host Configuration Protocol (DHCP) protocol for automatic
discovery, you must ensure that there is a DHCP server with a valid scope
for each network segment that has ISA Server clients. Emphasize that to use
Domain Name System (DNS) for automatic discovery, you must ensure that
there is a Web Proxy AutoDiscovery Protocol (WPAD) entry for each DNS
domain that has ISA Server clients.
Scaling ISA Server
Explain that to use Cache Array Routing Protocol (CARP) and to use
Network Load Balancing efficiently, you must use ISA Server Enterprise
Edition. Explain that by using hash-based routing instead of queries to
determine the location of cached information, CARP becomes faster and
more efficient as more member servers are added to the array. For more
information about CARP, tell students to see the white paper “Cache Array
Routing Protocol and Microsoft Proxy Server 2.0” under Additional
Reading on the Student Materials compact disc. Mention that Network
Load Balancing is available with Microsoft Windows 2000 Advanced
Server only.
Extending and Automating ISA Server Functionality
Mention that you can gain benefits from using the extensibility and
automation features of ISA Server whether you use the Standard Edition or
the Enterprise Edition.
Customization Information
This section identifies the lab setup requirements for a module and the
configuration changes that occur on student computers during the labs. This
information is provided to assist you in replicating or customizing Microsoft
Official Curriculum (MOC) courseware.
Important: The lab in this module is also dependent on the classroom
configuration that is specified in the Customization Information section at the
end of the Classroom Setup Guide for Course 2159A, Deploying and Managing
Microsoft Internet Security and Acceleration Server 2000.
Lab Setup
The following list describes the setup requirements for the lab in this module.
Setup Requirement 1
The lab in this module requires that ISA Server be installed on all ISA Server
computers. To prepare student computers to meet this requirement, perform one
of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Perform a full installation of ISA Server manually.
Setup Requirement 2
The lab in this module requires that the ISA Server administration tools be
installed on all ISA Server client computers. To prepare student computers to
meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Install the ISA Server administration tools manually.
Setup Requirement 3
The lab in this module requires that the Firewall Client be installed on all
ISA Server client computers. To prepare student computers to meet this
requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Install the Firewall Client manually.
Setup Requirement 4
The lab in this module requires that all ISA Server client computers be
configured to use the ISA Server computer’s Internet Protocol (IP) address on
the private network as their default gateway. To prepare student computers to
meet this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure the default gateway manually.
Setup Requirement 5
The lab in this module requires that Microsoft Internet Explorer be configured
on all student computers to use the ISA Server computer as a Web Proxy
server. To prepare student computers to meet this requirement, perform one of
the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure Internet Explorer manually.
Setup Requirement 6
The lab in this module requires that Internet Information Services (IIS) be
configured on all ISA Server computers to use Transmission Control Protocol
(TCP) port 8008 for the default Web site. To prepare student computers to meet
this requirement, perform one of the following actions:
Complete Module 2, “Installing and Maintaining ISA Server,” in Course
2159A, Deploying and Managing Microsoft Internet Security and
Acceleration Server 2000.
Configure IIS manually.
Setup Requirement 7
The lab in this module requires a protocol rule on the ISA Server computer that
allows all members of the Domain Admins group to gain access to the Internet
by using any protocol. To prepare student computers to meet this requirement,
perform one of the following actions:
Complete Module 3, “Enabling Secure Internet Access,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Create the rule manually.
Setup Requirement 8
The lab in this module requires that packet filtering be enabled on the
ISA Server computer. To prepare student computers to meet this requirement,
perform one of the following actions:
Complete Module 6, “Configuring the Firewall,” in Course 2159A,
Deploying and Managing Microsoft Internet Security and Acceleration
Server 2000.
Enable packet filtering manually.
Lab Results
Performing the lab in this module introduces the following configuration
changes:
DHCP on the second computer in each student computer pair has DHCP
option 252 enabled.
DNS for the student computer zones has a WPAD entry added.
The Active Directory schema update for ISA Server is installed.
The stand-alone ISA Server computer is promoted to an array.
An enterprise policy is created.
Overview
Introducing ISA Server Enterprise Edition
Installing ISA Server in the Enterprise
Using Enterprise Policies and Array Policies
Managing Network Connections
Scaling ISA Server
Extending and Automating ISA Server Functionality
Microsoft® Internet Security and Acceleration (ISA) Server 2000 provides
many features to support an enterprise-wide deployment. Some of these features
are available in only the Enterprise Edition of ISA Server. The security,
caching, management, performance, and extensibility capabilities of ISA Server
are the same in both the Standard Edition and the Enterprise Edition. The
Standard Edition, however, is limited to a stand-alone server, a local policy
only, and computers with up to four processors. For large-scale deployments,
server array support, multi-level policy, and computers with more than four
processors, you must use the ISA Server Enterprise Edition.
After completing this module, you will be able to:
Describe the use of ISA Server in an enterprise environment.
Install ISA Server in an enterprise environment.
Use enterprise and array policies.
Scale ISA Server.
Manage network connections.
Extend and automate ISA Server functionality.
Topic Objective: To provide an overview of the module topics and objectives.
Lead-in: In this module, you will learn about configuring ISA Server in an enterprise environment.
Introducing ISA Server Enterprise Edition
Benefits of ISA Server Enterprise Edition
Using ISA Server Enterprise Edition
There are many benefits for an organization to deploy ISA Server Enterprise
Edition in an enterprise environment. When you deploy ISA Server Enterprise
Edition, you must select an installation configuration and a policy
configuration.
Topic Objective: To introduce ISA Server Enterprise Edition.
Lead-in: There are many benefits for an organization to deploy ISA Server Enterprise Edition in an enterprise environment.
Benefits of ISA Server Enterprise Edition
Scalability: Scales ISA Server functionality by using arrays, symmetric multiprocessing, Network Load Balancing, and CARP.
Distributed and Hierarchical Caching: Enhances caching performance and fault tolerance.
Active Directory: Contains configuration and policy information and is used to apply access controls to users and groups.
Tiered Policy: Enables you to create policies at both the array and enterprise level.
ISA Server Enterprise Edition offers several benefits to organizations that want
fast, secure, and manageable Internet connectivity in an enterprise environment.
Scalability
ISA Server Enterprise Edition provides scalability by using arrays, enhanced
symmetric multiprocessing support, the Network Load Balancing feature of
Microsoft Windows® 2000 Advanced Server, and the Cache Array Routing
Protocol (CARP).
Arrays
ISA Server Enterprise Edition uses arrays to manage a group of ISA Server
computers as a single, logical entity. Array installations increase performance
and bandwidth savings by distributing client requests between multiple
ISA Server computers. In addition, because the load is distributed across all of
the servers in the array, you can achieve good performance even with moderate
hardware. Arrays also provide fault tolerance. Moreover, because the array
members share the same configuration, management and administration are
simplified.
Symmetric Multiprocessing
ISA Server uses Windows 2000 symmetrical multiprocessing (SMP) to
improve performance on computers with multiple processors. ISA Server
Enterprise Edition uses the SMP capabilities of Windows 2000 Advanced
Server, which supports up to 8 processors, and Microsoft Windows 2000
Datacenter Server, which supports up to 32 processors.
Topic Objective: To describe the benefits of ISA Server Enterprise Edition.
Lead-in: ISA Server Enterprise Edition offers several benefits to organizations that want fast, secure, and manageable Internet connectivity in an enterprise environment.
Network Load Balancing
ISA Server Enterprise Edition efficiently uses Network Load Balancing, which
is available in Windows 2000 Advanced Server and Windows 2000 Datacenter
Server, to provide fault tolerance, high availability, efficiency, and performance
through the clustering of multiple ISA Server computers. You can use Network
Load Balancing to make multiple ISA Server computers respond to a single
Internet Protocol (IP) address, which provides load balancing and fault
tolerance for publishing internal resources to the Internet.
CARP
ISA Server Enterprise Edition uses CARP to provide scaling and efficiency
when deploying an array of ISA Server computers as forward and reverse
caching servers. CARP eliminates the duplication of content among array
members and automatically adjusts to additions or deletions of servers in the
array.
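The two CARP properties described above, no duplicated content and automatic adjustment when members are added or removed, follow from hash-based routing. The following Python sketch is an added example, not code from the courseware or from ISA Server: it uses highest-score (rendezvous) hashing with SHA-256 standing in for the hash function that CARP defines, omits CARP load factors, and uses constructed member names and URLs.

```python
import hashlib


def score(url, member):
    """Combined score for a (URL, member) pair.

    Assumption: SHA-256 is used here in place of the hash function that
    CARP itself specifies; only the routing principle is the same.
    """
    digest = hashlib.sha256(f"{member}|{url}".encode("utf-8")).digest()
    return int.from_bytes(digest[:8], "big")


def owner(url, members):
    """Return the single array member responsible for caching this URL.

    Every client and every member computes the same answer without
    querying the other members, so an object is cached in one place only.
    """
    if not members:
        raise ValueError("array has no members")
    return max(members, key=lambda member: score(url, member))


def assignment(urls, members):
    """Map every URL to its owning member."""
    return {url: owner(url, members) for url in urls}


def moved(before, after):
    """URLs whose owner differs between two assignments: {url: (old, new)}."""
    return {url: (before[url], after[url])
            for url in before if before[url] != after[url]}


def load_share(mapping):
    """Number of URLs owned by each member."""
    counts = {}
    for member in mapping.values():
        counts[member] = counts.get(member, 0) + 1
    return counts


# Constructed sample data (hypothetical member names and URLs).
ARRAY = ["LONDON1", "LONDON2", "LONDON3"]
URLS = [f"http://www.example.com/page{i}.htm" for i in range(300)]

if __name__ == "__main__":
    before = assignment(URLS, ARRAY)
    print("three members:", load_share(before))

    # A member fails: only the URLs it owned are redistributed.
    after_loss = assignment(URLS, ["LONDON1", "LONDON3"])
    print("LONDON2 removed, URLs remapped:", len(moved(before, after_loss)))

    # A member is added: URLs either stay put or move to the new member.
    after_add = assignment(URLS, ARRAY + ["LONDON4"])
    print("LONDON4 added, URLs remapped:", len(moved(before, after_add)))
```
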
Distributed and Hierarchical Caching
ISA Server Enterprise Edition uses CARP to perform distributed caching
among an array of ISA Server computers to enhance the caching performance
and the fault tolerance if an ISA Server computer becomes unavailable.
In addition, ISA Server supports hierarchical, or chained, caching. Chained
caching is a hierarchical connection between individual ISA Server computers
or arrays of ISA Server computers. Chained caching enables caching to take
place closer to the users. Client requests are sent upstream through the chain of
cache servers until the requested object is found. When the object is located on
an upstream server, it is cached in both the upstream server’s cache and the
downstream server's cache. Both the Standard Edition and the Enterprise
Edition support hierarchical caching.
Active Directory
ISA Server stores configuration and policy information of arrays in the
Active Directory™ directory service. Active Directory provides a central point
for storing and gaining access to ISA Server policies and configuration settings.
In addition, both the Standard Edition and the Enterprise Edition can apply
access controls by using user accounts and groups that are defined in
Active Directory.
Tiered Policy
ISA Server Enterprise Edition supports a tiered policy, which enables you to
create access policies at both the enterprise level and the array level. You can
set a centralized enterprise policy that unconditionally applies to all of the
arrays in the enterprise, or you can set an enterprise policy that administrators
can augment at the array level.
Using ISA Server Enterprise Edition
[Slide: ISA Management console, Configure Enterprise taskpad. The Servers and Arrays list shows the arrays LONDON, PERTH, and VANCOUVER, each in Integrated mode with Enterprise Policy 1 applied. Taskpad text: You can create one or more enterprise policies that can be applied to arrays. At the enterprise level, you control whether additional rules can be created at the array level.]
You can install ISA Server Enterprise Edition as a stand-alone server or as an
array member. When you install ISA Server as an array member, you can select
a policy configuration that meets the needs of your organization.
Selecting an Installation Configuration
When you install ISA Server Enterprise Edition as a stand-alone server, the
computer does not have to belong to a Windows 2000 domain. ISA Server
stores the configuration information for the stand-alone server in the registry.
Stand-alone servers do not use array policies or enterprise policies.
When you install ISA Server as an array member, the computer must be a
member of a Windows 2000 domain. ISA Server Enterprise Edition stores
configuration information for arrays in Active Directory. You can apply an
enterprise policy to an array, which allows you to centralize management for
multiple arrays in your enterprise.
Topic Objective: To describe the topics related to using ISA Server Enterprise Edition.
Lead-in: ISA Server Enterprise Edition can be installed as a stand-alone server or as an array member.
Key Point: You can install ISA Server Enterprise Edition as a stand-alone server or as an array member. When you install ISA Server as an array member, you can select a policy configuration that meets the needs of your organization.
Selecting a Policy Configuration
When you set up ISA Server in an enterprise configuration, you must select a
policy configuration to apply to the arrays in the domain. You can use
enterprise policies, which apply a centralized policy to arrays, or you can use
array policies, which apply a policy to only the ISA Server computer in one
array. Each type of policy includes the following:
Enterprise Policy. Includes site and content rules and protocol rules. You
can create one or more enterprise policies. In addition, you can configure an
enterprise policy to permit an array policy to augment the enterprise policy.
This configuration enables administrators at branch offices and specific
departments in an organization to use enterprise policies and be able to
configure rules at the array level that further restrict an access policy.
Array Policy. Includes site and content rules, protocol rules, IP packet
filters, Web publishing rules, routing rules, and server publishing rules. You
select an array policy to apply a unique array policy to each array in the
enterprise. For example, you can allow unlimited access to the Internet for
the clients that use one array and then place restrictions on the clients that
use another array.
Important: If you choose not to apply an enterprise policy to an array
installation, the array administrator can create any rule to allow or deny access.
When you apply enterprise policies, array policies can create additional
restrictions over the enterprise policies. However, an array policy can never
allow any type of access that an enterprise policy does not first allow.
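The tiered policy behavior described above can be checked before an enterprise policy is applied to an existing array. The following Python sketch is an added example, not part of the courseware or of ISA Server: the Rule type, the rule and destination set names, the single combined rule list, and the evaluation order (a matching deny rule always overrides an allow rule) are assumptions of this simplified model.

```python
from dataclasses import dataclass

ANY = "*"  # wildcard for protocol or destination (model convention)


@dataclass(frozen=True)
class Rule:
    """Simplified access rule standing in for protocol rules and
    site and content rules (assumption: one rule type covers both)."""
    name: str
    action: str       # "allow" or "deny"
    protocol: str     # for example "HTTP", or ANY
    destination: str  # destination set name, or ANY

    def matches(self, protocol, destination):
        return (self.protocol in (ANY, protocol)
                and self.destination in (ANY, destination))


def apply_enterprise_policy(array_rules, allow_array_restrictions=True):
    """Split array rules into (kept, removed) when an enterprise policy is applied.

    Array-level rules that allow access are removed. Deny rules are kept only
    when the enterprise policy permits array-level rules that restrict it
    (model assumption for the case where that option is cleared).
    """
    kept, removed = [], []
    for rule in array_rules:
        if rule.action == "deny" and allow_array_restrictions:
            kept.append(rule)
        else:
            removed.append(rule)
    return kept, removed


def is_allowed(protocol, destination, enterprise_rules, array_rules):
    """Model assumption: a matching deny wins; otherwise an allow must match."""
    matching = [r for r in list(enterprise_rules) + list(array_rules)
                if r.matches(protocol, destination)]
    if any(r.action == "deny" for r in matching):
        return False
    return any(r.action == "allow" for r in matching)


def access_changes(requests, enterprise_rules, array_rules,
                   allow_array_restrictions=True):
    """Report which array rules disappear and which requests change outcome
    when the array moves from array policy only to the enterprise policy."""
    kept, removed = apply_enterprise_policy(array_rules, allow_array_restrictions)
    lost, gained = [], []
    for protocol, destination in requests:
        before = is_allowed(protocol, destination, [], array_rules)
        after = is_allowed(protocol, destination, enterprise_rules, kept)
        if before and not after:
            lost.append((protocol, destination))
        elif after and not before:
            gained.append((protocol, destination))
    return {"removed_rules": [r.name for r in removed],
            "lost": lost, "gained": gained}


# Constructed sample policies and requests (hypothetical names).
ENTERPRISE_POLICY = [Rule("Enterprise: allow web", "allow", "HTTP", ANY)]
ARRAY_POLICY = [
    Rule("Branch: allow FTP", "allow", "FTP", ANY),
    Rule("Branch: block game sites", "deny", "HTTP", "Game Sites"),
]
REQUESTS = [("FTP", "Partner Sites"), ("HTTP", "News Sites"), ("HTTP", "Game Sites")]

if __name__ == "__main__":
    report = access_changes(REQUESTS, ENTERPRISE_POLICY, ARRAY_POLICY)
    print("Array rules removed:", report["removed_rules"])
    print("Access lost:        ", report["lost"])
    print("Access gained:      ", report["gained"])
```
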
Key Points: If you choose not to apply an enterprise policy to an array installation, the array administrator can create any rule to allow or deny access. When you enforce enterprise policies, an array policy can never allow any type of access that an enterprise policy does not first allow.
Installing ISA Server in the Enterprise
Installing ISA Server Schema in Active Directory
Using Arrays
Installing ISA Server in an Array
Creating and Deleting Arrays in ISA Management
Promoting a Stand-Alone Server
Maintaining Enterprise Configurations
Before you can set up ISA Server Enterprise Edition as an array member, the
ISA Server schema must be installed in Active Directory. ISA Server includes
an Enterprise Initialization utility that you can use to install the ISA Server
schema in Active Directory. You can also promote stand-alone servers to array
members. When you modify an array, it is recommended that you back up the
configuration information.
Topic Objective: To present the topics related to installing ISA Server in the enterprise.
Lead-in: Before you can set up ISA Server as an array member, the ISA Server schema must be installed in Active Directory.
Installing ISA Server Schema in Active Directory
[Slide: ISA Enterprise Initialization dialog box. Callout: Select an option to configure enterprise policy. Dialog text: Specify how to apply the enterprise policy at the array level. After installation, you can modify these settings for any array in the enterprise. Options: Use array policy only; Use this enterprise policy (Enterprise Policy 1); Also allow array-level access policy rules that restrict enterprise policy; Allow publishing rules; Force packet filtering on the array.]
Before you can set up ISA Server as an array member, you must install the
ISA Server schema in Active Directory. Installing the ISA Server schema adds
new object classes and attributes to Active Directory.
Caution: Applying a schema change to Active Directory is a major operation
that normally requires planning. Because Active Directory does not support
deletion of schema objects, the enterprise initialization process is irreversible.
For more information about schema changes to Active Directory, see Module 4,
"Designing a Schema Policy," in Course 1561B, Designing a Microsoft
Windows 2000 Directory Services Infrastructure.
Using the Enterprise Initialization Utility
ISA Server includes an Enterprise Initialization utility that you can use to
install the ISA Server schema in Active Directory. After you install the
ISA Server schema, all subsequent ISA Server installations to computers in the
Active Directory forest can use the ISA Server schema. You do not have to
install the schema again.
Important: To install the ISA Server schema in Active Directory, you must be
an administrator on the local computer. In addition, you must be a member of
the Enterprise Admins group and the Schema Admins group. In addition, the
domain controller that holds the schema master role for your Active Directory
forest must be available. For more information about operation master roles, see
Module 12, "Managing Operations Masters," in Course 2154A, Implementing
and Administering Microsoft Windows 2000 Directory Services.
Topic Objective: To describe the procedure that you use to install ISA Server schema in Active Directory.
Lead-in: Before you can set up ISA Server as an array member, you must install the ISA Server schema in Active Directory.
Key Points: Applying a schema change to Active Directory is a major operation that normally requires planning. Because Active Directory does not support deletion of schema objects, the enterprise initialization process is irreversible.
Delivery Tip: Ensure that students understand the impact that modifying the schema has on the entire Active Directory forest and that changes to the schema are irreversible.
Initializing the Enterprise
To initialize the enterprise by installing the ISA Server schema:
1. At a command prompt, type path\isa\i386\msisaent.exe (where path is the
location of the ISA Server installation files). The location can be the root
folder of the ISA Server CD-ROM or a shared folder on your network that
contains the ISA Server files.
2. In the ISA Enterprise Initialization Tool dialog box, click Yes to
acknowledge that the schema installation is not reversible.
3. In the ISA Enterprise Initialization dialog box, select one of the following
policy options:
• Use array policy only. Allows the array administrator to create rules for
allowing or denying access at the array level. ISA Server does not apply
enterprise policy to the array.
• Use this enterprise policy. Creates an enterprise policy with the name
that you type. You can modify the policy and add additional enterprise
policies after you have installed ISA Server.
4. If you select to use an enterprise policy, in the ISA Enterprise
Initialization dialog box, select one or more of the following options, and
then click OK twice.
To: Allow array administrators to create array policies that further restrict an enterprise policy
Do this: Select the Allow array-level access rules that restrict enterprise policies check box.
To: Allow administrators to create publishing rules
Do this: Select the Allow publishing rules check box.
To: Enforce packet filtering on all arrays
Do this: Ensure that the Force packet filtering on the array check box is selected.
Note: Because of Active Directory replication latency, there may be a delay
until the schema changes are applied to all domain controllers in your
organization.
Using Arrays
Guidelines for Setting Up Arrays
Configuration Settings for Arrays
Permissions Required for Adding Arrays
Before you set up an array, consider the following guidelines, configuration
settings, and permissions required for adding arrays.
Guidelines for Setting Up Arrays
The guidelines for setting up arrays are as follows:
All of the array members must be in the same Windows 2000 domain and
on the same site.
All of the array members should use the same installation mode: Cache
mode, Firewall mode, or Integrated mode.
All of the array members should have the same set of extensions installed.
Configuration Settings for Arrays
Array members have the following configuration settings:
Policy configuration. Policy configuration for arrays includes all access
policy rules, publishing rules, and bandwidth rules. Similarly, the cache
policies are centrally configured at the array level, and the cache policy and
scheduled content download jobs apply to all computers in an array.
Alert configuration. Alerts can be configured for each server in the array or
for all of the servers in the array.
Reports. Reports display information about the activity on all of the
ISA Server computers in the array. The report data is stored in a database on
a computer and in a directory that you specify. By default, the report data is
stored on the ISA Server computer on which you configure the report jobs.
Topic Objective: To identify the topics related to using arrays.
Lead-in: Before you set up an array, consider the following guidelines, configuration settings, and required permissions.
Cache. Disk space for caching is allocated separately on each ISA Server
computer according to the amount that you specify when you install or
reconfigure the cache. However, all of the cache configuration properties
are common for all of the servers in an array. These properties include the
Hypertext Transfer Protocol (HTTP) protocol caching properties, the File
Transfer Protocol (FTP) protocol caching properties, and the CARP
protocol properties.
Permissions Required for Adding Arrays
By default, the members of the Domain Admins group for the domain and the
members of the Enterprise Admins group for the Active Directory forest can
create new arrays. Only the members of the Enterprise Admins group are
prompted to configure how the enterprise policies apply to the array because
only the members of this group have the required permissions to administer
enterprise policies. When a user who is not a member of the Enterprise Admins
group creates an array, the default enterprise policy automatically applies to the
array.
Installing ISA Server in an Array
[Slide: Start > Run Setup > Install ISA Server as an Array > Create and Name Array > Select an Enterprise Policy Setting > Select Custom Policy Settings > Finish]
When you install the first ISA Server computer after importing the ISA Server
schema into Active Directory, the setup program provides you with additional
choices that are not available before you modify the schema. After you set up
the first ISA Server computer in an array, when you install additional array
members, these array members automatically retrieve most of the configuration
information from Active Directory.
Installing the First ISA Server Computer
To install ISA Server on the first computer in an array:
1. Start the Microsoft Internet Security and Acceleration Server Enterprise
Edition Setup program, and choose whether to perform a typical, custom, or
full installation.
2. In the Microsoft ISA Server Setup dialog box, click Yes to install
ISA Server as an array member.
3. If the domain already contains arrays, in the Microsoft ISA Server Setup
dialog box, click New.
4. In the New Array dialog box, type a name for the array that you are
creating, and then click OK.
5. In the Configure enterprise policy setting dialog box, select one of the
following options:
• Use default enterprise policy settings. The array will use the default
enterprise policy settings. These settings are normally the policy settings
that you configured when you imported the ISA Server schema.
• Use custom enterprise policy settings. The array will not use the
default enterprise policy settings.
6. If you chose to use a custom enterprise policy, select the appropriate policy
option and settings, and then click Continue.
7. In the Microsoft ISA Server Setup dialog box, select the installation mode,
and then configure the cache settings and the Local Address Table (LAT) as
you would for a stand-alone server.
Installing Additional Array Members
When you install additional members of an array, the new members retrieve the
existing array configuration from Active Directory.
To install additional array members:
1. Start the Microsoft Internet Security and Acceleration Server Enterprise
Edition Setup program, and choose whether to perform a typical, custom, or
full installation.
2. In the Internet Security and Acceleration Server Setup dialog box, click
Yes to install ISA Server on an array member.
3. In the Microsoft ISA Server Setup dialog box, click the array that you
want to add the computer to, click OK, and then configure the cache
settings as you would for a stand-alone server.
Creating and Deleting Arrays in ISA Management
Creating New Arrays
Deleting Arrays
You can create a new array before you install ISA Server on the first computer
in the array, which allows you to configure the array in advance. When you
create a new array, you can create a new configuration or you can copy a
configuration from another array. After you have created an array, computers
can join the array when you install ISA Server or when you promote a
stand-alone server to an array member.
Important: You must be a member of the Domain Admins group or the
Enterprise Admins group to create an array. You must be a member of the
Enterprise Admins group to configure how the enterprise policies apply.
Creating New Arrays
To create a new array:
1. In ISA Management, in the console tree, right-click Servers and Arrays,
point to New, and then click Array.
2. In the New Array Wizard, type a name for the array, and then click Next.
3. On the Domain Name page, select the site and domain in which to create
the new array, and then click Next.
4. On the Create or Copy an Array page, select one of the following options:
If you are | Then
Creating a new configuration | Click Create a new array, and then click Next.
Copying a configuration | Click Copy this array, select the array to copy from the list, click Next, and then click Finish.
Note: You perform the following steps only when you are creating an array
with a new configuration.
5. On the Enterprise policy settings page, select one of the following options,
and then click Next:
• Do not use enterprise policy.
• Use default enterprise policy settings.
• Use custom enterprise policy settings. Use this option to specify an
enterprise policy. You can also select the Allow array policy check box.
6. On the Array type page, select one of the following options, and then click
Next:
• Cache only
• Firewall only
• Integrated
7. On the Array Global Policy Options page, select one or both of the
following options, and then click Next:
• Allow publishing rules to be created on the array
• Force packet filtering on the array
8. On the Completing the New Array Wizard page, review your choices, and
then click Finish.
Deleting Arrays
You can delete an array in ISA Management after you uninstall ISA Server
from all array members.
To delete an array:
• In ISA Management, in the console tree, right-click the appropriate array,
and then click Delete.
Caution: If you accidentally delete an array that has members, you must
re-create the array, uninstall ISA Server on each of the members, re-create each
array member, and then reinstall ISA Server on all array members.
Promoting a Stand-Alone Server
Migrating Policy Settings
Promoting a Stand-Alone Server
After you initialize the enterprise, you can promote stand-alone servers to array
members. After promoting a stand-alone server to an array, by default, the name
of the array is the same as the name of the server. You can rename the array in
ISA Management.
Note: You can promote stand-alone servers that belong to a Windows 2000
domain only. You cannot reverse the promotion without uninstalling
ISA Server.
Migrating Policy Settings
When you promote a stand-alone server to an array, the new array adopts the
default enterprise policy settings or another enterprise policy that you select.
Because array policies cannot be more permissive than enterprise policies,
depending on the default enterprise policy settings, ISA Server may delete some
of the existing array policy rules as follows.
If default enterprise settings | Then ISA Server
Are enterprise policy only | Deletes all of the array policy rules.
Are enterprise policy and array policy | Deletes all of the array policy rules that allow access.
Disallow publishing | Deletes the publishing rules that are defined for the array.
Delivery Tip: Explain that ISA Server may delete policy rules and publishing
rules to ensure that array policies are not more permissive than an applicable
enterprise policy.
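The following pre-promotion check is an added example, not part of the course material or of ISA Server: it applies the three table rows above to a constructed rule inventory so that you can review which rules a promotion would delete. The Rule and EnterpriseDefaults types, their fields, and the sample rules are assumptions, as is the treatment of publishing rules as separate from array policy rules.

```python
from dataclasses import dataclass

# Constructed model of a stand-alone server's rules; the names and fields are
# illustrative assumptions, not ISA Server objects.
@dataclass(frozen=True)
class Rule:
    name: str
    kind: str    # "policy" (site and content or protocol rule) or "publishing"
    action: str  # "allow" or "deny"

@dataclass(frozen=True)
class EnterpriseDefaults:
    enterprise_policy_only: bool  # True: array policy is not allowed
    allow_publishing: bool        # False: the "Disallow publishing" row

def rules_deleted_on_promotion(rules, defaults):
    """Return the rules that promotion would delete, per the table above."""
    deleted = []
    for rule in rules:
        if rule.kind == "publishing":
            # Publishing rules are removed only when publishing is disallowed.
            if not defaults.allow_publishing:
                deleted.append(rule)
        elif defaults.enterprise_policy_only:
            # Enterprise policy only: every array policy rule is removed.
            deleted.append(rule)
        elif rule.action == "allow":
            # Enterprise and array policy: array rules may only restrict,
            # so the rules that allow access are removed.
            deleted.append(rule)
    return deleted

def promotion_report(rules, defaults):
    """Split rules into (kept, deleted) name lists for a pre-change review."""
    deleted = rules_deleted_on_promotion(rules, defaults)
    kept = [r.name for r in rules if r not in deleted]
    return kept, [r.name for r in deleted]

# Constructed sample inventory of a stand-alone server.
SAMPLE_RULES = [
    Rule("Allow HTTP for staff", "policy", "allow"),
    Rule("Deny streaming media", "policy", "deny"),
    Rule("Publish intranet web", "publishing", "allow"),
]

if __name__ == "__main__":
    for d in (EnterpriseDefaults(True, True), EnterpriseDefaults(False, True),
              EnterpriseDefaults(False, False)):
        kept, deleted = promotion_report(SAMPLE_RULES, d)
        print(d, "kept:", kept, "deleted:", deleted)
```

Rules reported as deleted are the ones to document before promotion, because the promotion cannot be reversed without uninstalling ISA Server.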
Promoting a Stand-Alone Server
To promote a stand-alone server:
1. In ISA Management, in the console tree, right-click the server, and then
click Promote.
2. Click Yes to verify that you want the ISA Server to become an array
member.
3. If you are not a member of the Enterprise Admins group, click Yes to
confirm that the default enterprise policy will be applied to the array.
–or–
If you are a member of the Enterprise Admins group, in the Set Global
Policy dialog box, select the appropriate policy options and settings, and
then click OK.