Microsoft ISA Server 2006 Evaluation Guide Walkthroughs
June 2006




ISA Server 2006 is the integrated edge security gateway that helps protect your
IT environment from Internet-based threats while providing your users with
fast and secure remote access to applications and data.


                             For more information, press only, contact:

                             Rapid Response Team
                             Waggener Edstrom
                             (503) 443-7070
                             rrt@wagged.com
This document supports a preliminary release of a software product that may be changed substantially prior to final
commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either
express or implied, in this document. Information in this document, including URL and other Internet Web site references,
is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the
user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people,
places, and events depicted in examples herein are fictitious. No association with any real company, organization,
product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all
applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this
document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means
(electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission
of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering
subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the
furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual
property.

© 2006 Microsoft Corporation. All rights reserved.

Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the
United States and/or other countries.
Walkthrough A: ISA Server 2006 Enterprise Edition Installation ......................................................... 4

Walkthrough B: Exploring ISA Server 2006 ............................................................................................. 8

   Walkthrough B-1: Exploring the User Interface ........................................................................................ 8

   Walkthrough B-2: Multiple Networks ........................................................................................................13

   Walkthrough B-3: Single Rule Base .........................................................................................................20

   Walkthrough B-4: Management and Monitoring......................................................................................27

Walkthrough C: Web Listener Wizard ....................................................................................................30

   Walkthrough C-1: Creating a Web Listener with SSL ..............................................................................30

   Walkthrough C-2: Creating a Web Listener without SSL .........................................................................32

Walkthrough D: Server Farm Wizard .....................................................................................................33

Walkthrough E: Publish Exchange Web Client Access ..........................................................................34

Walkthrough F: SharePoint Publishing Wizard .....................................................................................37

Walkthrough G: HTTP Compression Configuration .............................................................................39

Walkthrough H: DiffServ Configuration .................................................................................................41

Walkthrough I: Flood Resiliency Configuration ....................................................................................44

Walkthrough J: Caching Rules (Microsoft Update Cache Rule / BITS Configuration) .....................46

Walkthrough K: Remote Client VPN Connectivity ................................................................................49

   Walkthrough K-1: Configuring ISA Server 2006 to Accept Incoming Client VPN Connections ..............49

Walkthrough L: Enterprise Management and High Availability .........................................................53

   Walkthrough L-1: Exploring Enterprise Networks and Policies ..............................................................53

   Walkthrough L-2: Configuring Network Load Balancing ........................................................................60

Walkthrough M: Branch Office VPN Connectivity Wizard ..................................................................68
WALKTHROUGH A: ISA SERVER 2006 ENTERPRISE EDITION INSTALLATION
The following instructions show how to install Microsoft® Internet Security and Acceleration (ISA)
Server 2006 on an existing Microsoft Windows Server™ 2003 system. ISA Server 2006 can be
installed from the CD-ROM media, a local folder, or a network share point.
        1. Insert the ISA Server 2006 Enterprise Edition evaluation CD into the CD/DVD drive. If
           the Setup tool does not automatically open, double-click ISAAutorun.exe in the root
           of the ISA Server 2006 CD-ROM media or the local directory or file share containing
           the ISA Server 2006 installation files.
        2. In the Microsoft Internet Security and Acceleration Server 2006 Setup window,
           click the Install ISA Server 2006 icon. This starts the ISA Server 2006 installation
           process.
        3. Click the Next button on the Welcome to the Installation Wizard for Microsoft ISA
           Server 2006 page.
        4. Read the license agreement, and then select the I accept the terms in the license
           agreement option on the License Agreement page. Click Next.
        5. Enter a user name and organization name in the User name and Organization text
           boxes. Information in the Serial Number text boxes appears automatically. Click
           Next.
        6. On the Setup Scenarios page, select the Install both ISA Server services and
           Configuration Storage server option. This option will install the ISA Server
           services as well as store the enterprise configuration. Click Next. (See
           Figure A.1a.)
        7. On the Component Selection page, click Next.
        8. On the Enterprise Installation Options page, select the Create a new ISA Server
           enterprise option. Click Next. (See Figure A.1b.)

                                                                              Figure A.1a
                                                                              Figure A.1b
9. The New Enterprise Warning window warns against creating multiple enterprises,
   which increases the difficulty in managing the array computers in the enterprise. Click
   Next. (See Figure A.1c.)




                    Figure A.1c


10. Click Add to configure the ISA Server 2006 firewall with IP addresses representing
    the Internal network on the Internal Network page. The Internal network contains the
    trusted resources and Active Directory domain.
11. In the Addresses window, specify the Internal network by selecting Add Adapter.
    Select Perimeter Connection and Internal Connection. (See Figure A.1d.) Click
    OK. On the Addresses page, click OK.
Figure A.1d


12. The internal network addresses appear in Internal network address ranges. Click
    Next.
                                                                 Figure A.1e
13. On the Firewall Client Connections page, specify whether you will allow legacy Firewall
    clients to use non-encrypted connections when connecting to the ISA Server computer.
    (See Figure A.1e.) Click Next.
14. On the Services Warning page, information is provided about the services that will be
    restarted during installation, as well as the services that will be disabled during
    installation. (See Figure A.1f.) Click Next.

                Figure A.1f

15. On the Ready to Install the Program page, click Install. The ISA Server 2006
    Enterprise Edition installation process proceeds.
16. The Installation Wizard Completed page appears when the ISA Server 2006
    application completes the installation. Select the Invoke ISA Server Management
    when wizard closes check box. Click Finish.
WALKTHROUGH B: EXPLORING ISA SERVER 2006

   Note: This walkthrough assumes the use of a virtual computer called Florence configured
   with Windows Server 2003 & ISA Server 2006.
   Reviewers with ISA Server 2004 experience can bypass this walkthrough.


   Walkthrough B-1: Exploring the User Interface
To explore the task pane
   1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
      menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
      Management. (See Figure B.1a.)
      • ISA Server Management opens. All configuration of ISA Server is performed from
        ISA Server Management.

                                   Figure B.1a

   2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, expand
      Configuration, and then select Add-ins. (See Figure B.1b.)
      • Note that the Add-ins node is only used as an example to start the exploration of
        the new user interface.
      • The user interface of ISA Server Management consists of three main parts:
        - Tree pane (or left pane): This pane contains a short list of nodes. The nodes
          logically group related management or configuration settings.
        - Details pane (or right pane): For each node in the left pane, the details pane
          contains detailed information related to the node. The details pane may contain
          several tabs. For example, for the Add-ins node, the details pane contains the
          Application Filters tab and the Web Filters tab.
        - Task pane: The task pane contains a Tasks tab with relevant commands for the
          selected node in the tree pane, or for the configuration element in the details pane.
          The task pane also contains a Help tab with context-sensitive Help for the selected
          node or configuration element.

                                   Figure B.1b

   3. Drag the vertical divider between the tree pane (left) and the details pane to make the
      details pane larger or smaller.
   4. On the vertical divider between the details pane and the task pane, click the arrow button.
      • The task pane closes to make a larger area of the screen available for the details
        pane.
   5. Click the arrow button again.
      • The task pane opens again to allow access to the commands on the task pane.
   6. Ensure that in the left pane the Add-ins node is selected, and then in the details pane, on
      the Application Filters tab, select (for example) RPC Filter.
      • Notice that the available commands in the task pane change when a configuration
        element (an application filter in this example) is selected in the details pane.
   7. In the details pane, right-click RPC Filter.
      • A context menu appears with commands applicable to this application filter. (Do not
        click a command on the menu.)
   8. In the task pane, click the Help tab. (See Figure B.1c.)
      • The Help tab in the task pane provides context-sensitive Help information related to
        the selected configuration element.

                                   Figure B.1c
   9. In the task pane, click the Tasks tab.

                                   Figure B.1d
To explore the main nodes in ISA Server Management, including the Networks, Firewall Policy,
and Monitoring nodes
   1. In ISA Server Management, in the left pane, select Configuration. (See Figure B.1d.)
      • ISA Server 2006 has two main areas where you can control configuration:
        - Configuration node: This node contains all configuration settings that are relatively
          static. This includes Networks configuration, Cache configuration, Add-ins
          (application filters and Web filters), and General. You would typically not change
          the configuration of those elements often.
        - Firewall Policy node: This node contains a single list of all the access rules
          (outgoing) and the publishing rules (incoming). These rules change more often,
          because they reflect the business rules and firewall access policy of a company.


   2. In the left pane, select Networks. (See Figure B.1e.)
      • Walkthrough B-2 explores the Networks configuration.
      • The Networks node contains the configuration of all the networks connected to ISA
        Server. Network rules are defined between each network. This includes networks
        directly connected by network adapters such as External, Internal, and Perimeter,
        virtual networks such as VPN Clients and Quarantined VPN Clients, and special
        networks such as Local Host.

                                   Figure B.1e

      • The initial configuration of the networks and the related firewall policy rules is done
        by selecting a network template from the Templates tab in the task pane. (Do not
        change the network template at this time.)

   3. In the left pane, select Firewall Policy. (See Figure B.1f.)
      • The Firewall Policy node contains a list of all access rules and publishing rules.

                                   Figure B.1f

   4. If the task pane is closed, click the arrow button to open the task pane.
      • The task pane for the Firewall Policy node contains an additional tab named
        Toolbox. This tab has five sliding panes (Protocols, Users, Content Types,
        Schedules, and Network Objects) that list all the rule elements that can be used in
        the access rules and publishing rules.
      • ISA Server 2006 Enterprise Edition rule elements are on the Toolbox tab in the
        task pane when the Firewall Policy node is selected.
   5. In the task pane, on the Toolbox tab, click the Protocols heading, and then click
      Common Protocols. (See Figure B.1g.)
      • The rule elements, such as protocol definitions, are selected when new access
        rules or publishing rules are created.

                                   Figure B.1g
   6. In the task pane, on the Toolbox tab, click the Users heading, and then click New.
      (See Figure B.1h.)
      • The New User Sets Wizard appears. A user set is a collection of users (from
        Microsoft Windows®, LDAP, RADIUS, or SecurID) and groups, defined together in a
        single set. You can apply an access rule or publishing rule to one or more user sets.

                                   Figure B.1h
7. Click Cancel to close the New User Sets Wizard.
   8. In the left pane, select Monitoring.
      • Walkthrough B-4 explores the Monitoring node.
      • The Monitoring node has these tabs (Dashboard, Alerts, Sessions, Services,
        Configuration, Reports, Connectivity, and Logging) that allow you to monitor,
        control, investigate, troubleshoot, and plan firewall operations.
      • The Dashboard tab contains summary boxes for the next five tabs, and a running
        System Performance monitor that displays a graph of the current allowed and
        blocked traffic rate.

                                   Figure B.1i
   9. On the Dashboard tab, use the scroll bar, or in the summary box headers, click the circles
      with the two up arrows, to see the System Performance monitor. (See Figure B.1i.)
      • Currently the allowed and blocked traffic rate displayed in the System Performance
        monitor is zero.
   10. On the Dashboard tab, click the Sessions summary box header.
      • The Sessions tab of the Monitoring node is displayed. This tab displays the client
        sessions that are currently active on ISA Server. If you only want to see specific
        sessions, you can filter the sessions list.
      • Other tabs of the Monitoring node are explored in Walkthrough B-4.


To explore the export and import configuration commands
   1. In ISA Server Management, in the left pane, right-click the ITALY array entry. (See
      Figure B.1j.)
      • The context menu of the Array node contains Export and Import commands. These
        commands can be used to export configuration settings to an .xml file, and import
        the settings later on this computer or on another computer.
      • The Export and Import commands are present on the context menu of almost all the
        nodes in the left pane. This includes the Networks node, the Firewall Policy node,
        and individual rules and rule elements.

   2. Close ISA Server Management.

                                   Figure B.1j
Walkthrough B-2: Multiple Networks
To explore network rules

   1. On the (Florence) ISA Server computer, on the Start menu, click All Programs, click
      Microsoft ISA Server, and then click ISA Server Management.
   2. In ISA Server Management, in the left pane, expand the ITALY array, expand
      Configuration, and then select Networks.
      • One of the most important changes in ISA Server 2006 and ISA Server 2004, in
        comparison with ISA Server 2000, is the concept of multiple networks connected to
        ISA Server, which are all treated similarly for configuration purposes.
      • All firewall policy rules can be defined in terms of source network and destination
        network (or destination computer for publishing rules).
   3. In the details pane, on the (lower) Networks tab, right-click Internal, and then click
      Properties.
   4. In the Internal Properties dialog box, select the Addresses tab. (See Figure B.2a.)
      • The IP addresses of the Internal network only define what network interfaces are
        included in the network named Internal. Other networks, such as Perimeter, are
        defined in a similar fashion. There is no equivalent to the ISA Server 2000 local
        address table (LAT). The application of firewall rules, Network Address Translation
        (NAT), or routing of IP packets is configured separately.
   5. Click Cancel to close the Internal Properties dialog box.
      • Notice that the Perimeter network is defined as the IP address range
        23.1.1.0–23.1.1.255. The Local Host network is defined as the ISA Server computer.
        All other IP addresses belong to the External network. The VPN Clients and
        Quarantined VPN Clients networks have dynamic membership, and contain
        connecting VPN client computers.

                                   Figure B.2a

   6. On the Network Sets tab, right-click All Protected Networks
      and then click Properties.
   7. In the All Protected Networks Properties dialog box, select the Networks tab. (See
      Figure B.2b.)
      • Network sets are groupings of existing networks that can be used in firewall policy
        rules. This makes it easy to refer to all networks, or all related networks. You can
        define additional network sets.
      • The definition of the All Protected Networks network set is all existing networks,
        except the External network.

                                   Figure B.2b
   8. Click Cancel to close the All Protected Networks Properties dialog box.
   9. On the Start menu, click Control Panel, and then click Network Connections. (See
      Figure B.2c.)
      • The Network Connections menu (on the Start menu) shows that Server (your server
        name) has three network adapters. To avoid confusion in these walkthroughs, the
        network adapters on Florence are renamed from Local Area Connection (plus #2 and
        #3) to External Connection, Perimeter Connection, and Internal Connection.




                                                    Figure B.2c

   10. Click Start to close the Start menu.


To define NAT or routing of IP packets

   Note: For demonstration purposes, create and delete a new network rule.

   1. In ISA Server Management, in the left pane, ensure that Networks is selected.
   2. In the details pane, select the Network Rules tab. (See Figure B.2d.)

                                                                                Figure B.2d

      • Network rules define whether ISA Server will use NAT (replace the client source
        address with an ISA Server address) or Route (use the client source address in the
        request) for traffic between each pair of networks or network sets, if the firewall
        policy allows network traffic between these networks.
      • As currently configured, your ISA Server uses Route for all traffic between the ISA
        Server computer and all networks, between the VPN networks and the Internal
        network, and between the Perimeter network and the External network. ISA Server
        uses NAT for all traffic from the Internal and VPN networks to the Perimeter network,
        and from the Internal and VPN networks to the External network.
      • Note that Route network rules automatically work in both directions. NAT network
        rules are defined in one direction. If there is no network rule defined between two
        networks, ISA Server 2006 does not allow traffic between those networks.

3. In the task pane, on the Tasks tab, click
   Create a Network Rule.
4. On the Welcome to the New Network Rule Wizard page, in
   the Network rule name text box, type
   VPN Perimeter Access, and then click Next. (See
   Figure B.2e.)
5. On the Network Traffic Sources page, click Add.
6. In the Add Network Entities dialog box, click Networks, click
   VPN Clients, click Add, and then click Close to close the Add
   Network Entities dialog box. (See Figure B.2f.)

                                                                              Figure B.2e




               Figure B.2f                                    Figure B.2g

7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click Add.
9. In the Add Network Entities dialog box, click Networks, click Perimeter, click Add, and
    then click Close to close the Add Network Entities dialog box. (See Figure B.2g.)
10. On the Network Traffic Destinations page, click Next.
11. On the Network Relationship page, select Route, and then click Next. (See Figure B.2h.)
Figure B.2h
   12. On the Completing the New Network Rule Wizard page, click Finish. (See
       Figure B.2i.)
      • A new network rule is created. ISA Server 2006 will now route IP packets from
        computers on the VPN Clients network to the Perimeter network.
      • In ISA Server 2006, the use of NAT or Route between each pair of networks is
        defined by network rules.
      • Note that the new VPN Perimeter Access network rule is only created for
        demonstration purposes. You will not apply the new rule to ISA Server 2006.

                                   Figure B.2i
   13. At the top of the details pane, click Discard to remove the unsaved changes, such as
       the new VPN Perimeter Access rule.
   14. Click Yes to confirm that you want to discard the changes. (See Figure B.2j.)

                                   Figure B.2j
To explore network templates

   1. In ISA Server Management, in the left pane, ensure that Networks is selected.
   2. In the task pane, select the Templates tab.
      • Network templates are predefined .xml files that contain common network topologies.
        They can be used to configure the network rules between networks and the firewall
        policy rules. The graphic associated with each network template helps you
        understand the selected network topology.
      • ISA Server 2006 includes five network templates (Edge Firewall, 3-Leg Perimeter,
        Front Firewall, Back Firewall, and Single Network Adapter).
   3. On the Templates tab, click 3-Leg Perimeter. (See Figure B.2k.)

                                   Figure B.2k

      • Note that 3-Leg Perimeter is already the current active network template on Florence.
        It matches most closely the network topology of the walkthrough environment. For
        demonstration purposes, this task explores the Network Template Wizard without
        changing any settings.

4. In the Network Template Wizard dialog box, click Next. (See Figure B.2l.)
   • ISA Server allows you to export the current configuration to a backup .xml file, which
     can be restored later.




                                                                                 Figure B.2l

5. On the Export the ISA Server Configuration page, click Next.
6. On the Internal Network IP Addresses page, click Next. (See Figure B.2m.)




                                         Figure B.2m

7. On the Perimeter Network IP Addresses page, click Next. (See Figure B.2n.)
   • Each network template contains one or more firewall policy rule sets. These firewall
     policies allow you to start with a set of firewall policy rules that best matches your
     network and corporate policy.




                                                Figure B.2n

8. On the Select a Firewall Policy page, in the Select a firewall policy list box, select Block
   Internet Access, allow access to network services on the Perimeter network. (See
   Figure B.2o.)
Figure B.2o

    9. In the Description list box, scroll to the end of the text to see a description of the firewall
        policy rules that are created when this firewall policy is selected.
    10. On the Select a Firewall Policy page, click Next.
    11. On the Completing the Network Template Wizard page, click Cancel. (Do not click
        Finish.)
      • The network rules and firewall policy rules in ISA Server are not changed.
To explore client support settings

    1. In ISA Server Management, in the left pane, ensure that Networks is
       selected, and then in the details pane, select the Networks tab.
    2. Right-click Internal, and then click Properties.
    3. In the Internal Properties dialog box, select the Firewall Client tab. (See Figure B.2p.)
      • The Firewall Client tab specifies whether client computers on the selected network
        (Internal) can access other networks such as the Internet through ISA Server 2006
        by using the Firewall Client software (port 1745).




                                                                                           Figure B.2p

    4. Select the Web Proxy tab. (See Figure B.2q.)
      • The Web Proxy tab specifies whether client computers on the selected network
        (Internal) can access other networks through ISA Server 2006 by using a Web Proxy
        client such as a Web browser (port 8080).
Figure B.2q

5. Click Cancel to close the Internal Properties dialog box.
Walkthrough B-3: Single Rule Base
To explore the single firewall policy rule list
      • For demonstration purposes, in this walkthrough you will create an access rule with
        the following attributes:
        - Name: Allow Web traffic to Internet
        - Applies to: HTTP
        - From network: Internal
        - To network: External

    1. On the Florence computer, in ISA Server Management, in the left pane, select
       Firewall Policy.
      • ISA Server uses a single rule list for access rules and publishing rules.
    2. In the task pane, on the Tasks tab, click Create Array
       Access Rule.
    3. On the Welcome to the New Access Rule Wizard page, in
       the Access rule name text box, type Allow Web traffic to
       Internet, and then click Next. (See Figure B.3a.)

                                                                                   Figure B.3a

    4. On the Rule Action page, select Allow, and then click Next.
       (See Figure B.3b.)




                                                                                   Figure B.3b
    5. On the Protocols page, in the This rule applies to list box,
       select Selected protocols, and then click Add. (See
       Figure B.3c.)




                                                                                   Figure B.3c
6. In the Add Protocols dialog box, click Web,
   click HTTP, click Add, and then click Close to
   close the Add Protocols dialog box. (See
   Figure B.3d.)
7. On the Protocols page, click Next.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click
   Networks, click Internal, click Add, and then
   click Close to close the Add Network Entities
   dialog box. (See Figure B.3e.)




                                                            Figure B.3d          Figure B.3e
10. On the Access Rule Sources page, click Next.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click Networks, click External,
    click Add, and then click Close to close the Add Network Entities dialog
    box. (See Figure B.3f.)




                                                                               Figure B.3f
13. On the Access Rule Destinations page, click Next.
14. On the User Sets page, click Next. (See Figure B.3g.)




                                               Figure B.3g
15. On the Completing the New Access Rule Wizard page, click Finish. (See Figure B.3h.)
    • A new firewall policy rule is created that allows the HTTP protocol from the Internal
      network to the External network for all users. The External network represents the
      Internet.
    • Note that the new rule has not been applied yet.




                                                                                      Figure B.3h

   16. In the details pane, click Apply to apply the new rule. (See Figure B.3i.)
    Changes to the firewall policy rule list are not applied until you click Apply. This allows you
       to apply multiple new rules or changes to the rules at the same time.




                                Figure B.3i


To add the HTTPS and FTP protocols to the Allow Web traffic to Internet access rule

   1. In the task pane, on the Toolbox tab, in the Protocols pane, click Web.
      The Web protocol list opens. The list contains HTTPS and FTP.
   2. Drag HTTPS from the Toolbox to HTTP in the Traffic column of the Allow Web traffic to
      Internet access rule.
      The HTTPS protocol is added to the access rule.
      Notice that the Apply and Discard buttons are displayed again, to indicate that changes
      in the firewall policy rule list have not been applied yet.
   3. Drag FTP from the Toolbox to HTTP and HTTPS in the Traffic column of the Allow Web
      traffic to Internet access rule. (See Figure B.3j.)
      The FTP protocol is added to the access rule.

   [Figure B.3j]

   4. Click the box with the minus sign in front of the Allow Web traffic to Internet access rule
      to display the access rule with multiple protocols on a single line.
      Instead of dragging protocols from the Toolbox to configure a firewall policy rule, you can
      also right-click the rule and select Properties, as shown in the next task.


To explore the properties of the Allow Web traffic to Internet access rule

   1. Right-click the Allow Web traffic to Internet access rule, and then click Properties.
      (See Figure B.3k.)
   2. In the Allow Web Traffic to Internet Properties dialog box, on the Protocols tab, click Add.
      (See Figure B.3l.)

   [Figure B.3k]   [Figure B.3l]

   3. In the Add Protocols dialog box, click Common protocols. (See Figure B.3m.)
      You can add any TCP and UDP protocols to the access rule. You can also add non-TCP and
      non-UDP protocols, such as ICMP, to the access rule.
   4. Click Close to close the Add Protocols dialog box.
   5. On the To tab, click Add. (See Figure B.3n.)

   [Figure B.3m]   [Figure B.3n]

      Instead of applying the access rule to traffic to all destinations on the External network,
      you can limit access to specific destinations by using any of these six network entities
      (Computers, Address Ranges, Subnets, Domain Name Sets, URL Sets, and Computer Sets).
   6. Click Close to close the Add Network Entities dialog box.
   7. On the From tab, click Add.
   8. In the Add Network Entities dialog box, click Networks. (See Figure B.3o.)
      The Local Host network (representing the ISA Server computer) can be used as the source
      network in an access rule.

   [Figure B.3o]

   9. Click Close to close the Add Network Entities dialog box.
   10. Click Cancel to close the Allow Web Traffic to Internet Properties dialog box.
       An access rule can contain all the rule elements needed to define an outbound access
       policy for any TCP, UDP, non-TCP, or non-UDP protocol, from any computer (including
       the ISA Server computer) to any other computer. This combines the functionality of the
       ISA Server 2000 Packet Filter rules, Protocol rules, and Site and Content rules in a
       single rule list.

To explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule

   For demonstration purposes, you will configure the rule to block HTTP traffic from MSN
   Messenger.
   1. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP.
      (See Figure B.3p.)

   [Figure B.3p]

   2. In the Configure HTTP policy for rule dialog box, on the General tab, examine the HTTP
      filter settings.
      ISA Server 2006 examines the contents of all HTTP traffic. This is called application-level
      filtering, or content filtering. HTTP packets that do not meet the specifications on the
      General tab are blocked.
      Many applications use HTTP as their transport protocol or even as their tunnel protocol,
      because HTTP port 80 is allowed on most firewalls. Application-level filtering can block
      ill-formed or unwanted HTTP applications or content. These settings, such as limiting the
      maximum URL length, would have blocked the exploitation of vulnerabilities described in
      different Microsoft Security Bulletins, from MS98-003 to MS03-007.
   3. On the Signatures tab, click Add. (See Figure B.3q.)
   4. In the Signature dialog box, enter the following information, and then click OK:
         Name: MSN Messenger traffic
         Search in: Request headers
         HTTP header: User-Agent
         Signature: MSMSGS
   5. Click OK to close the Configure HTTP policy for rule dialog box.
      The Allow Web traffic to Internet access rule will allow HTTP traffic from a Web browser,
      but it will block HTTP traffic from MSN Messenger. (See Figure B.3r.)

   [Figure B.3q]   [Figure B.3r]

   6. Click Apply to apply the changed rule.
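The General-tab limits and the User-Agent signature from steps 2 to 5, modelled as an added example (not ISA Server code) that evaluates constructed requests. The limit values and the allowed-methods list are assumptions for the demonstration, not the product's defaults, and only request-side "Search in" matching is modelled.

```python
"""Model of the ISA Server 2006 HTTP filter checks walked through above.

Added example; not ISA Server code. The policy structure (General-tab limits
plus a signature list with "Search in" / "HTTP header" / "Signature") mirrors
the dialog fields named in the walkthrough; the request samples are constructed.
"""
from dataclasses import dataclass, field


@dataclass
class Signature:
    name: str
    search_in: str          # "Request headers" or "Request URL" (only these two modelled)
    http_header: str = ""   # header name, used when search_in == "Request headers"
    signature: str = ""     # substring to look for


@dataclass
class HttpPolicy:
    max_url_length: int = 10240           # assumed value, not the product default
    max_headers_length: int = 32768       # assumed value, not the product default
    allowed_methods: tuple = ("GET", "HEAD", "POST")
    signatures: list = field(default_factory=list)


def parse_request(raw: str):
    """Split a raw HTTP/1.1 request head into (method, url, headers dict)."""
    head = raw.split("\r\n\r\n", 1)[0]
    lines = head.split("\r\n")
    method, url, _version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        if not line:
            continue
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, url, headers


def evaluate_request(raw: str, policy: HttpPolicy):
    """Return (allowed, reason). A request failing any check is blocked."""
    method, url, headers = parse_request(raw)
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(url) > policy.max_url_length:
        return False, f"URL length {len(url)} exceeds {policy.max_url_length}"
    header_bytes = sum(len(k) + len(v) + 4 for k, v in headers.items())
    if header_bytes > policy.max_headers_length:
        return False, "headers too long"
    for sig in policy.signatures:
        if sig.search_in == "Request headers":
            if sig.signature in headers.get(sig.http_header.lower(), ""):
                return False, f"signature '{sig.name}' matched"
        elif sig.search_in == "Request URL":
            if sig.signature in url:
                return False, f"signature '{sig.name}' matched"
    return True, "ok"


# The signature entered in step 4 of the walkthrough.
POLICY = HttpPolicy(signatures=[
    Signature("MSN Messenger traffic", "Request headers", "User-Agent", "MSMSGS"),
])

# Constructed sample requests: a browser, a Messenger client, an over-long URL.
BROWSER = ("GET /index.html HTTP/1.1\r\nHost: www.contoso.com\r\n"
           "User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n\r\n")
MESSENGER = ("POST /gateway/gateway.dll HTTP/1.1\r\nHost: gateway.messenger.example\r\n"
             "User-Agent: MSMSGS\r\n\r\n")
LONG_URL = "GET /" + "a" * 20000 + " HTTP/1.1\r\nHost: www.contoso.com\r\n\r\n"

if __name__ == "__main__":
    for label, req in (("browser", BROWSER), ("messenger", MESSENGER), ("long url", LONG_URL)):
        print(label, evaluate_request(req, POLICY))
```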
To explore the System Policy Rules in the firewall policy

   1. In the left pane, ensure that Firewall Policy is selected.
   2. In the task pane, on the Tasks tab, click Show System Policy Rules. (See Figure B.3s.)
      In the details pane, 34 predefined access rules to or from the Local Host (ISA Server
      computer) are shown. These are called the System Policy Rules.

   [Figure B.3s]

   3. In the task pane, on the Tasks tab, click Edit System Policy. (See Figure B.3t.)
      The System Policy Editor dialog box appears. You can change most of the system policy
      rules.
   4. Click Cancel to close the System Policy Editor dialog box.
   5. In the task pane, on the Tasks tab, click Hide System Policy Rules.
      Note that you generally do not need to change the firewall system policy, because it
      contains all of the basic rules and policy that govern the basic operation of the server.

   [Figure B.3t]

To delete the Allow Web traffic to Internet access rule

   Note: This task is needed to avoid conflicts in a later lab exercise.

   1. In the details pane, right-click Allow Web traffic to Internet, and then click Delete.
   2. Click Yes to confirm that you want to delete the access rule.
      The access rule is deleted, but this change is not applied yet.
   3. Click Apply to apply the deletion of the rule.

Walkthrough B-4: Management and Monitoring

To explore delegating administrative control by using role-based permissions from a single place

   1. In ISA Server Management, in the left pane, select Monitoring. (See Figure B.4a.)
      The Monitoring node has tabs that allow you to monitor, control, investigate, troubleshoot,
      and plan firewall operations.
      On the first tab (Dashboard), all other tabs except Logging are represented by a summary
      box. By clicking the header of a summary box, you can go to the corresponding tab to see
      more details.

   [Figure B.4a]

   2. Select the Services tab. (See Figure B.4b.)
      The Services tab displays the status of the Microsoft Firewall service and other related
      services. If you enable ISA Server for VPN connections, the Routing and Remote Access
      service status is also displayed.
      All incoming and outgoing network traffic is handled by the Firewall service. For
      performance reasons, the Web proxy functionality is included in the Firewall service.

   [Figure B.4b]

      Notice that all members of the ISA Server 2006 Enterprise Edition array are represented in
      the Services tab. This enables you to monitor service status on all array members,
      regardless of their location, from a single point of management.
   3. Select the Connectivity tab. (See Figure B.4c.)
      The Connectivity tab allows you to define connectivity verifiers. A connectivity verifier
      periodically connects from ISA Server to a computer that you specify, to test current
      connectivity by using an HTTP GET request, a Ping request, or an attempt to establish a
      TCP connection to a port that you specify. This helps with troubleshooting client
      connectivity problems.

   [Figure B.4c]

   4. Select the Logging tab. (See Figure B.4d.)
      The Logging tab is used to configure the Firewall log files, and to view the contents of the
      log files online.

   [Figure B.4d]

   5. In the task pane, on the Tasks tab, click Configure Firewall Logging. (See Figure B.4e.)
      Logging supports three log storage formats: File (*.w3c, text), SQL Database (ODBC), or
      MSDE Database (*.mdf, SQL Desktop Engine).

   [Figure B.4e]

   6. Click Cancel to close the Firewall Logging Properties dialog box.
      The Logging tab has an online mode that allows you to see the log entries from the ISA
      Server 2006 log files on the screen, immediately after they are written to the log files. If
      you want to limit the log entries that are displayed, you can create a filter. (To do so, click
      Edit Filter on the Tasks tab, where you can modify or create new filters for the log viewer,
      as well as start the query process to bring back updated results.)
   7. Close ISA Server Management.
WALKTHROUGH C: WEB LISTENER WIZARD

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006. The certificates required have been preinstalled.

Walkthrough C-1: Creating a Web Listener with SSL

1. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and click
   Firewall Policy.
2. On the Toolbox tab, click Network Objects, click New, and then select Web Listeners.
3. In the Web listener name text box, type OWA SSL. Click Next. (See Figure C.1a.)
4. Select Require SSL secured connections with clients. Click Next. (See Figure C.1b.)

[Figure C.1a]

5. On the Web Listener IP Addresses page, select External. (See Figure C.1c.)
6. Note that a check box enables or disables HTTP compression for this listener.

[Figure C.1b]   [Figure C.1c]

7. Click the Select IP Addresses button. The External Network Listener IP Selection page
   provides for further granularity in applying the listener settings. Click Cancel. Click Next.
   (See Figure C.1d.)

[Figure C.1d]

8. On the Listener SSL Certificates page, ensure that Use a Single certificate for this Web
   Listener is selected and click Select Certificate. (See Figure C.1e.)
   Note that ISA Server 2006 allows for different certificates to be assigned to each IP address
   associated with this Web listener.

[Figure C.1e]

   Note that you can only do the next step if the Florence server already contains certificates.
9. On the Select Certificate page, select the mail.contoso.com (issued by Florence) certificate
   from the list and click Select. On the Listener SSL Certificates page, click Next.
   (See Figure C.1f.)

[Figure C.1f]

10. On the Authentication Settings page, click the arrow to the right of the drop-down box and
    view the choices. Select HTTP Authentication. Select the Integrated check box. Notice that
    Active Directory (Windows) is automatically selected. Click Next. (See Figure C.1g.)
11. On the Single Sign On Settings page, click Next. (See Figure C.1h.)
    Note that single sign on is only available when using HTML authentication.

[Figure C.1g]   [Figure C.1h]

12. Click Finish.

Walkthrough C-2: Creating a Web Listener without SSL

1. On the Toolbox tab, click Network Objects, click New, and then select Web Listeners.
2. In the Web Listener name text box, type HTTP. Click Next.
3. Select Do not require SSL secured connections with clients. Click Next. (See Figure C.2a.)

[Figure C.2a]

4. On the Authentication Settings page, ensure that HTTP Authentication is selected and
   select Basic. Ensure that Active Directory (Windows) is selected. (See Figure C.2b.)

[Figure C.2b]

5. On the Single Sign On Settings page, click Next.
6. On the Completing the New Web Listener Wizard page, click Finish.
7. Click Apply to apply the changes to the configuration, and then click OK to acknowledge
   completion.
WALKTHROUGH D: SERVER FARM WIZARD

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and click
   Firewall Policy.
3. On the Toolbox tab, click Network Objects, click New, and then select Server Farm.
4. On the Welcome page, in the Server Farm name text box, type Exchange OWA. Click Next.
5. On the Servers page, click Add. In the Computer name or IP address box, type
   OWA01.contoso.com. Click OK. (See Figure D.1a.)

[Figure D.1a]

6. Click Add. In the Computer name or IP address box, type OWA02.contoso.com. Click OK.
7. Click Next. On the Connectivity Monitoring page, select the method used to monitor the
   status of each server in the server farm: select Send an HTTP/HTTPS "GET" request to the
   following URL and type http://*/. (See Figure D.1b.)
8. Click Next, and then click Finish. The Enable HTTP Connectivity Verification box appears.
   Select Yes to enable the "Allow HTTP/HTTPS requests from ISA Server to selected servers
   for connectivity verifiers" system policy. Click Apply to apply the changes to the
   configuration. (See Figure D.1c.)

[Figure D.1b]   [Figure D.1c]
WALKTHROUGH E: PUBLISH EXCHANGE WEB CLIENT ACCESS

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006. This walkthrough assumes that Walkthroughs C and D
have been completed.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and then click
   Firewall Policy.
3. On the Tasks tab, click Publish Exchange Web Client Access.
4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA, and then
   click Next. (See Figure E.1a.)

[Figure E.1a]

5. On the Select Services page, click the down arrow to the right of the drop-down box, review
   the options, and ensure that Exchange Server 2003 is selected. Confirm that Outlook Web
   Access is selected and click Next. (See Figure E.1b.)
6. On the Publishing Type page, select Publish a server farm of load-balanced Web servers.
   Click Next. (See Figure E.1c.)

[Figure E.1b]   [Figure E.1c]

7. On the Internal Publishing Details page, in the Internal site name text box, type OWA Client
   Access. Select the ISA Server will use SSL to connect to this Exchange site (recommended)
   check box. Click Next. (See Figure E.1d.)
8. On the Specify Server Farm page, select Exchange OWA from the drop-down list. Click Next.

[Figure E.1d]   [Figure E.1e]

9. On the Public Name Details page, in the Public name text box, type mail.contoso.com. Click
   Next. (See Figure E.1f.)
10. On the Select Web Listener page, select OWA SSL from the drop-down list. Click Next.
    (See Figure E.1g.)

[Figure E.1f]   [Figure E.1g]

11. On the Authentication Delegation page, click the arrow next to the drop-down list. Select
    No delegation – allow end-to-end authentication. Click Next. (See Figure E.1h.)
12. On the User Sets page, click Next.
13. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.

[Figure E.1h]   [Figure E.1i]   [Figure E.1j]

14. In ISA Server Management, click Apply. Click OK. (See Figure E.1k.)
15. A new access rule called OWA now exists in the firewall policy rules for the array.
    (See Figure E.1l.)

[Figure E.1k]   [Figure E.1l]
WALKTHROUGH F: SHAREPOINT PUBLISHING WIZARD

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and then click
   Firewall Policy.
3. On the Tasks tab, click Publish SharePoint Sites. (See Figure F.1a.)
4. On the Welcome to the SharePoint Publishing Rule Wizard page, type Sharepoint Site.
   Click Next. (See Figure F.1b.)

[Figure F.1a]   [Figure F.1b]

5. On the Publishing Type page, select Publish a single web site or an external load balancer.
   Click Next. (See Figure F.1c.)
   Note that the wizard would also allow for:
      Publishing a server farm of load-balanced servers.
      Publishing multiple Web sites.

[Figure F.1c]

6. On the Internal Publishing Details page, in the Internal site name text box, type
   Sharepoint.contoso.com. Select the ISA Server will use SSL to connect to this SharePoint
   site (recommended) check box. Click Next. (See Figure F.1d.)

[Figure F.1d]

7. On the Public Name Details page, in the Public Name text box, type Sharepoint.contoso.com.
   Click Next. (See Figure F.1e.)
8. On the Select Web Listener page, from the Web listener drop-down list, select HTTP. Click
   Next. (See Figure F.1f.)

[Figure F.1e]   [Figure F.1f]

9. On the Authentication Delegation page, from the drop-down list, select Negotiate
   (Kerberos/NTLM) as the method used by ISA Server to delegate client credentials to the
   published Web site. (See Figure F.1g.)
10. On the User Sets page, click Next.
11. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish. A dialog
    box appears indicating that, to complete the configuration of this SharePoint publishing
    rule, additional configuration may be needed.
12. Click OK.
13. Click Apply, and then click OK to acknowledge that the changes have been saved.

[Figure F.1g]
WALKTHROUGH G: HTTP COMPRESSION CONFIGURATION

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand ITALY, expand Configuration, and click
   General. (See Figure G.1a.)

[Figure G.1a]

3. In the details pane, under Global HTTP Policy Settings, click Define HTTP Compression
   Preferences. Ensure that the Enable HTTP compression check box is selected. (See
   Figure G.1b.)

[Figure G.1b]   [Figure G.1c]

4. Click the Return Compressed Data tab. Click Add to specify the network objects for which
   compressed data should be provided (for example, a particular network or a set of
   computers).
   The Request Compressed Data tab is used to specify the network objects from which
   compressed data should be requested.
   The following steps show how to create a computer set that includes all branch office ISA
   Server computers.
5. On the Add Network Entities page, click New and select Computer Set. In the Name box,
   type Branch Office ISA Servers, click Add, and select Computer. (See Figure G.1c.)
6. In the Name box, type Berlin ISA Server and in the Computer IP Address box, enter
   39.1.1.8. Click OK.
7. In the Name box, type New York ISA Server and in the Computer IP Address box, enter
   39.1.1.9. Click OK. Click OK again. (See Figure G.1d.)
8. On the Add Network Entities page, expand Computer Sets, select Branch Office ISA Servers,
   and click Add. Click Close. (See Figure G.1e.)

[Figure G.1d]   [Figure G.1e]

   The Add Network Entities page also allows exceptions to be specified.
9. Click the Content Types button. Specify the content groups for which compression should
   occur. Click OK. (See Figure G.1f.)
10. Click OK. Click Apply.

[Figure G.1f]
WALKTHROUGH H: DIFFSERV CONFIGURATION

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand ITALY, expand Configuration, and click
   General. (See Figure H.1a.)

[Figure H.1a]

3. In the details pane, under Global HTTP Policy Settings, click Specify QoS Preferences.
   Click Enable network traffic prioritization according to Diffserv (Quality of Service) bits.
   (See Figure H.1b.)
   ISA Server 2006 can mark the IP Diffserv (Quality of Service) bits according to URL or
   domain name, for prioritization of traffic on specified networks. For HTTP traffic, specify a
   URL. For HTTPS traffic, specify domain names.
4. Click the Priorities tab. To add a priority, click Add. In the Add Priority dialog box, in the
   Priority name text box, type Gold. In the DiffServ bits text box, type 010110. (See
   Figure H.1c.)

[Figure H.1b]   [Figure H.1c]

5. Select the Apply a size limit to this priority check box. In the Size limit (bytes) text box,
   type 1500.
   Traffic assigned this priority that is smaller than 1,500 bytes will have priority over traffic
   assigned to this same priority that is 1,500 bytes or larger.
6. Click OK. To add another priority, click Add. In the Add Priority dialog box, in the Priority
   Name text box, type Silver. In the DiffServ bits text box, type 100001. Click OK.
   Note the Allow special handling of request and response headers according to this priority
   (applies to the first packet only) check box. When this check box is selected, the first packet
   of each network session is handled according to the selected priority.
7. Click the URLs tab. Click Add. In the URL name box, type www.contoso.com/*. From the
   Priority drop-down list, select Gold. Click OK. Click Add. In the URL name box, type
   www.microsoft.com/isaserver/*. From the Priority drop-down list, select Silver. (See
   Figure H.1d.)
   Traffic associated with URLs assigned to Gold will be given priority over those assigned to
   Silver.

[Figure H.1d]

8. Click OK. Click the Domains tab. Click Add. Use this tab to specify priority based on domain
   name, following the same steps used for URLs. Click Cancel.
9. Click the Networks tab. Select the networks for which Diffserv prioritization should be
   enabled. (See Figure H.1e.)
10. Click OK.

[Figure H.1e]
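The Gold and Silver priorities, the 1,500-byte size limit and the two URL assignments from steps 4 to 7, worked through as an added example (not ISA Server code): it converts the six DiffServ bits into the DSCP value and TOS byte that end up in the IP header and ranks constructed requests. The wildcard matching and the size-limit ranking are assumptions about how the product applies the settings; Domains-tab (HTTPS) rules are not modelled.

```python
"""DiffServ priority marking as configured in Walkthrough H, modelled in code.

Added example; not ISA Server code. It turns the six "DiffServ bits" entered in
the Priorities tab into the DSCP value and the IP TOS / Traffic Class byte, and
classifies requests by URL pattern, size limit and priority order. Wildcard
matching and the size-limit ranking are assumptions about how the product
applies the settings named on the page.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
from urllib.parse import urlsplit


@dataclass(frozen=True)
class Priority:
    name: str
    diffserv_bits: str                 # six-character string such as "010110"
    size_limit: Optional[int] = None   # bytes; None means no size limit

    @property
    def dscp(self) -> int:
        if len(self.diffserv_bits) != 6 or set(self.diffserv_bits) - {"0", "1"}:
            raise ValueError(f"DiffServ bits must be six 0/1 characters: {self.diffserv_bits!r}")
        return int(self.diffserv_bits, 2)

    @property
    def tos_byte(self) -> int:
        # DSCP occupies the upper six bits of the IPv4 TOS / IPv6 Traffic Class
        # byte; the two low bits (ECN) are left clear.
        return self.dscp << 2


# Priorities from steps 4 to 6; list order is the precedence order (Gold over Silver).
GOLD = Priority("Gold", "010110", size_limit=1500)
SILVER = Priority("Silver", "100001")
PRIORITIES = [GOLD, SILVER]

# URL-to-priority assignments from step 7.
URL_RULES = [("www.contoso.com/*", GOLD), ("www.microsoft.com/isaserver/*", SILVER)]


def match_url(url: str, pattern: str) -> bool:
    """Match host/path (scheme stripped) against a wildcard pattern as typed in the URLs tab."""
    parts = urlsplit(url)
    target = parts.netloc + (parts.path or "/")
    return fnmatchcase(target, pattern)


def classify(url: str, size: int):
    """Return (priority or None, dscp or None, rank) for a request.

    rank orders traffic: lower is served first. Within a priority that has a
    size limit, traffic under the limit ranks ahead of traffic at or over it
    (the behaviour the walkthrough describes for the 1,500-byte limit).
    """
    for pattern, prio in URL_RULES:
        if match_url(url, pattern):
            base = PRIORITIES.index(prio) * 2
            over_limit = prio.size_limit is not None and size >= prio.size_limit
            return prio, prio.dscp, base + (1 if over_limit else 0)
    return None, None, len(PRIORITIES) * 2   # unmarked traffic ranks last


if __name__ == "__main__":
    # Constructed requests.
    for url, size in [("http://www.contoso.com/index.html", 900),
                      ("http://www.contoso.com/big.iso", 64000),
                      ("http://www.microsoft.com/isaserver/default.mspx", 900),
                      ("http://www.example.com/", 900)]:
        prio, dscp, rank = classify(url, size)
        print(f"{url:50} -> {prio.name if prio else '-':6} dscp={dscp} rank={rank}")
```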
WALKTHROUGH I: FLOOD RESILIENCY CONFIGURATION

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand ITALY, expand Configuration, and click
   General.
3. In the details pane, under Additional Security Policy, click Configure Flood Mitigation
   Settings. (See Figure I.1a.)

[Figure I.1a]

4. On the Flood Mitigation page, ensure that the Enable mitigation for flood attacks and worm
   propagation check box is selected. Next to each option, such as TCP connect requests per
   minute, per IP address, click the Configure button to open the configuration page and view
   the potential settings and mitigation descriptions for each. Click Cancel to close each
   configuration page. (See Figure I.1b.)

[Figure I.1b]

5. Click the IP Exceptions tab. Click Add. Select the computer sets to which these custom
   limits should be applied and click Add. Click OK. (See Figure I.1c.)

[Figure I.1c]
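The "TCP connect requests per minute, per IP address" limit with an IP-exception computer set, as an added example (not ISA Server code) run over constructed connection events. The limit values and the Branch Office ISA Servers addresses used for the exception set are constructed for the demonstration, not the product's defaults.

```python
"""Per-IP TCP connect-rate limiting of the kind Walkthrough I configures, run
over constructed connection events.

Added example; not ISA Server code. The limit values (600 connections per
minute by default, 6000 for addresses in an exception computer set) and the
event list are constructed for the demonstration.
"""
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

# Constructed Flood Mitigation settings: a default limit and a custom limit for
# the computer sets listed on the IP Exceptions tab.
DEFAULT_LIMIT = 600     # TCP connect requests per minute, per IP address
CUSTOM_LIMIT = 6000     # applied to the exception computer sets below
IP_EXCEPTIONS = {
    "Branch Office ISA Servers": [ip_network("39.1.1.8/32"), ip_network("39.1.1.9/32")],
}
WINDOW_SECONDS = 60


def limit_for(ip: str) -> int:
    """Custom limit for addresses in an exception set, default limit otherwise."""
    addr = ip_address(ip)
    for nets in IP_EXCEPTIONS.values():
        if any(addr in net for net in nets):
            return CUSTOM_LIMIT
    return DEFAULT_LIMIT


class ConnectRateLimiter:
    """Sliding one-minute window of TCP connect requests per source IP."""

    def __init__(self):
        self._windows = defaultdict(deque)   # ip -> timestamps inside the window
        self.blocked = {}                    # ip -> first timestamp the limit was hit

    def admit(self, ip: str, ts: float) -> bool:
        """Record a connect request; return False when it exceeds the IP's limit."""
        window = self._windows[ip]
        while window and ts - window[0] >= WINDOW_SECONDS:
            window.popleft()
        if len(window) >= limit_for(ip):
            self.blocked.setdefault(ip, ts)
            return False
        window.append(ts)
        return True


def run(events):
    """events: iterable of (timestamp, source_ip), in time order.

    Returns ({ip: (admitted, rejected)}, {ip: first_block_time}).
    """
    limiter = ConnectRateLimiter()
    counts = defaultdict(lambda: [0, 0])
    for ts, ip in events:
        counts[ip][0 if limiter.admit(ip, ts) else 1] += 1
    return {ip: tuple(c) for ip, c in counts.items()}, limiter.blocked


# Constructed events: a workstation opening 700 connections in under 30 seconds
# (worm-like), a branch office ISA server doing the same, and a normal client.
EVENTS = sorted([(i * 0.04, "10.0.0.23") for i in range(700)]
                + [(i * 0.04, "39.1.1.8") for i in range(700)]
                + [(i * 6.0, "10.0.0.50") for i in range(10)])

if __name__ == "__main__":
    counts, blocked = run(EVENTS)
    for ip, (ok, rejected) in counts.items():
        print(f"{ip:12} admitted={ok:4} rejected={rejected:4} limit={limit_for(ip)}"
              + (f" first blocked at t={blocked[ip]:.2f}s" if ip in blocked else ""))
```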
WALKTHROUGH J: CACHING RULES (MICROSOFT UPDATE CACHE RULE / BITS CONFIGURATION)

Note: This walkthrough assumes the use of a virtual computer called Florence configured with
Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start
   menu, click All Programs, click Microsoft ISA Server, and then click ISA Server
   Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, expand
   Configuration, and click Cache. On the Tasks tab, click Define Cache Drives (enable
   caching). On the Cache Drives tab, in the Maximum cache size (MB) text box, type 1000.
   Click OK. (See Figure J.1a.)

[Figure J.1a]

3. Click the Cache Rules tab. Double-click the built-in cache rule Microsoft Update Cache Rule.
   (See Figure J.1b.)

[Figure J.1b]

4. Click the To tab. Select Microsoft Update Domain Name Set and click Edit. Examine the
   domain name in this set (*.windowsupdate.com). Click Cancel. (See Figure J.1c.)

[Figure J.1c]

5. Click the Cache Store and Retrieval tab. Investigate the options available. (See Figure J.1d.)
6. Click the HTTP tab. Notice that HTTP caching is enabled. Review the available settings and
   their defaults. (See Figure J.1e.)

[Figure J.1d]   [Figure J.1e]

7. Click the FTP tab and review the settings. (See Figure J.1f.)

[Figure J.1f]

8. Click the Advanced tab. Review the settings. (See Figure J.1g.)
   Notice the Enable caching of content received through the Background Intelligent Transfer
   Service (BITS) check box. BITS caching is enabled on a per-cache-rule basis.

[Figure J.1g]
WALKTHROUGH K: REMOTE CLIENT VPN CONNECTIVITY

   Note: This walkthrough assumes the use of 2 virtual computers called Florence and Firenze
   configured with Windows Server 2003 & ISA Server 2006.


   Walkthrough K-1: Configuring ISA Server 2006 to Accept
   Incoming Client VPN Connections
To examine the status of the Routing and Remote Access service
   1. On the Florence computer, on the Start menu, click Administrative Tools, and then click
      Routing and Remote Access.
   2. In Routing and Remote Access, select FLORENCE (local).
      • The Routing and Remote Access service is not started yet, and the service is not
        configured. ISA Server uses the Routing and Remote Access service to handle VPN
        connections, after the VPN connection is approved.
      • Note that all VPN configuration (except remote access dial-in permission for users and
        groups) is done through ISA Server Management.


To use ISA Server Management to configure VPN address ranges
    • Note that the Florence IP address range is 10.3.1.1–10.3.1.100.
     1. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA
        Server Management.
     2. In ISA Server Management, expand Arrays, expand ITALY, and then select
        Virtual Private Networks (VPN).
     3. In the task pane, on the Tasks tab, click Define Address Assignments.
    • Note that in ISA Server 2006 Enterprise Edition, the use of a Dynamic Host Configuration
      Protocol (DHCP) server to assign IP addresses to VPN clients is limited to arrays with only
      a single ISA Server computer. This is to avoid intra-array traffic and required routing table
      updates on each array member when a VPN client connects.
    • In an array with more than one ISA Server computer, you must first define static IP ranges
      per server, before you can enable VPN access.
     4. In the Virtual Private Networks (VPN) Properties dialog box, on the
        Address Assignment tab, click Add.
     5. In the Server IP Address Range Properties dialog box, complete the following
        information:
         - Select the server: Florence
         - Start address: 10.3.1.1
         - End address: 10.3.1.100
    • This IP address range allows for a maximum of:
       - One destination VPN IP address on Florence (10.3.1.1).
       - 99 VPN client addresses (10.3.1.2–10.3.1.100).
     6. In the Virtual Private Networks (VPN) Properties dialog box, on the
        Address Assignment tab, click Add.
     7. In the Server IP Address Range Properties dialog box, complete the following
        information:
         - Select the server: Firenze
         - Start address: 10.3.1.101
         - End address: 10.3.1.200
     8. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.


To enable and configure VPN client access
    • This procedure configures a VPN for PPTP and for a maximum of 99 clients.
     1. On the Tasks tab, click Configure VPN Client Access.
     2. In the VPN Client Properties dialog box, on the General tab, click the Enable VPN client
        access check box. In the Maximum number of VPN clients allowed text box, type 99.
        (See Figure K.1a.)
     3. On the Protocols tab, ensure that only Enable PPTP is selected.
     4. Click OK to close the VPN Clients Properties dialog box.

Figure K.1a

    • Note that the VPN configuration is not applied yet.


To examine the VPN connection settings
   1) In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.
      • You can also access the Virtual Private Networks (VPN) Properties dialog box from the
        task pane.
   2) In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks
      tab. (See Figure K.1b.)
      • ISA Server is currently configured to only accept incoming VPN connections from the
        External network.
   3) Select the Authentication tab.
      • ISA Server is currently configured to allow only MS CHAPv2 authentication for incoming
        VPN connections.
   4) Click OK to close the Virtual Private Networks (VPN) Properties dialog box.

Figure K.1b


To examine the VPN access rule
   1) In the left pane, select Firewall Policy (ITALY).
   2) In the task pane, on the Tasks tab, click Show System Policy Rules.
   3) In the details pane, select the Allow VPN client traffic to ISA Server system policy rule
      (rule 13). (See Figure K.1c.)

Figure K.1c

      • This system policy rule allows the PPTP protocol from the External network to the Local
        Host network (ISA Server).
      • If the L2TP over IPsec VPN protocol is enabled as well for VPN client access, this rule is
        extended with the required L2TP over IPsec protocols, such as Internet Key Exchange
        (IKE), Internet Protocol security (IPsec), and Layer Two Tunneling Protocol (L2TP).
      • If additional networks are enabled on the Access Networks tab of the Virtual Private
        Networks (VPN) Properties dialog box, this rule is extended with those networks.
   4) In the task pane, on the Tasks tab, click Hide System Policy Rules.
   5) In ISA Server Management, click Apply to apply the VPN configuration, and then click OK.
      • This step configures and enables VPN connections on ISA Server, and configures and
        starts the Routing and Remote Access service on the ISA Server computer.


           Note: Before you do the next task, wait 30 seconds for ISA Server to configure
           and start the Routing and Remote Access service.

To examine the Routing and Remote Access service
   1) In Routing and Remote Access, in the left pane, right-click FLORENCE (local), and then
      click Refresh, if necessary.
      • The user interface is updated to show that Routing and Remote Access is configured and
        started.
   2) Right-click FLORENCE (local), and then click Properties.
   3) In the FLORENCE (local) Properties dialog box, select the IP tab.
      • ISA Server has configured the Routing and Remote Access service to use a static address
        pool of IP addresses.
   4) Click Cancel to close the FLORENCE (local) Properties dialog box.
   5) Expand FLORENCE (local), and then select Remote Access Policies.
   6) In the details pane, right-click the ISA Server Default Policy remote access policy, and
      then click Properties.
      • ISA Server has added a new remote access policy:
        - The policy is first in the list, and applies to all incoming remote access connections
          (Day-And-Time-Restrictions matches 7x "00:00-24:00").
        - The associated profile specifies the authentication methods allowed for the connections.
        - Unless individual access permissions are specified in the user profile (performed in the
          following procedure), remote access is denied.
   7) Click Cancel to close the ISA Server Default Policy Properties dialog box.
   8) In the left pane, select IP Routing. In the details pane, right-click Static Routes, and then
      click Show IP Routing Table.
      • On the Florence computer, ISA Server has added routes for the VPN address range on
        Firenze (10.3.1.101–10.3.1.200).
   9) Close the FLORENCE - IP Routing Table window.
   10) Close Routing and Remote Access.


To configure the user profile of the Admin account so that it is allowed to dial in

    1) On the Start menu, click Administrative Tools, and then click
       Computer Management.
    2) In Computer Management, in the left pane, expand
       Local Users and Groups, and then select Users.
    3) In the details pane, right-click Admin, and then click Properties.
    4) In the Administrator Properties dialog box, on the Dial-in tab,
       select Allow access, and then click OK. (See Figure K.1d.)
    5) Close Computer Management.
       • Note that in this procedure, a local administrator account is used to create the VPN
         connection. Normally, domain user accounts are used to create the VPN connection.

Figure K.1d


    Note: ISA Server now accepts incoming VPN connections from client computers on the External
    network. Those client computers will then automatically be placed in the VPN Clients network.
    Access rules should be created to determine which resources VPN clients will be given access to.
WALKTHROUGH L: ENTERPRISE MANAGEMENT AND HIGH AVAILABILITY

    Walkthrough L-1: Exploring Enterprise Networks and Policies
    By grouping ISA Server 2006 Enterprise Edition computers into arrays, you can centrally manage
    network policy for the entire enterprise. You can select a centralized enterprise policy that applies
    to all arrays in the enterprise or a more flexible policy where each array administrator can define a
    local policy. The centralized administration can mean greater security. All the administrative tasks
    can be performed from one computer and the configuration is applied to all, ensuring that all the
    servers have the same access policies configured. This is particularly useful in large
    organizations, where arrays can include many ISA Server computers.

    In this walkthrough, you will create an enterprise policy, and apply this policy to multiple
    ISA Server arrays.


    Note: This walkthrough assumes the use of 2 virtual computers called Florence and Firenze
    configured with Windows Server 2003 & ISA Server 2006.

    In the following procedure, you will examine the four components of the firewall policy rule list on
    the Florence computer:
     • System policy rules
     • Enterprise rules (before)
     • Array-level rules
     • Enterprise rules (after)
To examine firewall policies
    1) On the Florence computer, on the Start menu, click All Programs, click
       Microsoft ISA Server, and then click ISA Server Management.
    2) In the left pane, expand Arrays, expand ITALY, and then select Firewall Policy (ITALY).
        • You create firewall policy rules to define what network traffic is allowed to go into or out
          of your network.
        • The firewall policy rules that you create can be in three locations:
          - Enterprise Policy Rules (before): Rules are processed before the array-level
            firewall policy rules.
          - Firewall Policy Rules (array): Array-level rules.
          - Enterprise Policy Rules (after): Rules are processed after the array-level firewall
            policy rules.
        • Only the Firewall Policy Rules (array) are created and managed at the array level. The
          Enterprise Policy Rules (before) and Enterprise Policy Rules (after) are created and
          managed at the enterprise level in an enterprise policy, which is assigned to the array.
    3) In the task pane, on the Tasks tab, click Show System Policy Rules. (See Figure L.1a.)
        • In the details pane, 34 predefined access rules to or from the Local Host network (ISA
          Server computers) are shown. Enabled system policy rules are always active, even if
          they are not shown.
        • The effective firewall policy is always the combination of the following rules in order:
          - System policy rules
          - Enterprise policy rules (before)
          - Array-level rules
          - Enterprise policy rules (after)
          - The Default rule (deny all traffic) (This rule is always listed last.)

Figure L.1a

    4) On the Tasks tab, click Hide System Policy Rules.



To create a new enterprise policy
    1) In the left pane, expand Enterprise, expand Enterprise Policies, and then select
       Enterprise Policies.
        • An ISA Server enterprise administrator can create one or more enterprise policies, and
          assign an enterprise policy to one or more arrays. Initially only the Default Policy
          enterprise policy exists. You cannot modify Default Policy.
    2) In the task pane, on the Tasks tab, click Create New Enterprise Policy.
    3) On the Welcome to the New Enterprise Policy Wizard page, in the Enterprise policy name
       text box, type Company Enterprise Policy, and then click Next. (See Figure L.1b.)
    4) On the Completing the New Enterprise Policy Wizard page, click Finish.
        • A new enterprise policy named Company Enterprise Policy is created.
        • The enterprise policy is not assigned to an array yet.

Figure L.1b

    5) In the left pane, select Company Enterprise Policy.
        • All enterprise policies (including Default Policy) always contain the Default rule, which is
          always listed last. The Default rule denies all network traffic.


To create an enterprise network
   1) In the left pane, select Enterprise Networks.
       • ISA Server 2006 Enterprise Edition has four predefined enterprise networks.
       • These four networks always map to the array-level network with the same name. They
         do not define any IP address ranges at the enterprise level. Instead the predefined
         enterprise networks act as placeholders for use in enterprise-level firewall policy
         rules.
       • Note that ISA Server does not have a predefined enterprise network for the Internal
         network. In this procedure, you will create a new custom enterprise network for the
         Internal network.
   2) In the task pane, on the Tasks tab, click Create a New Network.
   3) On the Welcome to the New Network Wizard page, in the Network name text box, type
      All Internal Networks, and then click Next.
       • Custom enterprise networks are different, in that they define IP address ranges.
   4) On the Network Addresses page, click Add Range.
   5) In the IP Address Range Properties dialog box, complete the following information, and
      then click OK:
       - Start address: 10.1.1.0
       - End address: 10.1.1.255
       • 10.1.1.0–10.1.1.255 is the IP address range of the Internal network for the ITALY array.
   6) On the Network Addresses page, click Add Range again.
   7) In the IP Address Range Properties dialog box, complete the following information, and
      then click OK:
       - Start address: 10.4.1.0
       - End address: 10.4.1.255
       • 10.4.1.0–10.4.1.255 is the IP address range of the Internal network for the PORTUGAL
         array.
   8) On the Network Addresses page, click Next. (See Figure L.1c.)
   9) On the Completing the New Network Wizard page, click Finish.
       • A new enterprise network named All Internal Networks is created.
       • Note that for ease of management, when you have a large number of networks, you can
         create an enterprise network set, which groups multiple existing enterprise networks.

Figure L.1c


To create a new access rule in Company Enterprise Policy
   1) In the left pane, select Company Enterprise Policy, and then in the details pane, select
      Default rule.
   2) In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
       • Note that you cannot create publishing rules in an enterprise policy. An enterprise policy
         only contains access rules.
       • Note that system policy rules are only defined at the array level.
   3) On the Welcome to the New Access Rule Wizard page, in the Access rule name text
      box, type Baseline - Allow HTTP traffic to Internet, and then click Next. (See
      Figure L.1d.)
   4) On the Rule Action page, select Allow, and then click Next.
   5) On the Protocols page, in the This rule applies to list box, select Selected protocols, and
      then click Add.
   6) In the Add Protocols dialog box, click Web, click HTTP, click Add, and then click Close to
      close the Add Protocols dialog box.
   7) On the Protocols page, click Next.
   8) On the Access Rule Sources page, click Add.

Figure L.1d

   9) In the Add Network Entities dialog box, click Enterprise Networks, click All Internal
      Networks, click Add, and then click Close to close the Add Network Entities dialog box.
      (See Figure L.1e.)
       • All internal networks represent the internal networks of ITALY and PORTUGAL.
   10) On the Access Rule Sources page, click Next.
   11) On the Access Rule Destinations page, click Add.
   12) In the Add Network Entities dialog box, click Enterprise Networks, click External, click
       Add, and then click Close to close the Add Network Entities dialog box.
       • The external enterprise network maps to the External network in each array.
   13) On the Access Rule Destinations page, click Next.
   14) On the User Sets page, click Next.
   15) On the Completing the New Access Rule Wizard page, click Finish.
       • A new enterprise access rule is created that allows the HTTP protocol from all internal
         networks to the External network for all users.
       • Note that the new access rule is listed in the enterprise policy rules section that is after
         the Array Firewall Policy section. When this enterprise policy is applied to an array, the
         array administrators can override this enterprise access rule with an array access rule
         that is listed earlier.

Figure L.1e
To assign the Company Enterprise Policy to the ITALY array

    1) In the left pane, right-click ITALY, and then click Properties.
    2) In the ITALY Properties dialog box, select the Policy Settings tab.
        • Currently the Default Policy enterprise policy is assigned to the ITALY array.
        • Compare:
          - ISA Server 2006 Enterprise Edition: An array always has an assigned enterprise
            policy.
          - ISA Server 2000 Enterprise Edition: You can create an array that does not use an
            enterprise policy.
        • Note that because you cannot modify the Default Policy enterprise policy, which only
          contains the Default rule, assigning Default Policy to an array is very similar to the
          ISA Server 2000 array-only configuration.
    3) In the Enterprise policy list box, select Company Enterprise Policy.
        • The Company Enterprise Policy is assigned to the ITALY array.
        • Note that you can specify what types of rules the array administrator can create for the
          array firewall policy.
    4) Click OK to close the ITALY Properties dialog box.


To assign the Company Enterprise Policy to the PORTUGAL array

    1) In the left pane, right-click PORTUGAL, and then click Properties.
    2) In the PORTUGAL Properties dialog box, select the Policy Settings tab.
        • Currently the Default Policy enterprise policy is assigned to the PORTUGAL array.
    3) In the Enterprise policy list box, select Company Enterprise Policy.
        • The Company Enterprise Policy is assigned to the PORTUGAL array.
    4) Click OK to close the PORTUGAL Properties dialog box.
    5) In the left pane, collapse the PORTUGAL node.
        • The PORTUGAL node is not used in later walkthroughs.


To create a new enterprise protocol definition
    1) In the left pane, select Enterprise Policies.
    2) In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click
       Protocol.
    3) On the Welcome to the New Protocol Definition Wizard page, in the Protocol definition
       name text box, type Attack Ports, and then click Next. (See Figure L.1f.)
        • You will use the Attack Ports protocol definition in a new enterprise access rule.
    4) On the Primary Connection Information page, click New.
    5) In the New/Edit Protocol Connection dialog box, complete the following information, and
       then click OK:
        - Protocol type: TCP
        - Direction: Outbound
        - From: 12345
        - To: 12345
        • TCP port 12345 is used by many Trojan horse applications.

Figure L.1f

    6) On the Primary Connection Information page, click New.
    7) In the New/Edit Protocol Connection dialog box, complete the following information, and
       then click OK:
        - Protocol type: TCP
        - Direction: Outbound
        - From: 31337
        - To: 31337
        • TCP port 31337 is also used by Trojan horse applications.
    8) On the Primary Connection Information page, click Next. (See Figure L.1g.)
    9) On the Secondary Connections page, click Next.
    10) On the Completing the New Protocol Definition Wizard page, click Finish.
        • A new enterprise protocol definition is created which defines ports used by Trojan horse
          applications.
        • Note that the new enterprise protocol definition can be used in access rules in all
          enterprise policies, and in the array firewall policy of all arrays.

Figure L.1g


To create a new access rule in the Company Enterprise Policy

   1) In the left pane, select Company Enterprise Policy, and then in the details pane, select
      Baseline - Allow HTTP traffic to Internet.
       • The new rule will be placed before the selected rule.
   2) In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
   3) On the Welcome to the New Access Rule Wizard page, in the Access rule name text box,
      type Block - Trojan horse traffic, and then click Next. (See Figure L.1h.)
   4) On the Rule Action page, select Deny, and then click Next.
   5) On the Protocols page, in the This rule applies to list box, select Selected protocols, and
      then click Add.
   6) In the Add Protocols dialog box, click User-Defined, click Attack Ports, click Add, and then
      click Close to close the Add Protocols dialog box.
   7) On the Protocols page, click Next.

Figure L.1h

   8) On the Access Rule Sources page, click Add.
   9) In the Add Network Entities dialog box, click Enterprise Networks, click All Internal
      Networks, click Add, and then click Close to close the Add Network Entities dialog box.
   10) On the Access Rule Sources page, click Next.
   11) On the Access Rule Destinations page, click Add.
   12) In the Add Network Entities dialog box, click Enterprise Networks, click External, click
       Add, and then click Close to close the Add Network Entities dialog box.
   13) On the Access Rule Destinations page, click Next.
   14) On the User Sets page, click Next.
   15) On the Completing the New Access Rule Wizard page, click Finish.
       • A new enterprise access rule is created that denies certain network traffic from all
         internal networks to the External network for all users.
   16) Right-click Block - Trojan horse traffic, and then click Move Up. (See Figure L.1i.)
       • The access rule is now listed in the enterprise policy rules section that is before the
         Array Firewall Policy section. Array administrators cannot override this enterprise
         access rule in an array access rule.
       • Note that by default, ISA Server blocks network traffic on all ports on the Internal
         network. The Block - Trojan horse traffic enterprise access rule prevents unintended
         access when an array administrator creates an array access rule that allows access
         to all protocols.

Figure L.1i
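The rule order examined earlier in this walkthrough (system, enterprise before, array, enterprise after, Default rule) and the override behaviour of the two enterprise rules just created can be checked with a small first-match model of the effective firewall policy. This is added example code, not part of the evaluation guide or of ISA Server; it reuses the walkthrough's network ranges, protocol definitions and rule names, and the array rule "Allow all outbound (array)", the client address 10.1.1.50 and the Internet address 203.0.113.10 are constructed for the demonstration.

```python
"""Constructed model of ISA Server 2006 effective firewall policy ordering.

Evaluation order from the walkthrough: system policy rules, enterprise policy
rules (before), array-level rules, enterprise policy rules (after), Default
rule (deny all). The first matching rule decides the outcome.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Sequence, Set, Tuple

# Networks from the walkthrough: the ITALY array's Internal network and the
# custom enterprise network "All Internal Networks" (ITALY + PORTUGAL).
# "External" is modelled as any address not in a defined network.
NETWORKS: Dict[str, list] = {
    "Internal": [ip_network("10.1.1.0/24")],
    "All Internal Networks": [ip_network("10.1.1.0/24"), ip_network("10.4.1.0/24")],
}

# Protocol definitions as (transport, port). "Attack Ports" is the enterprise
# protocol definition created in the walkthrough (TCP 12345 and TCP 31337).
PROTOCOLS: Dict[str, Set[Tuple[str, int]]] = {
    "HTTP": {("tcp", 80)},
    "Attack Ports": {("tcp", 12345), ("tcp", 31337)},
}
ALL_OUTBOUND = "All outbound traffic"   # wildcard protocol selection


@dataclass
class Rule:
    name: str
    action: str              # "allow" or "deny"
    protocols: List[str]     # protocol definition names, or [ALL_OUTBOUND]
    sources: List[str]       # network names
    destinations: List[str]  # network names


@dataclass
class Policy:
    system: List[Rule] = field(default_factory=list)
    enterprise_before: List[Rule] = field(default_factory=list)
    array: List[Rule] = field(default_factory=list)
    enterprise_after: List[Rule] = field(default_factory=list)

    def ordered(self) -> List[Rule]:
        """Rules in the order ISA Server evaluates them (Default rule excluded)."""
        return self.system + self.enterprise_before + self.array + self.enterprise_after


def _in_networks(addr: str, names: List[str]) -> bool:
    ip = ip_address(addr)
    defined = [net for nets in NETWORKS.values() for net in nets]
    for name in names:
        if name == "External":
            if not any(ip in net for net in defined):
                return True
        elif any(ip in net for net in NETWORKS[name]):
            return True
    return False


def _matches_protocol(rule: Rule, transport: str, port: int) -> bool:
    if ALL_OUTBOUND in rule.protocols:
        return True
    return any((transport, port) in PROTOCOLS[p] for p in rule.protocols)


def evaluate(policy: Policy, transport: str, port: int, src: str, dst: str) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule; the Default rule denies the rest."""
    for rule in policy.ordered():
        if (_matches_protocol(rule, transport, port)
                and _in_networks(src, rule.sources)
                and _in_networks(dst, rule.destinations)):
            return rule.action, rule.name
    return "deny", "Default rule"


# The two enterprise rules built in Walkthrough L-1.
BLOCK_TROJAN = Rule("Block - Trojan horse traffic", "deny",
                    ["Attack Ports"], ["All Internal Networks"], ["External"])
BASELINE_HTTP = Rule("Baseline - Allow HTTP traffic to Internet", "allow",
                     ["HTTP"], ["All Internal Networks"], ["External"])
# A constructed array-level rule such as an ITALY array administrator might add.
ARRAY_ALLOW_ALL = Rule("Allow all outbound (array)", "allow",
                       [ALL_OUTBOUND], ["Internal"], ["External"])


def company_policy(array_rules: Sequence[Rule] = (), block_rule_moved_up: bool = True) -> Policy:
    """Company Enterprise Policy as assigned to the ITALY array.

    block_rule_moved_up=True reflects step 16 (Move Up): the deny rule sits in
    the enterprise (before) section. False reflects its position right after
    creation, in the enterprise (after) section ahead of the baseline rule.
    """
    before = [BLOCK_TROJAN] if block_rule_moved_up else []
    after = ([] if block_rule_moved_up else [BLOCK_TROJAN]) + [BASELINE_HTTP]
    return Policy(enterprise_before=before, array=list(array_rules), enterprise_after=after)


if __name__ == "__main__":
    client, internet = "10.1.1.50", "203.0.113.10"   # constructed addresses
    for label, pol in [("enterprise rules only", company_policy()),
                       ("array allow-all, deny rule moved up", company_policy([ARRAY_ALLOW_ALL])),
                       ("array allow-all, deny rule not moved", company_policy([ARRAY_ALLOW_ALL], False))]:
        print(label)
        for port in (80, 31337, 443):
            print("  tcp/%-5d -> %s by %r" % (port, *evaluate(pol, "tcp", port, client, internet)))
```

Running it shows that the array's allow-all rule overrides the deny rule only while the deny rule still sits in the enterprise (after) section; once moved to the (before) section it wins regardless of what the array administrator adds.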




To assign the Default Policy to the ITALY array

   1) In the left pane, right-click ITALY, and then click Properties.
   2) In the ITALY Properties dialog box, select the Policy Settings tab.
   3) In the Enterprise policy text box, select Default Policy, and then click OK.
       • The Default Policy enterprise policy is assigned to the ITALY array.
   4) In the left pane, select Firewall Policy (ITALY).
       • Note that the firewall policy no longer contains the two enterprise access rules from the
         Company Enterprise Policy.
   5) Click Apply to save the change, and then click OK. Wait until the Configuration Storage
      server status is Synced.


   Walkthrough L-2: Configuring Network Load Balancing
   ISA Server 2006 Enterprise Edition introduces a multi-networking model, which allows you to
   configure how policy should be applied between multiple networks. With this multi-networking
   model, ISA Server integrates Network Load Balancing (NLB) functionality, so that you can
   balance the load across all the array members on one or more networks.

   You can use ISA Server to configure and manage the NLB functionality of Microsoft
   Windows Server 2003 running on ISA Server arrays. When you configure NLB through ISA
   Server, NLB is integrated with ISA Server functionality. This provides important functionality that
   is not available in Windows NLB alone.

   In addition, ISA Server monitors NLB configuration, and discontinues NLB on a particular
   computer as necessitated by its status. This prevents the continued functioning of NLB when
   the state of the computer does not allow the passage of traffic. For example, if there is a failure
   of the network adapter on the computer, or if you stop the Microsoft Firewall service, ISA Server
   stops NLB-directed traffic from passing through that computer. When the issue is resolved, ISA
   Server will again allow traffic to pass through that computer.


   Note: This walkthrough requires you to set up four computers (using your virtual computer images):
   the Florence and Firenze ISA Server computers, the domain controller, Denver, and the client
   computer, Istanbul.


To enable NLB integration on the Florence computer

   1) On the Start menu, click All Programs, click Microsoft ISA Server, and then click
      ISA Server Management.
   2) In ISA Server Management, expand Arrays, expand ITALY, expand
      Configuration, and then in the left pane, select Networks.
   3) In the details pane, select the Networks tab.
   4) In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration.
      (See Figure L.2a.)
       • Enabling NLB integration results in the following two actions:
         - ISA Server controls the NLB driver and adds additional functionality, such as alerting
           the NLB driver when any ISA Server service fails and providing support for handling
           network traffic when NLB is enabled on multiple networks on the array.
         - ISA Server manages the configuration of NLB, and overrides any manual NLB
           changes you may make outside of ISA Server.

Figure L.2a

   5) On the Network Load Balancing Wizard page, click Next.
   6) On the Select Load Balanced Networks page, do not select any network, and then click
      Next.
       • In this procedure, the wizard is only used to enable NLB integration. After the wizard is
         completed, you will enable NLB on the networks separately.
   7) On the Completing the Network Load Balancing Integration Wizard page, click Finish.
       • A message box appears, explaining that the name you specify for the Configuration
         Storage server should resolve to the intra-array IP address. This only applies if the
         Configuration Storage server is installed on an array member, and NLB is enabled.
   8) Click OK to close the message box.
   9) In the left pane, right-click ITALY, and then click Properties.
   10) In the ITALY Properties dialog box, select the Configuration Storage tab.
       • The array uses the name Florence to specify the Configuration Storage server on the
         Florence computer. Both the Florence and Firenze computers use a Hosts file to
         resolve the name Florence to the intra-array IP address of Florence (23.1.1.1). This
         means that the array meets the requirement explained in the message box after you
         enabled NLB integration.
   11) Click Cancel to close the ITALY Properties dialog box.


To enable NLB on the Internal network

   1) In the left pane, select Networks, and in the details pane, on the Networks tab, right-click
      Internal, and then click Properties. (See Figure L.2b.)
   2) In the Internal Properties dialog box, on the CARP tab, ensure that CARP is not enabled
      on this network.
       • ISA Server supports the use of both CARP and NLB on the same network, but in this
         procedure, you will use only NLB.

Figure L.2b

   3) On the NLB tab, do the following, and then click OK: (See Figure L.2c.)
       - Select Enable load balancing on this network.
       - Type 10.1.1.3 in the Virtual IP box.
       - Type 255.255.255.0 in the Mask box.
       • The NLB virtual IP address is used on both array members. The address must be in the
         same IP subnet as the dedicated IP addresses on Florence (10.1.1.1) and Firenze
         (10.1.1.2).

Figure L.2c
To examine the status of the NLB service on the Monitoring node on the Services tab

   1) In the left pane, select Monitoring, and then in the details pane, select the Services tab.
       • When NLB integration is enabled, ISA Server displays the status of the Network Load
         Balancing service on the Services tab. This is not a real Windows service, but
         represents the NLB network driver.
       • Because you have not applied the configuration changes yet, the current status of the
         Network Load Balancing service is Unavailable.
   2) Do not click Apply yet to save the changes.


To apply the changes and restart the Microsoft Firewall service

   1) In ISA Server Management, click Apply to save the changes.
   2) In the ISA Server Warning dialog box, change the current selection, select
      Save the changes and restart the services, and then click OK.
   3) Click OK to close the Saving Configuration Changes dialog box.
   4) Wait until the Configuration Storage server status is Synced, and the NLB status is
      Running. This may take 5 to 10 minutes.
       • After Florence and Firenze have received the new configuration, ISA Server enables
         and configures NLB on both computers. The NLB status Configuring means that the
         NLB driver is still converging the computers to a consistent state.
       • Note that instead of waiting 5 to 10 minutes for NLB to converge, and display the status
         Running, you can continue with the next procedures.


To create a new access rule
   1) In the details pane, select the first rule in the Firewall Policy Rules list to indicate where
      the new rule is added to the rule list.
   2) In the task pane, on the Tasks tab, click Create Array Access Rule.
   3) On the Welcome to the New Access Rule Wizard page, in the Access rule name text box,
      type Allow Web access (NLB), and then click Next. (See Figure L.2d.)
   4) On the Rule Action page, select Allow, and then click Next.
   5) On the Protocols page, in the This rule applies to list box, select Selected protocols, and
      then click Add.
   6) In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then
      click Close to close the Add Protocols dialog box.
   7) On the Protocols page, click Next.

Figure L.2d

   8) On the Access Rule Sources page, click Add.
   9) In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then
      click Close to close the Add Network Entities dialog box.
   10) On the Access Rule Sources page, click Next.
   11) On the Access Rule Destinations page, click Add.
   12) In the Add Network Entities dialog box, click Networks, click External, click Add, and
       then click Close to close the Add Network Entities dialog box.
   13) On the Access Rule Destinations page, click Next.
   14) On the User Sets page, click Next.
   15) On the Completing the New Access Rule Wizard page, click Finish.
       • A new firewall policy rule is created that allows the HTTP protocol from the Internal
         network to the External network.
   16) Click Apply to apply the new rule, and then click OK. Wait until the Configuration Storage
       server status is Synced, and the NLB status is Running.


To connect to http://istanbul.fabrikam.com/web.asp using the Denver computer
      In this procedure, you use proxy server addresses: 10.1.1.1:8080 and 10.1.1.3:8080

   1) On the Denver computer, open Internet Explorer. In the Address box, type
      http://istanbul.fabrikam.com/web.asp, and then press Enter. (See Figure L.2e.)
        The Web server information demo page for Istanbul appears. The Web server reports that
        the Web request was sent through Florence (39.1.1.1).
   2) On the Tools menu, click Internet Options.
   3) In the Internet Options dialog box, on the Connections tab, click LAN Settings.
        Note that currently Internet Explorer is still using IP address 10.1.1.1 (Florence) as the
        proxy server address. This means that all Web proxy traffic uses Florence.
        After you have enabled NLB, you should ensure that all client computers use the NLB
        virtual IP address as the proxy server address (for Web Proxy clients and Firewall
        clients), or as the default gateway (for SecureNAT clients).
   4) In the Local Area Network (LAN) Settings dialog box, do the following, and then click OK:
       - Select Use a proxy server for your LAN.
       - Type 10.1.1.3 in the Address box.
       - Type 8080 in the Port box.
       - Select Bypass proxy server for local addresses.
   5) Click OK to close the Internet Options dialog box.
   6) On the toolbar, click the Refresh button. (See Figure L.2f.)
        The Web page reports that the Web request was sent through Firenze (39.1.1.2). The NLB
        process assigns the Web proxy connection from 10.1.1.5 to Firenze.
   7) Close Internet Explorer.
Figure L.2e
Figure L.2f


   Note: In the following tasks, you will enable NLB on the External network. This allows you to load
   balance incoming connections to published servers on your network.


To enable NLB on the External network using the Florence computer
   1) On the Florence computer, in ISA Server Management, in the left pane, select Networks.
   2) In the details pane, on the Networks tab, right-click External, and then click Properties.
   3) In the External Properties dialog box, on the NLB tab, complete the following information,
      and then click OK: (See Figure L.2g.)
       - Select Enable load balancing on this network.
       - Type 39.1.1.3 in the Virtual IP box.
       - Type 255.255.255.0 in the Mask box.
   4) In the task pane, on the Tasks tab, click Configure Load Balanced Networks.
        Instead of using the properties dialog box of a network to enable NLB on that network,
        you can also use the Network Load Balancing Wizard.
   5) Click Apply to apply the changes, and then click OK. Wait until the Configuration Storage
      server status is Synced, and the NLB status is Running.
   6) In the left pane, right-click Firewall Policy (ITALY), and then click Refresh.
        This step ensures that ISA Server Management rereads the IP addresses from the
        network adapters.
Figure L.2g

To create a new Web listener
   1) In the left pane, select Firewall Policy (ITALY).
   2) In the task pane, on the Toolbox tab, in the Network Objects section, right-click
      Web Listeners, and then click New Web Listener.
   3) On the Welcome to the New Web Listener Definition Wizard page, in the Web listener name
      text box, type External Web 80 NLB, and then click Next.
   4) On the IP Addresses page, select the External check box, and then click Address.
        Instead of listening on dedicated IP addresses (39.1.1.1 and 39.1.1.2), we recommend
        only listening on the virtual IP address.
        Note that if you did not refresh ISA Server Management in the previous procedure, it is
        possible that 39.1.1.3 is not listed as a virtual IP address yet.
   5) In the External Network Listener IP Selection dialog box, select the Specified IP addresses
      on the ISA Server computer in the selected network option, and then in the Available IP
      Addresses list, select 39.1.1.3, and click Add. (See Figure L.2h.)
   6) Click OK to close the External Network Listener IP Selection dialog box.
        The Web listener will only listen on IP address 39.1.1.3, on the External network.
   7) On the IP Addresses page, click Next.
   8) On the Port Specification page, ensure that the HTTP port text box displays 80, and then
      click Next.
   9) On the Completing the New Web Listener Wizard page, click Finish.
        A new Web listener (port 80 on IP address 39.1.1.3) with the name External Web 80 NLB
        is created.
Figure L.2h


To create a new Web publishing rule
   1) In the details pane, select the first rule in the Firewall Policy Rules list to indicate where
      the new rule is added to the rule list.
   2) In the task pane, on the Tasks tab, click Publish a Web Server.
   3) On the Welcome to the New Web Publishing Rule Wizard page, in the Web publishing rule
      name text box, type Web Home Page NLB, and then click Next.
   4) On the Select Rule Action page, select Allow, and then click Next.
   5) On the Define Website to Publish page, complete the following information, and then click
      Next: (See Figure L.2i.)
       - Computer name or IP address: denver.contoso.com
       - Forward the original host header: disable (default)
       - Path: (leave empty)
   6) On the Public Name Details page, complete the following information, and then click Next:
      (See Figure L.2j.)
       - Accept requests for: This domain name (type below):
       - Public name: shop.contoso.com
       - Path: (leave empty)
        On Istanbul (Internet), the name shop.contoso.com must resolve to 39.1.1.3.
   7) On the Select Web Listener page, in the Web listener list box, select External Web 80 NLB,
      and then click Next. (See Figure L.2k.)
   8) On the User Sets page, click Next.
   9) On the Completing the New Web Publishing Rule Wizard page, click Finish.
        A new Web publishing rule is created that publishes the Web site at denver.contoso.com
        (10.1.1.5) as shop.contoso.com on the External network on virtual IP address 39.1.1.3.
   10) Click Apply to apply the new rule, and then click OK. Wait until the Configuration Storage
       server status is Synced, and the NLB status is Running.
                    Figure L.2i                    Figure L.2j                    Figure L.2k
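The Web listener and publishing rule created in the two procedures above decide which incoming requests reach Denver at all. The Python model below is an added example, not part of the evaluation guide and not ISA Server code: it reproduces the matching the wizard pages configure. A request is accepted only when it arrives on the listener's address and port (the virtual IP 39.1.1.3, not a dedicated address) and its Host header names the public name shop.contoso.com; because Forward the original host header is disabled, the forwarded request carries denver.contoso.com in its Host header. The classes, function names and sample requests are constructed for this model.

```python
"""Simplified model of Web listener and Web publishing rule matching.

Added example; not part of the ISA Server evaluation guide and not ISA Server
code. Values come from the walkthrough (listener 39.1.1.3:80, public name
shop.contoso.com, published server denver.contoso.com); the data structures
and helper names are assumptions of this model.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class WebListener:
    name: str
    ip: str        # the listener binds to this IP only (here: the NLB virtual IP)
    port: int


@dataclass(frozen=True)
class WebPublishingRule:
    name: str
    listener: WebListener
    public_name: str             # "Accept requests for: This domain name"
    internal_site: str           # "Computer name or IP address"
    forward_original_host: bool  # "Forward the original host header"


@dataclass(frozen=True)
class HttpRequest:
    dst_ip: str
    dst_port: int
    host: str    # Host header exactly as the client sent it
    path: str


def match_rule(rule: WebPublishingRule, req: HttpRequest) -> bool:
    """A request matches only if it arrived on the rule's listener (IP and port)
    and its Host header equals the public name. The comparison ignores case
    and an explicit ":port" suffix; a request by raw IP address does not match."""
    if (req.dst_ip, req.dst_port) != (rule.listener.ip, rule.listener.port):
        return False
    host = req.host.split(":", 1)[0].lower()
    return host == rule.public_name.lower()


def forward(rule: WebPublishingRule, req: HttpRequest) -> Optional[dict]:
    """Return the request sent on to the published server, or None when the
    rule does not apply (the request is then denied)."""
    if not match_rule(rule, req):
        return None
    # With "Forward the original host header" disabled (the walkthrough's
    # default), the Host header is rewritten to the internal site name.
    host = req.host if rule.forward_original_host else rule.internal_site
    return {"server": rule.internal_site, "host": host, "path": req.path}


# Constructed objects mirroring the walkthrough's configuration.
LISTENER = WebListener("External Web 80 NLB", "39.1.1.3", 80)
RULE = WebPublishingRule("Web Home Page NLB", LISTENER,
                         public_name="shop.contoso.com",
                         internal_site="denver.contoso.com",
                         forward_original_host=False)


def demo() -> dict:
    """Run four constructed requests through the rule."""
    cases = {
        "public name on VIP":     HttpRequest("39.1.1.3", 80, "shop.contoso.com", "/web.asp"),
        "public name with port":  HttpRequest("39.1.1.3", 80, "SHOP.contoso.com:80", "/web.asp"),
        "raw IP as host header":  HttpRequest("39.1.1.3", 80, "39.1.1.3", "/web.asp"),
        "dedicated IP, not VIP":  HttpRequest("39.1.1.1", 80, "shop.contoso.com", "/web.asp"),
    }
    return {label: forward(RULE, req) for label, req in cases.items()}


if __name__ == "__main__":
    for label, result in demo().items():
        print(f"{label:24} -> {'denied' if result is None else result}")
```

Only the first two requests are forwarded; the request that names the server by IP address and the request that arrives on a dedicated address are denied, which is the point of restricting the listener to the virtual IP and the rule to one public name.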


To verify the IP address of shop.contoso.com, and then connect to http://shop.contoso.com/web.asp
   using the Istanbul computer

   1) On the Istanbul computer, open a Command Prompt window.
   2) At the command prompt, type ping shop.contoso.com, and then press Enter.
        In the Hosts file on Istanbul, shop.contoso.com is already defined as 39.1.1.3.
        Note that depending on firewall policy rules that you may have created in earlier
        walkthroughs, you may receive replies to the ping requests to 39.1.1.3.
   3) Open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and
      then press Enter. (See Figure L.2l.)
        The Web server Information demo page on Denver appears. The Web server reports
        that the Web request was sent through Florence.
        The NLB process assigns the Web connection from Istanbul (39.1.1.7) to Florence.
        Note that because ISA Server blocks unsolicited network traffic on all networks, the
        request and reply must go through the same ISA Server computer.
        When ISA Server sends the Web request to Denver (10.1.1.5), it replaces the client
        address (39.1.1.7) in the network packet with its own dedicated IP address (10.1.1.1)
        on the Internal network. When Denver replies, it sends the reply back to the client IP
        address (10.1.1.1), which is automatically the correct ISA Server computer.
   4) Close Internet Explorer.
Figure L.2l
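The note above on unsolicited traffic explains why the reply from Denver must return through the array member that forwarded the request. The Python model below is an added example, not part of the evaluation guide and not ISA Server code. Two array members with the dedicated and virtual addresses used in this walkthrough forward a request from Istanbul to Denver, once with the client address replaced by the member's dedicated Internal IP (what the note describes) and once with the client address preserved, to show that second variant being dropped as unsolicited by a member that holds no state for it. Member selection is a toy affinity function (sum of the sender's address octets modulo the member count), an assumption of the model chosen because it reproduces the assignments observed in this walkthrough; the real NLB algorithm is not described on this page.

```python
"""Why the reply comes back through the right ISA Server array member.

Added example; not part of the ISA Server evaluation guide and not ISA Server
code. Addresses are those of the walkthrough (Florence 39.1.1.1/10.1.1.1,
Firenze 39.1.1.2/10.1.1.2, External VIP 39.1.1.3, Internal VIP 10.1.1.3,
Istanbul 39.1.1.7, Denver 10.1.1.5). The affinity function and the class and
function names are assumptions of this model.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    src_port: int
    dst_port: int


@dataclass
class ArrayMember:
    name: str
    external_ip: str   # dedicated IP on the External network
    internal_ip: str   # dedicated IP on the Internal network
    # Connection state: each entry describes a reply this member expects.
    state: set = field(default_factory=set)

    def forward_request(self, pkt: Packet, server_ip: str, snat: bool = True) -> Packet:
        """Forward an inbound request to the published server. With snat=True
        the client address is replaced by this member's dedicated Internal IP
        (the behaviour the walkthrough describes); snat=False keeps the client
        address, to show why that would break the return path."""
        new_src = self.internal_ip if snat else pkt.src
        fwd = Packet(new_src, server_ip, pkt.src_port, pkt.dst_port)
        # The expected reply is the forwarded packet with source and destination swapped.
        self.state.add((fwd.dst, fwd.src, fwd.dst_port, fwd.src_port))
        return fwd

    def accept_reply(self, pkt: Packet) -> bool:
        """Stateful check: a packet with no matching connection is unsolicited
        traffic and is dropped, on every network."""
        return (pkt.src, pkt.dst, pkt.src_port, pkt.dst_port) in self.state


class NlbArray:
    def __init__(self, members, external_vip: str, internal_vip: str):
        self.members = list(members)
        self.external_vip = external_vip
        self.internal_vip = internal_vip

    def pick(self, sender_ip: str) -> ArrayMember:
        """Toy single-affinity choice (assumption): same sender, same member.
        39.1.1.7 -> 48 % 2 -> Florence; 10.1.1.5 -> 17 % 2 -> Firenze."""
        octets = sum(int(o) for o in sender_ip.split("."))
        return self.members[octets % len(self.members)]

    def deliver_reply(self, pkt: Packet) -> ArrayMember:
        """A reply addressed to a member's dedicated IP reaches that member.
        Anything else leaves the Internal network via the default gateway,
        i.e. the Internal VIP, where NLB picks a member by sender."""
        for m in self.members:
            if pkt.dst == m.internal_ip:
                return m
        return self.pick(pkt.src)


def publish_roundtrip(snat: bool) -> dict:
    """Istanbul (39.1.1.7) requests shop.contoso.com on the External VIP; the
    array forwards it to Denver (10.1.1.5), Denver replies, and the result
    records which member handled each direction and whether the reply survived."""
    florence = ArrayMember("Florence", "39.1.1.1", "10.1.1.1")
    firenze = ArrayMember("Firenze", "39.1.1.2", "10.1.1.2")
    array = NlbArray([florence, firenze], external_vip="39.1.1.3", internal_vip="10.1.1.3")

    request = Packet("39.1.1.7", array.external_vip, 50000, 80)   # constructed client port
    member = array.pick(request.src)
    fwd = member.forward_request(request, "10.1.1.5", snat=snat)

    reply = Packet(fwd.dst, fwd.src, fwd.dst_port, fwd.src_port)  # Denver answers the sender it saw
    receiver = array.deliver_reply(reply)
    return {
        "request_via": member.name,
        "source_seen_by_denver": fwd.src,
        "reply_received_by": receiver.name,
        "reply_accepted": receiver.accept_reply(reply),
    }


if __name__ == "__main__":
    print("with address translation   :", publish_roundtrip(snat=True))
    print("without address translation:", publish_roundtrip(snat=False))
```

With the translation, Denver sees 10.1.1.1 and its reply is addressed to Florence's dedicated IP, where the connection state exists. Without it, the reply is addressed to 39.1.1.7, leaves via the Internal VIP, and in this model lands on Firenze, which has never seen the connection and drops it.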
WALKTHROUGH M: BRANCH OFFICE VPN CONNECTIVITY WIZARD

1) On the Florence ISA Server 2006 computer, from the C:\Program Files\Microsoft ISA Server
   folder, run appcfgwzd.exe to open the ISA Server Branch Office VPN Connectivity Wizard.
   (See Figure M.1a.) Click Next.
2) On the Configuration Settings Source page, select Manually, and click Next. (See Figure M.1b.)
      Note that the wizard allows for the use of answer files.
                    Figure M.1a                                           Figure M.1b

4) On the Connection Type page, ensure that IP Security protocol (IPsec) tunnel mode is
   selected, and click Next. (See Figure M.1c.)
                    Figure M.1c

5) On the IP Connection Settings page, in the Network name text box, type Berlin. In the
   Remote VPN gateway IP address box, enter 39.1.1.8. In the Local VPN gateway IP address
   box, enter 39.1.1.1. (See Figure M.1d.)
                    Figure M.1d
6) On the Remote Site VPN IP Addresses page, click Add Range. Specify 10.2.1.100
   through 10.2.1.200 as the range, and click OK. Click Next. (See Figure M.1e.)
7) On the IPSec Authentication page, select Use a server certificate for authentication,
   and click Next. (See Figure M.1f.)
                    Figure M.1e                                           Figure M.1f

8) On the IPsec Certificate page, click Use existing certificate. Click Browse, select
   Florence, and click Select. Click Next. (See Figure M.1g.)
     Note that you cannot do the remainder of the steps in this exercise if the Florence
     server does not have the correct certificates loaded.
                    Figure M.1g
9) On the Ready to Configure the VPN Connection page, click Next. (See Figure M.1h.)
                    Figure M.1h
10) The Creating VPN Connection page appears, indicating that VPN settings are being applied.
    Upon completion, click Next. (See Figure M.1i.)
11) On the Join Remote Domain page, select Remain in a workgroup. (See Figure M.1j.)
12) On the Locate Configuration Storage Server page, in the Configuration Storage Server text
    box, type Florence. Ensure that Connect using the credentials of the logged on user is
    selected. Click Next. (See Figure M.1k.)
13) On the Array Membership page, select Join an existing array, and click Next. (See
    Figure M.1l.)
                    Figure M.1i                                           Figure M.1j
                    Figure M.1k                                           Figure M.1l
14) On the Join Existing Array page, click Browse, select ITALY, click OK, and then click
    Next. (See Figure M.1m.)
                    Figure M.1m
15) On the Configuration Storage Server Authentication Options page, ensure Windows
    Authentication is selected, and click Next. A warning box appears to inform you that
    Windows Authentication cannot be used when ISA Server is in a workgroup. Click OK to
    acknowledge the warning. Select Authentication over SSL encrypted channel. Click
    Next. (See Figure M.1n.)
                    Figure M.1n
16) On the Ready to configure the ISA Server page, verify the configuration, and then click
    Next. (See Figure M.1o.)
17) The Configuring the ISA Server page appears. Upon completion of the configuration, click
    Next. (See Figure M.1p.)
                    Figure M.1o                                           Figure M.1p

More Related Content

PDF
ISA Server 2006 Administration
PDF
Getting Started with ESXServer3iEmbedded
PDF
Infraestructure WMWARE
PDF
Introduction to VMware Infrastructure
PDF
Psn3661u
DOCX
ParthaPratim Singha Roy
PDF
Vtguru v mware-v-sphere-administration-training
PDF
Microsoft OCSP LUNA SA PCI Integration Guide
ISA Server 2006 Administration
Getting Started with ESXServer3iEmbedded
Infraestructure WMWARE
Introduction to VMware Infrastructure
Psn3661u
ParthaPratim Singha Roy
Vtguru v mware-v-sphere-administration-training
Microsoft OCSP LUNA SA PCI Integration Guide

What's hot (20)

PDF
How to backup and restore a vm using veeam
PDF
Www.vmware.com support developer_windowstoolkit_wintk10_doc_viwin_admin
PDF
Vsp 40 esxi_i_vc_setup_guide
PDF
vRealize Operations (vROps) Management Pack for Cisco UCS User Guide
PDF
100 most vmware q&a
DOC
Vmware interview
PDF
Vsp 40 admin_guide
PDF
dfasdfsdf
PDF
vRealize Operations (vROps) Management Pack for Cisco UCS Installation & Conf...
DOC
ranbir_singh
PDF
Virtual Server Security for VMware: Installation Guide
DOCX
Vmware inter
PDF
Bloombase Keyparc Business Enterprise Server Specifications
PDF
Topdanmark- Cisco
PDF
VMware Interview questions and answers
PDF
Exchange 2010 on_v_mware_-_best_practices_guide[1]
DOCX
Kumar-Jayaraman-Resume
PDF
Secure Cloud Computing for the Health Enterprise
DOC
Firewall corewp
PDF
Guia instalacion SQL Server Denali
How to backup and restore a vm using veeam
Www.vmware.com support developer_windowstoolkit_wintk10_doc_viwin_admin
Vsp 40 esxi_i_vc_setup_guide
vRealize Operations (vROps) Management Pack for Cisco UCS User Guide
100 most vmware q&a
Vmware interview
Vsp 40 admin_guide
dfasdfsdf
vRealize Operations (vROps) Management Pack for Cisco UCS Installation & Conf...
ranbir_singh
Virtual Server Security for VMware: Installation Guide
Vmware inter
Bloombase Keyparc Business Enterprise Server Specifications
Topdanmark- Cisco
VMware Interview questions and answers
Exchange 2010 on_v_mware_-_best_practices_guide[1]
Kumar-Jayaraman-Resume
Secure Cloud Computing for the Health Enterprise
Firewall corewp
Guia instalacion SQL Server Denali
Ad

Similar to Isa server 2006 guide (20)

PPT
PDF
Isae configuring%20 isa%202006ee%20array-1.0
PDF
Configuring ISA Server 2000 1st Edition Thomas Shinder
PDF
[FREE PDF sample] Configuring ISA Server 2000 1st Edition Thomas Shinder ebooks
PDF
Configuring ISA Server 2000 1st Edition Thomas Shinder
PDF
M0937681
PDF
Configuring ISA Server 2000 1st Edition Thomas Shinder
PPTX
Windows 7 For Itpro
PDF
Isa2004 Configuration Guide
PDF
Carrell Jackson, the Web developer for Alexander Rocco Corporation, .pdf
PPT
Microsoft Operating System Vulnerabilities
PPT
Microsoft OS Vulnerabilities
PPT
Ch08 Microsoft Operating System Vulnerabilities
PPTX
introduction and configuration of IIS (in addition with printer)
PPTX
Systems Administration
PDF
Save guard 60_ig_eng_installation, encrypt
PPT
W982 05092004
PPTX
Gradution Project
PPT
Chapter10 -- netware-based networking
PPTX
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Isae configuring%20 isa%202006ee%20array-1.0
Configuring ISA Server 2000 1st Edition Thomas Shinder
[FREE PDF sample] Configuring ISA Server 2000 1st Edition Thomas Shinder ebooks
Configuring ISA Server 2000 1st Edition Thomas Shinder
M0937681
Configuring ISA Server 2000 1st Edition Thomas Shinder
Windows 7 For Itpro
Isa2004 Configuration Guide
Carrell Jackson, the Web developer for Alexander Rocco Corporation, .pdf
Microsoft Operating System Vulnerabilities
Microsoft OS Vulnerabilities
Ch08 Microsoft Operating System Vulnerabilities
introduction and configuration of IIS (in addition with printer)
Systems Administration
Save guard 60_ig_eng_installation, encrypt
W982 05092004
Gradution Project
Chapter10 -- netware-based networking
Ethical hacking chapter 8 - Windows Vulnerabilities - Eric Vanderburg
Ad

Recently uploaded (20)

PDF
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
PDF
Practical Manual AGRO-233 Principles and Practices of Natural Farming
PDF
HVAC Specification 2024 according to central public works department
PDF
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
PDF
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
PPTX
Introduction to Building Materials
PDF
1_English_Language_Set_2.pdf probationary
PDF
Empowerment Technology for Senior High School Guide
PPTX
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
PDF
Indian roads congress 037 - 2012 Flexible pavement
PPTX
B.Sc. DS Unit 2 Software Engineering.pptx
PPTX
History, Philosophy and sociology of education (1).pptx
PPTX
20th Century Theater, Methods, History.pptx
PDF
What if we spent less time fighting change, and more time building what’s rig...
PDF
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
PPTX
A powerpoint presentation on the Revised K-10 Science Shaping Paper
PDF
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
PPTX
Share_Module_2_Power_conflict_and_negotiation.pptx
PDF
Weekly quiz Compilation Jan -July 25.pdf
PPTX
Introduction to pro and eukaryotes and differences.pptx
FOISHS ANNUAL IMPLEMENTATION PLAN 2025.pdf
Practical Manual AGRO-233 Principles and Practices of Natural Farming
HVAC Specification 2024 according to central public works department
medical_surgical_nursing_10th_edition_ignatavicius_TEST_BANK_pdf.pdf
ChatGPT for Dummies - Pam Baker Ccesa007.pdf
Introduction to Building Materials
1_English_Language_Set_2.pdf probationary
Empowerment Technology for Senior High School Guide
ELIAS-SEZIURE AND EPilepsy semmioan session.pptx
Indian roads congress 037 - 2012 Flexible pavement
B.Sc. DS Unit 2 Software Engineering.pptx
History, Philosophy and sociology of education (1).pptx
20th Century Theater, Methods, History.pptx
What if we spent less time fighting change, and more time building what’s rig...
1.3 FINAL REVISED K-10 PE and Health CG 2023 Grades 4-10 (1).pdf
A powerpoint presentation on the Revised K-10 Science Shaping Paper
MBA _Common_ 2nd year Syllabus _2021-22_.pdf
Share_Module_2_Power_conflict_and_negotiation.pptx
Weekly quiz Compilation Jan -July 25.pdf
Introduction to pro and eukaryotes and differences.pptx

Isa server 2006 guide

  • 1. Microsoft ISA Server 2006 Evaluation Guide Walkthroughs June 2006 ISA Server 2006 is the integrated edge security gateway that helps protect your IT environment from Internet-based threats while providing your users with fast and secure remote access to applications and data. For more information, press only, contact: Rapid Response Team Waggener Edstrom (503) 443-7070 rrt@wagged.com
  • 2. This document supports a preliminary release of a software product that may be changed substantially prior to final commercial release. This document is provided for informational purposes only and Microsoft makes no warranties, either express or implied, in this document. Information in this document, including URL and other Internet Web site references, is subject to change without notice. The entire risk of the use or the results from the use of this document remains with the user. Unless otherwise noted, the companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted in examples herein are fictitious. No association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation. Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property. 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries.
  • 3. Walkthrough A: ISA Server 2006 Enterprise Edition Installation ......................................................... 4 Walkthrough B: Exploring ISA Server 2006 ............................................................................................. 8 Walkthrough B-1: Exploring the User Interface ........................................................................................ 8 Walkthrough B-2: Multiple Networks ........................................................................................................13 Walkthrough B-3: Single Rule Base .........................................................................................................20 Walkthrough B-4: Management and Monitoring......................................................................................27 Walkthrough C: Web Listener Wizard ....................................................................................................30 Walkthrough C-1: Creating a Web Listener with SSL ..............................................................................30 Walkthrough C-2: Creating a Web Listener without SSL .........................................................................32 Walkthrough D: Server Farm Wizard .....................................................................................................33 Walkthrough E: Publish Exchange Web Client Access ..........................................................................34 Walkthrough F: SharePoint Publishing Wizard .....................................................................................37 Walkthrough G: HTTP Compression Configuration .............................................................................39 Walkthrough H: DiffServ Configuration .................................................................................................41 Walkthrough I: Flood Resiliency Configuration 
....................................................................................44 Walkthrough J: Caching Rules (Microsoft Update Cache Rule / BITS Configuration) .....................46 Walkthrough K: Remote Client VPN Connectivity ................................................................................49 Walkthrough K-1: Configuring ISA Server 2006 to Accept Incoming Client VPN Connections ..............49 Walkthrough L: Enterprise Management and High Availability .........................................................53 Walkthrough L-1: Exploring Enterprise Networks and Policies ..............................................................53 Walkthrough L-2: Configuring Network Load Balancing ........................................................................60 Walkthrough M: Branch Office VPN Connectivity Wizard ..................................................................68
  • 4. WALKTHROUGH A: ISA SERVER 2006 ENTERPRISE EDITION INSTALLATION The following instructions show how to install Microsoft® Internet Security and Acceleration (ISA) Server 2006 on an existing Microsoft Windows Server™ 2003 system. ISA Server 2006 can be installed from the CD-ROM media, a local folder, or a network share point. 1. Insert the ISA Server 2006 Enterprise Edition evaluation CD into the CD/DVD drive. If the Setup tool does not automatically open, double-click ISAAutorun.exe in the root of the ISA Server 2006 CD-ROM media or the local directory or file share containing the ISA Server 2006 installation files. 2. In the Microsoft Internet Security and Acceleration Server 2006 Setup window, click the Install ISA Server 2006 icon. This starts the ISA Server 2006 installation process. 3. Click the Next button on the Welcome to the Installation Wizard for Microsoft ISA Server 2006 page. 4. Read the license agreement, and then select the I accept the terms in the license agreement option on the License Agreement page. Click Next. 5. Enter a user name and organization name in the User name and Organization text boxes. Information in the Serial Number text boxes appears automatically. Click Next. 6. On the Setup Scenarios page, select the Install both ISA Server services and Configuration Storage server option. This option will install the ISA Server services as well as store the enterprise configuration. Click Next. (See Figure A.1a.) 7. On the Component Selection page, click Next. 8. On the Enterprise Installation Options page, select the Create a new ISA Server enterprise option. Click Next. (See Figure A.1b.) Figure A.1a
  • 5. Figure A.1b 9. The New Enterprise Warning window warns against creating multiple enterprises, which increases the difficulty in managing the array computers in the enterprise. Click Next. (See Figure A.1c.) Figure A.1c 10. Click Add to configure the ISA Server 2006 firewall with IP addresses representing the Internal network on the Internal Network page. The Internal network contains the trusted resources and Active Directory domain. 11. In the Addresses window, specify the Internal network by selecting Add Adapter. Select Perimeter Connection and Internal Connection. (See Figure A.1d.) Click OK. On the Addresses page, click OK.
  • 6. Figure A.1d 12. The internal network addresses appear in Internal network address ranges. Click Next. Figure A.1e 13. In the Firewall Client Connections page, specify whether you will allow legacy Firewall clients to use non-encrypted connections when connecting to the ISA Server computer. (See Figure A.1e.) Click Next. 14. In the Services Warning page, information is provided regarding services that will be restarted during installation, as well as services that will be disabled during installation. (See Figure A.1f.) Click Next. Figure A.1f 15. On the Ready to Install the Program page, click Install. The ISA Server 2006 Enterprise Edition installation process proceeds.
  • 7. 16. The Installation Wizard Completed page appears when the ISA Server 2006 application completes the installation. Select the Invoke ISA Server Management when wizard closes check box. Click Finish.
  • 8. WALKTHROUGH B: EXPLORING ISA SERVER 2006 Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 & ISA Server 2006. Reviewers with ISA Server 2004 experience can bypass this walkthrough. Walkthrough B-1: Exploring the User Interface To explore the task pane 1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management. (See Figure B.1a.)  ISA Server Management opens. All configuration of ISA Server is performed from ISA Server Management. Figure B.1a 2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, expand Configuration, and then select Add-ins. (See Figure B.1b)  Note that the Add-ins node is only used as an example to start the exploration of the new user interface.  The user interface of ISA Server Management consists of three main parts:  Tree pane (or left pane) This pane contains a short list of nodes. The nodes logically group related management or configuration settings.  Details pane (or right pane) For each node in the left pane, the details pane contains detailed information related to the node. The details pane may contain several tabs. For example, in the Add-ins node, the details pane contains the Application Filters tab and Web Filters tab.  Task pane The task pane contains a Tasks tab with relevant commands for the selected node in the tree pane, or for the configuration element in the details pane. The task pane also contains a Help tab with context-sensitive Help for the selected node or configuration element.
  • 9. Figure B.1b 3. Drag the vertical divider between the tree pane (left) and the details pane, to make the details pane area larger or smaller. 4. On the vertical divider between the details pane and the task pane, click the arrow button.  The task pane closes to make a larger area of the screen available for the details pane. 5. Click the arrow button again.  The task pane opens again to allow access to the commands on the task pane. 6. Ensure that in the left pane, the Add-ins node is selected, and then in the details pane, on the Application Filters tab, select (for example) RPC Filter.  Notice that the available commands in the task pane change when a configuration element (an application filter in this example) is selected in the details pane. 7. In the details pane, right-click RPC Filter.  A context menu appears with commands applicable to this application filter. (Do not click a command on the menu.) 8. In the task pane, click the Help tab. (See Figure B.1c)  The Help tab in the task pane provides context-sensitive Help information related to the selected configuration element. Figure B.1c 9. In the task pane, click the Tasks tab. Figure B.1d To explore the main nodes in ISA Server Management, including the Networks, Firewall Policy, and Monitoring nodes 1. In ISA Server Management, in the left pane, select Configuration. (See Figure B.1d)  ISA Server 2006 has two main areas where you can control configuration: Configuration node This node contains all configuration settings that are relatively static. This includes Networks configuration, Cache configuration, Add- ins (application filters and Web filters), and General. You would typically not change the configuration of those elements often.
    Firewall Policy node: This node contains a single list of all the access rules (outgoing) and the publishing rules (incoming). These rules change more often, because they reflect the business rules and firewall access policy of a company.
2. In the left pane, select Networks. (See Figure B.1e.)
  - Walkthrough B-2 explores the Networks configuration.
  - The Networks node contains the configuration of all the networks connected to ISA Server. Network rules are defined between each network. This includes networks directly connected by network adapters such as External, Internal, and Perimeter, virtual networks such as VPN Clients and Quarantined VPN Clients, and special networks such as Local Host.
Figure B.1e
  - The initial configuration of the networks and the related firewall policy rules is done by selecting a network template from the Templates tab in the task pane. (Do not change the network template at this time.)
3. In the left pane, select Firewall Policy. (See Figure B.1f.)
  - The Firewall Policy node contains a list of all access rules and publishing rules.
Figure B.1f
4. If the task pane is closed, click the arrow button to open the task pane.
  - The task pane for the Firewall Policy node contains an additional tab named Toolbox. This tab has five sliding panes (Protocols, Users, Content Types, Schedules, and Network Objects) that list all the rule elements that can be used in the access rules and publishing rules.
  - ISA Server 2006 Enterprise Edition rule elements are on the Toolbox tab in the task pane, when the Firewall Policy node is selected.
5. In the task pane, on the Toolbox tab, click the Protocols heading, and then click Common Protocols. (See Figure B.1g.)
  - The rule elements, such as protocol definitions, are selected when new access rules or publishing rules are created.
Figure B.1g
6. In the task pane, on the Toolbox tab, click the Users heading, and then click New. (See Figure B.1h.)
  - The New User Sets Wizard appears. A user set is a collection of users (from Microsoft Windows®, LDAP, RADIUS, or SecurID) and groups, defined together in a single set. You can apply an access rule or publishing rule to one or more user sets.
Figure B.1h
7. Click Cancel to close the New User Sets Wizard.
8. In the left pane, select Monitoring.
  - Walkthrough B-4 explores the Monitoring node.
  - The Monitoring node has the following tabs (Dashboard, Alerts, Sessions, Services, Configuration, Reports, Connectivity, and Logging) that allow you to monitor, control, investigate, troubleshoot, and plan firewall operations.
  - The Dashboard tab contains summary boxes for the next five tabs, and a running System Performance monitor that displays a graph of the current allowed and blocked traffic rate.
Figure B.1i
9. On the Dashboard tab, use the scroll bar, or in the summary box headers, click the circles with the two up arrows, to see the System Performance monitor. (See Figure B.1i.)
  - Currently the allowed and blocked traffic rate displayed in the System Performance monitor is zero.
10. On the Dashboard tab, click the Sessions summary box header.
  - The Sessions tab of the Monitoring node is displayed. This tab displays the client sessions that are currently active on ISA Server. If you only want to see specific sessions, you can filter the sessions list.
  - Other tabs of the Monitoring node are explored in Walkthrough B-4.

To explore the export and import configuration commands
1. In ISA Server Management, in the left pane, right-click the ITALY array entry. (See Figure B.1j.)
  - The context menu of the Array node contains Export and Import commands. These commands can be used to export configuration settings to an .xml file, and import the settings later on this computer or on another computer.
  - The Export and Import commands are present on the context menu of almost all the nodes in the left pane. This includes the Networks node, the Firewall Policy node, and individual rules and rule elements.
2. Close ISA Server Management.
Figure B.1j
Walkthrough B-2: Multiple Networks

To explore network rules
1. On the (Florence) ISA Server computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand the ITALY array, expand Configuration, and then select Networks.
  - One of the most important changes in ISA Server 2006 and ISA Server 2004, in comparison with ISA Server 2000, is the concept of multiple networks connected to ISA Server, which are all treated similarly for configuration purposes.
  - All firewall policy rules can be defined in terms of source network and destination network (or destination computer for publishing rules).
3. In the details pane, on the (lower) Networks tab, right-click Internal, and then click Properties.
4. In the Internal Properties dialog box, select the Addresses tab. (See Figure B.2a.)
  - The IP addresses of the Internal network only define which network interfaces are included in the network named Internal. Other networks, such as Perimeter, are defined in a similar fashion. There is no equivalent to the ISA Server 2000 local address table (LAT). The application of firewall rules, Network Address Translation (NAT), or routing of IP packets is configured separately.
5. Click Cancel to close the Internal Properties dialog box.
  - Notice that the Perimeter network is defined as the IP address range 23.1.1.0–23.1.1.255. The Local Host network is defined as the ISA Server computer. All other IP addresses belong to the External network. The VPN Clients and Quarantined VPN Clients networks have dynamic membership, and contain connecting VPN client computers.
Figure B.2a
6. On the Network Sets tab, right-click All Protected Networks, and then click Properties.
7. In the All Protected Networks Properties dialog box, select the Networks tab. (See Figure B.2b.)
  - Network sets are groupings of existing networks that can be used in firewall policy rules. This makes it easy to refer to all networks, or to all related networks. You can define additional network sets.
  - The definition of the All Protected Networks network set is all existing networks, except the External network.
Figure B.2b
8. Click Cancel to close the All Protected Networks Properties dialog box.
9. On the Start menu, click Control Panel, and then click Network Connections. (See Figure B.2c.)
  - The Network Connections menu (on the Start menu) shows that Server (your server name) has three network adapters. To avoid confusion in these walkthroughs, the network adapters on Florence are renamed from Local Area Connection (plus #2 and #3) to External Connection, Perimeter Connection, and Internal Connection.
Figure B.2c
10. Click Start to close the Start menu.

To define NAT or routing of IP packets
Note: For demonstration purposes, create and delete a new network rule.
1. In ISA Server Management, in the left pane, ensure that Networks is selected.
2. In the details pane, select the Network Rules tab. (See Figure B.2d.)
Figure B.2d
  - Network rules define whether ISA Server will use NAT (replace the client source address with an ISA Server address) or Route (use the client source address in the request) for traffic between each pair of networks or network sets, if the firewall policy allows network traffic between these networks.
  - As currently configured, your ISA Server uses Route for all traffic between the ISA Server computer and all networks, between the VPN networks and the Internal network, and between the Perimeter network and the External network. ISA Server uses NAT for all traffic from the Internal and VPN networks to the Perimeter network, and from the Internal and VPN networks to the External network.
  - Note that Route network rules automatically work in both directions. NAT network rules are defined in one direction. If there is no network rule defined between two networks, ISA Server 2006 does not allow traffic between those networks.
3. In the task pane, on the Tasks tab, click Create a Network Rule.
4. On the Welcome to the New Network Rule Wizard page, in the Network rule name text box, type VPN Perimeter Access, and then click Next. (See Figure B.2e.)
5. On the Network Traffic Sources page, click Add.
6. In the Add Network Entities dialog box, click Networks, click VPN Clients, click Add, and then click Close to close the Add Network Entities dialog box. (See Figure B.2f.)
Figure B.2e
Figure B.2f
Figure B.2g
7. On the Network Traffic Sources page, click Next.
8. On the Network Traffic Destinations page, click Add.
9. In the Add Network Entities dialog box, click Networks, click Perimeter, click Add, and then click Close to close the Add Network Entities dialog box. (See Figure B.2g.)
10. On the Network Traffic Destinations page, click Next.
11. On the Network Relationship page, select Route, and then click Next. (See Figure B.2h.)
Figure B.2h
12. On the Completing the New Network Rule Wizard page, click Finish. (See Figure B.2i.)
  - A new network rule is created. ISA Server 2006 will now route IP packets from computers on the VPN Clients network to the Perimeter network.
  - In ISA Server 2006, the use of NAT or Route between each pair of networks is defined by network rules.
  - Note that the new VPN Perimeter Access network rule is only created for demonstration purposes. You will not apply the new rule to ISA Server 2006.
Figure B.2i
13. At the top of the details pane, click Discard to remove the unsaved changes, such as the new VPN Perimeter Access rule.
14. Click Yes to confirm that you want to discard the changes. (See Figure B.2j.)
Figure B.2j

To explore network templates
1. In ISA Server Management, in the left pane, ensure that Networks is selected.
2. In the task pane, select the Templates tab.
  - Network templates are predefined .xml files that contain common network topologies. They can be used to configure the network rules between networks and the firewall policy rules. The graphic associated with each network template helps you understand the selected network topology.
  - ISA Server 2006 includes five network templates (Edge Firewall, 3-Leg Perimeter, Front Firewall, Back Firewall, and Single Network Adapter).
3. On the Templates tab, click 3-Leg Perimeter. (See Figure B.2k.)
Figure B.2k
  - Note that 3-Leg Perimeter is already the current active network template on Florence. It matches most closely the network topology of the walkthrough environment. For demonstration purposes, this task explores the Network Template Wizard without changing any settings.
4. In the Network Template Wizard dialog box, click Next. (See Figure B.2l.)
  - ISA Server allows you to export the current configuration to a backup .xml file, which can be restored later.
Figure B.2l
5. On the Export the ISA Server Configuration page, click Next.
6. On the Internal Network IP Addresses page, click Next. (See Figure B.2m.)
Figure B.2m
7. On the Perimeter Network IP Addresses page, click Next. (See Figure B.2n.)
  - Each network template contains one or more firewall policy rule sets. These firewall policies allow you to start with a set of firewall policy rules that best matches your network and corporate policy.
Figure B.2n
8. On the Select a Firewall Policy page, in the Select a firewall policy list box, select Block Internet Access, allow access to network services on the Perimeter network. (See Figure B.2o.)
Figure B.2o
9. In the Description list box, scroll to the end of the text to see a description of the firewall policy rules that are created when this firewall policy is selected.
10. On the Select a Firewall Policy page, click Next.
11. On the Completing the Network Template Wizard page, click Cancel. (Do not click Finish.)
  - The network rules and firewall policy rules in ISA Server are not changed.

To explore client support settings
1. In ISA Server Management, in the left pane, ensure that Networks is selected, and then in the details pane, select the Networks tab.
2. Right-click Internal, and then click Properties.
3. In the Internal Properties dialog box, select the Firewall Client tab. (See Figure B.2p.)
  - The Firewall Client tab specifies whether client computers on the selected network (Internal) can access other networks such as the Internet, through ISA Server 2006, by using the Firewall Client software (port 1745).
Figure B.2p
4. Select the Web Proxy tab. (See Figure B.2q.)
  - The Web Proxy tab specifies whether client computers on the selected network (Internal) can access other networks through ISA Server 2006, by using a Web Proxy client such as a Web browser (port 8080).
Figure B.2q
5. Click Cancel to close the Internal Properties dialog box.
Walkthrough B-3: Single Rule Base

To explore the single firewall policy rule list
  - For demonstration purposes, in this walkthrough you will create an access rule with the following attributes:
    Name: Allow Web traffic to Internet
    Applies to: HTTP
    From network: Internal
    To network: External
1. On the Florence computer, in ISA Server Management, in the left pane, select Firewall Policy.
  - ISA Server uses a single rule list for access rules and publishing rules.
2. In the task pane, on the Tasks tab, click Create Array Access Rule.
3. On the Welcome to the New Access Rule Wizard page, in the Access rule name text box, type Allow Web traffic to Internet, and then click Next. (See Figure B.3a.)
Figure B.3a
4. On the Rule Action page, select Allow, and then click Next. (See Figure B.3b.)
Figure B.3b
5. On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add. (See Figure B.3c.)
Figure B.3c
6. In the Add Protocols dialog box, click Web, click HTTP, click Add, and then click Close to close the Add Protocols dialog box. (See Figure B.3d.)
7. On the Protocols page, click Next.
8. On the Access Rule Sources page, click Add.
9. In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box. (See Figure B.3e.)
Figure B.3d
Figure B.3e
10. On the Access Rule Sources page, click Next.
11. On the Access Rule Destinations page, click Add.
12. In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box. (See Figure B.3f.)
Figure B.3f
13. On the Access Rule Destinations page, click Next.
14. On the User Sets page, click Next. (See Figure B.3g.)
Figure B.3g
15. On the Completing the New Access Rule Wizard page, click Finish. (See Figure B.3h.)
  - A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network for all users. The External network represents the Internet.
  - Note that the new rule has not been applied yet.
Figure B.3h
16. In the details pane, click Apply to apply the new rule. (See Figure B.3i.)
  - Changes to the firewall policy rule list are not applied until you click Apply. This allows you to apply multiple new rules or changes to the rules at the same time.
Figure B.3i

To add the HTTPS and FTP protocols to the Allow Web traffic to Internet access rule
1. In the task pane, on the Toolbox tab, in the Protocols pane, click Web.
  - The Web protocol list opens. The list contains HTTPS and FTP.
2. Drag HTTPS from the Toolbox to HTTP in the Traffic column of the Allow Web traffic to Internet access rule.
  - The HTTPS protocol is added to the access rule.
  - Notice that the Apply and Discard buttons are displayed again, to indicate that changes in the firewall policy rule list have not been applied yet.
3. Drag FTP from the Toolbox to HTTP and HTTPS in the Traffic column of the Allow Web traffic to Internet access rule. (See Figure B.3j.)
  - The FTP protocol is added to the access rule.
Figure B.3j
4. Click the box with the minus sign in front of the Allow Web traffic to Internet access rule to display the access rule with multiple protocols on a single line.
  - Instead of dragging protocols from the Toolbox to configure a firewall policy rule, you can also right-click the rule and select Properties, as shown in the next task.

To explore the properties of the Allow Web traffic to Internet access rule
1. Right-click the Allow Web traffic to Internet access rule, and then click Properties. (See Figure B.3k.)
2. In the Allow Web Traffic to Internet Properties dialog box, on the Protocols tab, click Add. (See Figure B.3l.)
Figure B.3k
Figure B.3l
3. In the Add Protocols dialog box, click Common protocols. (See Figure B.3m.)
  - You can add any TCP and UDP protocols to the access rule. You can also add non-TCP and non-UDP protocols, such as ICMP, to the access rule.
4. Click Close to close the Add Protocols dialog box.
5. On the To tab, click Add. (See Figure B.3n.)
Figure B.3m
Figure B.3n
  - Instead of applying the access rule to traffic to all destinations on the External network, you can limit access to specific destinations by using any of these six network entities (Computers, Address Ranges, Subnets, Domain Name Sets, URL Sets, and Computer Sets).
6. Click Close to close the Add Network Entities dialog box.
7. On the From tab, click Add.
8. In the Add Network Entities dialog box, click Networks. (See Figure B.3o.)
  - The Local Host network (representing the ISA Server computer) can be used as the source network in an access rule.
Figure B.3o
9. Click Close to close the Add Network Entities dialog box.
10. Click Cancel to close the Allow Web Traffic to Internet Properties dialog box.
  - An access rule can contain all the rule elements to define an outbound access policy for any TCP, UDP, non-TCP, or non-UDP protocol, from any computer (including the ISA Server computer), to any other computer. This combines the functionality of the ISA Server 2000 packet filter rules, protocol rules, and site and content rules in a single rule list.
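The two mechanisms just walked through, the network rules of Walkthrough B-2 (Route in both directions, NAT in one direction, no rule means no traffic) and the single access-rule list of Walkthrough B-3 (first matching rule, implicit deny at the end), only allow traffic together. The model below is an added example, not ISA Server code or an ISA Server API. Network, network-set and rule names follow the walkthrough; every address except the Perimeter range 23.1.1.0/24, the rule names, the "VPN Networks" set name, and the first-match ordering of network rules are assumptions of the model.

```python
"""Model of how ISA Server 2006 combines network rules (NAT or Route between
networks) with the single access-rule list. Added example, not ISA Server code.
Network and rule names follow the walkthrough; every address except the
Perimeter range 23.1.1.0/24 is an assumed, constructed value."""
import ipaddress

# Networks by address range. Local Host is listed first so that ISA Server's own
# adapter addresses (assumed) classify as Local Host rather than Internal/Perimeter.
NETWORKS = {
    "Local Host": ["10.0.0.1/32", "23.1.1.1/32", "192.0.2.1/32"],
    "Internal": ["10.0.0.0/24"],
    "Perimeter": ["23.1.1.0/24"],
    "VPN Clients": ["10.0.1.0/24"],              # dynamic in ISA; a fixed pool here
    "Quarantined VPN Clients": ["10.0.2.0/24"],  # dynamic in ISA; a fixed pool here
}

# Network sets group existing networks; All Protected Networks is every network
# except External, as the walkthrough states. "VPN Networks" is an assumed set name.
NETWORK_SETS = {
    "All Networks": list(NETWORKS) + ["External"],
    "All Protected Networks": list(NETWORKS),
    "VPN Networks": ["VPN Clients", "Quarantined VPN Clients"],
}

def classify(ip):
    """Return the network an address belongs to; anything not listed is External."""
    addr = ipaddress.ip_address(ip)
    for name, prefixes in NETWORKS.items():
        if any(addr in ipaddress.ip_network(p) for p in prefixes):
            return name
    return "External"

def expand(entities):
    """Flatten network-set names into the networks they contain."""
    members = set()
    for entity in entities:
        members.update(NETWORK_SETS.get(entity, [entity]))
    return members

# Ordered network rules as the walkthrough describes the current configuration
# (rule names are constructed): (name, sources, destinations, relationship).
NETWORK_RULES = [
    ("Local Host Access", ["Local Host"], ["All Networks"], "Route"),
    ("VPN Clients to Internal", ["VPN Networks"], ["Internal"], "Route"),
    ("Perimeter to External", ["Perimeter"], ["External"], "Route"),
    ("Internal to Perimeter", ["Internal", "VPN Networks"], ["Perimeter"], "NAT"),
    ("Internet Access", ["Internal", "VPN Networks"], ["External"], "NAT"),
]

def network_relationship(src_net, dst_net, rules=NETWORK_RULES):
    """First matching rule wins. Route rules apply in both directions, NAT rules
    only in the direction they were defined, and no rule means no relationship."""
    for _, sources, destinations, relationship in rules:
        sources, destinations = expand(sources), expand(destinations)
        if src_net in sources and dst_net in destinations:
            return relationship
        if relationship == "Route" and src_net in destinations and dst_net in sources:
            return relationship
    return None

# The single rule list: (name, action, protocols, from, to, user set). Only the
# rule built in Walkthrough B-3 is present; "All Users" matches any user.
ACCESS_RULES = [
    ("Allow Web traffic to Internet", "Allow", {"HTTP", "HTTPS", "FTP"},
     ["Internal"], ["External"], "All Users"),
]

def evaluate(src_ip, dst_ip, protocol, user="anonymous",
             access_rules=ACCESS_RULES, network_rules=NETWORK_RULES):
    """Return (decision, reason). Traffic needs both a network relationship and
    an allowing access rule; the rule list ends in an implicit deny."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    relationship = network_relationship(src_net, dst_net, network_rules)
    if relationship is None:
        return "Deny", f"no network rule between {src_net} and {dst_net}"
    for name, action, protocols, sources, destinations, user_set in access_rules:
        if (protocol in protocols and src_net in expand(sources)
                and dst_net in expand(destinations)
                and user_set in ("All Users", user)):
            return action, f"{name} ({relationship})"
    return "Deny", "default rule"

if __name__ == "__main__":
    print(evaluate("10.0.0.25", "203.0.113.10", "HTTP"))   # allowed, via NAT
    print(evaluate("10.0.0.25", "23.1.1.10", "HTTP"))      # NAT rule exists, no access rule
    demo = [("VPN Perimeter Access", ["VPN Clients"], ["Perimeter"], "Route")] + NETWORK_RULES
    print(network_relationship("VPN Clients", "Perimeter"), "->",
          network_relationship("VPN Clients", "Perimeter", demo))
```

Prepending the VPN Perimeter Access rule from Walkthrough B-2 changes the VPN Clients to Perimeter relationship from NAT to Route, while External to Internal stays without any relationship: the NAT rule Internal to External is not matched in reverse, which is why inbound traffic needs a publishing rule rather than a reversed access rule.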
To explore the HTTP protocol scanning features of the Allow Web traffic to Internet access rule
  - For demonstration purposes, you will configure the rule to block HTTP traffic from MSN Messenger.
1. Right-click the Allow Web traffic to Internet access rule, and then click Configure HTTP. (See Figure B.3p.)
Figure B.3p
2. In the Configure HTTP policy for rule dialog box, on the General tab, examine the HTTP filter settings.
  - ISA Server 2006 examines the contents of all HTTP traffic. This is called application-level filtering, or content filtering. HTTP packets that do not meet the specifications on the General tab are blocked.
  - Many applications use HTTP as their transport protocol or even as their tunnel protocol, because HTTP port 80 is allowed on most firewalls. Application-level filtering can block ill-formed or unwanted HTTP applications or content. These settings, such as limiting the maximum URL length, would have blocked the exploitation of vulnerabilities described in various Microsoft Security Bulletins, from MS98-003 to MS03-007.
3. On the Signatures tab, click Add. (See Figure B.3q.)
4. In the Signature dialog box, enter the following information, and then click OK:
    Name: MSN Messenger traffic
    Search in: Request headers
    HTTP header: User-Agent
    Signature: MSMSGS
5. Click OK to close the Configure HTTP policy for rule dialog box.
  - The Allow Web traffic to Internet access rule will allow HTTP traffic from a Web browser, but it will block HTTP traffic from MSN Messenger. (See Figure B.3r.)
Figure B.3q
Figure B.3r
6. Click Apply to apply the changed rule.
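To make the General tab limits and the Signatures tab concrete, the following is an added example of an HTTP filter written for this guide; it is not ISA Server's HTTP filter or its code. It parses a raw request, rejects ill-formed requests and over-long URLs, and then applies the MSN Messenger signature exactly as entered above (search the User-Agent request header for MSMSGS). The length limits, the Request URL search location, and the sample requests are assumptions or constructed inputs.

```python
"""Model of an HTTP application filter that applies request limits and header
signatures. Added example, not ISA Server code. The MSMSGS User-Agent signature
is the one configured in the walkthrough; the limits and the sample requests
are assumed, constructed values."""

# Signature as entered in the walkthrough's Signature dialog box.
SIGNATURES = [
    {"name": "MSN Messenger traffic", "search_in": "Request headers",
     "header": "User-Agent", "signature": "MSMSGS"},
]

# Limits in the spirit of the General tab (values assumed).
LIMITS = {"max_url_length": 2048, "max_headers_length": 8192}

def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, url, version, headers, body).
    Header names are lower-cased; repeated headers are joined with ", "."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    method, url, version = lines[0].split(" ", 2)   # ValueError unless 3 parts
    if not version.startswith("HTTP/"):
        raise ValueError("bad request line")
    headers = {}
    for line in lines[1:]:
        if ":" not in line:
            raise ValueError(f"malformed header line {line!r}")
        name, value = line.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        headers[name] = headers[name] + ", " + value if name in headers else value
    return method, url, version, headers, body

def inspect(raw, signatures=SIGNATURES, limits=LIMITS):
    """Return ("allow", None) or ("block", reason) for one request."""
    try:
        method, url, version, headers, body = parse_request(raw)
    except ValueError as exc:
        return "block", f"ill-formed request: {exc}"
    if len(url) > limits["max_url_length"]:
        return "block", "URL exceeds maximum length"
    if len(raw.partition("\r\n\r\n")[0]) > limits["max_headers_length"]:
        return "block", "headers exceed maximum length"
    for sig in signatures:
        if sig["search_in"] == "Request headers":
            haystack = headers.get(sig["header"].lower(), "")
        elif sig["search_in"] == "Request URL":
            haystack = url
        else:
            continue  # other search locations are not modelled here
        if sig["signature"] in haystack:   # plain substring match
            return "block", sig["name"]
    return "allow", None

# Constructed sample requests: a browser and a client announcing itself as MSMSGS.
BROWSER_REQUEST = (
    "GET http://www.example.com/ HTTP/1.1\r\n"
    "Host: www.example.com\r\n"
    "User-Agent: Mozilla/4.0 (compatible)\r\n\r\n"
)
MESSENGER_REQUEST = (
    "GET http://gateway.example.net/ HTTP/1.1\r\n"
    "Host: gateway.example.net\r\n"
    "User-Agent: MSMSGS\r\n\r\n"
)

if __name__ == "__main__":
    print(inspect(BROWSER_REQUEST))     # ('allow', None)
    print(inspect(MESSENGER_REQUEST))   # ('block', 'MSN Messenger traffic')
```

The header match is a case-sensitive substring comparison in this model; a client that changes its User-Agent string is not caught by a header signature, which is the practical limit of this kind of rule and the reason the General tab limits on URL and header length are applied before any signature.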
To explore the System Policy Rules in the firewall policy
1. In the left pane, ensure that Firewall Policy is selected.
2. In the task pane, on the Tasks tab, click Show System Policy Rules. (See Figure B.3s.)
  - In the details pane, 34 predefined access rules to or from the Local Host (ISA Server computer) are shown. These are called the System Policy Rules.
Figure B.3s
3. In the task pane, on the Tasks tab, click Edit System Policy. (See Figure B.3t.)
  - The System Policy Editor dialog box appears. You can change most of the system policy rules.
4. Click Cancel to close the System Policy Editor dialog box.
5. In the task pane, on the Tasks tab, click Hide System Policy Rules.
  - Note that you generally do not need to change the firewall system policy, because it contains all of the basic rules and policy that govern the basic operation of the server.
Figure B.3t

To delete the Allow Web traffic to Internet access rule
Note: This task is needed to avoid conflicts in a later lab exercise.
1. In the details pane, right-click Allow Web traffic to Internet, and then click Delete.
2. Click Yes to confirm that you want to delete the access rule.
  - The access rule is deleted, but this change is not applied yet.
3. Click Apply to apply the deletion of the rule.
Walkthrough B-4: Management and Monitoring

To explore delegating administrative control by using role-based permissions from a single place
1. In ISA Server Management, in the left pane, select Monitoring. (See Figure B.4a.)
  - The Monitoring node has tabs that allow you to monitor, control, investigate, troubleshoot, and plan firewall operations.
  - On the first tab (Dashboard), all other tabs except Logging are represented by a summary box. By clicking the header of a summary box, you can go to the corresponding tab to see more details.
Figure B.4a
2. Select the Services tab. (See Figure B.4b.)
  - The Services tab displays the status of the Microsoft Firewall service and other related services. If you enable ISA Server for VPN connections, the Routing and Remote Access service status is also displayed.
  - All incoming and outgoing network traffic is handled by the Firewall service. For performance reasons, the Web proxy functionality is included in the Firewall service.
Figure B.4b
  - Notice that all members of the ISA Server 2006 Enterprise Edition array are represented on the Services tab. This enables you to monitor service status on all array members, regardless of their location, from a single point of management.
3. Select the Connectivity tab. (See Figure B.4c.)
  - The Connectivity tab allows you to define connectivity verifiers. A connectivity verifier periodically connects from ISA Server to a computer that you specify, to test current connectivity by using an HTTP GET request, a Ping request, or an attempt to establish a TCP connection to a port that you specify. This helps with troubleshooting client connectivity problems.
Figure B.4c
4. Select the Logging tab. (See Figure B.4d.)
  - The Logging tab is used to configure the Firewall log files, and to view the contents of the log files online.
Figure B.4d
5. In the task pane, on the Tasks tab, click Configure Firewall Logging. (See Figure B.4e.)
  - Logging supports three log storage formats: File (*.w3c, text), SQL Database (ODBC), or MSDE Database (*.mdf, SQL Desktop Engine).
Figure B.4e
6. Click Cancel to close the Firewall Logging Properties dialog box.
  - The Logging tab has an online mode that allows you to see the log entries from the ISA Server 2006 log files on the screen, immediately after they are written to the log files. If you want to limit the log entries that are displayed, you can create a filter. (To do so, click Edit Filter on the Tasks tab, where you can modify or create new filters for the log viewer, as well as start the query to bring back updated results.)
7. Close ISA Server Management.
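When the File (*.w3c) storage format is selected, the log can also be read offline with any W3C extended log parser, which is useful when the log viewer is not at hand or when entries from several array members have to be combined. The following is an added example written for this guide, not ISA Server code: it parses a constructed W3C extended log (the '#Fields:' directive names the tab-separated columns) and applies Equals, Not Equal and Contains conditions in the spirit of the log viewer's Edit Filter task. The field names, the log lines and the conditions are constructed for illustration and are not ISA Server's own field list.

```python
"""Parser and filter for a W3C extended log file of the kind the File (*.w3c)
storage format produces. Added example, not ISA Server code. The field names,
the log lines and the filter conditions are constructed for illustration."""
from collections import Counter

# Constructed sample in W3C extended format: '#' directives, then tab-separated
# records whose columns are named by the #Fields directive.
SAMPLE_LOG = "\n".join([
    "#Software: constructed sample",
    "#Version: 1.0",
    "#Date: 2006-06-12 08:00:00",
    "#Fields: date time c-ip cs-username s-ip cs-protocol sc-status rule action",
    "2006-06-12\t08:00:01\t10.0.0.25\tCONTOSO\\alice\t10.0.0.1\thttp\t200\tAllow Web traffic to Internet\tAllowed",
    "2006-06-12\t08:00:02\t10.0.0.25\tCONTOSO\\alice\t10.0.0.1\thttp\t0\tDefault rule\tDenied",
    "2006-06-12\t08:00:03\t10.0.0.40\t-\t10.0.0.1\tftp\t0\tDefault rule\tDenied",
    "2006-06-12\t08:00:04\t10.0.0.40\t-\t10.0.0.1\thttps\t200\tAllow Web traffic to Internet\tAllowed",
    "2006-06-12\t08:00:05\t10.0.0.25\tCONTOSO\\alice\t10.0.0.1\thttp\t200\tAllow Web traffic to Internet\tAllowed",
])

def parse_w3c(text):
    """Return one dict per record, keyed by the names in the #Fields directive."""
    fields, records = None, []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError(f"line {lineno}: record before any #Fields directive")
        values = line.split("\t")
        if len(values) != len(fields):
            raise ValueError(f"line {lineno}: expected {len(fields)} fields, got {len(values)}")
        records.append(dict(zip(fields, values)))
    return records

def apply_filter(records, conditions):
    """Keep records matching every (field, operator, value) condition, modelled
    on the Equals / Not Equal / Contains choices of a log-viewer filter."""
    ops = {
        "Equals": lambda actual, wanted: actual == wanted,
        "Not Equal": lambda actual, wanted: actual != wanted,
        "Contains": lambda actual, wanted: wanted in actual,
    }
    return [r for r in records
            if all(ops[op](r.get(field, ""), value) for field, op, value in conditions)]

def denied_by_client(records):
    """Count denied connections per client address, a quick triage view."""
    return Counter(r["c-ip"] for r in records if r["action"] == "Denied")

if __name__ == "__main__":
    entries = parse_w3c(SAMPLE_LOG)
    for entry in apply_filter(entries, [("action", "Equals", "Denied")]):
        print(entry["time"], entry["c-ip"], entry["cs-protocol"], entry["rule"])
    print(denied_by_client(entries))
```

A record whose column count does not match the '#Fields' directive is reported with its line number rather than silently skipped, since a truncated or partially written line is exactly the kind of entry an investigator needs to notice.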
WALKTHROUGH C: WEB LISTENER WIZARD
Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 and ISA Server 2006. The certificates required have been preinstalled.

Walkthrough C-1: Creating a Web Listener with SSL
1. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and click Firewall Policy.
2. On the Toolbox tab, click Network Objects, click New, and then select Web Listeners.
3. In the Web listener name text box, type OWA SSL. Click Next. (See Figure C.1a.)
4. Select Require SSL secured connections with clients. Click Next. (See Figure C.1b.)
Figure C.1a
5. On the Web Listener IP Addresses page, select External. (See Figure C.1c.)
6. Note that a check box enables or disables HTTP compression for this listener.
Figure C.1b
Figure C.1c
Figure C.1d
7. Click the Select IP Addresses button. The External Network Listener IP Selection page provides for further granularity in applying the listener settings. Click Cancel. Click Next. (See Figure C.1d.)
Figure C.1e
8. On the Listener SSL Certificates page, ensure that Use a single certificate for this Web Listener is selected, and click Select Certificate. (See Figure C.1e.)
  - Note that ISA Server 2006 allows a different certificate to be assigned to each IP address associated with this Web listener.
Figure C.1f
  - Note that you can only do the next step if the Florence server already contains certificates.
9. On the Select Certificate page, select the mail.contoso.com (issued by Florence) certificate from the list, and click Select. On the Listener SSL Certificates page, click Next. (See Figure C.1f.)
10. On the Authentication Settings page, click the arrow to the right of the drop-down box and view the choices. Select HTTP Authentication. Select the Integrated check box. Notice that Active Directory (Windows) is automatically selected. Click Next. (See Figure C.1g.)
11. On the Single Sign On Settings page, click Next. (See Figure C.1h.)
  - Note that single sign on is only available when using HTML Form Authentication.
Figure C.1h
Figure C.1g
12. Click Finish.

Walkthrough C-2: Creating a Web Listener without SSL
1. On the Toolbox tab, click Network Objects, click New, and then select Web Listeners.
2. In the Web listener name text box, type HTTP. Click Next.
Figure C.2a
3. Select Do not require SSL secured connections with clients. Click Next. (See Figure C.2a.)
4. On the Authentication Settings page, ensure that HTTP Authentication is selected, and select Basic. Ensure that Active Directory (Windows) is selected. (See Figure C.2b.)
Figure C.2b
5. On the Single Sign On Settings page, click Next.
6. On the Completing the New Web Listener Wizard page, click Finish.
7. Click Apply to apply the changes to the configuration, and then click OK to acknowledge completion.
WALKTHROUGH D: SERVER FARM WIZARD
Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 and ISA Server 2006.
1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and click Firewall Policy.
3. On the Toolbox tab, click Network Objects, click New, and then select Server Farm.
4. On the Welcome page, in the Server Farm name text box, type Exchange OWA. Click Next.
5. On the Servers page, click Add. In the Computer name or IP address box, type OWA01.contoso.com. Click OK. (See Figure D.1a.)
Figure D.1a
6. Click Add. In the Computer name or IP address box, type OWA02.contoso.com. Click OK.
7. Click Next. On the Connectivity Monitoring page, select the method used to monitor the status of each server in the server farm: select Send an HTTP/HTTPS "GET" request to the following URL, and type http://*/. (See Figure D.1b.)
8. Click Next, and then click Finish. The Enable HTTP Connectivity Verification box appears. Select Yes to enable the "Allow HTTP/HTTPS requests from ISA Server to selected servers for connectivity verifiers" system policy. Click Apply to apply the changes to the configuration. (See Figure D.1c.)
Figure D.1b
Figure D.1c
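The connectivity verifiers introduced on the Connectivity tab in Walkthrough B-4 (HTTP GET, Ping, or a TCP connection to a port) are what the server farm above relies on: each member is probed with the URL entered in step 7, and a member that stops answering is taken out of rotation. The following is an added example written for this guide, not ISA Server code. The farm members and the http://*/ template are from the walkthrough; that '*' stands for the member's name, and that a response with a status below 400 counts as healthy, are assumptions of this model. The probe function is injectable so the farm check can be exercised without network access.

```python
"""Model of a connectivity verifier as used for a Web server farm: the URL
template is expanded per member, each member is probed, and only members that
answer are considered available. Added example, not ISA Server code. The farm
members and the http://*/ template come from the walkthrough; substituting the
member's name for '*' and the 'status below 400' health rule are assumptions."""
import socket
import urllib.error
import urllib.request

FARM = ["OWA01.contoso.com", "OWA02.contoso.com"]   # members from Walkthrough D
URL_TEMPLATE = "http://*/"                           # from step 7

def expand_url(template, host):
    """Replace the '*' placeholder with the farm member's name."""
    return template.replace("*", host)

def http_get(url, timeout=5.0):
    """HTTP GET verifier: return the status code, or None if no response arrived."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as response:
            return response.status
    except urllib.error.HTTPError as exc:
        return exc.code            # the server answered, even if with an error
    except (urllib.error.URLError, OSError):
        return None                # DNS failure, refused connection, timeout

def tcp_connect(host, port, timeout=5.0):
    """TCP verifier: True when a connection to host:port can be established."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def is_healthy(status):
    """A member that answers with a status below 400 is treated as available."""
    return status is not None and status < 400

def check_farm(members, template=URL_TEMPLATE, fetch=http_get):
    """Probe every member; return {member: status}. `fetch` is injectable so
    the check can be exercised without network access."""
    return {member: fetch(expand_url(template, member)) for member in members}

def available_members(members, template=URL_TEMPLATE, fetch=http_get):
    """Members eligible to receive published traffic."""
    results = check_farm(members, template, fetch)
    return [m for m in members if is_healthy(results[m])]

if __name__ == "__main__":
    for member, status in check_farm(FARM).items():
        print(member, status, "available" if is_healthy(status) else "unavailable")
```

Run stand-alone the block really resolves and probes the two member names, so outside the walkthrough environment both will report as unavailable; the health decision is kept in `is_healthy` so that the rule (for instance treating a 401 from an authenticating OWA front end as a live server) can be adjusted in one place.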
WALKTHROUGH E: PUBLISH EXCHANGE WEB CLIENT ACCESS
Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 and ISA Server 2006. This walkthrough assumes that Walkthroughs C and D have been completed.
Figure E.1a
1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and then click Firewall Policy.
3. On the Tasks tab, click Publish Exchange Web Client Access.
4. On the Welcome to the New Exchange Publishing Rule Wizard page, type OWA, and then click Next. (See Figure E.1a.)
5. On the Select Services page, click the down arrow to the right of the drop-down box, review the options, and ensure that Exchange Server 2003 is selected. Confirm that Outlook Web Access is selected, and click Next. (See Figure E.1b.)
6. On the Publishing Type page, select Publish a server farm of load-balanced Web servers. Click Next. (See Figure E.1c.)
Figure E.1c
Figure E.1b
Figure E.1d
7. On the Internal Publishing Details page, in the Internal site name text box, type OWA Client Access. Select the ISA Server will use SSL to connect to this Exchange site (recommended) check box. Click Next. (See Figure E.1d.)
8. On the Specify Server Farm page, select Exchange OWA from the drop-down list. Click Next.
Figure E.1e
9. On the Public Name Details page, in the Public name text box, type mail.contoso.com. Click Next. (See Figure E.1f.)
Figure E.1f
Figure E.1g
10. On the Select Web Listener page, select OWA SSL from the drop-down list. Click Next. (See Figure E.1g.)
11. On the Authentication Delegation page, click the arrow next to the drop-down list. Select No delegation – allow end-to-end authentication. Click Next. (See Figure E.1h.)
Figure E.1h
Figure E.1i
12. On the User Sets page, click Next.
13. On the Completing the New Exchange Publishing Rule Wizard page, click Finish.
Figure E.1j
14. In ISA Server Management, click Apply. Click OK. (See Figure E.1k.)
15. A new rule called OWA now exists in the firewall policy rule list for the array. (See Figure E.1l.)
Figure E.1k
Figure E.1l
WALKTHROUGH F: SHAREPOINT PUBLISHING WIZARD
Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 and ISA Server 2006.
1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, and then click Firewall Policy.
3. On the Tasks tab, click Publish SharePoint Sites. (See Figure F.1a.)
4. On the Welcome to the SharePoint Publishing Rule Wizard page, type Sharepoint Site. (See Figure F.1b.) Click Next.
Figure F.1b
Figure F.1a
5. On the Publishing Type page, select Publish a single Web site or an external load balancer. Click Next. (See Figure F.1c.)
  - Note that the wizard also allows for:
    - Publishing a server farm of load-balanced servers.
    - Publishing multiple Web sites.
Figure F.1c
6. On the Internal Publishing Details page, in the Internal site name text box, type Sharepoint.contoso.com. Select the ISA Server will use SSL to connect to this SharePoint site (recommended) check box. Click Next. (See Figure F.1d.)
Figure F.1d
Figure F.1e
7. On the Public Name Details page, in the Public name text box, type Sharepoint.contoso.com. Click Next. (See Figure F.1e.)
8. On the Select Web Listener page, from the Web listener drop-down list, select HTTP. Click Next. (See Figure F.1f.)
Figure F.1f
9. On the Authentication Delegation page, from the drop-down list, select Negotiate (Kerberos/NTLM) as the method ISA Server uses to delegate client credentials to the published Web site. (See Figure F.1g.)
10. On the User Sets page, click Next.
11. On the Completing the New SharePoint Publishing Rule Wizard page, click Finish. A dialog box appears indicating that additional configuration may be needed to complete the configuration of this SharePoint publishing rule.
12. Click OK.
13. Click Apply, and then click OK to acknowledge that the changes have been saved.
Figure F.1g
WALKTHROUGH G: HTTP COMPRESSION CONFIGURATION
Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 and ISA Server 2006.
1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand ITALY, expand Configuration, and click General. (See Figure G.1a.)
Figure G.1a
3. In the details pane, under Global HTTP Policy Settings, click Define HTTP Compression Preferences. Ensure that the Enable HTTP compression check box is selected. (See Figure G.1b.)
Figure G.1b
Figure G.1c
4. Click the Return Compressed Data tab. Click Add to specify the network objects to which compressed data should be returned (for example, a particular network or a set of computers).
  - The Request Compressed Data tab is used to specify the network objects from which compressed data should be requested.
  - The following steps show how to create a computer set that includes all branch office ISA Server computers.
5. On the Add Network Entities page, click New, and select Computer Set. In the Name box, type Branch Office ISA Servers, click Add, and select Computer. (See Figure G.1c.)
6. In the Name box, type Berlin ISA Server, and in the Computer IP Address box, enter 39.1.1.8. Click OK.
7. In the Name box, type New York ISA Server, and in the Computer IP Address box, enter 39.1.1.9. Click OK. Click OK again. (See Figure G.1d.)
8. On the Add Network Entities page, expand Computer Sets, select Branch Office ISA Servers, and click Add. Click Close. (See Figure G.1e.)
Figure G.1d
Figure G.1e
  - The Add Network Entities page also allows exceptions to be specified.
Figure G.1f
9. Click the Content Types button. Specify the content groups for which compression should occur. Click OK. (See Figure G.1f.)
10. Click OK. Click Apply.
WALKTHROUGH H: DIFFSERV CONFIGURATION

Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand ITALY, expand Configuration, and click General. (See Figure H.1a.)
Figure H.1a
3. In the details pane, under Global HTTP Policy Settings, click Specify QoS Preferences. Select the Enable network traffic prioritization according to Diffserv (Quality of Service) bits check box. (See Figure H.1b.)
   Note: ISA Server 2006 can mark the IP Diffserv (Quality of Service) bits according to URL or domain name, to prioritize traffic on specified networks. For HTTP traffic, specify a URL. For HTTPS traffic, specify domain names.
4. Click the Priorities tab. To add a priority, click Add. In the Add Priority dialog box, in the Priority name text box, type Gold. In the DiffServ bits text box, type 010110. (See Figure H.1c.)
Figure H.1b
Figure H.1c
5. Select the Apply a size limit to this priority check box. In the Size limit (bytes) text box, type 1500.
   Note: Traffic assigned this priority that is smaller than 1,500 bytes will have priority over traffic assigned this same priority that is 1,500 bytes or larger.
6. Click OK. To add another priority, click Add. In the Add Priority dialog box, in the Priority Name text box, type Silver. In the DiffServ bits text box, type 100001. Click OK.
   Note the Allow special handling of request and response headers according to this priority (applies to the first packet only) check box. When this check box is selected, the first packet of each network session is handled according to the selected priority.
7. Click the URLs tab. Click Add. In the URL name box, type www.contoso.com/*. From the Priority drop-down list, select Gold. Click OK. Click Add. In the URL name box, type www.microsoft.com/isaserver/*. From the Priority drop-down list, select Silver. (See Figure H.1d.)
   Note: Traffic associated with URLs assigned to Gold will be given priority over traffic associated with URLs assigned to Silver.
Figure H.1d
8. Click OK. Click the Domains tab. Click Add. Use this tab to specify priority based on domain name, following the same steps used for URLs. Click Cancel.
9. Click the Networks tab. Select the networks for which Diffserv prioritization should be enabled. (See Figure H.1e.)
10. Click OK.
Figure H.1e
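What the six "DiffServ bits" typed in Walkthrough H become on the wire is a DSCP value in the upper six bits of the IPv4 TOS byte, and rewriting that byte also requires the IPv4 header checksum to be recomputed. The following added example (not code from the evaluation guide or from ISA Server) takes the Gold and Silver definitions, the size limit and the URL patterns from the walkthrough, adds a constructed entry for the Domains tab, and shows the classification, the scheduling order the size limit implies, and the header marking itself. The within-priority ordering is modelled as a sort key only, since the guide does not say how the size limit is expressed on the wire.

```python
import struct
from fnmatch import fnmatchcase

# Priorities as entered in the dialog; dictionary order is the precedence (first is highest).
PRIORITIES = {
    "Gold":   {"bits": "010110", "size_limit": 1500},
    "Silver": {"bits": "100001", "size_limit": None},
}
# HTTP traffic is classified by URL pattern, HTTPS traffic by domain name.
URL_PRIORITIES = [("www.contoso.com/*", "Gold"), ("www.microsoft.com/isaserver/*", "Silver")]
DOMAIN_PRIORITIES = [("*.contoso.com", "Gold")]   # constructed entry for the Domains tab


def dscp_from_bits(bits: str) -> int:
    """Turn the 6-character DiffServ field from the dialog into a DSCP value (0-63)."""
    if len(bits) != 6 or set(bits) - {"0", "1"}:
        raise ValueError(f"DiffServ bits must be 6 binary digits, got {bits!r}")
    return int(bits, 2)


def tos_byte(dscp: int, ecn: int = 0) -> int:
    """DSCP occupies the upper 6 bits of the IPv4 TOS byte; ECN the lower 2."""
    return ((dscp & 0x3F) << 2) | (ecn & 0x03)


def priority_for(url: str = None, domain: str = None):
    """First matching URL pattern (HTTP) or domain pattern (HTTPS) wins; None means unmarked."""
    if url is not None:
        for pattern, name in URL_PRIORITIES:
            if fnmatchcase(url.lower(), pattern.lower()):
                return name
    if domain is not None:
        for pattern, name in DOMAIN_PRIORITIES:
            if fnmatchcase(domain.lower(), pattern.lower()):
                return name
    return None


def schedule_key(priority: str, size: int):
    """Sort key (lower sorts first): priority rank, then 'under the size limit' before 'at or over it'."""
    rank = list(PRIORITIES).index(priority)
    limit = PRIORITIES[priority]["size_limit"]
    return (rank, 0 if limit is None or size < limit else 1)


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum of the header's 16-bit words; 0 for a header whose checksum is valid."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mark_ipv4_header(header: bytes, dscp: int) -> bytes:
    """Rewrite the TOS byte of an IPv4 header with the given DSCP and fix the checksum."""
    if len(header) < 20 or header[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ecn = header[1] & 0x03                       # keep the ECN bits the sender set
    marked = bytearray(header)
    marked[1] = tos_byte(dscp, ecn)
    marked[10:12] = b"\x00\x00"                  # checksum field is zero while it is computed
    struct.pack_into("!H", marked, 10, ipv4_checksum(bytes(marked)))
    return bytes(marked)


def sample_header() -> bytes:
    """Constructed 20-byte IPv4 header (TCP, 10.1.1.50 -> 198.51.100.7, TOS 0) with a valid checksum."""
    hdr = bytearray(struct.pack("!BBHHHBBH4s4s", 0x45, 0x00, 60, 0x1234, 0x4000, 64, 6, 0,
                                bytes([10, 1, 1, 50]), bytes([198, 51, 100, 7])))
    struct.pack_into("!H", hdr, 10, ipv4_checksum(bytes(hdr)))
    return bytes(hdr)


if __name__ == "__main__":
    name = priority_for(url="www.contoso.com/default.aspx")
    marked = mark_ipv4_header(sample_header(), dscp_from_bits(PRIORITIES[name]["bits"]))
    print(name, f"TOS=0x{marked[1]:02x}", "checksum ok" if ipv4_checksum(marked) == 0 else "bad")
```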
WALKTHROUGH I: FLOOD RESILIENCY CONFIGURATION

Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand ITALY, expand Configuration, and click General.
3. In the details pane, under Additional Security Policy, click Configure Flood Mitigation Settings. (See Figure I.1a.)
Figure I.1a
4. On the Flood Mitigation page, ensure that the Enable mitigation for flood attacks and worm propagation check box is selected. Next to each option, such as TCP connect requests per minute, per IP address, click the Configure button to open the configuration page and view the available settings and the mitigation description for each. Click Cancel to close each configuration page. (See Figure I.1b.)
Figure I.1b
5. Click the IP Exceptions tab. Click Add. Select the computer sets to which these custom limits should be applied, and click Add. Click OK. (See Figure I.1c.)
Figure I.1c
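The "TCP connect requests per minute, per IP address" setting in Walkthrough I is a per-source rate limit, and the IP Exceptions tab gives the selected computer sets their own limit rather than exempting them. The following added example (not code from the evaluation guide or from ISA Server) implements that behaviour as a sliding one-minute window with a default limit and a custom limit for an excepted computer set. The guide does not state the numeric defaults, so the limits here are constructed placeholders; the computer set addresses are those used for the branch office ISA Server computers elsewhere in the guide.

```python
from collections import defaultdict, deque
from ipaddress import ip_address, ip_network

WINDOW_SECONDS = 60      # the dialog's limits are expressed "per minute"

# Constructed placeholders: the walkthrough names the setting but not its values.
DEFAULT_LIMIT = 5
IP_EXCEPTIONS = {
    "Branch Office ISA Servers": {"cidrs": ["39.1.1.8/32", "39.1.1.9/32"], "limit": 20},
}


class TcpConnectLimiter:
    """Per-source-IP limit on TCP connect requests within a sliding window."""

    def __init__(self, default_limit=DEFAULT_LIMIT, exceptions=IP_EXCEPTIONS, window=WINDOW_SECONDS):
        self.default_limit = default_limit
        self.exceptions = exceptions
        self.window = window
        self._accepted = defaultdict(deque)   # ip -> timestamps of accepted connects still in the window
        self._last_alert = {}                 # ip -> time of the last alert, to raise one per window
        self.alerts = []                      # (ip, limit, time) tuples for the monitoring side

    def limit_for(self, ip: str) -> int:
        """Custom limit if the address is in an excepted computer set, else the default."""
        addr = ip_address(ip)
        for rule in self.exceptions.values():
            if any(addr in ip_network(c) for c in rule["cidrs"]):
                return rule["limit"]
        return self.default_limit

    def connect(self, ip: str, now: float) -> bool:
        """Record a connect request from ip at time `now` (seconds); True if it is allowed."""
        window = self._accepted[ip]
        while window and now - window[0] >= self.window:   # age out requests older than one minute
            window.popleft()
        limit = self.limit_for(ip)
        if len(window) >= limit:
            # Blocked requests are not counted, so the source regains `limit` connects as the
            # accepted ones age out; one alert per source per window keeps the log readable.
            last = self._last_alert.get(ip)
            if last is None or now - last >= self.window:
                self.alerts.append((ip, limit, now))
                self._last_alert[ip] = now
            return False
        window.append(now)
        return True


def replay(events, limiter=None) -> dict:
    """Feed (time, ip) events in order; return per-IP counts of allowed and blocked connects."""
    limiter = limiter or TcpConnectLimiter()
    summary = defaultdict(lambda: {"allowed": 0, "blocked": 0})
    for t, ip in sorted(events):
        summary[ip]["allowed" if limiter.connect(ip, t) else "blocked"] += 1
    return dict(summary)


# Constructed sample: a host on the Internal network bursting 8 connects in 8 seconds,
# and an excepted branch office server making 12 connects in the same period.
SAMPLE_EVENTS = [(t, "10.1.1.50") for t in range(8)] + [(t * 0.5, "39.1.1.8") for t in range(12)]

if __name__ == "__main__":
    lim = TcpConnectLimiter()
    print(replay(SAMPLE_EVENTS, lim))
    print("alerts:", lim.alerts)
```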
WALKTHROUGH J: CACHING RULES (MICROSOFT UPDATE CACHE RULE / BITS CONFIGURATION)

Note: This walkthrough assumes the use of a virtual computer called Florence configured with Windows Server 2003 & ISA Server 2006.

1. On the Florence ISA Server 2006 Enterprise Edition firewall array member, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, in the left pane, expand Arrays, expand ITALY, expand Configuration, and click Cache. On the Tasks tab, click Define Cache Drives (enable caching). On the Cache Drives tab, in the Maximum cache size (MB) text box, type 1000. Click OK. (See Figure J.1a.)
Figure J.1a
3. Click the Cache Rules tab. Double-click the built-in cache rule Microsoft Update Cache Rule. (See Figure J.1b.)
Figure J.1b
4. Click the To tab. Select Microsoft Update Domain Name Set and click Edit. Examine the domain name in this set (*.windowsupdate.com). Click Cancel. (See Figure J.1c.)
Figure J.1c
5. Click the Cache Store and Retrieval tab. Investigate the options available. (See Figure J.1d.)
6. Click the HTTP tab. Notice that HTTP caching is enabled. Review the available settings and their defaults. (See Figure J.1e.)
Figure J.1d
Figure J.1e
7. Click the FTP tab and review the settings. (See Figure J.1f.)
Figure J.1f
8. Click the Advanced tab. Review the settings. (See Figure J.1g.)
   Note the Enable caching of content received through the Background Intelligent Transfer Service (BITS) check box. BITS caching is enabled on a per-cache-rule basis.
Figure J.1g
WALKTHROUGH K: REMOTE CLIENT VPN CONNECTIVITY

Note: This walkthrough assumes the use of 2 virtual computers called Florence and Firenze configured with Windows Server 2003 & ISA Server 2006.

Walkthrough K-1: Configuring ISA Server 2006 to Accept Incoming Client VPN Connections

To examine the status of the Routing and Remote Access service
1. On the Florence computer, on the Start menu, click Administrative Tools, and then click Routing and Remote Access. In Routing and Remote Access, select FLORENCE (local).
   The Routing and Remote Access service is not started yet, and the service is not configured. ISA Server uses the Routing and Remote Access service to handle VPN connections after the VPN connection is approved.
   Note that all VPN configuration (except remote access dial-in permission for users and groups) is done through ISA Server Management.

To use ISA Server Management to configure VPN address ranges
   Note that the Florence IP address range is 10.3.1.1–10.3.1.100.
1. On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2. In ISA Server Management, expand Arrays, expand ITALY, and then select Virtual Private Networks (VPN).
3. In the task pane, on the Tasks tab, click Define Address Assignments.
   Note that in ISA Server 2006 Enterprise Edition, the use of a Dynamic Host Configuration Protocol (DHCP) server to assign IP addresses to VPN clients is limited to arrays with only a single ISA Server computer. This avoids intra-array traffic and the routing table updates that would otherwise be required on each array member when a VPN client connects.
   In an array with more than one ISA Server computer, you must first define static IP ranges per server before you can enable VPN access.
4. In the Virtual Private Networks (VPN) Properties dialog box, on the Address Assignment tab, click Add.
5. In the Server IP Address Range Properties dialog box, complete the following information:
   - Select the server: Florence
   - Start address: 10.3.1.1
   - End address: 10.3.1.100
   This IP address range allows for a maximum of:
   - One destination VPN IP address on Florence (10.3.1.1).
   - 99 VPN client addresses (10.3.1.2–10.3.1.100).
6. In the Virtual Private Networks (VPN) Properties dialog box, on the Address Assignment tab, click Add.
7. In the Server IP Address Range Properties dialog box, complete the following information:
   - Select the server: Firenze
   - Start address: 10.3.1.101
   - End address: 10.3.1.200
8. Click OK to close the Virtual Private Networks (VPN) Properties dialog box.

To enable and configure VPN client access
   This procedure configures a VPN for PPTP and for a maximum of 99 clients.
Figure K.1a
1. On the Tasks tab, click Configure VPN Client Access.
2. In the VPN Client Properties dialog box, on the General tab, select the Enable VPN client access check box. In the Maximum number of VPN clients allowed text box, type 99. (See Figure K.1a.)
3. On the Protocols tab, ensure that only Enable PPTP is selected.
4. Click OK to close the VPN Clients Properties dialog box.
   Note that the VPN configuration is not applied yet.

To examine the VPN connection settings
1) In the left pane, right-click Virtual Private Networks (VPN), and then click Properties.
   You can also access the Virtual Private Networks (VPN) Properties dialog box from the task pane.
2) In the Virtual Private Networks (VPN) Properties dialog box, select the Access Networks tab. (See Figure K.1b.)
   ISA Server is currently configured to accept incoming VPN connections only from the External network.
3) Select the Authentication tab.
   ISA Server is currently configured to allow only MS CHAPv2 authentication for incoming VPN connections.
4) Click OK to close the Virtual Private Networks (VPN) Properties dialog box.
Figure K.1b

To examine the VPN access rule
1) In the left pane, select Firewall Policy (ITALY).
2) In the task pane, on the Tasks tab, click Show System Policy Rules.
3) In the details pane, select the Allow VPN client traffic to ISA Server system policy rule (rule 13). (See Figure K.1c.)
Figure K.1c
   This system policy rule allows the PPTP protocol from the External network to the Local Host network (ISA Server).
   If the L2TP over IPsec VPN protocol is also enabled for VPN client access, this rule is extended with the required L2TP over IPsec protocols, such as Internet Key Exchange (IKE), Internet Protocol security (IPsec), and Layer Two Tunneling Protocol (L2TP). If additional networks are enabled on the Access Networks tab of the Virtual Private Networks (VPN) Properties dialog box, this rule is extended with those networks.
4) In the task pane, on the Tasks tab, click Hide System Policy Rules.
5) In ISA Server Management, click Apply to apply the VPN configuration, and then click OK.
   This step configures and enables VPN connections on ISA Server, and configures and starts the Routing and Remote Access service on the ISA Server computer.

Note: Before you do the next task, wait 30 seconds for ISA Server to configure and start the Routing and Remote Access service.

To examine the Routing and Remote Access service
1) In Routing and Remote Access, in the left pane, right-click FLORENCE (local), and then click Refresh, if necessary.
   The user interface is updated to show that Routing and Remote Access is configured and started.
2) Right-click FLORENCE (local), and then click Properties.
3) In the FLORENCE (local) Properties dialog box, select the IP tab.
   ISA Server has configured the Routing and Remote Access service to use a static address pool of IP addresses.
4) Click Cancel to close the FLORENCE (local) Properties dialog box.
5) Expand FLORENCE (local), and then select Remote Access Policies.
6) In the details pane, right-click the ISA Server Default Policy remote access policy, and then click Properties.
   ISA Server has added a new remote access policy:
   - The policy is first in the list, and applies to all incoming remote access connections (Day-And-Time-Restrictions matches 7x "00:00-24:00").
   - The associated profile specifies the authentication methods allowed for the connections.
   - Unless individual access permissions are specified in the user profile (performed in the following procedure), remote access is denied.
7) Click Cancel to close the ISA Server Default Policy Properties dialog box.
8) In the left pane, select IP Routing. In the details pane, right-click Static Routes, and then click Show IP Routing Table.
   On the Florence computer, ISA Server has added routes for the VPN address range on Firenze (10.3.1.101–10.3.1.200).
9) Close the FLORENCE - IP Routing Table window.
10) Close Routing and Remote Access.

To configure the user profile of the Admin account so that it is allowed to dial in
1) On the Start menu, click Administrative Tools, and then click Computer Management.
2) In Computer Management, in the left pane, expand Local Users and Groups, and then select Users.
3) In the details pane, right-click Admin, and then click Properties.
4) In the Administrator Properties dialog box, on the Dial-in tab, select Allow access, and then click OK. (See Figure K.1d.)
5) Close Computer Management.
   Note that in this procedure, a local administrator account is used to create the VPN connection. Normally, domain user accounts are used to create the VPN connection.
Figure K.1d

Note: ISA Server now accepts incoming VPN connections from client computers on the External network. Those client computers will then automatically be placed in the VPN Clients network. Access rules should be created to determine which resources VPN clients will be given access to.
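Walkthrough K-1 sizes the static address ranges by hand: each member's range must be distinct, the first address of a range is the server's own VPN endpoint, and a multi-member array needs a range for every member because DHCP assignment is only available in a single-server array. The following added example (not code from the evaluation guide or from ISA Server) checks those constraints for the two ranges used above. Requiring the client limit to fit each server's pool individually is a conservative reading chosen for this example; the guide sets both to 99 but does not state how the array-wide limit relates to the per-server pools.

```python
from ipaddress import ip_address

# Static address ranges from Walkthrough K: one per array member.
VPN_RANGES = {
    "Florence": ("10.3.1.1", "10.3.1.100"),
    "Firenze":  ("10.3.1.101", "10.3.1.200"),
}
ARRAY_MEMBERS = ("Florence", "Firenze")
MAX_VPN_CLIENTS = 99        # the value typed into "Maximum number of VPN clients allowed"


def _bounds(rng):
    """Numeric (start, end) of an inclusive dotted-quad range, validated."""
    start, end = (int(ip_address(a)) for a in rng)
    if end < start:
        raise ValueError(f"range {rng[0]}-{rng[1]} ends before it starts")
    return start, end


def client_capacity(ranges) -> dict:
    """Client addresses per server: the range's first address is the server's own VPN
    endpoint, so a 100-address range serves 99 clients."""
    capacity = {}
    for server, rng in ranges.items():
        start, end = _bounds(rng)
        capacity[server] = end - start      # (end - start + 1) addresses minus the server's own
    return capacity


def overlapping_pairs(ranges) -> list:
    """Pairs of servers whose static ranges share at least one address."""
    items = [(server, _bounds(rng)) for server, rng in ranges.items()]
    return [(a, b) for i, (a, (a0, a1)) in enumerate(items)
            for b, (b0, b1) in items[i + 1:] if a0 <= b1 and b0 <= a1]


def validate_vpn_pools(ranges, members, max_clients) -> list:
    """Return the problems with a VPN address assignment; an empty list means it is consistent."""
    problems = [f"ranges of {a} and {b} overlap" for a, b in overlapping_pairs(ranges)]
    if len(members) > 1:
        for server in members:
            if server not in ranges:
                problems.append(f"{server} has no static address range; DHCP assignment "
                                "is only available in a single-server array")
    for server, capacity in client_capacity(ranges).items():
        if capacity < max_clients:
            problems.append(f"{server} has {capacity} client addresses, fewer than the "
                            f"{max_clients} clients allowed")
    return problems


if __name__ == "__main__":
    print(client_capacity(VPN_RANGES))
    print(validate_vpn_pools(VPN_RANGES, ARRAY_MEMBERS, MAX_VPN_CLIENTS) or "address assignment is consistent")
```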
WALKTHROUGH L: ENTERPRISE MANAGEMENT AND HIGH AVAILABILITY

Walkthrough L-1: Exploring Enterprise Networks and Policies

By grouping ISA Server 2006 Enterprise Edition computers into arrays, you can centrally manage network policy for the entire enterprise. You can select a centralized enterprise policy that applies to all arrays in the enterprise, or a more flexible policy where each array administrator can define a local policy. Centralized administration can mean greater security: all administrative tasks can be performed from one computer and the configuration is applied to all servers, ensuring that they have the same access policies configured. This is particularly useful in large organizations, where arrays can include many ISA Server computers. In this walkthrough, you will create an enterprise policy and apply it to multiple ISA Server arrays.

Note: This walkthrough assumes the use of 2 virtual computers called Florence and Firenze configured with Windows Server 2003 & ISA Server 2006.

In the following procedure, you will examine the four components of the firewall policy rule list on the Florence computer:
- System policy rules
- Enterprise rules (before)
- Array-level rules
- Enterprise rules (after)

To examine firewall policies
1) On the Florence computer, on the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2) In the left pane, expand Arrays, expand ITALY, and then select Firewall Policy (ITALY).
   You create firewall policy rules to define what network traffic is allowed to go into or out of your network.
   The firewall policy rules that you create can be in three locations:
   - Enterprise Policy Rules (before): rules that are processed before the array-level firewall policy rules.
   - Firewall Policy Rules (array): array-level rules.
   - Enterprise Policy Rules (after): rules that are processed after the array-level firewall policy rules.
   Only the Firewall Policy Rules (array) are created and managed at the array level. The Enterprise Policy Rules (before) and Enterprise Policy Rules (after) are created and managed at the enterprise level in an enterprise policy, which is assigned to the array.
3) In the task pane, on the Tasks tab, click Show System Policy Rules. (See Figure L.1a.)
   In the details pane, 34 predefined access rules to or from the Local Host network (ISA Server computers) are shown. Enabled system policy rules are always active, even if they are not shown.
   The effective firewall policy is always the combination of the following rules, in order:
   - System policy rules
   - Enterprise policy rules (before)
   - Array-level rules
   - Enterprise policy rules (after)
   - The Default rule (deny all traffic), which is always listed last
Figure L.1a
4) On the Tasks tab, click Hide System Policy Rules.

To create a new enterprise policy
1) In the left pane, expand Enterprise, expand Enterprise Policies, and then select Enterprise Policies.
   An ISA Server enterprise administrator can create one or more enterprise policies, and assign an enterprise policy to one or more arrays. Initially, only the Default Policy enterprise policy exists. You cannot modify Default Policy.
2) In the task pane, on the Tasks tab, click Create New Enterprise Policy.
3) On the Welcome to the New Enterprise Policy Wizard page, in the Enterprise policy name text box, type Company Enterprise Policy, and then click Next. (See Figure L.1b.)
4) On the Completing the New Enterprise Policy Wizard page, click Finish.
   A new enterprise policy named Company Enterprise Policy is created.
   The enterprise policy is not assigned to an array yet.
Figure L.1b
5) In the left pane, select Company Enterprise Policy.
   All enterprise policies (including Default Policy) always contain the Default rule, which is always listed last. The Default rule denies all network traffic.

To create an enterprise network
1) In the left pane, select Enterprise Networks.
   ISA Server 2006 Enterprise Edition has four predefined enterprise networks. These four networks always map to the array-level network with the same name. They do not define any IP address ranges at the enterprise level. Instead, the predefined enterprise networks act as placeholders for use in enterprise-level firewall policy rules. Note that ISA Server does not have a predefined enterprise network for the Internal network. In this procedure, you will create a new custom enterprise network for the Internal network.
2) In the task pane, on the Tasks tab, click Create a New Network.
3) On the Welcome to the New Network Wizard page, in the Network name text box, type All Internal Networks, and then click Next.
   Custom enterprise networks are different, in that they define IP address ranges.
4) On the Network Addresses page, click Add Range.
5) In the IP Address Range Properties dialog box, complete the following information, and then click OK:
   - Start address: 10.1.1.0
   - End address: 10.1.1.255
   10.1.1.0–10.1.1.255 is the IP address range of the Internal network for the ITALY array.
6) On the Network Addresses page, click Add Range again.
7) In the IP Address Range Properties dialog box, complete the following information, and then click OK:
   - Start address: 10.4.1.0
   - End address: 10.4.1.255
   10.4.1.0–10.4.1.255 is the IP address range of the Internal network for the PORTUGAL array.
8) On the Network Addresses page, click Next. (See Figure L.1c.)
9) On the Completing the New Network Wizard page, click Finish.
   A new enterprise network named All Internal Networks is created.
   Note that for ease of management, when you have a large number of networks, you can create an enterprise network set, which groups multiple existing enterprise networks.
Figure L.1c

To create a new access rule in Company Enterprise Policy
1) In the left pane, select Company Enterprise Policy, and then in the details pane, select Default rule.
2) In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
   Note that you cannot create publishing rules in an enterprise policy. An enterprise policy only contains access rules. Note that system policy rules are only defined at the array level.
3) On the Welcome to the New Access Rule Wizard page, in the Access rule name text box, type Baseline - Allow HTTP traffic to Internet, and then click Next. (See Figure L.1d.)
4) On the Rule Action page, select Allow, and then click Next.
5) On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
6) In the Add Protocols dialog box, click Web, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
7) On the Protocols page, click Next.
8) On the Access Rule Sources page, click Add.
Figure L.1d
9) In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, click Add, and then click Close to close the Add Network Entities dialog box. (See Figure L.1e.)
   All Internal Networks represents the internal networks of ITALY and PORTUGAL.
10) On the Access Rule Sources page, click Next.
11) On the Access Rule Destinations page, click Add.
12) In the Add Network Entities dialog box, click Enterprise Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
   The External enterprise network maps to the External network in each array.
13) On the Access Rule Destinations page, click Next.
14) On the User Sets page, click Next.
15) On the Completing the New Access Rule Wizard page, click Finish.
   A new enterprise access rule is created that allows the HTTP protocol from all internal networks to the External network for all users.
   Note that the new access rule is listed in the enterprise policy rules section that is after the Array Firewall Policy section. When this enterprise policy is applied to an array, the array administrators can override this enterprise access rule with an array access rule that is listed earlier.
Figure L.1e
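The override behaviour described here follows from the evaluation order given earlier in this walkthrough: system policy, enterprise rules (before), array rules, enterprise rules (after), and finally the Default rule, with the first matching rule deciding. The following added example (not code from the evaluation guide or from ISA Server) models that order as a first-match rule list and shows both outcomes: an enterprise rule in the "after" section, such as Baseline - Allow HTTP traffic to Internet, is overridden by an earlier array rule, while an enterprise rule in the "before" section, such as the Block - Trojan horse traffic rule created in the next procedure, is not. Only one of the 34 system policy rules is represented, the Local Host addresses and the array rules are constructed, and the Internal range is the ITALY range from the walkthrough.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed array-level network definitions; an address in none of them is on the
# External network, which is how ISA Server treats addresses outside every defined network.
NETWORKS = {
    "Local Host":  ["10.1.1.1/32", "39.1.1.1/32"],   # the ISA Server computer itself (constructed)
    "Internal":    ["10.1.1.0/24"],                  # ITALY array Internal range
    "VPN Clients": ["10.3.1.0/24"],
}
ANY = frozenset({"*"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    protocols: frozenset    # protocol names, or ANY for all protocols
    sources: frozenset      # network names, or ANY
    destinations: frozenset

    def matches(self, protocol: str, src_net: str, dst_net: str) -> bool:
        def hit(selection, value):
            return "*" in selection or value in selection
        return (hit(self.protocols, protocol) and hit(self.sources, src_net)
                and hit(self.destinations, dst_net))


def R(name, action, protocols, sources, destinations) -> Rule:
    return Rule(name, action, frozenset(protocols), frozenset(sources), frozenset(destinations))


DEFAULT_RULE = R("Default rule", "deny", ANY, ANY, ANY)     # always last, denies everything else


def classify(ip: str, networks=NETWORKS) -> str:
    addr = ip_address(ip)
    for name, cidrs in networks.items():
        if any(addr in ip_network(c) for c in cidrs):
            return name
    return "External"


def effective_policy(system_rules, enterprise_before, array_rules, enterprise_after) -> list:
    """The order ISA Server evaluates: system policy, enterprise (before), array, enterprise (after), Default rule."""
    return [*system_rules, *enterprise_before, *array_rules, *enterprise_after, DEFAULT_RULE]


def evaluate(policy, src_ip: str, dst_ip: str, protocol: str):
    """First matching rule decides; returns (action, rule name)."""
    src_net, dst_net = classify(src_ip), classify(dst_ip)
    for rule in policy:
        if rule.matches(protocol, src_net, dst_net):
            return rule.action, rule.name
    raise AssertionError("unreachable: the Default rule matches everything")


# Rule sets modelled on Walkthrough L-1 (one system policy rule represented; array rules constructed).
SYSTEM_POLICY = [R("Allow VPN client traffic to ISA Server", "allow", {"PPTP"}, {"External"}, {"Local Host"})]
ENTERPRISE_BEFORE = [R("Block - Trojan horse traffic", "deny", {"TCP 12345", "TCP 31337"}, {"Internal"}, {"External"})]
ENTERPRISE_AFTER = [R("Baseline - Allow HTTP traffic to Internet", "allow", {"HTTP"}, {"Internal"}, {"External"})]
ARRAY_ALLOW_ALL = [R("Allow all outbound", "allow", ANY, {"Internal"}, {"External"})]
ARRAY_DENY_HTTP = [R("Deny HTTP from Internal", "deny", {"HTTP"}, {"Internal"}, {"External"})]


def demo() -> dict:
    """Evaluate representative traffic against three array policies (client 10.1.1.50, constructed peer 198.51.100.7)."""
    client, peer, results = "10.1.1.50", "198.51.100.7", {}
    p = effective_policy(SYSTEM_POLICY, ENTERPRISE_BEFORE, ARRAY_ALLOW_ALL, ENTERPRISE_AFTER)
    results["trojan_port_with_allow_all_array_rule"] = evaluate(p, client, peer, "TCP 12345")  # before-rule wins
    results["http_with_allow_all_array_rule"] = evaluate(p, client, peer, "HTTP")              # array rule first
    p = effective_policy(SYSTEM_POLICY, ENTERPRISE_BEFORE, ARRAY_DENY_HTTP, ENTERPRISE_AFTER)
    results["http_with_array_deny"] = evaluate(p, client, peer, "HTTP")                        # after-rule overridden
    p = effective_policy(SYSTEM_POLICY, ENTERPRISE_BEFORE, [], ENTERPRISE_AFTER)
    results["http_no_array_rule"] = evaluate(p, client, peer, "HTTP")
    results["ftp_no_array_rule"] = evaluate(p, client, peer, "FTP")                            # falls to Default rule
    results["vpn_from_external"] = evaluate(p, "203.0.113.9", "39.1.1.1", "PPTP")
    return results


if __name__ == "__main__":
    for case, (action, rule) in demo().items():
        print(f"{case:40s} {action:5s} by '{rule}'")
```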
To assign the Company Enterprise Policy to the ITALY array
1) In the left pane, right-click ITALY, and then click Properties.
2) In the ITALY Properties dialog box, select the Policy Settings tab.
   Currently the Default Policy enterprise policy is assigned to the ITALY array. Compare:
   - ISA Server 2006 Enterprise Edition: an array always has an assigned enterprise policy.
   - ISA Server 2000 Enterprise Edition: you can create an array that does not use an enterprise policy.
   Note that because you cannot modify the Default Policy enterprise policy, which only contains the Default rule, assigning Default Policy to an array is very similar to the ISA Server 2000 array-only configuration.
3) In the Enterprise policy list box, select Company Enterprise Policy.
   The Company Enterprise Policy is assigned to the ITALY array. Note that you can specify what types of rules the array administrator can create for the array firewall policy.
4) Click OK to close the ITALY Properties dialog box.

To assign the Company Enterprise Policy to the PORTUGAL array
1) In the left pane, right-click PORTUGAL, and then click Properties.
2) In the PORTUGAL Properties dialog box, select the Policy Settings tab.
   Currently the Default Policy enterprise policy is assigned to the PORTUGAL array.
3) In the Enterprise policy list box, select Company Enterprise Policy.
   The Company Enterprise Policy is assigned to the PORTUGAL array.
4) Click OK to close the PORTUGAL Properties dialog box.
5) In the left pane, collapse the PORTUGAL node.
   The PORTUGAL node is not used in later walkthroughs.

To create a new enterprise protocol definition
1) In the left pane, select Enterprise Policies.
2) In the task pane, on the Toolbox tab, in the Protocols section, on the New menu, click Protocol.
3) On the Welcome to the New Protocol Definition Wizard page, in the Protocol definition name text box, type Attack Ports, and then click Next. (See Figure L.1f.)
   You will use the Attack Ports protocol definition in a new enterprise access rule.
4) On the Primary Connection Information page, click New.
5) In the New/Edit Protocol Connection dialog box, complete the following information, and then click OK:
   - Protocol type: TCP
   - Direction: Outbound
   - From: 12345
   - To: 12345
   TCP port 12345 is used by many Trojan horse applications.
Figure L.1f
6) On the Primary Connection Information page, click New.
7) In the New/Edit Protocol Connection dialog box, complete the following information, and then click OK:
   - Protocol type: TCP
   - Direction: Outbound
   - From: 31337
   - To: 31337
   TCP port 31337 is also used by Trojan horse applications.
8) On the Primary Connection Information page, click Next. (See Figure L.1g.)
9) On the Secondary Connections page, click Next.
10) On the Completing the New Protocol Definition Wizard page, click Finish.
   A new enterprise protocol definition is created which defines ports used by Trojan horse applications. Note that the new enterprise protocol definition can be used in access rules in all enterprise policies, and in the array firewall policy of all arrays.
Figure L.1g

To create a new access rule in the Company Enterprise Policy
1) In the left pane, select Company Enterprise Policy, and then in the details pane, select Baseline - Allow HTTP traffic to Internet.
   The new rule will be placed before the selected rule.
2) In the task pane, on the Tasks tab, click Create Enterprise Access Rule.
3) On the Welcome to the New Access Rule Wizard page, in the Access rule name text box, type Block - Trojan horse traffic, and then click Next. (See Figure L.1h.)
4) On the Rule Action page, select Deny, and then click Next.
5) On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add.
6) In the Add Protocols dialog box, click User-Defined, click Attack Ports, click Add, and then click Close to close the Add Protocols dialog box.
Figure L.1h
7) On the Protocols page, click Next.
8) On the Access Rule Sources page, click Add.
9) In the Add Network Entities dialog box, click Enterprise Networks, click All Internal Networks, click Add, and then click Close to close the Add Network Entities dialog box.
10) On the Access Rule Sources page, click Next.
11) On the Access Rule Destinations page, click Add.
12) In the Add Network Entities dialog box, click Enterprise Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
13) On the Access Rule Destinations page, click Next.
14) On the User Sets page, click Next.
15) On the Completing the New Access Rule Wizard page, click Finish.
   A new enterprise access rule is created that denies certain network traffic from all internal networks to the External network for all users.
16) Right-click Block - Trojan horse traffic, and then click Move Up. (See Figure L.1i.)
   The access rule is now listed in the enterprise policy rules section that is before the Array Firewall Policy section. Array administrators cannot override this enterprise access rule in an array access rule.
   Note that by default, ISA Server blocks network traffic on all ports on the Internal network. The Block - Trojan horse traffic enterprise access rule prevents unintended access when an array administrator creates an array access rule that allows access to all protocols.
Figure L.1i

To assign the Default Policy to the ITALY array
1) In the left pane, right-click ITALY, and then click Properties.
2) In the ITALY Properties dialog box, select the Policy Settings tab.
3) In the Enterprise policy list box, select Default Policy, and then click OK.
   The Default Policy enterprise policy is assigned to the ITALY array.
4) In the left pane, select Firewall Policy (ITALY).
   Note that the firewall policy no longer contains the two enterprise access rules from the Company Enterprise Policy.
5) Click Apply to save the change, and then click OK. Wait until the Configuration Storage server status is Synced.

Walkthrough L-2: Configuring Network Load Balancing

ISA Server 2006 Enterprise Edition introduces a multi-networking model, which allows you to configure how policy should be applied between multiple networks. With this multi-networking model, ISA Server integrates Network Load Balancing (NLB) functionality, so that you can balance the load across all the array members on one or more networks. You can use ISA Server to configure and manage the NLB functionality of Microsoft Windows Server 2003 running on ISA Server arrays. When you configure NLB through ISA Server, NLB is integrated with ISA Server functionality. This provides important functionality that is not available in Windows NLB alone. In addition, ISA Server monitors the NLB configuration and discontinues NLB on a particular computer when the computer's status requires it. This prevents NLB from continuing to direct traffic to a computer whose state does not allow the passage of traffic. For example, if the network adapter on the computer fails, or if you stop the Microsoft Firewall service, ISA Server stops NLB-directed traffic from passing through that computer. When the issue is resolved, ISA Server again allows traffic to pass through that computer.

Note: This walkthrough requires you to set up four computers (using your virtual computer images): the Florence and Firenze ISA Server computers, the domain controller, Denver, and the client computer, Istanbul.

To enable NLB integration on the Florence computer
1) On the Start menu, click All Programs, click Microsoft ISA Server, and then click ISA Server Management.
2) In ISA Server Management, expand Arrays, expand ITALY, expand Configuration, and then in the left pane, select Networks.
3) In the details pane, select the Networks tab.
4) In the task pane, on the Tasks tab, click Enable Network Load Balancing Integration. (See Figure L.2a.)
   Enabling NLB integration results in the following two actions:
   - ISA Server controls the NLB driver and adds functionality, such as alerting the NLB driver when any ISA Server service fails and providing support for handling network traffic when NLB is enabled on multiple networks on the array.
   - ISA Server manages the configuration of NLB, and overrides any manual NLB changes you may make outside of ISA Server.
Figure L.2a
5) On the Network Load Balancing Wizard page, click Next.
6) On the Select Load Balanced Networks page, do not select any network, and then click Next.
   In this procedure, the wizard is only used to enable NLB integration. After the wizard is completed, you will enable NLB on the networks separately.
7) On the Completing the Network Load Balancing Integration Wizard page, click Finish.
   A message box appears, explaining that the name you specify for the Configuration Storage server should resolve to the intra-array IP address. This only applies if the Configuration Storage server is installed on an array member and NLB is enabled.
8) Click OK to close the message box.
9) In the left pane, right-click ITALY, and then click Properties.
10) In the ITALY Properties dialog box, select the Configuration Storage tab.
   The array uses the name Florence to specify the Configuration Storage server on the Florence computer. Both the Florence and Firenze computers use a Hosts file to resolve the name Florence to the intra-array IP address of Florence (23.1.1.1). This means that the array meets the requirement explained in the message box after you enabled NLB integration.
11) Click Cancel to close the ITALY Properties dialog box.

To enable NLB on the Internal network
1) In the left pane, select Networks, and in the details pane, on the Networks tab, right-click Internal, and then click Properties. (See Figure L.2b.)
2) In the Internal Properties dialog box, on the CARP tab, ensure that CARP is not enabled on this network.
   ISA Server supports the use of both CARP and NLB on the same network, but in this procedure, you will use only NLB.
Figure L.2b
3) On the NLB tab, do the following, and then click OK (see Figure L.2c):
   - Select Enable load balancing on this network.
   - Type 10.1.1.3 in the Virtual IP box.
   - Type 255.255.255.0 in the Mask box.
   The NLB virtual IP address is used on both array members. The address must be in the same IP subnet as the dedicated IP addresses on Florence (10.1.1.1) and Firenze (10.1.1.2).
Figure L.2c
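Two requirements stated in this procedure are easy to verify before clicking Apply: the virtual IP must be in the same subnet as every member's dedicated IP (and must not collide with one), and the Configuration Storage server name must resolve to the intra-array address when the server is an array member with NLB enabled. The following added example (not code from the evaluation guide or from ISA Server) performs both checks using the addresses and the name Florence from the walkthrough; the Hosts file content is a constructed sample of the entries the text describes.

```python
from ipaddress import ip_address, ip_interface

# Values from Walkthrough L-2: dedicated IPs on the Internal network, the chosen
# virtual IP and mask, and the Configuration Storage server name / intra-array address.
MEMBERS = {"Florence": "10.1.1.1", "Firenze": "10.1.1.2"}
VIRTUAL_IP, MASK = "10.1.1.3", "255.255.255.0"
CSS_NAME, INTRA_ARRAY_IP = "Florence", "23.1.1.1"

# Constructed sample of %SystemRoot%\system32\drivers\etc\hosts on an array member.
HOSTS_FILE = """# constructed hosts file sample
127.0.0.1       localhost
23.1.1.1        Florence    florence.fabrikam.com   # intra-array address of the CSS
23.1.1.2        Firenze
"""


def check_virtual_ip(vip: str, mask: str, members: dict) -> list:
    """Problems (empty if none) with an NLB virtual IP for the given array members."""
    problems = []
    subnet = ip_interface(f"{vip}/{mask}").network
    for name, dip in members.items():
        if ip_address(dip) not in subnet:
            problems.append(f"{name} dedicated IP {dip} is not in {subnet}")
        if ip_address(dip) == ip_address(vip):
            problems.append(f"virtual IP {vip} collides with the dedicated IP of {name}")
    if ip_address(vip) in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"virtual IP {vip} is the network or broadcast address of {subnet}")
    return problems


def parse_hosts(text: str) -> dict:
    """Map each hostname (lower-cased) to its address; this parser lets the first entry win."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def check_css_resolution(hosts_text: str, css_name: str, intra_array_ip: str) -> list:
    """The Configuration Storage server name must resolve to the intra-array address."""
    resolved = parse_hosts(hosts_text).get(css_name.lower())
    if resolved is None:
        return [f"{css_name} has no Hosts entry; resolution would fall back to DNS"]
    if ip_address(resolved) != ip_address(intra_array_ip):
        return [f"{css_name} resolves to {resolved}, expected the intra-array address {intra_array_ip}"]
    return []


def nlb_precheck(vip=VIRTUAL_IP, mask=MASK, members=MEMBERS, hosts_text=HOSTS_FILE,
                 css_name=CSS_NAME, intra_array_ip=INTRA_ARRAY_IP) -> list:
    """Combined pre-Apply check; an empty list means both requirements are met."""
    return check_virtual_ip(vip, mask, members) + check_css_resolution(hosts_text, css_name, intra_array_ip)


if __name__ == "__main__":
    print(nlb_precheck() or "NLB configuration passes both checks")
```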
  • 62. To examine the status of the NLB service on the Monitoring node on the Services tab 1) In the left pane, select Monitoring, and then in the details pane, select the Services tab. When NLB integration is enabled, ISA Server displays the status of the Network Load Balancing service on the Services tab. This is not a real Windows service, but represents the NLB network driver. Because you have not applied the configuration changes yet, the current status of the Network Load Balancing service is Unavailable. 2) Do not click Apply yet to save the changes. To apply the changes and restart the Microsoft Firewall service 1) In ISA Server Management, click Apply to save the changes. 2) In the ISA Server Warning dialog box, change the current selection, select Save the changes and restart the services, and then click OK. 3) Click OK to close the Saving Configuration Changes dialog box. 4) Wait until the Configuration Storage server status is Synced, and the NLB status is Running. This may take 5 to 10 minutes. After Florence and Firenze have received the new configuration, ISA Server enables and configures NLB on both computers. The NLB status Configuring means that the NLB driver is still converging the computers to a consistent state. Note that instead of waiting 5 to 10 minutes for NLB to converge, and display the status Running, you can continue with the next procedures. To create a new access rule 1) In the details pane, select the first rule in the Firewall Policy Rules list to indicate where the new rule is added to the rule list. 2) In the task pane, on the Tasks tab, click Create Array Access Rule. 3) On the Welcome to the New Access Rule Wizard page, in the Access rule name text box, type Allow Web access (NLB), and then click Next. (See Figure L.2d.) 4) On the Rule Action page, select Allow, and then click Next. 5) On the Protocols page, in the This rule applies to list box, select Selected protocols, and then click Add. 
6) In the Add Protocols dialog box, click Common Protocols, click HTTP, click Add, and then click Close to close the Add Protocols dialog box.
Figure L.2d
7) On the Protocols page, click Next.
8) On the Access Rule Sources page, click Add.
9) In the Add Network Entities dialog box, click Networks, click Internal, click Add, and then click Close to close the Add Network Entities dialog box.
10) On the Access Rule Sources page, click Next.
11) On the Access Rule Destinations page, click Add.
12) In the Add Network Entities dialog box, click Networks, click External, click Add, and then click Close to close the Add Network Entities dialog box.
13) On the Access Rule Destinations page, click Next.
14) On the User Sets page, click Next.
15) On the Completing the New Access Rule Wizard page, click Finish.
   A new firewall policy rule is created that allows the HTTP protocol from the Internal network to the External network.
16) Click Apply to apply the new rule, and then click OK. Wait until the Configuration Storage server status is Synced, and the NLB status is Running.

To connect to http://istanbul.fabrikam.com/web.asp using the Denver computer
In this procedure, you use the proxy server addresses 10.1.1.1:8080 and 10.1.1.3:8080.
1) On the Denver computer, open Internet Explorer. In the Address box, type http://istanbul.fabrikam.com/web.asp, and then press Enter. (See Figure L.2e.)
   The Web server information demo page for Istanbul appears. The Web server reports that the Web request was sent through Florence (39.1.1.1).
2) On the Tools menu, click Internet Options.
3) In the Internet Options dialog box, on the Connections tab, click LAN Settings.
   Note that currently Internet Explorer is still using IP address 10.1.1.1 (Florence) as the proxy server address. This means that all Web proxy traffic uses Florence. After you have enabled NLB, you should ensure that all client computers use the NLB virtual IP address as the proxy server address (for Web Proxy clients and Firewall clients), or as the default gateway (for SecureNAT clients).
Figure L.2e
4) In the Local Area Network (LAN) Settings dialog box, do the following, and then click OK:
   • Select Use a proxy server for your LAN.
   • Type 10.1.1.3 in the Address box.
   • Type 8080 in the Port box.
   • Select Bypass proxy server for local addresses.
5) Click OK to close the Internet Options dialog box.
6) On the toolbar, click the Refresh button. (See Figure L.2f.)
   The Web page reports that the Web request was sent through Firenze (39.1.1.2). The NLB process assigns the Web proxy connection from 10.1.1.5 to Firenze.
7) Close Internet Explorer.
Figure L.2f

Note: In the following tasks, you will enable NLB on the External network. This allows you to load balance incoming connections to published servers on your network.

To enable NLB on the External network using the Florence computer
1) On the Florence computer, in ISA Server Management, in the left pane, select Networks.
2) In the details pane, on the Networks tab, right-click External, and then click Properties.
3) In the External Properties dialog box, on the NLB tab, complete the following information, and then click OK: (See Figure L.2g.)
   • Select Enable load balancing on this network.
   • Type 39.1.1.3 in the Virtual IP box.
   • Type 255.255.255.0 in the Mask box.
4) In the task pane, on the Tasks tab, click Configure Load Balanced Networks.
   Instead of using the properties dialog box of a network to enable NLB on that network, you can also use the Network Load Balancing Wizard.
5) Click Apply to apply the changes, and then click OK. Wait until the Configuration Storage server status is Synced, and the NLB status is Running.
6) In the left pane, right-click Firewall Policy (ITALY), and then click Refresh.
   This step ensures that ISA Server Management rereads the IP addresses from the network adapters.
Figure L.2g

To create a new Web listener
1) In the left pane, select Firewall Policy (ITALY).
2) In the task pane, on the Toolbox tab, in the Network Objects section, right-click Web Listeners, and then click New Web Listener.
3) On the Welcome to the New Web Listener Definition Wizard page, in the Web listener name text box, type External Web 80 NLB, and then click Next.
4) On the IP Addresses page, select the External check box, and then click Address.
   Instead of listening on the dedicated IP addresses (39.1.1.1 and 39.1.1.2), we recommend listening only on the virtual IP address.
   Note that if you did not refresh ISA Server Management in the previous procedure, it is possible that 39.1.1.3 is not listed as a virtual IP address yet.
5) In the External Network Listener IP Selection dialog box, select the Specified IP addresses on the ISA Server computer in the selected network option, and then in the Available IP Addresses list, select 39.1.1.3, and click Add. (See Figure L.2h.)
6) Click OK to close the External Network Listener IP Selection dialog box.
   The Web listener will only listen on IP address 39.1.1.3, on the External network.
7) On the IP Addresses page, click Next.
8) On the Port Specification page, ensure that the HTTP port text box displays 80, and then click Next.
9) On the Completing the New Web Listener Wizard page, click Finish.
   A new Web listener (port 80 on IP address 39.1.1.3) with the name External Web 80 NLB is created.
Figure L.2h

To create a new Web publishing rule
1) In the details pane, select the first rule in the Firewall Policy Rules list to indicate where the new rule is added to the rule list.
2) In the task pane, on the Tasks tab, click Publish a Web Server.
3) On the Welcome to the New Web Publishing Rule Wizard page, in the Web publishing rule name text box, type Web Home Page NLB, and then click Next.
4) On the Select Rule Action page, select Allow, and then click Next.
5) On the Define Website to Publish page, complete the following information, and then click Next: (See Figure L.2i.)
   • Computer name or IP address: denver.contoso.com
   • Forward the original host header: disabled (default)
   • Path: (leave empty)
Figure L.2i
6) On the Public Name Details page, complete the following information, and then click Next: (See Figure L.2j.)
   • Accept requests for: This domain name (type below)
   • Public name: shop.contoso.com
   • Path: (leave empty)
   On Istanbul (Internet), the name shop.contoso.com must resolve to 39.1.1.3.
Figure L.2j
7) On the Select Web Listener page, in the Web listener list box, select External Web 80 NLB, and then click Next. (See Figure L.2k.)
8) On the User Sets page, click Next.
9) On the Completing the New Web Publishing Rule Wizard page, click Finish.
   A new Web publishing rule is created that publishes the Web site at denver.contoso.com (10.1.1.5) as shop.contoso.com on the External network on virtual IP address 39.1.1.3.
10) Click Apply to apply the new rule, and then click OK. Wait until the Configuration Storage server status is Synced, and the NLB status is Running.
Figure L.2k

To verify the IP address of shop.contoso.com, and then connect to http://shop.contoso.com/web.asp using the Istanbul computer
0) On the Istanbul computer, open a Command Prompt window.
1) At the command prompt, type ping shop.contoso.com, and then press Enter.
   In the Hosts file on Istanbul, shop.contoso.com is already defined as 39.1.1.3. Note that depending on the firewall policy rules that you may have created in earlier walkthroughs, you may receive replies to the ping requests to 39.1.1.3.
2) Open Internet Explorer. In the Address box, type http://shop.contoso.com/web.asp, and then press Enter. (See Figure L.2l.)
   The Web server information demo page on Denver appears. The Web server reports that the Web request was sent through Florence. The NLB process assigns the Web connection from Istanbul (39.1.1.7) to Florence. Note that because ISA Server blocks unsolicited network traffic on all networks, the request and reply must go through the same ISA Server computer. When ISA Server sends the Web request to Denver (10.1.1.5), it replaces the client address (39.1.1.7) in the network packet with its own dedicated IP address (10.1.1.1)
   on the Internal network. When Denver replies, it sends the reply back to the client IP address (10.1.1.1), which is automatically the correct ISA Server computer.
Figure L.2l
3) Close Internet Explorer.
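As an added pre-check, not part of the evaluation guide or of ISA Server itself, the following Python script validates the three conditions the NLB procedures in this walkthrough depend on: each NLB virtual IP lies in the same subnet as the array members' dedicated IPs (and does not collide with them), the Configuration Storage server name resolves to the intra-array IP in the Hosts file, and the Web listener binds only to the virtual IP. The topology values and the Hosts file content are constructed from the walkthrough's own addresses.

```python
import ipaddress

# Constructed topology from the walkthrough: Florence/Firenze dedicated IPs and the NLB VIPs.
ARRAY = {
    "Internal": {"dedicated": ["10.1.1.1", "10.1.1.2"], "vip": "10.1.1.3", "mask": "255.255.255.0"},
    "External": {"dedicated": ["39.1.1.1", "39.1.1.2"], "vip": "39.1.1.3", "mask": "255.255.255.0"},
}
CSS_NAME, INTRA_ARRAY_IP = "Florence", "23.1.1.1"
# Constructed sample of the Hosts file the walkthrough says Florence and Firenze use.
HOSTS_FILE = "# constructed sample\n127.0.0.1   localhost\n23.1.1.1    Florence\n"

def parse_hosts(text):
    """Map lower-cased host names to IPs from Hosts-file text, ignoring comments."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table[name.lower()] = fields[0]
    return table

def check_vip(net):
    """The NLB VIP must share the subnet of the dedicated IPs and not collide with them."""
    problems = []
    subnet = ipaddress.ip_network(f"{net['vip']}/{net['mask']}", strict=False)
    vip = ipaddress.ip_address(net["vip"])
    if vip in (subnet.network_address, subnet.broadcast_address):
        problems.append(f"VIP {vip} is the network or broadcast address of {subnet}")
    for ip in map(ipaddress.ip_address, net["dedicated"]):
        if ip not in subnet:
            problems.append(f"dedicated IP {ip} is outside {subnet}")
        elif ip == vip:
            problems.append(f"VIP {vip} collides with dedicated IP {ip}")
    return problems

def check_css_resolution(hosts_text, css_name, intra_array_ip):
    """With NLB on and the CSS on an array member, the CSS name must resolve to the intra-array IP."""
    resolved = parse_hosts(hosts_text).get(css_name.lower())
    if resolved == intra_array_ip:
        return []
    return [f"{css_name} resolves to {resolved}, expected intra-array IP {intra_array_ip}"]

def check_listener(listener_ips, net):
    """Web listeners should bind only to the VIP, never to a dedicated IP."""
    return [f"listener bound to dedicated IP {ip}" for ip in listener_ips if ip in net["dedicated"]]

def run_checks():
    # Empty lists mean the constructed topology satisfies every condition.
    result = {name: check_vip(net) for name, net in ARRAY.items()}
    result["css"] = check_css_resolution(HOSTS_FILE, CSS_NAME, INTRA_ARRAY_IP)
    result["listener"] = check_listener(["39.1.1.3"], ARRAY["External"])
    return result
```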
WALKTHROUGH M: BRANCH OFFICE VPN CONNECTIVITY WIZARD

1) On the Florence ISA Server 2006 computer, from the C:\Program Files\Microsoft ISA Server folder, run appcfgwzd.exe to open the ISA Server Branch Office VPN Connectivity Wizard. (See Figure M.1a.) Click Next.
2) On the Configuration Settings Source page, select Manually, and click Next. (See Figure M.1b.) Note that the wizard allows for the use of answer files.
Figure M.1a
Figure M.1b
4) On the Connection Type page, ensure that IP Security protocol (IPsec) tunnel mode is selected, and click Next. (See Figure M.1c.)
Figure M.1c
5) On the IP Connection Settings page, in the Network name text box, type Berlin. In the Remote VPN gateway IP address box, enter 39.1.1.8. In the Local VPN gateway IP address box, enter 39.1.1.1. (See Figure M.1d.)
Figure M.1d
6) On the Remote Site VPN IP Addresses page, click Add Range. Specify 10.2.1.100 through 10.2.1.200 as the range, and click OK. Click Next. (See Figure M.1e.)
7) On the IPsec Authentication page, select Use a server certificate for authentication, and click Next. (See Figure M.1f.)
Figure M.1e
Figure M.1f
8) On the IPsec Certificate page, click Use existing certificate. Click Browse, select Florence, and click Select. Click Next. (See Figure M.1g.) Note that you cannot complete the remainder of the steps in this exercise if the Florence server does not have the correct certificates loaded.
Figure M.1g
Figure M.1h
9) On the Ready to Configure the VPN Connection page, click Next. (See Figure M.1h.)
10) The Creating VPN Connection page appears, indicating that VPN settings are being applied. Upon completion, click Next. (See Figure M.1i.)
11) On the Join Remote Domain page, select Remain in a workgroup. (See Figure M.1j.)
12) On the Locate Configuration Storage Server page, in the Configuration Storage Server text box, type Florence. Ensure that Connect using the credentials of the logged on user is selected. Click Next. (See Figure M.1k.)
13) On the Array Membership page, select Join an existing array, and click Next. (See Figure M.1l.)
Figure M.1i
Figure M.1j
Figure M.1k
Figure M.1l
14) On the Join Existing Array page, click Browse, select ITALY, click OK, and then click Next. (See Figure M.1m.)
Figure M.1m
15) On the Configuration Storage Server Authentication Options page, ensure that Windows Authentication is selected, and click Next. A warning box appears to inform you that Windows Authentication cannot be used when ISA Server is in a workgroup. Click OK to acknowledge the warning. Select Authentication over SSL encrypted channel. Click Next. (See Figure M.1n.)
Figure M.1n
16) On the Ready to configure the ISA Server page, verify the configuration, and then click Next. (See Figure M.1o.)
17) The Configuring the ISA Server page appears. Upon completion of the configuration, click Next. (See Figure M.1p.)
Figure M.1o
Figure M.1p