
Microsoft ISA Server 2000 Configuration Notes

Version: 1.10
Date: 14th June 2004
Author: Matthew Cook

Contents

1. Introduction
   1.1 Background to the Bandwidth Management Advisory Service
   1.2 Introduction to WWW Caching
   1.3 Introduction to Microsoft ISA Server 2000
   1.4 Formatting conventions
2. Preparation
   2.1 Resources needed to install Microsoft ISA Server 2000
   2.2 Sizing for ISA Server
3. Installation of Windows 2000 Server
   3.1 Introduction
   3.2 Installation
   3.3 Post installation configuration
4. Patching and Securing Windows 2000 Server
   4.1 Install SP4 and Current Hotfixes
   4.2 Configure TCP/IP
5. Installation of Microsoft Internet Security and Acceleration Server
6. Patching of Microsoft Internet Security and Acceleration Server
7. Configuring Microsoft Internet Security and Acceleration Server
8. Upgrading from Microsoft Proxy Server 2.0
9. Upgrading to ISA Server, Enterprise Edition
10. Optimising ISA Server
11. Logging
12. Useful Resources and URLs

1. Introduction
1.1 Background to the Bandwidth Management Advisory Service

The United Kingdom Education and Research Networking Association (UKERNA), the organisation responsible for running JANET, the high speed academic and research computer network, has recently signed a contract with the University of Manchester to provide the JANET Bandwidth Management Advisory Service (BMAS) for the UK Higher and Further Education community. The Service's primary task will be to advise Higher Education (HE) and Further Education (FE) organisations on how to maximise the efficiency of their connection to JANET, thereby facilitating the best possible levels of service for their users.

The Service is operated by the University of Manchester and Loughborough University. This is a consortium that brings together a wealth of technical and user support expertise based on past experience in establishing and running a national web caching infrastructure (a very popular and effective form of bandwidth management) and an advisory service.

We are currently witnessing significant growth in the use of JANET and the Internet for e-learning and teaching, videoconferencing and video streaming, remote collaboration and many other real-time applications. The remit of BMAS, to provide advice on how best to use an organisation's bandwidth allocation, will help to identify, and hopefully resolve, some of the problems associated with increasing use of the above mentioned technologies. Work is currently underway to ensure that BMAS will be able to meet the challenge of delivering the best possible advisory service for these demanding environments in the coming months.
[George Neisser]

1.2 Introduction to World Wide Web (WWW) Caching

Bandwidth management encompasses many different techniques and technologies that help make best use of a bandwidth link. Caching is one of the oldest and most effective forms of bandwidth management and as such is widely used throughout many different types of establishments, including Internet Service Providers (ISPs). In WWW terms, a cache is a place where temporary copies of objects are kept. Essentially, once the object pointed to by a Universal Resource Locator (URL) has been cached, subsequent requests for the URL will result in the cached copy being returned, and little or no extra network traffic.

Caching is nothing new. Most modern computer systems use it in a number of places, to improve the performance of the main processor(s), speed up disk accesses and so on. Some components of the Internet have been caching for a long time, like the Domain Name System. The WWW has been a bit late to take up the idea, and it was not possibly catered for in its original design. As a result a great deal of WWW traffic is unnecessary, re-fetching from remote sites objects that someone else at one's own or a neighbouring site already has on their hard disk. As the Internet has become more and more popular, this repeated downloading of the same object has become a problem. Network links are getting clogged up, and popular sites often find their WWW server software or hardware is unable to cope with the volume of demand. Consequently, much work has been done (and is still being done) on retrofitting caching to the WWW design.

Some WWW browsers implement their own caches on disk and/or in memory. These usually use schemes that are specific to the browser in question and not shared by multiple users. This is a bad thing for users if they are part of a large organisation. Ideally it should be possible to pool all the browsers' caches of one organisation together.
[from the Janet Web Caching Service Home Page]

1.3 Introduction to Microsoft ISA Server 2000

Microsoft Internet Security and Acceleration (ISA) Server 2000 is an Internet firewall and web cache that is capable of integrating into an existing Windows infrastructure. Further details and resources are available at: http://www.microsoft.com/isaserver/

Firewalls prevent unauthorised access to an internal network by examining and stopping unwanted traffic. They also control users' access to Internet resources. Caching can improve network performance, resulting in faster object retrieval. The cache will store and serve the most requested items from local storage and can be tuned to fetch and refresh items automatically when extra bandwidth is available.

Microsoft ISA Server 2000 is a vast improvement over Microsoft Proxy Server 2.0 in terms of manageability and the fine granular controls available to control Internet usage. The inclusion of policy based access controls can restrict access to certain web sites by using a number of rules: time of day; user name; IP address; content type; website address.

There are various forms of caching, including:
- hierarchical caching: allowing one to set up a hierarchy of caches that requests can pass through, all with different or the same policy rule sets;
- reverse caching: with ISA Server accelerating the content of local web or FTP server farms, improving the retrieval rate of objects;
- scheduled caching: where ISA Server will pre-download and refresh content.

Figure 1 A basic network configuration with a proxy server (workstations on a LAN reaching SuperJANET4 and the Internet through a Proxy Server)

1.4 Formatting Conventions

Text as seen on screen: Courier New
Text typed at the keyboard or option to be selected: Courier New Bold
Menu Items, windows icons, tabs: Arial Bold
Important note: Italics

2. Preparation
2.1 Resources needed to install Microsoft ISA Server 2000

2.1.1 Hardware

Microsoft recommends an Intel Pentium II 300MHz processor, 20Mb of New Technology File System (NTFS) disc space and 256Mb RAM. The test system was an Intel Pentium II 450MHz processor, 2Gb system disc, with two 4Gb Small Computer System Interface (SCSI) drives and 256Mb RAM for the cache.

2.1.2 Essential Software

- Microsoft Windows 2000 (minimum SP1)
- Microsoft ISA Server 2000
- Service Packs and Patches

A 120 day evaluation copy of Microsoft ISA Server 2000 is available for free download from: http://www.microsoft.com/isaserver/evaluation/trial/default.asp

When using ISA Server in firewall or integrated mode, two network adapters are required. If hardware and software combinations different from those used to produce this guide are used, the dialogue boxes may appear slightly different to those shown here.

For remote management and administration purposes, only the ISA Management plugin needs to be installed. This is a Microsoft Management Console (MMC) snap-in, therefore an Operating System that supports MMC snap-ins is required. It is however recommended that Terminal Services in remote administration mode is installed on the server upon which ISA Server is installed.

2.2 Sizing for ISA Server

When installing ISA Server to use as a simple web cache (forward caching), the number of clients accessing the Internet at one time needs to be considered. The recommendations in Table 1 are Microsoft guidelines only. With the advent of faster machines, specifications will have to be adjusted accordingly.

Note: Setting up more than one ISA Server needs an upgrade to ISA Server, Enterprise Edition.

Table 1 Microsoft guidelines

Number of users    Machine                  RAM (Mb)   Disc Storage
up to 500          1 x Single PII 300MHz    256        2 - 4Gb
500 - 1,000        1 x Dual PIII 550MHz     256        10Gb
more than 1,000    2 x Dual PIII 550MHz     256        10Gb

3. Installation of Windows 2000 Server


This chapter is included to aid users installing Windows 2000 Server for the first time. Experienced users or users with a working system can skip this chapter.

3.1 Installation

1. Connect to a network drive with the Windows 2000 Server CD on and type winnt /B. Alternatively, boot the machine using the three floppies supplied and use a local CD-ROM drive.
2. Setup reports that Setup is inspecting the computer's hardware configuration. At this stage select F6 if a third party SCSI or mass storage driver needs to be installed.
3. Windows 2000 Server Setup begins. Press ENTER to set up Windows 2000 now.
4. Setup presents the Windows 2000 Licensing Agreement. Select PAGE DOWN to read the license agreement. Select F8=I agree or ESC=I do not agree.
5. Windows 2000 then lists the partitions available for installation and allows the partition table to be edited. After creating a partition upon which to install Windows 2000 Server, select ENTER to install into that partition.
6. The cursor keys will move the horizontal selection bar up and down the bottom half of the screen. Select D to delete the highlighted partition after the subsequent confirmation screens. Select C to create a partition in the Unpartitioned space.
7. After selecting the partition for installation, select the ENTER key.
8. Windows then prompts for the filesystem type: Format the partition using the NTFS filesystem or Format the partition using the FAT filesystem. It is strongly recommended all discs are partitioned as NTFS unless there are specific reasons not to, for example dual booting Operating Systems. An NTFS partition is needed for the caching discs.
9. Windows Setup will then format the disc using the file system type selected previously.
10. The system will then reboot.
11. Setup will continue and will report Windows 2000 Setup ... Please wait. Select <Next>.
12. Wait while Setup detects and installs devices such as the keyboard and mouse. This will take several minutes. During this time, the screen may flicker for a few seconds. Select <Next>.
13. Windows 2000 can be customised for different regions and languages. To change system or user locale settings from English (United States) to English (United Kingdom), select <Customize>. Select the English (United Kingdom) locale from the General tab and the English (United Kingdom) input language from the Input Locales tab.
14. Setup uses the information provided by the user to personalise the Windows 2000 software. Type the full user name and the name of the company or organisation. Select <Next>.
15. Windows 2000 supports two licensing modes. Select the licensing mode required, either Per server or Per seat. Select <Next>.
16. Computer Name and Administrator Password. Provide a name and an Administrator password for the computer. It is good practice to ensure the Windows name of the machine and the DNS entry are the same. Select <Next>.
17. Windows 2000 Components. Add or remove components of Windows 2000. As this is a server install, only a minimal number of components are necessary. The following list is a recommendation.
    In the Accessories and Utilities category: deselect Accessibility Wizard.
    In the Accessories subcategory: select Calculator; deselect Character Map; deselect Clipboard Viewer; deselect Desktop Wallpaper; deselect Document Templates; deselect Mouse Pointers; deselect Object Packager; deselect Paint; select WordPad.
    Deselect Communications; deselect Games.
    In the Multimedia subcategory: deselect CD Player; deselect Media Player; deselect Sample Sounds; deselect Sound Recorder; deselect Utopia Sound Scheme; select Volume Control.
    Deselect the Certificate Services category; deselect the Indexing Service component; deselect the Internet Information Services (IIS) category; deselect the Management and Monitoring Tools category; deselect the Message Queuing Services component; deselect the Networking Services category; deselect the Other Network File and Print Services category; deselect the Remote Installation Services component; deselect the Remote Storage component; deselect the Script Debugger component; select the Terminal Services component; deselect the Windows Media Services category.
    Select <Next>.
18. Date and Time Settings. Set the correct date, time and time zone for the computer. Select <Next>.
19. Terminal Services Setup. Terminal Services can be run in one of two modes, Remote administration mode or Application server mode. Select Remote administration mode. Select <Next>.
20. Networking Settings. Setup reports that it is installing networking software that allows connection to other computers, networks and the Internet.
21. Performing Final Tasks. During the final stages of Setup four tasks are completed: installation of Start menu items; registration of components; saving of settings; removal of any temporary files used.
22. Completing the Windows 2000 Setup Wizard. The final dialogue box states You have successfully installed Windows 2000. If there is a CD in your drive, remove it. Then, to restart your computer, select Finish. Select <Finish>. Windows 2000 will then restart.

3.2 Post Installation Configuration

1. Login as administrator with the password entered during install.
2. In the Windows 2000 Configure your server dialogue box, select I will configure this server later. Select <Next>. Deselect Show this screen at startup on the following page and close the window.
3. Install the drivers appropriate to the hardware installed in the machine.

4. Patching and Securing Windows 2000 Server


4.1 Install Microsoft SP4 and Current Hotfixes

Microsoft Security Baseline Analyzer is available from: http://www.microsoft.com/security/ This will check the installation against Microsoft's known patch list.

4.2 Configure TCP/IP

1. Select Start -> Settings -> Control Panel -> Network and Dial-up Connections.
2. Highlight Local Area Connection and select Properties.
3. Identification tab. Computer Name: enter the name of the machine exactly the same as the DNS entry. Workgroup: enter a suitable workgroup name.

5. Installation of Microsoft Internet Security and Acceleration Server


These notes cover the installation of Microsoft Internet Security and Acceleration Server 2001 Standard Release and are based on a test installation. For further information, please refer to the Microsoft ISA Server installation and deployment guide at: http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaentin.mspx

1. Execute setup.exe located in d:\isa on the supplied ISA CD-ROM.
2. A dialogue box will appear confirming that setup for Internet Security and Acceleration Server (Standard Edition) has been started. Select <Continue>.
3. Setup presents the End User License Agreement. After reading the terms and conditions, select <I Agree>.
4. Select the Custom Installation option.
5. Select ISA Services and Administration tools. Only select the Add-in Services option if the H.323 Gatekeeper service or Message Screener are required. Either or both of these services can be selected using the <Change Option> button.
6. Setup offers three options for ISA Server configuration: Firewall mode, Cache mode and Integrated mode. This guide is intended to cover the caching operations of ISA Server. It therefore assumes the user has selected the Cache mode option and has a separate firewall or is using router Access Control Lists (ACLs). For more details about configuring ISA Server in integrated mode please see the Microsoft ISA Server guide at: http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaentin.mspx
7. Configuration of which drives should be used for caching is largely hardware dependent. Cache drives can only be configured at this point if they have already been formatted with the NTFS file system. The speed at which ISA Server operates can be increased greatly with the number of hard discs in the system: the greater the number of spindles, the greater the throughput. It is also advisable not to have the cache discs in a Redundant Array of Inexpensive Discs (RAID) configuration. To configure the cache sizes, select <Set> and then <OK>.

Figure 2 MS specifying

8. Select the adapter upon which the internal network can be accessed and then construct the Local Address Table (LAT) that defines the addresses that can access the Internet through the ISA Server. This is extremely important to stop the machine becoming an open proxy. Select <OK>.

Note: When creating a LAT, only include the IP addresses on the local netblock. Including any IP addresses on the Internet, as well as the external interface of your ISA Server (if you have two network cards), could lead to further security issues with the system.

9. ISA Server includes a Getting Started Wizard that is the recommended way of starting the initial configuration, however it is best to finish patching ISA Server first. Deselect Start the ISA Server Getting Started Wizard. Select <OK>.
10. Setup should then report that Microsoft Internet Security and Acceleration Server Standard Edition Setup was completed successfully. Select <OK>.
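As an added check for step 8 (example code, not part of this guide or of ISA Server), the script below audits a candidate LAT offline before it is typed into the setup dialogue: it flags any entry that is not wholly inside the internal netblocks, that covers the external interface address, or that is reversed. All addresses are constructed sample values.

```javascript
// Added example: audit a candidate Local Address Table (LAT) before entering it
// into ISA Server setup. The guide's rule: the LAT must contain only the
// internal netblock(s), never Internet ranges or the ISA Server's own external
// interface address, or the machine can become an open proxy.

// Parse a dotted-quad IPv4 address into an unsigned 32-bit integer.
function ipToInt(ip) {
  const parts = ip.split('.').map(Number);
  if (parts.length !== 4 || parts.some(p => !Number.isInteger(p) || p < 0 || p > 255)) {
    throw new Error('bad IPv4 address: ' + ip);
  }
  return ((parts[0] << 24) >>> 0) + (parts[1] << 16) + (parts[2] << 8) + parts[3];
}

// Parse "a.b.c.d/n" into [network, mask], both unsigned 32-bit integers.
function parseCidr(cidr) {
  const [net, bitsStr] = cidr.split('/');
  const bits = Number(bitsStr);
  if (!(bits >= 0 && bits <= 32)) throw new Error('bad prefix length: ' + cidr);
  const mask = bits === 0 ? 0 : (0xffffffff << (32 - bits)) >>> 0;
  return [(ipToInt(net) & mask) >>> 0, mask];
}

// True when every address in [first, last] lies inside one of the CIDR blocks.
function rangeWithin(first, last, cidrs) {
  return cidrs.some(c => {
    const [net, mask] = parseCidr(c);
    const lo = net;
    const hi = (net | (~mask >>> 0)) >>> 0;
    return first >= lo && last <= hi;
  });
}

// Audit a LAT given as {from, to} ranges, the way the setup dialogue takes them.
// internalNets: the organisation's internal netblocks in CIDR notation.
// externalIfAddr: the ISA Server's external adapter address, or null if single-homed.
// Returns a list of findings; an empty list means the LAT is clean.
function auditLat(latEntries, internalNets, externalIfAddr) {
  const findings = [];
  const ext = externalIfAddr ? ipToInt(externalIfAddr) : null;
  for (const e of latEntries) {
    const first = ipToInt(e.from);
    const last = ipToInt(e.to);
    if (first > last) {
      findings.push(`${e.from}-${e.to}: range is reversed`);
      continue;
    }
    if (!rangeWithin(first, last, internalNets)) {
      findings.push(`${e.from}-${e.to}: not entirely inside the internal netblocks`);
    }
    if (ext !== null && first <= ext && ext <= last) {
      findings.push(`${e.from}-${e.to}: includes the external interface address ${externalIfAddr}`);
    }
  }
  return findings;
}

// Constructed sample site: internal block 10.20.0.0/16; the external adapter
// sits on 192.0.2.10 (a documentation address standing in for a real one).
const internalNets = ['10.20.0.0/16'];
const externalIf = '192.0.2.10';

const goodLat = [{ from: '10.20.0.0', to: '10.20.255.255' }];
const badLat = [
  { from: '10.20.0.0', to: '10.20.255.255' },
  { from: '10.20.9.0', to: '10.20.1.0' },            // typed the wrong way round
  { from: '192.0.2.0', to: '192.0.2.255' },           // external subnet: open-proxy risk
  { from: '0.0.0.0', to: '255.255.255.255' },         // "everything": definitely wrong
];

console.log(auditLat(goodLat, internalNets, externalIf)); // []
console.log(auditLat(badLat, internalNets, externalIf));  // five findings
```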

6. Patching of Microsoft Internet Security and Acceleration Server


1. Download Service Pack 2 for ISA Server from: http://www.microsoft.com/isaserver/downloads/
2. Execute the downloaded executable, isasp2-ENU.exe, and wait for the machine to reboot.
3. Keep up to date with essential security patches, either by joining the Microsoft Security Bulletin mailing list or regularly reading another security list or web site.

7. Configuring Microsoft Internet Security and Acceleration Server


7.1 Introduction

After installation and patching, management of ISA Server is through two menu items in the Microsoft ISA Server program group in the Start menu. Select Start -> Programs -> Microsoft ISA Server and the ISA Management console will load. This can also be accessed by adding an MMC snap-in.

Figure 3 The ISA Management Console

Microsoft has included a Getting Started Wizard to ease initial configuration of ISA Server. Clicking the Getting Started Wizard icon will present a set of eight configuration dialogues for the initial configuration. In a change from the configuration for Microsoft Proxy Server 2.0, ISA Server relies on the creation and configuration of Rules and Policies. Rules are a series of statements that define a series of access controls to allow access to sites, content and protocols. Policy elements that can be defined include: Schedules, Destination Sets, Client Address Sets, Protocol Definitions, Content Groups and Dial-up Entries. The first items for configuration are the elements that allow fine granular control over access to the Internet. Select which elements control access to the Internet from a list of Users and Groups, Computer names or IP address, Schedules or Destination sets. It is recommended to keep all options selected to allow future expansion and changes to policy.

7.2 Schedules

The next option is to configure and add Schedules to help manage access to the Internet via the ISA Server. Two schedules are already predefined; Weekends and Work hours. Alter these by double clicking on the clock icons in the window, select the Schedule tab and mark the hours active or inactive. Add further schedules by clicking the Create a Schedule icon which will allow schedules to be configured to allow different types of access for example during a lunch hour.

Figure 4 Configuring Schedules

Select the Configure Client Sets option. Client sets allow different levels of access to be given to different ranges of IP addresses. It may be that the creation of a client set for students and one for staff is satisfactory, or perhaps an extra set for open access PCs is required.

7.3 Protocol rules

These allow the definition of which protocols can be used to access the Internet. For example, all open access PC labs could be restricted to HTTP only, or File Transfer Protocol (FTP) could be allowed only to staff PCs. To create protocol rules, navigate a multi stage wizard.

Figure 5 Protocol Rules

The first dialogue box requires only the name of the protocol rule to be entered. The second dialogue box confirms if the rule is to allow or deny use of the protocol.

Figure 6 Allow and Deny Rules

The next stage is to choose how to apply the rule and which protocols to apply the rule to.

Figure 7 Applying rules to protocols

After defining the protocols that form the rule, the powerful interaction between the rules being defined and the elements that give fine granular control over access (i.e. Users and Groups, Computer names or IP address) will be discovered. The next dialogue box allows a schedule to be associated with this protocol rule, to define at which time of day access is granted.

Figure 8 Schedules

The next dialogue box allows further defining of the rule by applying restrictions to specific computers, users and groups, or leaving the rule to apply to any request.

Figure 9 Applying restrictions

The final dialogue screen will show a summary of the completed protocol rules that have been defined.

7.4 Destination sets

The Getting Started Wizard's next configuration section is for Destination Sets. This allows grouping of machines on the Internet by either Fully Qualified Domain Name (FQDN) or IP address. Such lists could be used to restrict access to some websites at certain times of the day or to certain groups of users. A common usage is to restrict sites that teaching staff would prefer students not to visit during teaching time. A list could be created to include the machines providing the Hotmail service, so that student machines accessing the Hotmail service during school hours could have their request refused and logged.

If an ISDN or traditional dial-up link is used for a primary or backup connection for the ISA Server, the configuration is added in the Dial-Up configuration wizard. This will, for example, then allow the backup route to be brought up if the primary route fails.

Figure 10 The dial-up configuration wizard

Configuring Routing for Web Browser Applications allows the routing of all the web traffic to be defined. Configuration is in five tabs: General; Destinations; Action; Cache; Bridging.

Figure 11 Default rule properties

The Destinations tab allows the redirection of the destination traffic to an upstream proxy server or direct to the Internet. Rules can be applied to the ISA Server to allow staff traffic to go direct to the Internet, whilst student traffic is directed to a content filter.

The Action tab for the default rule has similar configuration options to those included in Microsoft Proxy Server 2.0. There are three options for processing requests:
- Retrieving them directly from the specified destination: all objects not in the cache (if enabled) are fetched directly from the source site.
- Routing them to a specified upstream server: all objects not in the cache (if enabled) are fetched from an upstream server, which can be another web cache or, more commonly, a content filtering service.
- Redirecting them to a hosted site: all objects not in the cache (if enabled) are redirected to a hosted site, which is useful when combined with ISA Server rules to redirect requests for certain content to a set of informational pages.

Figure 12 Default rule properties - Actions

At this stage of configuration the Cache tab entries will be greyed out. The caching facilities in ISA Server can be configured later. The Bridging tab allows configuration of how HyperText Transfer Protocol (HTTP) and Secure Sockets Layer (SSL) traffic are redirected. The default configuration is to redirect HTTP requests as HTTP and to redirect SSL requests as HTTP. It is not recommended to redirect normal HTTP requests to the destination site as SSL, due to increased overheads and the risk of destination sites not supporting SSL.


If SSL content is not being allowed to pass directly through the cache without being intercepted, then configuring SSL requests to be forwarded on from the ISA Server as SSL will keep the requests from the clients secure.

7.4 Caching policy

The final stage of the Getting Started Wizard is the configuration of the Caching Policy.

Figure 13 Cache configuration properties

Double clicking on the Configure Cache Policy icon opens a dialogue box with five tabs: General; HTTP; FTP; Active Caching; Advanced.

Figure 14 Cache configuration properties - HTTP

The first tab, General, shows the total cache size configured for the server, as configured at installation. The HTTP tab allows HTTP caching to be enabled on the ISA Server. This is strongly recommended unless the ISA Server is acting as an upstream content filter with third party software installed. It is recommended that the default expiry setting is left as Normally, unless the external link is saturated, in which case trying to extend the life of cached objects may be of benefit. This may be done at the expense of possibly providing stale content to users.

The FTP tab allows caching for FTP objects to be enabled on ISA Server. This is useful for the small number of downloads linking to an FTP server from websites. As files transferred via FTP are often quite large, care must be taken to monitor the cache disc space. If more disc space is available, the Time to Live (TTL) can be tweaked. For a site with approximately 500 users with average browsing habits and 40Gb of cache space, the TTL can safely be configured to be several days.

Figure 15 Cache Configuration Properties - FTP

Active caching can really benefit sites that have a permanent Internet connection that is heavily saturated during the day and under utilised during the evening and night time.

Figure 16 Cache Configuration Properties - Active Caching

There are three options when active caching is enabled:
- Frequently: ISA Server will frequently update the cached content to ensure that items are up to date, refreshing the TTL to avoid client machines being served stale content or having to wait for each request to be fetched from source.
- Normal: ISA Server will balance the extra network traffic caused by active caching against the risk of client machines being served stale content or having to wait for each request to be fetched from source.
- Less frequently: the best option for sites with low bandwidth links. ISA Server will be conservative over what content is fetched to refresh the cache content.

The Advanced tab contains more advanced configuration options, many of which are advised to be left at the default.

Figure 17 Cache Configuration Properties - Advanced

Do not cache objects larger than is a useful aid to avoid caching the 200Mb download that one user may download and no one else will. Most white papers recommend sizes between 32Mb and 50Mb, although with increased file sizes and inexpensive discs becoming commonplace, this can be increased. A useful measurement is the size of the average Microsoft Windows Service Pack, which is something that will probably be wanted cached, as opposed to a 650Mb ISO image. Therefore, considering the number of patches usually downloaded by users that run in to several megabytes, increasing this figure will reduce the bandwidth demands of continued retrieval from source.

Cache objects that have an unspecified last modification time and Cache objects even if they have an HTTP status code of 200 are recommended to be left as default.

Cache dynamic content is an excellent method of ensuring content gets cached where sites insist on marking static content as dynamic, or use obfuscated ways of serving pages via PHP Nuke and similar. The downside of caching dynamic content results from poorly written e-commerce sites where pages may get cached that contain users' personal details.

ISA Server keeps content in RAM as well as on disc to speed up delivery of content to clients. The Maximum size of URL cached in memory setting should be set according to the memory available in the machine. The recommended setting is 12800 bytes for every 256Mb of memory available.

ISA Server can ignore some expired object rules if the original site cannot be reached. It is recommended to leave the configuration as per default to allow pages to continue to be served during an extended outage of a remote web server, even if the content is stale. Stale content is usually better than no content at all!

Set the Percentage of free memory to 75%. This seems to be the optimum configuration after testing various settings whilst monitoring machine performance using Performance Monitor. Results may, however, vary from site to site.

Select Exit the Getting Started Wizard. This completes enough configuration to get ISA Server up and running as a web cache.

7.5 Further Configuration

For further configuration, links to the dialogue boxes can be reached via the console hierarchy on the left of the administration tool or via the task pads in the right hand pane. Three of the main day-to-day tasks available from the Task pad are: Servers and Arrays, Backup and Monitoring. Servers and Arrays lists the servers in the array which can be managed, along with further details: descriptions, type, mode, date created and uptime. The Connect To and Disconnect From icons allow configuration of remote machines and arrays.

Figure 18 Task pad Configure Servers and Arrays

Selecting Configure Servers and Arrays allows changes and additions to be made to the settings added in the Getting Started Wizard. The three options Configure Access Policy, Configure Network Connection and Configure Cache were covered in the Getting Started Wizard. Configure Publishing Policy for forward caching is not covered in this guide. For more information on this subject see the Microsoft ISA Server guide at: http://www.microsoft.com/isaserver/

Figure 19 Set configuration

The second option from the main welcome Task Pad in the administration tool is Backup. It is strongly recommended that you back up the server configuration after any changes have been made or before any upgrade or patching operations. After selecting the Back Up Selected Server or Array Configuration option, a dialogue box is presented.

Figure 20 Task pad Back up and Restore

This allows all configuration details to be stored in a file in a directory on the local machine or, better still, on a remote system as backup. Enter a suitable local path or Universal Naming Convention (UNC) address. The Comment field is useful to record the changes made, on which date and who made them.

Figure 21 Back up array dialogue box

The third option from the main welcome Task Pad in the administration tool is for monitoring. Common monitoring tasks for the purpose of troubleshooting and performance monitoring are available from three options: Monitor Alerts; Monitor Servers and Services; Monitor Sessions.

Figure 22 Task Pad Monitor Servers and Arrays

Selecting Monitoring Alerts will display the alerts that are written to the Event Viewer. Issues such as the ISA Server services failing to be started can be diagnosed from this Task Pad.

Figure 23 Monitor Alerts

Selecting Monitoring Servers and Services shows the system services associated with ISA Server and their current status. Services can be started and stopped as required for maintenance and troubleshooting purposes.

Figure 24 Monitor Servers and Services

The most useful Monitoring Task pad, Sessions, is used for monitoring all active client sessions that are using the Microsoft ISA Server. Before stopping services for maintenance, the number of users using the service can be checked. Sessions can also be disconnected and therefore moved to another server in the array. The Task Pad can also be used to just check the load on the ISA Server at any time.

Figure 25 Monitor Sessions

8. Upgrading from Microsoft Proxy Server 2.0


Many Microsoft products support migration to newer versions with varying degrees of success. Microsoft ISA Server supports a migration from Microsoft Proxy Server 2.0 running on Windows NT 4.0 or Windows 2000. For the purposes of this guide, a migration from Microsoft Proxy Server 2.0 running on Windows NT 4.0 SP6a to ISA Server Standard Edition on Windows 2000 was completed. This information is based on the Microsoft whitepaper at: http://www.microsoft.com/technet/prodtechnol/isa/deploy/isaentin.mspx

Microsoft gives several reasons for upgrading to ISA Server, although one of the main reasons, security patch support for older products, seems to have been omitted:

- A multilayer firewall that features stateful inspection, broad application support, and integrated intrusion detection. Stateful inspection firewalls inspect more than just the packet header; they also track the connections across the firewall interfaces, therefore allowing for greater control.
- Integrated Virtual Private Networking.
- System hardening.
- RAM caching and optimised cache store, including scheduled content download.
- Unified management console, including graphical taskpads and wizards for common tasks.
- Transparency for all clients.
- Advanced monitoring features, including customisable alerts, detailed logging and reporting.
- Extensible platform with a Software Development Kit.

Before you start the upgrade process, Microsoft warn of several issues:

- Upgrading from Microsoft Proxy Server 1, BackOffice Server 4.0 or Small Business Server 4.0 is not supported.
- There is no automatic option to return to Microsoft Proxy Server 2.0 once the upgrade to ISA Server has been started.
- ISA Server does not support the legacy IPX protocol.
- As ISA Server cannot run under Windows NT 4.0, an operating system upgrade also has to be performed.

To do this: firstly shut down any running applications and stop the following services, wspsrv, mspadmin and w3svc, either using the net stop command or from the Services applet in Control Panel. Insert the Windows 2000 CD-ROM and start the upgrade procedure. During the upgrade there may be warnings about compatibility issues between Microsoft Proxy Server 2.0 and Windows 2000. These can be ignored for the sake of this upgrade. After Windows 2000 has been installed, ensure that the operating system has the latest service pack installed and all the relevant post service pack hotfixes have been applied.

Running the ISA Server upgrade option from the install CD-ROM follows the same installation routine that is covered in section 4 with a few exceptions. Most Microsoft Proxy Server 2.0 rules, network settings, monitoring configuration and cache configuration will be migrated across. It is recommended that a backup is taken of the cache logs before the system is migrated: during testing, the old Microsoft Proxy Server 2.0 logs were removed by the upgrade process. Microsoft Proxy Server 2.0 listens for HTTP requests on port 80, whereas ISA Server listens on port 8080. You can either change the port that ISA Server listens on back to 80, or update all the clients, manually or through a proxy.pac file.
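Updating the clients through a proxy.pac file, as mentioned above: the following is an added example and not code from the original guide. The proxy host name isa.example.ac.uk, the local DNS domain and the private address ranges are assumptions for illustration.

```javascript
// Added example, not from the original guide: a proxy auto-configuration
// (PAC) file that repoints clients from Microsoft Proxy Server 2.0 on
// port 80 to ISA Server on port 8080. The proxy host name, the local DNS
// domain and the private address ranges below are assumed values.

var ISA_PROXY = "PROXY isa.example.ac.uk:8080";

// Browsers supply isPlainHostName, dnsDomainIs and isInNet to PAC scripts.
// The fallbacks below are only used when those are absent (e.g. under
// Node.js), so the same file can be exercised outside a browser.
if (typeof isPlainHostName === "undefined") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs === "undefined") {
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet === "undefined") {
  // Dotted-quad comparison only; the browser version also resolves names.
  var isInNet = function (ip, pattern, mask) {
    var a = ip.split("."), p = pattern.split("."), m = mask.split(".");
    if (a.length !== 4) return false;
    for (var i = 0; i < 4; i++) {
      if ((a[i] & m[i]) !== (p[i] & m[i])) return false;
    }
    return true;
  };
}

function FindProxyForURL(url, host) {
  // Unqualified names and hosts in the local domain bypass the proxy
  if (isPlainHostName(host) || dnsDomainIs(host, ".example.ac.uk")) {
    return "DIRECT";
  }
  // Literal RFC 1918 addresses also go direct; the host is compared as a
  // string so no DNS lookup is needed to make the decision
  if (isInNet(host, "10.0.0.0", "255.0.0.0") ||
      isInNet(host, "172.16.0.0", "255.240.0.0") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else is sent to ISA Server on 8080 rather than port 80
  return ISA_PROXY;
}
```

Clients that keep a hard-coded proxy of the old server on port 80 will fail after the migration, so serve this file from the location the browsers are already configured to fetch it from and check the change on a test client first.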
NB: All cached content on the system will be lost during the upgrade, so initial performance may be worse on the new system, even after hardware and/or software upgrades, until the cache can be re-populated. SOCKS configuration from Microsoft Proxy Server 2.0 cannot be migrated and SOCKS rules must be re-entered. Microsoft lists how the rules and policies will be migrated:

Microsoft Proxy Server 2.0          ISA Server
Domain filters                      Site and content rules
Winsock permission settings         Protocol rules
Publishing properties               Web publishing rules
Static packet filters               Open or blocked IP packet filters
Web proxy routing rules             Routing rules

Figure 26 Microsoft Rules and Policies migration table

Additional configuration settings, including local address tables, automatic dial settings, alerts, log settings and client configurations, are also copied. It is recommended to allow two days for a full backup, archive, upgrade and configuration of a migration from Microsoft Proxy Server 2.0 running on Windows NT 4.0 to ISA Server running on Windows 2000. Unless a lot of time has been invested in very specific configuration of the rules within Microsoft Proxy Server 2.0, so that retaining the configuration is desirable, it may be more effective to start from scratch with a fresh install of Windows 2000 and ISA Server.

9. Upgrading to ISA Server, Enterprise Edition


Microsoft recommends upgrading to the Enterprise Edition of ISA Server for three reasons:

- it can be deployed in multi-server arrays for better scalability, performance, fault tolerance and centralized management;
- it supports two levels of policy management: array policy, which can be applied to an entire array of servers, and enterprise policy, which can be applied to all the arrays in the organisation;
- there is no restriction on the number of processors on the ISA Server computer (Standard Edition is restricted to four processors).

There are four stages to upgrading from the Standard to the Enterprise Edition of ISA Server.

1. Back up the existing ISA Server Standard Edition policy.
2. Run Setup from the ISA Server Enterprise Edition CD-ROM; this will upgrade the installation to Enterprise Edition in a stand-alone configuration.
3. Run the ISA Server Enterprise Edition Initialization program if you wish to install the ISA Server array schema into Active Directory. This is a one-way operation that cannot be undone. If you are using ISA Server in a stand-alone configuration you can ignore this stage.

Figure 27 ISA Server Initialisation Tool

4. If not running in stand-alone mode, the server needs to be promoted to an array member. Select the machine to promote in the console tree of ISA Management, right click and select Promote.

10. Optimising ISA Server and Troubleshooting


10.1. Managing bandwidth on low bandwidth links

If the bandwidth of an external link is saturated with traffic from Microsoft ISA Server, bandwidth for other applications can be increased by restricting the bandwidth for certain requests via the Microsoft ISA Server. The bandwidth rule wizard allows rules to be created to limit the bandwidth available to requests matching the familiar rule set available in Microsoft ISA Server. The bandwidth rule is then given a specific priority against the default bandwidth rule. Further information is available at: http://support.microsoft.com/default.aspx?scid=kb;en-us;302875

10.2. Screensavers

Careful consideration of screensaver selection can reduce processor utilisation by as much as 50%. OpenGL and 3D screensavers cause a lot of processor utilisation, thus restricting processor time for network services such as a proxy server. A simple textual screensaver like Marquee is often recommended because it reminds people that the machine is powered on without draining processor resources; however, even the text screensaver uses up resources. It is far better to use the 'blank-screen' screensaver and stick a Post-it note on the monitor.

10.3. Background Processes

Background processes on machines consume CPU cycles and can cause latency when processing web requests. It is recommended that processes like SETI@Home and DNETC are removed.

10.4. Cache initialisation errors

One of the frequent errors encountered after installation is "Cache initialisation failure" or "Cache container initialisation error". This occurs when the rest of the partition where Microsoft ISA Server is installed has been allocated for use as a cache. Further information is available at: http://support.microsoft.com/?kbid=284550

11. Logging
11.1. Logging in Microsoft ISA Server

When debugging problems in any piece of software, logging is an essential part of the process. Microsoft ISA Server stores various logs for the purpose of debugging as well as traceability. The logs are accessed from the Microsoft ISA Server MMC tool. Expand the Monitoring Configuration to show the configuration options and the logs available. The Monitoring Configuration section is split into three sections: Alerts, Logs and Report Jobs.

Alerts: These are primarily concerned with the firewall element of ISA Server and can produce an e-mail alert for the system administrator, send a pop-up or even start a program or script. Although the pre-defined alerts are biased towards the firewall elements, there are several caching-related alerts and always the opportunity to create one's own.

Logs: Three elements of ISA Server are recorded and configured here. What is recorded for packet filters, the Firewall service and the Web Proxy service can be configured.

Report Jobs: Reports allow details to be extracted from the logging to produce only the information required for logging tasks. Reports can be created for various events and then retrieved as and when required.

The Monitoring section in the Microsoft ISA Server MMC tool allows the reports and monitoring configured earlier to be viewed. There are four sections available:

Alerts: Any current alerts can be viewed in this window and reset.

Services: Any Windows services associated with Microsoft ISA Server can be started and stopped, along with information on their current status.

Sessions: All active sessions are displayed in this window, with an option to disconnect any as required.

Reports: Any reports configured previously are displayed here in two sections: Summary and Web Usage.

11.2. Logging to an alternative location

For large scale installations, logging to an alternative location might be a desirable alternative to logging internally. If advanced reporting tools are going to be developed, Structured Query Language (SQL) queries might be an easier method of data extraction than those currently available. Further information is available at: http://www.isaserver.org/tutorials/How_to_setup_SQL_Logging_in_ISA_Server.html

12. Useful Resources and URLs


Microsoft's homepage for ISA Server. Useful documentation, security announcements, patches and white papers.
http://www.microsoft.com/isaserver/

A comprehensive resource of articles, reviews and advice for running ISA Server.
http://www.isaserver.org/

Configuration details for ISA Server, including commercial security and configuration packages.
http://www.indepth-tech.com/ISAServer/

Copyright
Screen shots reprinted by permission from Microsoft Corporation.
