How to publish SBS 2008 using a Server 2003 with ISA 2006 SE - part 1

By Robert Pearman

This article assumes you have already set up the Small Business Server 2008 and are connected to the Internet using a router. The Small Business Server is using the IP address 192.168.80.5 / 255.255.255.0. The router is using the IP 192.168.80.2 / 255.255.255.0 (this will change to 192.168.178.1). DHCP has been disabled on this router.

During this guide the ISA Server computer will be configured to have two interfaces: one named ‘Internal’, 192.168.80.10 / 255.255.255.0, and one named ‘External’, 192.168.178.10 / 255.255.255.0. At this point the cable should not be connected to the external NIC.

You will need to have access to the ISA Server 2006 media, and I would suggest downloading ISA 2006 SP1 to a USB drive as well as the ISA Server Best Practices Analyzer. An updated version of the ISA Firewall Client which supports Windows Vista is available from Microsoft.com. Make sure you have the required drivers for your hardware.

REMEMBER THE IP ADDRESSES USED IN THIS ARTICLE ARE FOR EXAMPLE PURPOSES ONLY

Your network will be similar in design to this:

After we have finished the installation it will be more like this:

Install Windows Server 2003 on your server

The first task is to install the OS on your Windows Server 2003 computer. I’ll assume you know how to do this, so there is no detailed explanation, but a few screen shots should help those who don’t.

Configure the network adapters on our Windows 2003 server

Once the OS is installed, make sure all your NICs are available; if they are not, install the drivers. We can statically assign the IP address of your internal NIC. Click Start > Run, enter ‘ncpa.cpl’ in the Run box and click OK.

Right click the NIC that will be your internal interface, click Rename and type ‘Internal’. Repeat this process for the NIC that will be your external interface, but use the name ‘External’.

Now we will set the IP address of your Internal NIC. Right click the Internal NIC, go to Properties, then select ‘Internet Protocol (TCP/IP)’ and click Properties. Set the IP address to 192.168.80.10, the Subnet Mask to 255.255.255.0 and the Gateway to 192.168.80.2 (that is the IP address of your router), and finally set the preferred DNS server to our SBS 2008, which runs on 192.168.80.5. Click OK and then close the Network Connections window.

Join the Windows 2003 Server to your SBS 2008 network

There are two schools of thought on the next stage: whether your ISA Server should be a member of the domain. I prefer to have mine in the domain so we can use the power of Active Directory groups to control Internet access. There are pros and cons to each method (the other being to have ISA in a separate domain, or in a workgroup). I am assuming you’ll be putting it into the domain, so with that in mind we need to join the computer to the SBS domain.
We don’t use the /connectcomputer wizard to join servers to SBS domains anymore (indeed /connectcomputer has been removed in favor of http://connect for client workstations); instead we use the old-fashioned way of joining your machine to the domain.

Click Start, right click ‘My Computer’ and click Properties. In the System Properties window, click ‘Computer Name’ and then click ‘Change’. Click the radio button next to ‘Domain’ and enter your internal domain name. Click OK and, when prompted, enter the credentials of an account that can join a machine to the domain. When you are welcomed to the domain, reboot your server.

Install Scalable Networking Pack (SNP) and change the default gateway on the Internal NIC

Once rebooted, I would suggest you install all available Windows Updates and make sure all the drivers you require are installed. Remember we will have two NICs, so make sure they are both installed correctly. If you do not wish to install the Windows updates at this point, make sure to disable the Scalable Networking Pack (SNP) (KB948496).

When you have logged on, click Start > Run, type ncpa.cpl and click OK. Right click the ‘Internal’ NIC and go to Properties, highlight TCP/IP and click Properties. Delete the IP address in the default gateway field and click OK.

This is the last step to prepare your server for the installation of ISA Server. At this point your server will be a member server in the domain and have a static IP valid on your internal network; it will NOT have any default gateway set on its internal NIC, and it will be using the SBS Server as its preferred DNS server.

Move your ISA 2006 server to the correct OU on your SBS 2008

From Administrative Tools open ‘Active Directory Users and Computers’. Expand your domain, expand ‘My Business’, expand SBSComputers, expand Client Computers, select your ISA Server computer from the list, right click it and click Move.
In the Move dialog box, drill down to find SBSServers and select to move the ISA Server into this OU. This will ensure it is in the correct place in the SBS Console. Close Active Directory Users and Computers.

Export your certificates

For ISA to publish resources you need to create web listeners. To create a web listener using SSL, you first have to have the SSL certificate installed on your ISA Server. To do that, you have to export it from your web server and make sure ISA Server trusts any issuing CA (Certificate Authority).

From Administrative Tools open IIS Manager. Click on your SBSServers and in the details pane go to Server Certificates. Find the certificate named ‘remote.domain.com’ (where domain.com is your public domain name). Select this and in the task pane click Export. This will also export the private key (in .pfx format), which is essential for ISA Server. You must enter a path and a password. Save this to a USB drive or network share, something you can access from the ISA Server.

Next find the certificate in the list that has ‘CA’ at the end of it. This is your network’s root certificate. We don’t need to export the private key of this certificate, so double click it, go to the Details tab and click Copy to File. Follow the wizard and save in .cer format.

Install the CA root certificate into the Default Domain Policy

Now we are going to install the CA root certificate into the Default Domain Policy, so that all of your client workstations trust any certificate issued by the SBS Server. From Administrative Tools, open Group Policy Management. Expand Domains and find your ‘Default Domain Policy’, right click it and click Edit. Select Policies, then expand ‘Computer Configuration, Windows Settings, and Security Settings’, scroll down to ‘Public Key Policies’ and find ‘Trusted Root Certification Authorities’. In the details pane, right click and click ‘Import’. Find the .cer file we just exported and import it.
After you have successfully imported the certificate you can check in the settings that the certificate really has been imported. Close the ‘Group Policy Editor’ and close all other open windows.

Install ISA 2006 on your Windows 2003 server

Insert your ISA CD (or find your install media) and double click ‘setup.exe’. Click ‘Install ISA Server 2006’ and setup starts. Click Next. Accept the terms and click Next. Fill in your serial number and click Next. Follow the wizard through; the typical install will install both the management tools and ISA Server itself. Leave all defaults and click Next.

Click Add. Click Add Adapter; that will automatically insert the correct range for you. Choose the Internal adapter. Make sure the range starts at .0 and ends at .255. Click Next. Do not tick the box to ‘allow non-encrypted firewall client session’. Click Next; setup should now complete for you. You are informed that some services will be restarted during the installation. Click Install.

I would suggest a reboot at this point, but it may not be required or suggested by ISA Setup. You can then go ahead and install SP1 for ISA 2006 and the ISA BPA (Best Practices Analyzer).

You should be aware that ISA Server should be deployed as securely as possible; this means hardening the Windows infrastructure by disabling unnecessary services and applications. Excellent advice on this subject can be found on Microsoft TechNet: http://technet.microsoft.com/en-us/library/bb898433.aspx.

Configure ISA Server 2006 to use the second Network Adapter

At this point, your ISA Server will have two NICs: one is correctly configured for your internal network, the other is showing as unplugged. We need to configure this interface before plugging the cable in. Open Network Connections (Start > Run > ncpa.cpl), right click your external network adapter and go to Properties. Un-tick everything except Internet Protocol (TCP/IP), then select TCP/IP and go to Properties.
Set the IP address to 192.168.178.10, the Subnet Mask to 255.255.255.0 and the default gateway to the new IP address of your router, 192.168.178.1. Notice that we have changed the IP address of our router from 192.168.80.2 to 192.168.178.1, because you cannot have the External IP address of your ISA server in the same range as your Internal range.

Click Advanced and go to the DNS tab. Un-tick ‘Register this connection’s addresses in DNS’. Un-tick ‘Append Parent suffixes’. Go to the WINS tab, un-tick ‘Enable LMHOSTS Lookup’ and set NetBIOS to ‘Disabled’. Click ‘OK’ to accept this configuration.

To visit the Windows Update website after the installation of ISA Server you must enter proxy server information into Internet Explorer. (The proxy server address is the internal IP of your ISA Server and by default the port number is 8080.)

Reconfigure your router

We started with our router in the same network as the SBS 2008 server. Now that we have added the ISA 2006 server to our network we need to reconfigure the router for the network we set on the external network adapter of the ISA 2006 server. In our case that was 192.168.178.x. It is impossible for us to write a manual for each router on this subject. If you need help to reconfigure your router this site may be of help to you: PortForward.com - Free Help Setting up Your Router or Firewall: http://portforward.com/default.htm

Connect your External network adapter to the router

Un-patch your router from your network switch and patch it directly into the external interface of your ISA Server. From your ISA Server you will now see your external NIC has gone live. You will have no Internet connectivity at this point. We must create rules to allow DNS traffic out of the network from the SBS Server before the Internet connection will start to work.

In ISA Management, right click Firewall Policy and click New > Access Rule. Name your rule ‘SBS – DNS Out’ and click ‘Next’.
Click Next. Choose Selected protocols and click Add. Highlight DNS and click Add. Click Close. Click Next.

Click ‘Next’, then click Add. Click New > Computer and name the computer object (this will represent your SBS Server). Enter the IP of your SBS Server and click OK to finish creating the computer object, then expand ‘Computers’, select the computer object that represents your SBS Server, click Add and then click Close.

You can be specific about where you allow DNS queries to be sent by creating computer objects with the IP address of your preferred external DNS server, or an address range, etc.

Click Next. Accept All Users and click Next. Click Finish. Click Apply to accept the changes.

We will also create another access rule to allow HTTP, HTTPS and FTP to the domain name set ‘System Policy Allowed Sites’ (this includes Microsoft.com). We will allow traffic from our SBS computer object to this domain name set for all users. The process for this is very similar to the rule we have just created, so I won’t provide screen shots.

Right click the Firewall Policy and click New Access Rule. Name your rule ‘SBS Server Web Traffic Rule’ and click Next. On the Rule Action page select Allow and click Next. On the Protocols page click Add, expand Web, click HTTP and click Add, click HTTPS and click Add, click FTP and click Add. Click Close and then click Next. On the Sources page click Add, expand Computers, select the SBS Server computer object and click Add. Click Close and then click Next. On the Destinations page click Add, expand Domain Name Sets, click System Policy Allowed Sites and click Add. Click Close and click Next. Accept the default of All Users and click Next. Click Finish.

Install our SBS Remote PFX certificate to the ISA Server

We can also now go ahead and install our SBS Remote PFX certificate on the ISA Server. Click Start, then Run, type MMC and click OK.
Click File, Add/Remove Snap-in, click Add, find ‘Certificates’ and click Add. When prompted select ‘Computer account’ then click Next, accept ‘Local computer’ and click Finish. Click Close and then click OK to return to your MMC. Expand Certificates and click ‘Personal’. Right click in the details pane and click Import, find your .pfx file from earlier, select it and click OK. Click Next, enter your password and choose to mark the private key as exportable (this allows for ISA Server backups). Click Next, accept the defaults for the remaining questions and finish the import wizard.

We can verify successful installation by double clicking the certificate and looking at the Certification Path tab; there shouldn’t be any red crosses visible. If there are, make sure you added the CA certificate to the Default Domain Policy and that the ISA Server computer has refreshed its group policy (gpupdate /force from a CMD window will do the trick).

Run the 'Connect to the Internet' wizard on your SBS 2008

You’re not superstitious are you? Back on the SBS box, we can now run the ‘Connect to the Internet’ wizard. Open the SBS console, go to ‘Network’ then ‘Connectivity’, and click ‘Connect to the Internet’. Click Next.

The router IP address is in this case the local IP address of your ISA server. Make sure you fill in the correct IP address for the server. We have seen issues where the wizard tries to change this, and we don't want that to happen. Again we are informed that our router (the ISA Server 2006) cannot be found. Click Yes to continue without further detecting the router. Once the correct IP addresses are filled in, click Next. Click Finish.

You should now be able to browse the Internet from your SBS 2008 server. Make sure you set Internet Explorer to use the ISA 2006 proxy in the connection settings.
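
The finished layout depends on a handful of addressing rules stated in this guide: separate Internal and External ranges, no default gateway on the Internal NIC, and the SBS server pointing at the ISA server's internal IP. The following is an added example, not part of the original article, that checks a plan against those rules; `PLAN` and `check_plan` are hypothetical names and the addresses are the article's example values.

```python
import ipaddress

# Example values from the article; PLAN and check_plan are hypothetical names.
PLAN = {
    "internal_nic": {"ip": "192.168.80.10", "mask": "255.255.255.0",
                     "gateway": None, "dns": "192.168.80.5"},
    "external_nic": {"ip": "192.168.178.10", "mask": "255.255.255.0",
                     "gateway": "192.168.178.1"},
    # Router IP entered in the SBS 'Connect to the Internet' wizard.
    "sbs": {"ip": "192.168.80.5", "gateway": "192.168.80.10"},
    # Address range given to ISA setup for its Internal network.
    "isa_internal_range": ("192.168.80.0", "192.168.80.255"),
}


def check_plan(plan):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    inside, outside, sbs = plan["internal_nic"], plan["external_nic"], plan["sbs"]
    int_net = ipaddress.ip_interface(f"{inside['ip']}/{inside['mask']}").network
    ext_net = ipaddress.ip_interface(f"{outside['ip']}/{outside['mask']}").network

    # The External address may not sit in the same range as the Internal one.
    if int_net.overlaps(ext_net):
        problems.append("internal and external NICs share an address range")
    # Only the External NIC carries a default gateway on the ISA server.
    if inside["gateway"] is not None:
        problems.append("internal NIC must not have a default gateway")
    gw = outside["gateway"]
    if gw is None or ipaddress.ip_address(gw) not in ext_net:
        problems.append("external gateway is not on the external subnet")
    # The ISA server resolves names through the SBS server.
    if inside["dns"] != sbs["ip"]:
        problems.append("internal NIC should use the SBS server for DNS")
    if ipaddress.ip_address(sbs["ip"]) not in int_net:
        problems.append("SBS server is not on the internal subnet")
    # The SBS server routes out through the ISA server's internal IP.
    if sbs["gateway"] != inside["ip"]:
        problems.append("SBS gateway should be the ISA internal IP")
    first, last = (ipaddress.ip_address(a) for a in plan["isa_internal_range"])
    if (first, last) != (int_net.network_address, int_net.broadcast_address):
        problems.append("ISA Internal range does not span the internal subnet")
    return problems


if __name__ == "__main__":
    for line in check_plan(PLAN) or ["addressing plan is consistent"]:
        print(line)
```

Replace the values in `PLAN` with your own addresses before running it; each returned string names the rule that the plan breaks.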