Microsoft® Internet Security and Acceleration (ISA) Server 2000 Administrator's Pocket Consultant
Author Jason Ballard and Bud Ratliff
Pages 336
Disk N/A
Level Beg/Int
Published 06/18/2003
ISBN 9780735614420
ISBN-10 0-7356-1442-3
Price(USD) $29.99
Chapter 11: Managing ISA Server and Windows Active Directory

This chapter reviews the concept of stand-alone server and array implementations of Microsoft ISA Server, and then explains how to install and configure ISA Server arrays in Microsoft Windows domains. The first section focuses on requirements for stand-alone versus array members. The next section outlines how to create ISA Server arrays in a Microsoft Windows 2000 and Microsoft Windows Server 2003 Active Directory directory service environment. The last section explains how to implement ISA Server in alternative domain environments to provide other levels of security.

Stand-Alone Versus Array Members

As we explained in Chapter 1, "Overview of Microsoft ISA Server 2000 Administration," Microsoft ISA Server 2000 Standard Edition allows only the option of installing a stand-alone server, which you must administer on an individual basis. Microsoft ISA Server 2000 Enterprise Edition provides the option of installing an individual ISA server into what is known as an array, from which you can administer many ISA servers using a single policy.

Characteristics of a Stand-Alone ISA Server

You can install a stand-alone ISA server using either the Standard or Enterprise edition of ISA Server. Each stand-alone server has unique policies that you must administer on an individual basis; each server also stores its configuration information in the local registry (as compared to array members, which store ISA Server configuration data in Active Directory). Without Active Directory, you can use other products, such as Microsoft Application Center 2000, or write scripts to manage multiple stand-alone ISA servers; however, you'll need similar hardware and configurations (in the case of Application Center 2000), and additional effort to ensure standardization (in the case of scripts). You can promote a stand-alone server to an array member by following the steps provided in Chapter 2, "Installing and Configuring Microsoft ISA Server 2000."

Characteristics of an ISA Server Array Member

Installing an array member requires ISA Server 2000 Enterprise Edition and an implementation of the Active Directory, where all array data are stored. When you create an array, the name of the first server becomes the name of the array; you have no limit to the number of servers that can participate in the array.

An array utilizes enterprise-wide policies that you can easily distribute among multiple ISA servers, which helps provide valued fault tolerance capabilities for ISA Server. Enterprise and array policies are the focus of Chapter 12, "Using Enterprise and Array Policies."

Active Directory Interoperability

In general, most array configuration is stored within Active Directory, whereas a stand-alone server stores configuration information within the registry. There are, however, some exceptions in which data are stored on individual servers. These exceptions include:

  • Static filters
  • Cache content and activity logs
  • Generated reports (settings exist on all members, but the reports themselves are stored on one)

Creating and Configuring ISA Server Arrays

Creating and configuring ISA Server arrays gives you the ability to better manage groups of ISA Server computers. You'll need to know the criteria required to install an array. This section describes those criteria and additional security requirements, and then provides detailed steps for installing and configuring arrays.

ISA Server Array Criteria

To use ISA Server arrays, you should understand the criteria for ISA Server arrays:

  • You must use ISA Server 2000 Enterprise Edition.
  • Active Directory must be installed on the network.
  • All array members must belong to the same Windows 2000 or Windows Server 2003 domain.
  • All array members must belong to the same site.
  • All array members must be installed in the same mode (cache, firewall, or integrated).
  • An array can contain one or more members.
  • You must install the same add-ins (such as application filters, Web filters, and so on) on all array members for consistent functionality.
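The criteria above are easy to violate when several servers were built at different times. The following preflight check, an added example that is not from the book, applies them to an inventory of candidate members; the hostnames, add-in names and inventory are constructed for the example and would in practice be gathered from each server.

```python
"""Preflight check for ISA Server 2000 array membership (added example).

Encodes the chapter's array criteria: Enterprise Edition only, same domain,
same site, same mode, and the same add-ins on every member.
"""

# Constructed inventory of candidate array members (hypothetical hostnames).
CANDIDATES = [
    {"name": "isa01", "edition": "Enterprise", "domain": "corp.example",
     "site": "HQ", "mode": "integrated",
     "addins": {"HTTP Redirector", "SMTP Filter"}},
    {"name": "isa02", "edition": "Enterprise", "domain": "corp.example",
     "site": "HQ", "mode": "integrated",
     "addins": {"HTTP Redirector"}},
    {"name": "isa03", "edition": "Standard", "domain": "corp.example",
     "site": "Branch", "mode": "cache",
     "addins": {"HTTP Redirector", "SMTP Filter"}},
]


def check_array_criteria(members):
    """Return a list of problems; an empty list means the set can form one array."""
    problems = []
    if not members:
        return ["an array needs at least one member"]
    # Standard Edition supports stand-alone servers only.
    for m in members:
        if m["edition"] != "Enterprise":
            problems.append(f"{m['name']}: Standard Edition cannot join an array")
    # Every member must share the same domain, site and installation mode.
    for attr in ("domain", "site", "mode"):
        values = {m[attr] for m in members}
        if len(values) > 1:
            problems.append(f"members disagree on {attr}: {sorted(values)}")
    # Any add-in present on one member must be present on all of them.
    union = set().union(*(m["addins"] for m in members))
    for m in members:
        missing = union - m["addins"]
        if missing:
            problems.append(
                f"{m['name']} lacks add-ins installed elsewhere: {sorted(missing)}")
    return problems


if __name__ == "__main__":
    for line in check_array_criteria(CANDIDATES) or ["no problems found"]:
        print(line)
```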

Administrative Requirements for ISA Server Arrays

See Table 11-1 for a description of the administrative requirements to install or configure stand-alone servers and arrays.

Table 11-1  Administrative Requirements for Stand-Alone Servers and Array Members

  • Create stand-alone ISA server: Administrators group on the local server (which should, of course, include Domain Admins)
  • Modify the Active Directory schema (by running the Enterprise Initialization tool): Enterprise Admins and Schema Admins groups of the forest to which the servers belong
  • Promote an existing stand-alone ISA server to an array member: Domain Admin or Enterprise Admin for the domain or forest, or both, to which the server belongs

Creating the Array Environment

To prepare your ISA Server environment to support arrays, you'll need to ensure that you've completed the tasks we described in other places in this book:

  • Update the schema by using the Enterprise Initialization Tool. For information on this, see Chapter 2, "Running the Enterprise Initialization Tool."
  • Ensure that the schema extensions have been updated and replicated to all domain controllers. See Chapter 2, "Verifying Schema Extensions."
  • Configure enterprise policy settings. See Chapter 2, "Configuring Enterprise Policy Settings" and "Enterprise and Array Policies Explained," and Chapter 12, "Using Enterprise and Array Policies."
  • Promote any stand-alone servers into the array. See Chapter 2, "Promoting a Stand-Alone Server to an Array Member."

Creating a New Array

Once you've configured your environment, you might need to configure a new array to manage a set of ISA servers. To create a new array, follow these steps:

  1. Open the ISA Management console.
  2. In the left pane, right-click Servers And Arrays, click New, and then click Array.
  3. Type a name for the array and then click Next.
  4. On the Domain Name page, click the top drop-down list to select the site the server is a part of, click the bottom drop-down list to select the domain, and then click Next.
  5. On the Create Or Copy An Array page, you have the option to create a new array or copy an existing array. If you select Copy This Array, click the drop-down list to select the array to be copied, and then click Next.
  6. On the Enterprise Policy Settings page, you can define whether enterprise policies should be enabled for the array. The options are explained in Table 11-2.

    Table 11-2  Enterprise Policy Options

      • Do Not Use Enterprise Policy: Select this option if you choose not to use an enterprise policy.
      • Use Default Enterprise Policy Settings: Select this option to use default values. If you choose this option, continue to Step 8.
      • Use Custom Enterprise Policy Settings: Select this option to specify custom values for an enterprise policy.
      • Allow Array Policy: This option is available when you choose Use Custom Enterprise Policy Settings.

  7. Click Next to continue.

  8. On the Array Policy Options At Enterprise Level page, if you choose to allow publishing rules to be created on the array or wish to force packet filtering on the array, select the respective check boxes and then click Next.
  9. On the Array Type page, select the mode (Cache, Firewall Only, or Integrated) to be used by the array member and then click Next.
  10. Review the configuration and then click Finish.

Adding or Removing Array Members

When you add or remove array members, remember that the information stored in Active Directory must replicate to all other domain controllers in the domain. Be sure to back up your array configuration before you make changes to array membership; this easy step will save you a lot of time should anything go awry.

Backing Up and Restoring an Array Configuration

Backing up an array member is a process that's similar to backing up an ISA stand-alone server. Both types of backups use the procedures below and will be saved with a .bif file name extension. To back up an array, follow these steps:

  1. Open the ISA Management console.
  2. In the left pane, right-click your array and then click Back Up.
  3. In the Backup Array window, in the Store Backup Configuration In This Location field, type the full path and name for the backup file you're creating. You may type a description in the Comment field to provide any additional information you'd like to keep regarding the backup.
  4. Click OK to complete. Click OK again when the Backup Array dialog box notifies you that the array data has been successfully backed up.

To restore an array configuration, follow these steps:

  1. Open the ISA Management console.
  2. In the left pane, right-click your array and then click Restore.
  3. When prompted to confirm the replacement of the existing configuration as shown in Figure 11-1, click Yes.

    Figure 11-1  Restoring an array configuration with a previous backup file overwrites the existing configuration.

  4. In the Restore Array dialog box, in the Restore Array Configuration From The Following Backup (.BIF) File field, type the full path for the backup file and then click OK.
  5. Click OK. Click OK at the Restore Array dialog box to verify the backup file selected and to complete the restore. Click OK again when you're notified that the array data has been restored successfully.

Removing an Array Member

When you delete all servers from an array, the last server deleted removes the array itself. To remove an ISA server from an array, follow these steps:

  1. Open the ISA Management console.
  2. In the left pane, expand your ISA server node and then click Computers.
  3. In the right pane, right-click the ISA server to be removed from the array and click Delete.
  4. Click Yes to confirm the deletion as shown in Figure 11-2.


Figure 11-2  When you remove an ISA server from an array, you're asked to confirm the deletion.

Adding an Array Member

To add a server to an array, you must either install or reinstall ISA Server, as joining an existing array is an option available during initial ISA Server installation. Remember that the mode—cache, firewall, or integrated—of the server joining the array must match that of the other array members.

Moving an ISA Array Member to a Different Array

To move a server to a different array, you must uninstall and then reinstall ISA Server, as joining a different array is an available option during initial ISA Server installation (as long as you've run the enterprise initialization tool and multiple arrays are already configured). Follow the steps shown in Chapter 2 to uninstall and then install a new ISA server.

Configuring Array Permissions

To grant additional administrators the permissions to manage an array, follow these steps:

  1. Open the ISA Management console.
  2. In the left pane, right-click the array and then click Properties.
  3. Click the Security tab.
  4. Click Add to grant a new user or group permissions to manage the array and then the appropriate permissions. Click Remove to deny a user or group the permissions to manage the array.
  5. Click OK to complete.

ISA Server 2000 and Domain Integration

Environments in which companies haven't yet implemented the use of Active Directory, or in which separate forests must share resources, present special considerations for ISA Server implementations. You'll have several options available to you; however, in all designs the members of an ISA Server array must reside within the same domain and be a part of the same physical site.

Managing a Multidomain Configuration and Trust Relationships

The ISA Server implementations we've shown so far were installed into an existing domain; ISA Server is flexible enough to also reside in a domain created specifically for ISA servers. Usually, you'll need to install ISA Server into its own domain when ISA Server can't be integrated with Active Directory or where ISA Server must accommodate clients from different Windows domains.

ISA Server and Windows NT 4.0 domains

ISA Server can be a member of a Microsoft Windows NT 4.0 domain but can only be installed in stand-alone mode. As noted earlier, this is because ISA Server depends upon Active Directory for establishing an ISA Server array. If you need an ISA Server array and your company's domain is still operating with Windows NT 4.0, you have the choice of upgrading your Windows NT 4.0 domain to a Windows 2000 or Windows Server 2003 domain or creating a new Windows 2000 or Windows Server 2003 domain.

Upgrading Your Windows NT 4.0 Domain

If you haven't already done so, you probably have plans to upgrade your Windows NT 4.0 domain to a Windows 2000 or Windows Server 2003 domain. If you don't have plans to upgrade, we would recommend doing so soon, as support for Windows NT 4.0 is near its end. This option gives you the opportunity to upgrade your infrastructure and the ability to promote a stand-alone ISA server to an array member, once you've modified the schema by running the enterprise initialization tool. For links to articles on upgrading your domain, see "Additional Resources" at the end of this chapter.

Creating a New Windows 2000 or Windows Server 2003 Domain

If your company has no plans to upgrade the Windows NT 4.0 domain to Windows 2000 or Windows Server 2003, you can create a new domain for the sole purpose of hosting ISA Server. The ISA server will be a member of the new domain, and you'll need to configure a trust relationship in which the new domain trusts the existing Windows NT 4.0 domain, as shown in Figure 11-3. Creating this trust allows the users in the NT 4.0 domain the capability to authenticate to the ISA server for outbound access.


Figure 11-3  The Windows 2000 and the Windows Server 2003 domains trust the Windows NT 4.0 domain so that its clients can use ISA Server services.

ISA Server and Windows 2000 and Windows Server 2003 Domains

When ISA Server is a member of Windows 2000 or Windows Server 2003 domains, you have the most options for configuring the ISA server as a stand-alone server or an array member.

ISA Server in a Single Domain

In a single domain environment, you can either join the ISA server to the existing domain and then configure it as an array member or create a new domain specifically for the ISA server. Creating a new domain in the existing forest provides an additional level of security, as a domain is, by definition, a security boundary. Because Windows 2000 and Windows Server 2003 implement two-way transitive trusts between all domains in a forest, creating a new domain automatically establishes the necessary trusts for the users to be authenticated during outbound access.

To provide another level of security, you could create a new domain in a separate forest; this would require you to manually configure an implicit, one-way trust, which helps to ensure that only specified personnel are granted rights to administer ISA Server in the new domain. In Windows Server 2003, you could easily use a new feature known as a two-way forest trust to establish the trust between the two domains in different forests. For more information, see the "Additional Resources" section at the end of this chapter.

ISA Server in Multiple Domains with Trusts

If you're using ISA Server in a multiple domain environment, trust relationships are key. If you place an ISA server within a domain in a Windows 2000 or Windows Server 2003 forest, you must establish implicit two-way trusts between each domain. If you want to place ISA Server within a new domain outside your existing forest, there's no implicit trust between two domains in separate forests. You'll need to create an explicit one-way trust from the domain that ISA Server is in, trusting the domain in the other forest where your users and computer accounts reside. The benefit of creating an ISA server in an isolated forest is security. But with the added security comes additional management of both establishing explicit trusts and connecting to the ISA server.

Additional Resources

  • "Upgrading Windows NT 4.0 Domains to Windows Server 2003" in the Windows Server 2003 Resource Kit at http://www.microsoft.com/technet/prodtechnol/windowsserver2003/evaluate/cpp/reskit/adsec/part1/rkpdswnt.asp.
  • There are several relevant articles in the Microsoft Knowledge Base. You can find them by going to http://support.microsoft.com/?kbid=article number (insert the correct number at the end of the URL).
    • Article 296480, "HOW TO: Upgrade a Windows NT 4.0-Based PDC to a Windows 2000-Based Domain Controller"
    • Article 295654, "Windows 2000 Server Cannot Join Existing ISA Array"
    • Article 296657, "'The Computer Cannot Join an Array' Error Message and Error Code 0x8007203a Logged When You Try to Install ISA Server 2000 Enterprise Edition"
    • Article 323774, "ISA Server Services Are Unavailable for an Array Partner"
    • Article 284761, "Error Message 'Could Not Register Smtpfltr.dll' Occurs When You Attempt to Install ISA Server in an Array"
    • Article 288214, "The ISA Server Array Configuration Cannot Be Restored"



Last Updated: June 19, 2003