This guide describes how a small company with fewer than 255 workstations on an existing Windows-based network can connect its computers to the Internet by using the secure firewall service of Microsoft Internet Security and Acceleration (ISA) Server.
1. Configure Network Connections
The ISA firewall requires a computer equipped with two network adapters. One adapter must be connected to the internal network. Connect the other adapter to your Internet service provider (ISP). Your ISP can help you establish the connection. A firewall acts as a security barrier between an enterprise intranet and the Internet by preventing other people on the Internet from accessing confidential information on the internal network or on your computer.
ISA can be installed on a stand-alone computer, on a computer that is a member of a Windows NT domain, or on a computer that is a member of a Windows Active Directory domain. To achieve maximum security, you should run ISA Server on a stand-alone computer.
Configuring the network adapters involves setting up an external interface that connects to the Internet and an internal interface that connects to the Windows-based network. Your ISP should provide a static IP address, subnet mask, default gateway, and one or more DNS servers. Enter this information in the TCP/IP settings of the NIC that is connected to the ISP. Some ISPs use Dynamic Host Configuration Protocol (DHCP) to assign this information, which also works.
Configure the server's network adapter
Right-click My Network Places on your desktop, and then click Properties.
Right-click your Internet connection, click Rename, and then type Internet Connection. This will help you remember which NIC is connected to the Internet.
Right-click the Internet connection, and then click Properties.
On the General tab, click to select the Show icon in taskbar when connected check box. When the interface transmits data, the small icon on the taskbar flashes.
Click to clear the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks check boxes. ISA Server blocks these protocols automatically, and clearing these check boxes saves memory.
Double-click Internet Protocol (TCP/IP), and then perform one of the following steps:
If your ISP uses DHCP to assign IP addresses, in the Internet Protocol (TCP/IP) Properties dialog box, click to select Obtain an IP address automatically and Obtain DNS server address automatically.
If you need to manually enter the IP address information for your ISP, in the Internet Protocol (TCP/IP) Properties dialog box, click to select Use the following IP address, and then type the address, subnet mask, and default gateway information provided by your ISP. Click to select Use the following DNS server addresses, and then enter one or more DNS servers provided by your ISP.
Click Advanced, and then click the DNS tab. Click to clear the Register this connection's addresses in DNS check box.
Note: You need to type a permanent address and corresponding subnet mask for the internal network on the internal adapter (do not use DHCP on this interface). Leave the default gateway blank. The ISA Server computer requires only one default gateway; configure it on the external interface. Configuring a default gateway on an internal adapter can cause an ISA failure.
Configure an internal interface to connect to a network
Right-click My Network Places, and then click Properties. Right-click Local Area Connection, click Rename, and then type LAN.
Right-click LAN, and then click Properties.
On the General tab, click to select the Show icon in taskbar when connected check box.
If they are not already selected, click to select the Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks check boxes.
Double-click Internet Protocol (TCP/IP), and then click Use the following IP address.
In the IP address box, enter an internal IP address and subnet mask that conform to the addressing scheme of the internal network. Leave the default gateway blank. In the Preferred DNS server box, type the IP address of one or more DNS servers for the network.
Note: For small networks with fewer than 255 computers, if you use the Windows 2000 default TCP/IP configuration and the network does not have a DNS server, the computers rely on Automatic Private IP Addressing (APIPA). You should migrate from APIPA and start using static addresses on the client workstations. Each computer in the network requires a unique IP address. When you configure the internal interface of ISA Server, you need to type a static address, so use the address 192.168.0.254 and the subnet mask 255.255.255.0. Leave the Default gateway box blank. Type the ISP's DNS server in the DNS server field.
Now, configure the static address on each client computer:
On the first computer, use the address 192.168.0.1, the subnet mask is 255.255.255.0, and the default gateway is 192.168.0.254. For DNS, enter one (or more) DNS servers for your ISP.
On the second computer, use the address 192.168.0.2, and then use the same values that were used in the previous step. Apart from the address, the values are the same on every computer; increment the address value for each additional computer. Maintain a list that indicates which computers are using which addresses.
When you are prompted, restart your computer.
2. Install ISA Server Standard Edition
If you have not yet installed Windows Service Pack 1 (SP1) and the hotfix provided on the Microsoft ISA Server Standard Edition CD, install them now.
ISA Setup asks a series of questions.
In the ISA Server Setup Wizard, on the Welcome screen, click Continue. Type the product's identification number in the appropriate box. You can find the number on the back of the CD case.
Read the license agreement, and then click I Agree.
Click Typical installation as the installation type. This installs the ISA services and administration tools. Then choose the installation mode: firewall, proxy server, or integrated mode. ISA stops related services on the computer.
Configure the Local Address Table (LAT) for ISA. Configuring the LAT requires careful consideration. Setup gives you two choices: enter the LAT yourself or have the Setup Wizard construct it. Make a choice based on the following conditions:
If you know the subnet used by your internal network, enter it here. Caution: Do not click the Construct Table button! If you click it, the LAT information that you entered is overwritten.
If you do not know your local subnet, click the Construct Table button. The ISA Setup Wizard determines the local subnet based on the computer's routing table.
If it is not already selected, click to select the Add the following private ranges check box.
If it is not already selected, click to select the Add address ranges based on the Windows 2000 Routing Table check box.
Click to clear the check box that contains the subnet that corresponds to the external (Internet) interface of the server.
Click to select the check box that contains the subnet that corresponds to the internal (LAN) interface of the server.
When Setup completes, start the Administrator Getting Started wizard, and then read the next section before completing the wizard.
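The addressing rules from sections 1 and 2 (one default gateway on the external adapter only, a LAT that covers the LAN but not the Internet-facing subnet, unique static client addresses that point at 192.168.0.254) can be checked before the values are typed in. The following is an added example, not part of the original guide or of ISA Server; the function name, the dictionary layout and the 203.0.113.0/24 external subnet are assumptions made for illustration.

```python
import ipaddress

def audit_plan(external_if, internal_if, lat_ranges, clients):
    """Return findings for an ISA addressing plan; an empty list means consistent."""
    findings = []
    ext_net = ipaddress.ip_interface(external_if["address"]).network
    int_if = ipaddress.ip_interface(internal_if["address"])
    lat = [ipaddress.ip_network(r) for r in lat_ranges]

    # The single default gateway belongs on the external adapter only.
    if internal_if.get("gateway"):
        findings.append("internal adapter has a default gateway")

    # The LAT must cover the LAN subnet and exclude the Internet-facing subnet.
    if not any(int_if.network.subnet_of(n) for n in lat):
        findings.append(f"LAT does not cover {int_if.network}")
    for n in lat:
        if n.overlaps(ext_net):
            findings.append(f"LAT range {n} overlaps external subnet {ext_net}")

    # Each client needs a unique static address on the LAN and the ISA
    # internal address as its default gateway.
    used = {int_if.ip: "ISA internal adapter"}
    for name, cfg in clients.items():
        addr = ipaddress.ip_address(cfg["address"])
        if addr not in int_if.network:
            findings.append(f"{name}: {addr} is outside {int_if.network}")
        if addr in used:
            findings.append(f"{name}: {addr} already used by {used[addr]}")
        used.setdefault(addr, name)
        if ipaddress.ip_address(cfg["gateway"]) != int_if.ip:
            findings.append(f"{name}: gateway should be {int_if.ip}")
    return findings

# Constructed sample plan; 203.0.113.0/24 is a documentation range standing in
# for the ISP-assigned subnet.
EXTERNAL = {"address": "203.0.113.10/24", "gateway": "203.0.113.1"}
INTERNAL = {"address": "192.168.0.254/24", "gateway": None}
GOOD_LAT = ["192.168.0.0/24"]
CLIENTS = {
    "pc1": {"address": "192.168.0.1", "gateway": "192.168.0.254"},
    "pc2": {"address": "192.168.0.2", "gateway": "192.168.0.254"},
}

if __name__ == "__main__":
    print(audit_plan(EXTERNAL, INTERNAL, GOOD_LAT, CLIENTS))  # consistent plan
    bad_lat = GOOD_LAT + ["203.0.113.0/24"]  # external subnet left selected
    for finding in audit_plan(EXTERNAL, INTERNAL, bad_lat, CLIENTS):
        print(finding)
```

A LAT entry that overlaps the external subnet is the finding to treat as most serious, because ISA regards every address in the LAT as internal.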
3. Configure ISA Server to allow clients to access the Internet
In its post-installation state, ISA Server blocks traffic to and from the Internet. This is a good thing! Remember that you are setting up a firewall. The main function of a firewall is to act as a checkpoint between two networks. ISA Server's behavior is to block any content that is not explicitly allowed through policy.
Configuring ISA after installation
The following two components of the access policy must be configured so that clients can access the Internet:
At least one site and content rule must be configured in which to specify which sites users can access and what types of content they can retrieve.
At least one protocol rule must be configured to specify which types of traffic are allowed through ISA Server.
After the installation is complete, ISA creates a default site and content rule that allows all clients to access all content on all sites at all times. But this is not enough for users who want to start surfing the Internet: no protocol rules are defined. Without a protocol rule, traffic through ISA will not be allowed.
Getting Started Wizard
In the Getting Started Wizard, click Configure Protocol Rules. The list of protocol rules is displayed in the Microsoft Management Console (MMC).
Click Create a Protocol Rule. Type a name, such as "all protocols."
Click Allow for the action of the rule (this is the default value).
Click All IP traffic as the list of protocols (this is the default value).
Click Always as the schedule (this is the default value).
Click Any request as the client type (this is the default value).
Click Finish.
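The post-installation state and the effect of the "all protocols" rule can be followed in a small model. This is an added example and a deliberate simplification, not ISA Server's rule engine: it assumes a request is allowed only when one protocol rule and one site and content rule both match, and it leaves out deny rules, schedules and content groups. The rule dictionaries, the "LAN web access" rule and the sample requests are hypothetical.

```python
import ipaddress

ANY = None  # wildcard: "All IP traffic", all sites, or "Any request"

def _in_set(value, allowed):
    return allowed is ANY or value in allowed

def _client_in(client_ip, networks):
    ip = ipaddress.ip_address(client_ip)
    return networks is ANY or any(ip in ipaddress.ip_network(n) for n in networks)

def is_allowed(request, protocol_rules, site_content_rules):
    """Default deny: both rule types must contain a matching allow rule."""
    protocol_ok = any(
        _in_set(request["protocol"], r["protocols"])
        and _client_in(request["client"], r["clients"])
        for r in protocol_rules
    )
    site_ok = any(
        _in_set(request["site"], r["sites"])
        and _client_in(request["client"], r["clients"])
        for r in site_content_rules
    )
    return protocol_ok and site_ok

# Rule created by Setup: all clients, all sites.
DEFAULT_SITE_RULE = {"name": "default site and content rule",
                     "sites": ANY, "clients": ANY}
# Rule created in the wizard steps above.
ALL_PROTOCOLS = {"name": "all protocols", "protocols": ANY, "clients": ANY}
# Hypothetical narrower rule: web and DNS only, LAN clients only.
LAN_WEB_ONLY = {"name": "LAN web access",
                "protocols": {"HTTP", "HTTPS", "DNS"},
                "clients": ["192.168.0.0/24"]}

# Constructed sample requests.
HTTP_REQ = {"client": "192.168.0.1", "protocol": "HTTP", "site": "www.example.com"}
SMTP_REQ = {"client": "192.168.0.2", "protocol": "SMTP", "site": "mail.example.net"}

if __name__ == "__main__":
    print(is_allowed(HTTP_REQ, [], [DEFAULT_SITE_RULE]))              # after Setup
    print(is_allowed(SMTP_REQ, [ALL_PROTOCOLS], [DEFAULT_SITE_RULE]))  # after wizard
    print(is_allowed(SMTP_REQ, [LAN_WEB_ONLY], [DEFAULT_SITE_RULE]))   # narrower rule
```

The "all protocols" rule lets every protocol out for every client; a rule restricted to the protocols and client addresses the network needs keeps the firewall closer to its default-deny starting point.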
Create a policy for how users connect to the Internet
The role of ISA Server is much more than allowing all clients to access all content on all sites at all times, using all (defined) protocols. In ISA, you can create access policies that define exactly how users access the Internet.
ISA access policy consists of the following three elements:
Site and Content Rules
Protocol Rules
IP Packet Filters
These rules are also made up of the following policy elements:
Client address sets
Protocol definitions
Before attempting to use ISA policy to define complex content, you should understand some dependencies. The following table describes which policy elements belong to which policy rules:
Site and content rules      Protocol rules
Destination sets            Protocol definitions
Content groups              Schedules
Schedules                   Client address sets
Client address sets
Accessing the Internet from an ISA computer
What happens when you access the Internet from the ISA computer itself? The protocol rules and site and content rules that you create apply only to clients behind the ISA Server. Whenever a client wants to access the Internet, ISA creates a dynamic packet filter for the connection request, as long as the rules allow the request. However, if you want to access the Internet from the ISA computer itself, you must create a static packet filter for the type of traffic that will be generated.