Performing a Single NIC Installation (Unihomed ISA Firewall)
The ISA firewall software can be installed on a machine with a single network interface card. This is done to simulate the Proxy Server 2.0 configuration or the ISA Server 2000 caching-only mode. The 2004 ISA firewall does not have a caching-only mode, but you can strip away a significant level of firewall functionality from the ISA firewall when you install it in single-NIC mode.
When the ISA firewall is installed in single-NIC mode, you lose:
Support for Firewall clients
Support for full SecureNAT client security and functionality
Server Publishing Rules
All protocols except HTTP, HTTPS and HTTP-tunneled (Web proxied) FTP
Remote Access VPN
Site-to-Site VPN
Multi-networking functionality (the entire IPv4 address space is the same network)
Application-layer inspection except for HTTP
While this caponized version of the ISA firewall retains only a fraction of its ability to act as a network firewall protecting hosts on your corporate network, it does keep full firewall functionality when it comes to protecting itself. The ISA firewall will not be directly accessible to any host, external or internal, unless you enable system policy rules to allow access.
The NIC configuration on the unihomed ISA firewall should set the default gateway as the IP address of any current gateway on the network that allows the unihomed ISA firewall access to the Internet. All other non-local routes need to be configured in the unihomed ISA firewall's routing table.
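One way to check the routing requirement above, as an added example that is not from the original text: the script parses a constructed `route print` excerpt and lists the internal subnets that have no specific route and would therefore be handed to the default gateway. All addresses, subnets and function names are assumptions chosen for illustration.

```python
import ipaddress

# Constructed `route print` excerpt for a unihomed host at 10.0.0.10/24 whose
# default gateway 10.0.0.1 is the Internet gateway (all addresses are assumptions).
ROUTE_PRINT = """\
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.10     20
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10     20
         10.0.1.0    255.255.255.0       10.0.0.254       10.0.0.10      1
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1      1
"""

def parse_routes(text):
    """Return [(network, gateway)] from the route rows of `route print` output."""
    routes = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # header line or anything that is not a route row
        try:
            net = ipaddress.ip_network(f"{fields[0]}/{fields[1]}")
            gw = ipaddress.ip_address(fields[2])
        except ValueError:
            continue  # row that does not hold valid addresses
        routes.append((net, gw))
    return routes

def next_hop(routes, subnet):
    """Longest-prefix match for a whole subnet: (route network, gateway) or None."""
    target = ipaddress.ip_network(subnet)
    covering = [(n, g) for n, g in routes if target.subnet_of(n)]
    return max(covering, key=lambda r: r[0].prefixlen) if covering else None

def missing_routes(routes, internal_subnets):
    """Internal subnets matched only by the default route (or by nothing)."""
    missing = []
    for subnet in internal_subnets:
        hop = next_hop(routes, subnet)
        if hop is None or hop[0].prefixlen == 0:
            missing.append(subnet)
    return missing

if __name__ == "__main__":
    internal = ["10.0.0.0/24", "10.0.1.0/24", "10.0.2.0/24"]
    for subnet in missing_routes(parse_routes(ROUTE_PRINT), internal):
        print(f"{subnet}: no specific route, falls through to the default gateway")
```
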
If you only require a Web Proxy service to perform both forward and reverse proxy, then you can install the ISA firewall on a single-NIC machine. The installation process differs a bit from what you find when the ISA firewall is installed on a multi-NIC machine.
Perform the following steps to install the ISA firewall software on a single-NIC machine:
Insert the ISA Server 2004 installation CD into the CD-ROM drive or connect to a network share point hosting the ISA Server 2004 installation files. If the installation routine does not start automatically, double-click the isaautorun.exe file in the root of the installation files folder tree.
On the Microsoft Internet Security and Acceleration Server 2004 page, click Review Release Notes, and read the release notes. The release notes contain very important and topical information regarding changes in basic firewall software functionality. This information may not be included in the Help file or elsewhere, so we highly recommend that you read it here. After reviewing the release notes, click Read Setup and Feature Guide. You may want to read the guide now, just review the major topics covered in the guide, or print it out. Click Install ISA Server 2004.
Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. Enter your serial number in the Product Serial Number text box. If you installed an evaluation copy of the ISA firewall software and now are installing a licensed version, back up your configuration using the ISA firewall's integrated backup tool, and uninstall the evaluation version. Restart the installation of the licensed version of the ISA firewall software. Click Next.
On the Setup Type page, click the Custom option.
On the Custom Setup page you'll notice that the Firewall Services, Advanced Logging, and ISA Server Management options are selected by default. While you can install the Firewall Client share, keep in mind that the unihomed ISA firewall does not support Firewall or SecureNAT clients. The only client type supported is the Web Proxy client. However, if you have full service ISA firewalls on your network, you can install the Firewall client share on this machine and allow network clients to download the Firewall client software from the unihomed ISA firewall. There is no point to installing the SMTP message screener on the unihomed ISA firewall since this mode does not support Server Publishing Rules. Click Next.
On the Internal Network page click Add. On the address ranges for internal network page, click Select Network Adapter, as shown in Figure 6.13.

Figure 6.13: The Internal Network Definition on the Unihomed ISA Firewall
On the Select Network Adapter page, the Add the following private ranges and Add address ranges based on the Windows Routing Table options are selected. While you don't have to do anything in this dialog box, we recommend that you remove the checkmark from the Add the following private ranges option and put a checkmark in the box next to the single NIC installed on the unihomed ISA firewall. Click OK.
Click OK in the Setup Message dialog box informing you that the Internal Network was defined based on the routing table. This dialog box really doesn't apply to the unihomed ISA firewall, since all IP addresses in the IPv4 address range (except for the local host network ID) are included in the definition of the Internal Network. The reason why the local host network ID is not included is that this address is included in the Local Host Network definition.
In the Internal network address range dialog box (Figure 6.13), you'll see that all IP addresses are included in the definition of the Internal network. Click OK.
Click Next on the Internal Network page.
Click Next on the Firewall Client Connection Settings page. These settings don't mean anything because Firewall clients are not supported by the unihomed ISA firewall.
Click Next on the Services page.
Click Install on the Ready to Install the Program page.
Put a checkmark in the Invoke ISA Server Management when the wizard closes checkbox, and click Finish.
There are some significant limitations to the single-NIC ISA firewall because there is no External network, there is a lack of Firewall client support, and because of other factors. We discuss some of the implications of the unihomed ISA firewall and Access Policy related to this configuration in Chapter 7.