Solutions Fast Track
Pre-installation considerations
The most important issue in server sizing for the ISA firewall is the link speed of the Internet connections.
The routing table on the ISA firewall must be properly configured before installation of the ISA firewall.
A split-DNS infrastructure will provide the best and most transparent name resolution solution for all organizations that require remote access to corporate resources.
Correct DNS configuration on the ISA firewall's network interfaces is a critical factor in optimizing the speed and accuracy of Internet access.
Consider whether you will use forward and reverse caching when planning the memory and disk requirements for your ISA firewall hardware.
MSDE and file-based logging store information on the ISA firewall itself. Plan adequate disk space to support these logs.
Performing a clean installation
You must install the IIS SMTP service on the server before installing the ISA firewall if you want to run the SMTP Message Screener on that machine.
The Internal Network is defined as the network with the core network services used by the ISA firewall, such as Active Directory, DNS, DHCP, and Certificate services.
If Firewall client encryption is enabled, only machines with the ISA 2004 version of the Firewall client are supported.
You will not need to restart the ISA firewall after installation is complete if any version of ISA has been installed on the same machine previously.
Default Post-install System Policy and Firewall Configuration
The Default Rule Access Rule blocks all traffic moving through the ISA firewall and is the only Access Rule enabled by the installation routine.
The default Network Rule between the Internal Network and the Internet is set to NAT.
Web caching is disabled by default after installation. It can be enabled by creating a cache drive.
Autodiscovery information publishing is disabled by default.
Performing an upgrade installation
Many features included with ISA Server 2000 are not included in ISA 2004, which may complicate upgrade and migration plans.
You can upgrade ISA Server 2000 versions to like versions of ISA 2004.
Single NIC ISA Firewall installation
Much of the ISA firewall's firewall functionality is lost in a single NIC configuration.
The single NIC ISA firewall configuration is a holdover from the old Proxy Server 2.0 days.
When installed in single NIC mode, the ISA firewall is able to protect itself effectively, but only secures HTTP, HTTPS, and FTP connections.
Firewall and SecureNAT clients are not supported by the single NIC ISA firewall.
Quick-Start Configuration for ISA Firewalls
The quick-start configuration in this chapter allows you to install and configure a dual-NIC ISA firewall and get connected to the Internet as quickly as possible.
The quick-start configuration is not meant to be a comprehensive guide to ISA firewall configuration, security, and optimization. Think of it as a baseline configuration that you can use until you have a better understanding of how the ISA firewall works.
Hardening the ISA Firewall's Configuration and Operating System
You can enhance the security of the ISA firewall's base operating system by disabling services the ISA firewall's firewall services do not require.
You will need to enable some services on the ISA firewall in order to provide
ISA firewall Administrative roles can be assigned to users and groups to provide access to the firewall configuration and management components.