The mechanism that lies at the base of ISA Server's functionality is the operating system. ISA draws from Windows its base network and kernel functionality, and it cannot be installed without it. Consequently, the operating system installation is the first step in the creation of a new ISA Server.
As previously mentioned, ISA Server 2004 software requires an operating system to supply needed core functionality. Although Windows 2000 Server is supported, the operating system of choice for ISA Server 2004 is Windows Server 2003 Standard edition. The Windows Server 2003 operating system encompasses a myriad of new technologies and functionality, more than can be covered in this book. If additional reading on the capabilities of the operating system is desired, the recommended reference is Windows Server 2003 Unleashed, from SAMS Publishing (ISBN: 0672326167).
NOTE
It is highly recommended to install ISA Server 2004 on a clean, freshly-built operating system on a reformatted hard drive. If the server that will be used for ISA Server was previously running in a different capacity, the most secure and robust solution would be to completely reinstall the operating system using the procedure outlined in this section.
Installation of Windows Server 2003 is straightforward, and takes approximately 30 minutes to an hour to complete. The following step-by-step installation procedure illustrates the procedure for installation of standard Windows Server 2003 media. Many hardware manufacturers include special installation instructions and procedures that may vary from the procedure outlined here, but the concepts are roughly the same. To install Windows Server 2003 Standard edition, perform the following steps:
1. Insert the Windows Server 2003 Standard CD into the CD Drive.
2. Power up the server and let it boot to the CD-ROM drive. If there is currently no operating system on the hard drive, it automatically boots into CD-ROM-based setup, as shown in Figure 2.2.
   Figure 2.2. Running the CD-ROM-based Windows Server 2003 setup.
3. When prompted, press Enter to start setting up Windows.
4. At the licensing agreement screen, read the license and then press F8 if you agree to the license agreement.
5. Select the physical disk on which Windows will be installed. Choose between the available disks shown by using the up and down arrows. When selected, press Enter to install.
6. At the next screen, choose Format the Partition Using the NTFS File System by selecting it and pressing Enter to continue.
Following this step, Windows Server 2003 Setup begins formatting the hard drive and copying files to it. After a reboot and more automatic installation routines, the setup process continues with the Regional and Language Options screen as follows:
1. Review the regional and language options and click Next to continue.
2. Enter a name and organization into the Personalization screen and click Next to continue.
3. Enter the product key for Windows. This is typically on the CD case or part of the license agreement purchased from Microsoft. Click Next after the key is entered.
4. Select which licensing mode will be used on the server, either Per Server or Per Device, and click Next to continue.
5. At the Computer Name and Administrator Password screen, enter a unique name for the server and type a cryptic password into the password fields, as shown in Figure 2.3. Click Next to continue.
   Figure 2.3. Configuring the server name and Administrator password.
6. Check the Date and Time Zone settings and click Next to continue.
The next screen to be displayed is where networking settings can be configured. Setup allows for automatic configuration (Typical Settings) or manual configuration (Custom Settings) options. Selecting Custom Settings allows for each installed Network Interface Card (NIC) to be configured with various options, such as Static IP addresses and custom protocols. Selecting Typical Settings bypasses these steps, although they can easily be set later.
1. To simplify the setup, select Typical Settings and click Next. Network settings should then be configured after the OS is installed.
2. Select whether the server is to be a member of a domain or a workgroup member. For this demonstration, choose Workgroup.
3.
After more installation routines and reboots, setup is complete, and the operating system can be logged into as the local Administrator and configured for ISA Server 2004.
Each deployed ISA Server 2004 server has its network settings configured uniquely, to match the network or networks to which the server is connected. It is important to understand the implications of how the network configuration affects ISA Setup. For example, the sample ISA Server in Figure 2.4 illustrates how one ISA server that is connected to the Internet, an Internal network, and a Perimeter (DMZ) network is configured.
NOTE
It is often highly useful to rename the network cards' display names on a server to help identify them during troubleshooting. For example, naming a NIC Internal, External, or DMZ helps to identify to which network it is attached. In addition, it may also be useful to identify to which physical port on the server the NIC corresponds, with names such as External (top), Internal (bottom), DMZ (PCI).
ISA Firewall rules rely heavily on the unique network settings of the server itself, and the assumption is made throughout this book that these settings are properly configured. It is therefore extremely important to have each of the Network Interface Cards (NICs) set up with the proper IP addresses, gateways, and other settings in advance of installing ISA Server.
If the deployment of ISA Server will take advantage of the Message Screener component of ISA Server 2004, the SMTP Service must first be installed and configured on the server. The Message Screener service enables the ISA Server to act as an SMTP relay for inbound or outbound mail flow in an organization. ISA Server inspects the SMTP packets and filters messages based on preset criteria. This functionality allows for a base level of anti-spam and content filtering for mail messages.
The Message Screener service can be useful for organizations that currently have their email server directly connected to the Internet and want to move away from this insecure configuration. The ISA Server acts as a bastion host, sitting between the email server and the Internet clients, taking the brunt of the attacks and spam attempts.
CAUTION
The SMTP Service should be installed only if the Message Screener service will be utilized on the ISA Server itself. If it will not be used, it should not be enabled so as to reduce the attack surface of the ISA Server.
To install the SMTP Service on an ISA Server that will run the Message Screener service, perform the following procedure:
1. Log in as a local administrator, click Start, Control Panel, Add or Remove Programs.
2. Click Add/Remove Windows Components.
3. Select Application Server by clicking on the text. (Do not click the check box.) Click the Details button.
4. Select Internet Information Services (IIS) by clicking on the text. (Do not click the check box.) Click the Details button.
5. On the subcomponents screen, scroll down and then check the box next to SMTP Service, as shown in Figure 2.5.
   Figure 2.5. Installing the SMTP Service.
   CAUTION
   When a subcomponent such as the SMTP Service is selected for installation, multiple additional components that are required for the SMTP Service to run are automatically selected. Do not try to uninstall these services, or the SMTP Service will fail to run.
6. Click OK, OK, and then Next to begin installation.
7. A prompt may appear asking for the Windows Server 2003 media. Insert it when prompted and click OK to continue.
8. Click Finish at the completion window.
The release of the long-delayed Service Pack 1 for Windows Server 2003 introduced a myriad of design and security improvements to the underlying architecture of Windows Server 2003. Because many of these improvements directly improve ISA Server 2004 security, it is highly recommended to take advantage of these improvements by installing the Service Pack and running the Security Configuration Wizard, which is made available through its installation.
NOTE
It is important to note that for ISA Server 2004 to run properly on Windows Server 2003 with SP1, it must be updated with ISA Server 2004 Standard edition Service Pack 1. The Enterprise edition does not have this limitation.
To update Windows Server 2003 with the service pack, obtain the SP1 media or download the Service Pack binaries from the following URL:
http://www.microsoft.com/windowsserver2003/downloads/servicepacks/sp1/default.mspx
After it is obtained, install the Service Pack by performing the following steps:
1. Start the installation by either double-clicking on the downloaded file or finding the update.exe file located with the Windows Server 2003 Service Pack 1 media (usually in the Update subdirectory).
2. At the welcome screen, as shown in Figure 2.6, click Next to continue.
   Figure 2.6. Updating Windows Server 2003 with Service Pack 1.
3. Read the licensing agreement and select I Agree if in agreement. Click Next to continue.
4. Accept the defaults for the Uninstall directory and click Next to continue.
5. The Service Pack then begins the installation process, which will take 10 to 20 minutes to complete. Click Finish to end the Service Pack installation and reboot the server.
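The prerequisites covered up to this point (service pack level, the SMTP Service caution, and NIC naming and addressing) can be reviewed in one read-only pass before ISA Server setup is run. The following is an added example, not part of the original text: it assumes Windows PowerShell has been installed on the server (it is not part of a default Windows Server 2003 installation), and the function name Test-IsaPrerequisites and its -MessageScreener parameter are hypothetical.

```powershell
# Added example: read-only prerequisite review before running ISA Server 2004 setup.
# Assumption: Windows PowerShell is installed. Test-IsaPrerequisites and its
# -MessageScreener parameter are hypothetical names chosen for this example.
function Test-IsaPrerequisites {
    param([bool]$MessageScreener = $false)

    $findings = @()

    # 1. Operating system and service pack level.
    $os = Get-WmiObject -Class Win32_OperatingSystem
    $sp = [int]$os.ServicePackMajorVersion
    $findings += "INFO  OS: $($os.Caption), service pack level $sp"
    if ($sp -lt 1) {
        $findings += "WARN  Service Pack 1 is not installed"
    } else {
        $findings += "NOTE  ISA Server 2004 Standard edition needs its own SP1 on this OS level"
    }

    # 2. The SMTP Service (service name SMTPSVC) should be present only when
    #    Message Screener will run on this server.
    $smtp = Get-WmiObject -Class Win32_Service -Filter "Name='SMTPSVC'"
    if ($smtp -and (-not $MessageScreener)) {
        $findings += "WARN  SMTP Service is installed ($($smtp.State), start mode $($smtp.StartMode)) but Message Screener is not planned"
    } elseif ((-not $smtp) -and $MessageScreener) {
        $findings += "WARN  Message Screener is planned but the SMTP Service is not installed"
    } else {
        $findings += "OK    SMTP Service presence matches the Message Screener plan"
    }

    # 3. List every IP-enabled NIC so display names, addresses and gateways can be
    #    compared with the network design before setup. @() keeps the loop from
    #    running when no adapter is returned.
    $configs = @(Get-WmiObject -Class Win32_NetworkAdapterConfiguration -Filter "IPEnabled=TRUE")
    foreach ($cfg in $configs) {
        $nic  = Get-WmiObject -Class Win32_NetworkAdapter -Filter "Index=$($cfg.Index)"
        $name = $nic.NetConnectionID
        $findings += "INFO  NIC '$name': IP=$($cfg.IPAddress) GW=$($cfg.DefaultIPGateway) DHCP=$($cfg.DHCPEnabled)"
        if ($name -like 'Local Area Connection*') {
            $findings += "NOTE  NIC '$name' still has a default display name"
        }
    }
    $findings
}

# Pass $true only if Message Screener will run on this ISA Server.
Test-IsaPrerequisites -MessageScreener $false
```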
In addition to the patches that were installed as part of the Service Pack, security updates and patches are constantly being released by Microsoft. It is highly advantageous to install the critical updates made available by Microsoft to the ISA Server, particularly when it is first being built. These patches can be manually downloaded and installed, or they can be automatically applied by using Windows Update, as detailed in the following procedure:
1. While logged in as an account with local Administrator privilege, click on Start, All Programs, Windows Update.
2. Depending on the Internet Explorer security settings, Internet Explorer may display an information notice that indicates that Enhanced Security is turned on. Check the box labeled In the Future, Do Not Show This Message and click OK to continue.
3. At this point, Windows Update may attempt to download and install the Windows Update control and may display a notification similar to the one shown in Figure 2.7. Click Install to allow the control to install.
   Figure 2.7. Installing the Windows Update control.
4. Depending on the version of Windows Update currently available, the Windows Update site may prompt for installation of the latest version of Windows Update software. If this is the case, click Install Now when prompted. If not, proceed with the installation.
The subsequent screen, shown in Figure 2.8, offers the option of performing an Express Install, which automatically chooses the critical security patches necessary and installs them, or a Custom Install, where the option to choose which particular patches (critical and non-critical) is offered. If more control over the patching process is required, then the Custom Install option is preferred. For a quick and easy update process, Express Install is the way to go. To continue with the installation, perform the following steps:
TIP
Running Windows Update on an ongoing basis as part of a maintenance plan is a wise idea for keeping the server up to date with the most recent patches and fixes. For production servers, however, it is advisable to initially test those patches in a lab environment when possible. In addition, although enabling Automatic Updates to perform this function may seem ideal, it is not recommended to automatically install any updates on a running server, particularly a security-based server.