This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Block Windows Live Messenger

From Part 11: HTTP Filtering, you learn about HTTP filtering concept. Now let’s apply it with a real world example, Windows Live Messenger. On this post, I show you how to block Windows Live Messenger on ISA Server 2006.

Windows Live Messenger is a popular instant messaging application, many people using it regularly. But sometimes, people use it at work place and unintentionally receive a file containing virus. Then, they execute it, so the virus spread on the network. Therefore, it is a task of an IT staff to secure the system and prevent this issue. The best and effective solution is to enforce strictly firewall policy. But sometimes, you cannot do that. For example, users on research department want access to any websites (HTTP) because they do not know what websites they want to access until they need. Then, you have to create an access rule to allow HTTP to from Internal to External for these users. Now they can use Windows Live Messenger because Windows Live Messenger communicates with its servers through either of these ports:

• MSN Messenger protocol (TCP: 1863).
• HTTP protocol (TCP: 80).

If you block only MSN Messenger protocol, users still can use Windows Live Messenger through HTTP protocol. Now what should you do? Block HTTP protocol? Doing that will also block users to access websites so you cannot do that. Here it comes, HTTP filtering. You can block only Windows Live Messenger on ISA Server without blocking the HTTP protocol if you know the signature. HTTP header is also the signature.

So what is the signature of Windows Live Messenger? I have sniffed HTTP packets while I signing to Windows Live Messenger. Here are the signature and protocol port of Windows Live Messenger:

• The client communicates with the server of Windows Live Messenger using TCP outbound port 1863.
  
• While the client requesting information from the server (request header), one signature of it is User-Agent: Windows Live Messenger.
  

Now I show you how to configure to block Windows Live Messenger on ISA Server 2006.

Step-by-step

1. Create an access rule to block TCP outbound port 1863. ISA Server 2006 already has pre-defined this port as MSN Messenger protocol. I am not going to show detail steps on creating an access rule. You can review them at Part 7: Create DNS Lookup Rule and Part 8: Create Web Access Rule.
   • Rule Name: Block Windows Live Messenger
   • Action: Deny
   • Protocol: MSN Messenger
   • From: Internal
   • To: External
   • Condition: All Users

   

2. Next, configure HTTP filtering to block the signature of Windows Live Messenger. Right click on “Allow HTTP, HTTPS for Linglom” and select Configure HTTP.
   Note: This menu option available on an access rule that contains HTTP protocol only.
   
3. On Configure HTTP policy for rule, click on Signatures tab and click Add.
   
4. On Signature, enter these information below to block Windows Live Messenger and then click OK.
   • Name: Blocks Windows Live Messenger or any name as you want.
   • Search in: Request headers
   • HTTP header: User-Agent:
   • Signature: Windows Live Messenger

   Note: Don’t forget semi-colon (:) after User-Agent text.
   

5. Back to Configure HTTP policy for rule, you see the signature has been created for this rule. You also can disable the signature by un-check it. On this example, leave it as checked to enable the signature. Click OK.
   
6. Don’t forget to click Apply to update the configuration.
   
7. Let’s try to sign in Windows Live Messenger on the client computer, you see that I cannot sign in any more.
   

Summary

Now You have reach the end of Getting started with Microsoft ISA Server 2006 series. This series contains 12 parts: it gives you an introduction of ISA Server 2006, how to install and configure ISA Server 2006 on simple environment, how to create an access rule, and how to use some useful features on ISA Server 2006. I hope you get what you want on this series. If you have any comment or suggestion, feel free to leave it below.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
2. Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering
3. Getting started with Microsoft ISA Server 2006, Part 1: Introduction

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

HTTP Filtering

From Part 10: Logging, you learn how to configure and use logging on ISA Server 2006. Now, you will learn about HTTP filtering.

Have you ever want to block users using MSN or Yahoo messenger, or deny them to using free email services, or block them to post anything on web boards, or block them to use bit-torrent to download files? This post will answer these questions with Microsoft ISA Server 2006.

HTTP traffic is a data packet using HTTP protocol on the network which is used by most applications. On each packet of HTTP traffic, there is a header which contains information about server and client that are communicating each other at the time. These header information are such as:

• Request Methods. For example, GET, POST, CONNECT.
• User-Agent, such as Mozilla/4.0, Mozilla/5.0, Firefox
• Content-Type. The mime type of the body of the request, such as application/x-www-form-urlencoded, application/xml, image/jpeg, text/xml.
• Host. The domain name of the server, for example, www.bing.com, www.linglom.com.

For more information about HTTP, see these links from wiki.org:

• Hypertext Transfer Protocol
• Lists of HTTP headers

So why learn about these HTTP headers? You can use these HTTP headers information to block or allow specific application on ISA Server 2006. Still not get it? Let’s see some examples of real HTTP traffic.

You can use some sniffer program to capture data packets that pass in/out through a network interface card on a computer. On this example, I use Ethereal. I install it on the same server as ISA Server 2006 but you can install and test on any computer as you want. Then, I start capturing packets on the network interface card that connects to the Internet and browse to http://www.bing.com using Internet Explorer.

After that, I see these HTTP traffics on ethereal. First, My computer sends a HTTP request to the web server (www.bing.com).
Detail: Request Method is GET. User-Agent is Mozilla/4.0 (compatible: MSIE 6.0). HOST is www.bing.com.

Second, the web server has send HTTP response back to the client. The response packet looks similar as the figure below.
Detail: Response Code is 200 (OK). Content-Type is text/html.

What’s Next?

Now you learn some concepts about HTTP and its header. Next, I will show how to use these information to block Windows Live Messenger on ISA Server 2006. See Part 12: Block Windows Live Messenger.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
2. Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Logging

From Part 9: Client Configuration, you learn how to configure a client computer. On this post, I will show how to use logging to observe usage which is a feature on ISA Server 2006 which keeps track any usage on ISA Server 2006.

When there is a communication between networks (Internal, External, Localhost, etc.) on the ISA Server, it will generate log. The log shows the log time, source IP address, destination IP address and port, action, rule applied to, etc. You can configure what fields that you want to log. There are three log storage formats supported on ISA Server 2006: MSDE database, SQL database and file.

The benefits of logging:

• Track usage on certain users, groups.
• Troubleshoot issues on the ISA Server.
• Keep as Internet access log. In some countries, it is require to keep the Internet access log in order to comply with the law.

Step-by-step

Logging Configuration

Actually, there is no need to configure logging on ISA Server 2006 because the configuration works great on default settings already.

1. Open Logging by expand Arrays -> BKKISA001 -> Monitoring. Click on Logging tab.
   
2. To configure firewall logging, select Tasks -> Configure Firewall Logging.
   Note: You also can configure web proxy logging by click on Configure Web Proxy Logging. The configuration is the same as firewall logging so I will not repeat it.
   
3. On Firewall Logging Properties, you can choose to keep log on MSDE, SQL Server or a file. The default configuration is MSDE database and the default location is C:\Program Files\Microsoft ISA Server\ISALogs. Let’s click on Options next to MSDE database to see what can be configured for MSDE database.
   
4. On Options, you see that you can change location to store the log files and the log file storage limitation. You can limit the size of log files, maintain disk space by deleting the older log files or discard new entries and whether you want to delete log files after period of time.
   
5. Back to Firewall Logging Properties, there is another tab, Fields. Here you can customize which fields you want to keep or discard on log files. Normally, you don’t have to modify these configuration. It works perfect by default.
   

Observe Logging

1. On Logging, click on Start Query.
   
2. Generate some traffic by access the Internet on the client computer. Open web browser and browse to www.google.com.
   
3. Now you see some logs on the ISA Server 2006.
   
4. You can filter logging on ISA Server 2006 by click on Edit Filter.
   
5. On Edit Filter, modify columns and conditions as you want. Then, click Start Query.
   
6. This is an example of the filtered logs on ISA Server 2006.
   

What’s Next?

Now you learn how to observe logging on ISA Server 2006. It is a useful feature which allow you to troubleshoot issues most of the time. Next, I will show more advance topic, HTTP filtering. See Part 11: HTTP Filtering.

No related posts.

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Client Configuration

From Part 8: Create Sample Access Rule, you have created an access rule on ISA Server 2006. Now, it is time to configure the client computer. There are three types of client that you can choose: SecureNAT, Firewall client and Web Proxy. Each type has a different features, see the table below for the comparison.

On this example, I configure the client computer as firewall client type. But you will see how to configure all types of client.

Section

• Client Types
• SecureNAT client
• Firewall client
• Web Proxy client

Client Types

The table below compares the ISA Server clients.

Back to top

SecureNAT client

1. To configure client as SecureNAT client type, set the default gateway of the network interface card on client to the ISA Server.
   
2. If you are using DHCP, you can configure by add Router scope option to the ISA Server.
   

Back to top

Firewall client

1. Download Firewall Client for ISA Server from Microsoft.
2. Install Microsoft Firewall Client on the client computer.
   
3. On ISA Server Computer Selection, select Connect to this ISA Server computer and type the ISA Server host name.
   
4. After the installation completes, you will see the firewall client’s icon on the task bar.
   
5. You can view and modify configuration by double-click on the icon and select Settings tab. Also, you can click on Apply Default Settings Now for other users on this computer can use this configuration.
   

Back to top

Web Proxy client

1. Open your web browser. On this example, I use Internet Explorer.
2. On Menu bar, Click on Tools -> Internet Options.
   
3. On Internet Options, Select Connections tab and click on LAN settings.
   
4. On Local Area Network (LAN) Settings, check the box Use a proxy server for your LAN and type the ISA Server address and port.
   

Back to top

What’s Next

Now I have done the basic configuration on both ISA Server 2006 and the client computer. Next, it is time to test accessing the Internet from the client through the ISA Server. See Part 10: Logging.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
2. Getting started with Microsoft ISA Server 2006, Part 1: Introduction

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Create Firewall Policy Rule

From Part 7: Create DNS Lookup Rule, you have create an access rule to allow DNS look up from the internal network to the external DNS addresses. But you do not have any web access rule for users. So now, I will show how to create an access rule on ISA Server 2006 to allow HTTP and HTTPS protocols for a user to access the Internet.

Step-by-step

1. On ISA Server Management, open Firewall Policy by expand Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
   
2. On Firewall Policy, select Tasks and click on Create Access Rule.
   
3. On Welcome to the New Access Rule Wizard, type a name for the access rule. On this example, I type “Allow HTTP, HTTPS for Linglom” and click Next.
   
4. On Rule Action, select Allow and click Next.
   
5. On Protocols, you have to choose which protocols will be applied to this rule.
   • Select Selected protocols and click Add.
     
   • On Add Protocols, expand Common Protocols and double-click on HTTP and HTTPS. Then, click Close and click Next to continue.
     
6. On Access Rule Sources, select the source network for this rule.
   • Click Add.
     
   • On Add Network Entities, expand Network and double-click on Internal. Click Close and click Next to continue.
     
7. On Access Rule Destinations, do the same as the previous step but select External network as a destination.
   
8. On User Sets, you have to select which users and groups are applied to this access rule. On this example, I want this rule apply to only a domain user account – linglom.
   • Remove All Users by click on Remove and add a new User Sets by click Add.
     
   • On Add Users, you see existing user sets available. There is no user set that I want so I will create a new one. Click New.
     
   • On Welcome to the New User Set Wizard, type the name of a new user set that you want and click Next.
     
   • On Users, click Add -> Windows users and groups.
     
   • On Select Users or Groups, select the users or groups that you want to add to this new user set. On this example, I select the domain user – linglom. Then, click OK.
     
   • You see that the user has been added to a new user set. Click Next.
     
   • On Completing the New User Set Wizard, click Finish.
     
   • A new user set is created. The, select on it and click Add to add the new user set to this rule.
     
   • Now the user set is added to the rule. So this rule will be apply to only this user – Linglom. Click Next.
     
9. On Completing the New Access Rule Wizard, click Finish.
   
10. Don’t forget to save the changes that you have made by click on Apply at the top.
    
11. The changes have been saved. Click OK.
    
12. Now you see the rule that you have created.
    

What’s Next

You have some access rules on ISA Server 2006. That’s it for the basic configuration on the sever. Next, I will start configure client to access the Internet through ISA Server 2006. See Part 9: Client Configuration.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
2. Getting started with Microsoft ISA Server 2006, Part 7: Create DNS Lookup Rule
3. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Create DNS Lookup Rule

From Part 6: Configure Network Layout, you have configured network environment of the ISA Server 2006. Now let’s create some access rules on ISA Server 2006.

On this example, I have internal and external DNS servers as I have shown the network diagram in Part 2: Environment Setup. The internal DNS server should work fine since it is on the same network with clients – the Internal network. But the external DNS servers (or my ISP’s DNS servers) are on the external network. And currently, ISA Server 2006 blocks all network access so clients from the internal network cannot request any DNS look up from the external DNS servers. This would be a problem if some clients want to use the Internet. Therefore, I will create an access rule to allow DNS look up for clients on the internal network to the external DNS servers. The external DNS servers are 203.144.255.71 and 203.144.255.72.

Step-by-step

1. On ISA Server Management, open Firewall Policy by expand Arrays -> BKKISA001 -> Firewall Policy (BKKISA001).
   
2. Create a new access rule by click on Tasks tab -> Create Access Rule.
   
3. On Welcome to the New Access Rule Wizard, type the access rule name. On this example, I type “Allow DNS Lookup” and click Next.
   
4. On Rule Action, you can select allow or deny on this rule. Select Allow and click Next.
   
5. On Protocols, you can select the protocols this rule applied to.
   • Choose Select protocols from a drop down menu and click Add.
     
   • On Add Protocols, expand Common Protocols and double-click on DNS. Click Close.
     
   • Back to Protocols, now the DNS protocol is added to the rule. Click Next.
     
6. On Access Rule Sources, you can specify source networks for this rule.
   • Click Add.
     
   • On Add Network Entities, expand Networks and double-click on Internal. Click Close.
     
   • Back to Access Rule Sources, now the Internal network is added as access rule source. Click Next.
     
7. On Access Rule Destination, you can specify destination networks for this rule.
   • Click Add.
     
   • On Add Network Entities, click on New -> Address Range.
     
   • On New Address Range Rule Element, type the name and specify the IP address range. On this example, I name it as “External DNS Addresses” and the IP address range is 203.144.255.71 to 203.144.255.72. Click OK.
     
   • Back to Add Network Entities, there is a new address range that I have just created so double-click on it to add to the rule and click Close.
     
   • Back to Access Rule Destination, now the “External DNS Addresses” is added to the rule as access rule destination. Click Next.
     
8. On User Sets, you can specify the user sets for the rule. On this example, I leave it as All Users and click Next.
   
9. On Completing the New Access Rule Wizard, click Finish.
   
10. To save changes that you have made, you must click on Apply.
    
11. On Saving Configuration Changes, click OK.
    
12. Now you have completed create an access rule to allow DNS look up from internal network to the external DNS server.
    

What’s Next?

You have created your first access rule for DNS look up. Now clients will be able to resolve name on the Internet. But there is no access rule for Internet access yet. So next, I will create another access rule for clients to access the Internet. See Part 8: Create Web Access Rule.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
2. Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule
3. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Configure Network Layout

From Part 5: Network Layout Concept, you learn about network templates. On this post, I will show how to configure networking environment of the ISA Server 2006 using edge firewall template which is the most suitable template for this example. You can see the network diagram of the example on Part 2: Environment Setup.

Step-by-step

1. Open ISA Server Management by click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
   
2. On Microsoft Internet Security and Acceleration Server 2006, expand Arrays -> BKKISA001 -> Configuration -> Networks.
   
3. Select Templates tab and click on the Edge Firewall template.
   
4. A Network Template Wizard window appears, click Next to continue.
   
5. On Export the ISA Server Configuration, you can click on Export button to backup your current ISA Server configuration. But this is the first time configuration so there is no need to backup anything.
   
6. On Internal Network IP Addresses, verify if the IP address ranges are correct. My internal network is 192.168.10.0/24 so the existing range is correct. Click Next.
   
7. On Select a Firewall Policy, you can choose a pre-defined firewall policy which will be applied to the network specified in this template. On this example, I select Block all. I will create firewall rules manually on the next part.
   Note: On edge firewall template, there are five predefined firewall policies which are:
   1. Block all
      Block all network access through ISA Server. This option does not create any access rules other than the default rule which blocks all access.
      Use this option when you want to define firewall policy on your own.
   2. Block Internet access, allow access to ISP network services
      Block all network access through ISA Server, except for access to network services, such as DNS. This option is useful when these services are provided by your Internet Service Provider (ISP).
      Use this option when you want to define firewall policy on your own.

      The following access rules will be created:

      • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
   3. Allow limited Web access
      Allow Web access using HTTP, HTTPS, FTP, only. Block all other network access.

      The following access rules will be created:

      • Allow HTTP, HTTPS, FTP from Internal Network to External Network.
      • Allow all protocols from VPN Clients Network to Internal Network.
   4. Allow limited Web access and access to ISP network services.
      Allow limited Web access using HTTP, HTTPS, and FTP, and allows access to ISP network services, such as DNS. Block all other network access.
      The following access rules will be created:
      • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet).
      • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
      • Allow all protocols from VPN Clients Network to Internal Network.
   5. Allow unrestricted access
      Allow unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet.

      The following access rules will be created:

      • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet).
      • Allow all protocols from VPN Clients Network to Internal Network.

   

8. On Completing the Network Template Wizard, click Finish.
   
9. Then, you notice that there is a warning icon at the top of ISA Server Management. This means that the changes which you have made do not take effect yet. To update the configuration, click Apply.
   Note: If you want to undo changes that you have made, click Undo.
   
10. The changes have been saved.
    

What’s Next

You have configure networking environment for the ISA Server 2006. Next, let’s see how to create some access rules on ISA Server 2006. See Part 7: Create DNS Lookup Rule.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept
2. Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
3. Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Configure Network Layout

From Part 3: Installation and Part 4: Service Pack 1, you learn how to install and update ISA Server 2006. Next, it is time to configure the ISA Server 2006. On this post, I am going to show how to configure networking environment for ISA Server 2006 by selecting from the pre-defined network templates.

By default, ISA Server 2006 comes with five pre-defined network templates. You can select one of them that match your networking environment. Let’s see each of them in details.

1. Edge Firewall
   This is a standard network topology for small to medium organization. The ISA Server is a main gateway controlling traffic between the intranet (LAN) and the Internet networks. The ISA Server needs 2 network interface cards.
   
2. 3-Leg Perimeter
   This is a standard network topology for medium to large organization. There is an additional network which is a perimeter network connects to ISA server compare to the edge firewall. The perimeter network or DMZ (Demilitarized Zone) is a network that is less secure for serving Web server, E-Mail server, DNS server and other services to the Internet users and also the internal users. The ISA Server needs 3 network interface cards.
   
3. Front Firewall
   This is a network topology for organization that security is high priority. In this case, there are more than one firewall. When a hacker attacks the front firewall and it compromises, there is still a back firewall to protect the internal network. This template, ISA Server acts as front firewall server between the Internet and the perimeter network and needs 2 network interface cards.
   
4. Back Firewall
   This network template is similar as the front firewall template except that the ISA Server that you’re configuring is the back firewall which stands between the internal and the perimeter networks.This template, ISA Server needs 2 network interface cards.
   
5. Single Network Adapter
   This is a network template for ISA Server to be act as Proxy server only. ISA Server can do caching to improve performance for users using the Internet in organization. This template, ISA Server requires only a single network interface card as the name of the template.
   

Note: About front and back Firewall templates, you have more than one firewalls. It is best practice not to use the same firewall model. For example, you should have the front firewall as hardware base from one company and the back firewall as software base from another company, or vice versa. If a hacker breaks the front firewall, then the hacker will takes an extra time to break another firewall to reach our internal network since the hacker cannot use the same technique to break the back firewall.

What’s Next?

Well, bore with reading the concept? Let’s see how to configure networking environment in action. See Part 6: Configure Network Layout.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout
2. Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
3. Getting started with Microsoft ISA Server 2006, Part I: Installation

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction.

Update Service Pack 1

From Part 3: Installation, I have installed ISA Server 2006 enterprise edition on the server. At this time, there is a service pack for ISA Server 2006 which you can download from Microsoft website. So I am going to show how to update the server to ISA Server 2006 Service Pack 1 on this post.
Note: There are others security updates for ISA Server 2006 available besides the service pack which I will not cover on this series. So you should check and update them on your own.

There are many new features and enhancements on the ISA Server 2006 service pack 1:
New Features

• Configuration Change Tracking. Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
• Web Publishing Rule Test Button. Tests the consistency of a Web publishing rule between the published server and ISA Server.
• Traffic Simulator. Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
• Diagnostic Logging Query. Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.

Enhancements

• Support for integrated NLB mode in all three modes, including unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, ISA Server integrated NLB-supported unicast mode only.
• Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers.
• Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts.
• Improve Web Publishing Load Balancing (WPLB) cookie handling.
• Alert Improvements.
• New performance counter.

For more information about this service pack, see Microsoft Article 943462.

Step-by-step

1. Download the file from Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1.
   
2. Double-click the downloaded file, ISA2006-KB943462-X86-ENU.msp, to run the setup wizard.
   
3. On Welcome to the Update for Microsoft ISA Server 2006 Service Pack 1, click Next.
   
4. On License Agreement, select I accept the terms in the license agreement and click Next.
   
5. On Locate Configuration Storage Server, you have to specify the Configuration Storage Server. On this example, I leave it as default and click Next.
   
6. On Ready to Install the Program, click Install.
   
7. On Installing Microsoft ISA Server 2006 Service Pack 1, wait until the installation completes.
   
8. On Installation Wizard Completed, click Finish.
   
9. There is a pop-up message asks you to restart the system for the configuration changes made to ISA Server 2006 to take effect. Click Yes to restart it now.
   
10. Once the system is restarted, you can see the version of ISA Server 2006 is updated by open ISA Server Management. Click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
    
11. On ISA Server Management, click Help -> About Microsoft ISA Server 2006.
    
12. On About Microsoft ISA Server 2006, you see the current version of ISA Server 2006. The version of ISA Server 2006 Service Pack 1 is 5.0.5723.493.
    

What’s Next?

Now you have installed and updated ISA Server 2006. Next, I will show how to configure ISA Server 2006. See Part 5: Network Layout Concept.

Related posts:

1. Windows Server 2003 Service Pack 2 has released!
2. Getting started with Microsoft ISA Server 2006, Part 1: Introduction
3. How to silently install Office 2003 Service Pack 3 through GPO

This article is one of the series of Getting started with Microsoft ISA Server 2006. You can see the index of this series at Getting started with Microsoft ISA Server 2006, Part 1: Introduction

ISA Server 2006 Installation

On this post, I show you how to install Microsoft ISA Server 2006 Enterprise edition on the server – BKKISA001. You can see the server and network configuration of the example at Part 2 – Environment Setup.
Note: On this series, I demonstrate using Microsoft ISA Server 2006 enterprise edition. But I will use only basic features which are available on both standard and enterprise editions. So if you have only a standard edition, you still can follow this series but you may notice that the user interface may slightly different a little bit.

Step-by-step

1. Insert ISA Server 2006 Enterprise edition CD-Rom, you will see Microsoft ISA Server 2006 Setup window. Click Install ISA Server 2006.
   
2. Microsoft ISA Server Installer is starting and beginning with Core Components.
   
3. On Welcome to the Installation Wizard for Microsoft ISA Server 2006, click Next.
   
4. On License Agreement, select I agree the terms in the license agreement and click Next.
   
5. On Customer Information, enter your user name, organization name and the product serial number. Click Next.
   
6. On Setup Scenarios, select Install both ISA Server services and Configuration Storage Server and click Next.
   Note: Scenarios description:
   • Install ISA Server services. You can select this option to install on ISA Server services without the Configuration Storage server so you will have to specify the existing Configuration Storage server on the network at the next step.
   • Install Configuration Storage server. This option will install only Configuration Storage server for ISA Server arrays to retrieve the configuration.
   • Install both ISA Server services and Configuration Storage server. This option will install both ISA Server services and Configuration Storage server.
   • Install ISA Server Management. Select this option if you want to install only the management console for ISA Server so you can remotely manage ISA Server enterprise.

   

7. On Component Selection, leave as default selection and click Next.
   Note:Components description:
   • ISA Server. Controls access and traffic between networks.
   • Advanced Logging. Installs Microsoft Data Engine (MSDE) used to view and to filter historical log data
   • ISA Server Management. Allows remote management of ISA Server using ISA Server Management console snap-in.
   • Configuration Storage server. Stores the enterprise configuration for ISA Server arrays.

   

8. On Enterprise Installation Options, select Create a new ISA server enterprise and click Next.
   
9. On New Enterprise Warning, click Next. This is a message telling you that they recommend only a single enterprise in your organization for ease of centralize management. If you already have an existing Configuration Storage server, you should select Create a replica of the enterprise configuration in the previous step.
   
10. On Internal Network, you have to specify the network address ranges of your internal network. Click Add.
    
11. On Addresses, you can add IP address ranges by add from network adapter, add from private network or add range manually. I will add from adapter, click Add Adapter.
    
12. On Select Network Adapters, select the network card interface which connects to the internal network and click OK.
    
13. Back to Addresses, check if the internal network range is correct or not. Then, click OK to continue.
    
14. Back to Internal Network, click Next.
    
15. On Firewall Clients Connections, click Next.
    Note: If you haven’t upgrade from ISA 2000 or 2004, leave the check box Allow non-encrypted Firewall client connections empty. Otherwise, check the box before continue.
    
16. On Services Warning, click Next.
    Note: This is a warning message that some services will be restarted or disabled while the installation is in progress.
    
17. On Ready to Install the Program, click Install to begin the ISA Server 2006 Installation.
    
18. On Installing Microsoft ISA Server 2006, waits for the installation to be complete.
    
19. Microsoft ISA Server Installer is installing Additional Components.
    
20. Microsoft ISA Server Installer is initialize system.
    
21. On Installation Wizard Completed, click Finish to complete the installation.
    Note: There is an option – Invoke ISA Server Management when the wizard closes. You can select this option to start ISA Server Management after closes the wizard. I will cover about ISA Server Management in the next part.
    

What’s Next?

You have done the installation. Next, I will show how to update ISA Server 2006 with the service pack 1. See Part 4: Service Pack 1.

Related posts:

1. Getting started with Microsoft ISA Server 2006, Part I: Installation