
ISA Server 2004 Site to Site VPNs: Creating an IPSec Tunnel Mode VPN Connection with ISA Server 2004 on Each Side
First Draft: February 2004
Install ISA Server 2004 on the Local and Remote Sites
Create the Remote Site at the Local Site ISA Server 2004 Firewall
Create the Routing Rule Between the Local and Remote Sites
Create an Access Rule Allowing Inbound From Remote Site to Internal
Create the Remote Site at the Remote Site ISA Server 2004 Firewall
Create the Routing Rule Between the Remote and Main Office Sites
Create an Access Rule Allowing Outbound From Remote Site to Main Office
Create an Access Rule Allowing Outbound From Main Office Site to the Remote Site
Create an Access Rule Allowing Inbound From the Main Office Site to the Remote Site
Test and Monitor the Connection from a Client on the Remote Site Network
· Install ISA Server 2004 on the local and remote sites
· Create the remote site at the local ISA Server 2004 firewall
· Create the routing rule between the local and remote sites
· Create an Access Rule allowing inbound from remote site to Internal
· Create the remote site at the remote site location
· Create the routing rule between the remote site and the local site
· Create an Access Rule that allows outbound from remote site to local site
· Add the IP address of the destination IPSec endpoint to each site’s remote site network to support Web Proxy
· Test and monitor the connection from a client on the remote site network
Perform the following steps to install the ISA Server 2004 software on the dual-homed Windows Server 2003 machine:
1. Download the ISA Server 2004 beta 2 software from http://www.microsoft.com/isaserver/beta/default.asp. When you run the exe file, it will create a folder on your C: drive containing the installation files. Double click on the isaautorun.exe file.
2. On the Microsoft Internet Security and Acceleration Server 2004 Beta 2 Setup page, click the link for Review Release Notes and read the release notes. The doc isn’t that long, and you’ll get some useful information about what works and what doesn’t, as well as some useful tips on how to access the Internet from the ISA Server 2004 firewall machine itself. After reading the release notes, click the Read Setup and Feature Guide link. You don’t need to read the entire guide right now, but you might want to print it out to read later. Click the Install ISA Server 2004 link.
3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 Beta 2 page.

4. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
5. On the Customer Information page, enter your name and the name of your organization in the User Name and Organization text boxes. The Product Serial Number is automatically entered for you. Click Next.
6. On the Setup Type page, select the Custom option. If you do not want to install the ISA Server 2004 software on the C: drive, then click the Change button to change the location of the program files on the hard disk. Click Next.

7. On the Custom Setup page you can choose which components to install. By default, the Firewall Services, ISA Server Management and Firewall Client Installation Share are installed. The Message Screener, which is used to control spam and file attachments from entering and leaving the network, is not installed by default. You need to install the IIS 6.0 SMTP service on the ISA Server 2004 firewall computer before you install the Message Screener. I will do some articles in the near future on how to install the Message Screener on the ISA Server 2004 firewall to control inbound and outbound flow of spam and email attachments. Use the default settings and click Next.

8. On the Internal Network page, click the Add button. The Internal network differs from the LAT used in ISA Server 2000. In ISA Server 2004, the Internal network contains the trusted network services that the ISA Server 2004 firewall must communicate with. Examples of such services include Active Directory domain controllers, DNS, DHCP, terminal services clients, and others. The firewall System Policy is automatically applied to the Internal network. We will look at the System Policy later in this article.

9. In the Internal Network setup page, click the Configure Internal Network button.

10. In the Configure Internal Network dialog box, remove the checkmark from the Add the following private ranges… checkbox. Leave the checkmark in the Add address ranges based on the Windows Routing Table checkbox. Put a checkmark in the checkbox next to the adapter that is connected to the Internal network. Click OK.

11. Click OK in the dialog box informing you that the Internal network was defined, based on the Windows routing table.

12. Click OK on the Internal network address ranges dialog box.

13. Click Next on the Internal Network page.

14. Click Install on the Ready to Install the Program page.
15. On the Installation Wizard Completed page, put a checkmark in the Invoke ISA Server Management when wizard closes checkbox and click Finish.
16. The Microsoft Internet Security and Acceleration Server 2004 management console opens. By default you are taken to the top node in the left pane of the console. Notice that ISA Server 2004 console requires quite a bit more screen real-estate than ISA Server 2000 did. To get the most out of the interface, change your screen resolution to 1024x768 or higher. I will need to keep the resolution at 640x480 for these screen shots to make them fit the Web page. For that reason, I will use the Show/Hide Console Tree button in the button bar of the console frequently.

The first step to enabling a site to site IPSec tunnel mode link is to create a Remote Site. This can be done in the VPN configuration interface in the Microsoft Internet Security and Acceleration Server 2004 management console.
Perform the following steps at the local site to create the remote site network definition:
1. In the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console, expand your server name and then click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane, then click the Tasks tab in the Task Pane. On the Tasks tab, click on the Add remote Site Network link.

3. On the Welcome to the New Network Wizard page, enter the name for the remote site’s network in the Network name box. In this example, we will name the remote site network branch1. Click Next.
4. On the VPN Protocol page, select the IP Security protocol (IPSec) tunnel mode option and click Next.

5. On the Connection Settings page, enter the IP address of the external interface of the remote site’s ISA Server 2004 firewall in the Remote VPN gateway IP address text box. In this example the IP address of the remote site is 192.168.1.71, so we will enter that into the text box. Select the IP address on the external interface of the local site’s ISA Server 2004 firewall in the Local VPN gateway IP address list. Click Next.

6. On the IPSec Authentication page, select the Use pre-shared key for authentication option. We will use this option as a convenience in this walkthrough. In a production environment that requires a higher level of security, you should use the Use a certificate from this certificate authority (CA) option. In the Use pre-shared key for authentication text box, enter a complex value for the pre-shared key. In the current example, we will enter 123 for convenience. If you decide to use a pre-shared key in a production environment, make sure you use a complex key to provide an adequate level of security. Click Next.

7. On the Network Addresses page, click the Add button. Enter the range of IP addresses on the remote office network. In this example, the remote office network consists of all the hosts in network ID 10.0.1.0/24. We will enter 10.0.1.0 in the Starting address text box and 10.0.1.255 in the Ending address text box. Click OK. Click Next on the Network Addresses page.

8. Click Finish on the Completing the New Network Wizard page.
9. Do not click the Apply button yet. We still need to create the Routing Rule and the Access Rule for this network.
The next step is to create the routing relationship between these networks. In this example we will create a route relationship between the networks. You do have the option to create a NAT relationship between the networks, but this limits you to using applications that work correctly when crossing NAT devices.
Perform the following steps to create the route relationship:
1. In the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node and click the Networks node.
2. Click the Network Rules tab in the Details pane. In the Task Pane, click the Tasks tab and then click the Create a New Network Rule link.

3. On the Welcome to the New Network Rule Wizard page, enter a name for the network rule in the Network rule name text box. In this example, we will name the rule MainBranch. Click Next.
4. Click the Add button on the Network Traffic Source page. On the Add Network Entities dialog box, click on the Networks folder. Double click on the Internal network and then click Close on the Add Network Entities dialog box.

5. Click Next on the Network Traffic Source page.
6. Click the Add button on the Network Traffic Destination page. In the Add Network Entities dialog box, click on the Networks folder. Double click on the Branch1 network and then click Close on the Add Network Entities dialog box.
7. Click Next on the Network Traffic Destination page.
8. Select the Route option on the Network Rules page. Click Next.

9. Click Finish on the Completing the New Network Rule Wizard page.
10. Do not click the Apply button yet; we still need to create an Access Rule controlling how traffic moves between the remote network and the local network.
The next step is to create an Access Rule that controls how traffic moves from the remote network to the local network. In this example we will allow all traffic from the remote network into the local network. In a production environment, you would enforce strict traffic controls over what resources users on the remote network can access on the local network, which is typically the main office network.
Perform the following steps to configure the Access Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policies node in the scope pane. In the Task Pane, click the Tasks tab. Click the Create New Access Rule link.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access policy rule name text box. In this example we will name the rule Branch1Main. Click Next.
3. Select the Allow option on the Rule Action page and click Next.
4. On the Protocols page, select All outbound protocols from the This rule applies to list. Click Next.
5. On the Access Rule Sources page, click the Add button. In the Add Network Entities dialog box, click the Networks folder and then double click on the branch1 network. Click Close.
6. On the Access Rule Destinations page, click the Add button. Click on the Computers folder and double click on the Internal entry. Click Close.
7. Click Next on the Access Rule Destinations page.
8. Accept the All Users entry on the User Sets page.
9. Click Finish on the Completing the New Access Rule Wizard page.
10. Now we’re ready to click the Apply button.

11. Click the Apply button to save the changes and update the firewall policy.
Now we’re ready to configure the site to site IPSec tunnel mode link at the Remote Site. This can be done in the VPN configuration interface in the Microsoft Internet Security and Acceleration Server 2004 management console.
Perform the following steps at the remote site to create the network definition for the main office (which is the remote site from this firewall’s perspective):
1. In the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console, expand your server name and then click on the Virtual Private Networks (VPN) node.
2. Click on the Remote Sites tab in the Details pane, then click the Tasks tab in the Task Pane. On the Tasks tab, click on the Add remote Site Network link.

3. On the Welcome to the New Network Wizard page, enter the name for the remote site’s network in the Network name box. In this example, we will name the remote site network main. Click Next.
4. On the VPN Protocol page, select the IP Security protocol (IPSec) tunnel mode option and click Next.

5. On the Connection Settings page, enter the IP address of the external interface of the main office ISA Server 2004 firewall (the remote gateway from the branch office’s point of view) in the Remote VPN gateway IP address text box. In this example that address is 192.168.1.70, so we will enter that into the text box. Select the IP address on the external interface of the remote site’s ISA Server 2004 firewall in the Local VPN gateway IP address list. Click Next.

6. On the IPSec Authentication page, select the Use pre-shared key for authentication option. We will use this option as a convenience in this walkthrough. In a production environment that requires a higher level of security, you should use the Use a certificate from this certificate authority (CA) option. In the Use pre-shared key for authentication text box, enter a complex value for the pre-shared key. In the current example, we will enter 123 for convenience. If you decide to use a pre-shared key in a production environment, make sure you use a complex key to provide an adequate level of security. Click Next.

7. On the Network Addresses page, click the Add button. Enter the range of IP addresses on the remote office network. In this example, the remote office network consists of all the hosts in network ID 10.0.0.0/24. We will enter 10.0.0.0 in the Starting address text box and 10.0.0.255 in the Ending address text box. Click OK. Click Next on the Network Addresses page.

8. Click Finish on the Completing the New Network Wizard page.
9. Do not click the Apply button yet. We still need to create the Routing Rule and the Access Rule for this network.
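Both firewalls have now been given a remote site definition, and the two definitions have to be mirror images of each other: the remote gateway typed on one side is the other side’s external address, the address range typed on one side is the other side’s Internal network, the address spaces must not overlap if a route relationship is going to be used, and the pre-shared key must match on both ends and be complex. The script below is an added example, not part of this article or of ISA Server; it models one firewall’s wizard answers as a Site record, derives the Starting/Ending address pair the Network Addresses page asks for from a CIDR block, and reports every mismatch between the two sides before Apply is clicked. The Site records are constructed from the values used in the walkthrough (192.168.1.70, 192.168.1.71, 10.0.0.0/24, 10.0.1.0/24, pre-shared key 123), and the key-length and character-class thresholds are this example’s own assumptions.

```python
"""Consistency check for a pair of mirrored ISA Server 2004 IPSec tunnel mode
site definitions. Added example, not part of the original article or of the
ISA Server product: the Site records below are constructed from the values in
the walkthrough, and the pre-shared key thresholds are this example's own."""
from __future__ import annotations

import ipaddress
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Site:
    """What one ISA firewall knows after the New Network Wizard has been run on it."""
    name: str             # this firewall's location, used in messages only
    gateway: str          # address on this firewall's external interface
    internal: str         # this site's Internal network (CIDR)
    remote_name: str      # Network name entered for the remote site ("branch1", "main")
    remote_gateway: str   # Remote VPN gateway IP address entered in the wizard
    remote_network: str   # address space entered on the Network Addresses page (CIDR)
    psk: str              # pre-shared key entered on the IPSec Authentication page


def wizard_range(cidr: str) -> tuple[str, str]:
    """Translate a CIDR block into the Starting/Ending address pair the
    Network Addresses page asks for (10.0.1.0/24 -> 10.0.1.0 .. 10.0.1.255)."""
    net = ipaddress.ip_network(cidr, strict=True)
    return str(net.network_address), str(net.broadcast_address)


def psk_issues(psk: str, min_len: int = 20) -> list[str]:
    """Flag a pre-shared key that is too short or drawn from too few character
    classes. The thresholds are assumptions of this example, not ISA Server's."""
    issues = []
    if len(psk) < min_len:
        issues.append(f"pre-shared key has {len(psk)} characters, fewer than {min_len}")
    classes = sum(bool(re.search(p, psk))
                  for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    if classes < 3:
        issues.append(f"pre-shared key uses {classes} character class(es), fewer than 3")
    return issues


def check_pair(a: Site, b: Site) -> list[str]:
    """Return every inconsistency between two firewalls that are meant to be the
    two ends of one tunnel. An empty list means the definitions mirror each other."""
    problems = []
    for this, other in ((a, b), (b, a)):
        # The remote gateway typed on one side must be the other side's external address.
        if this.remote_gateway != other.gateway:
            problems.append(f"{this.name}: remote gateway {this.remote_gateway} "
                            f"is not {other.name}'s external address {other.gateway}")
        # The remote network typed on one side must be the other side's Internal network.
        if ipaddress.ip_network(this.remote_network) != ipaddress.ip_network(other.internal):
            problems.append(f"{this.name}: remote network {this.remote_network} "
                            f"is not {other.name}'s Internal network {other.internal}")
    net_a, net_b = ipaddress.ip_network(a.internal), ipaddress.ip_network(b.internal)
    # A route (rather than NAT) relationship needs the two address spaces to be disjoint.
    if net_a.overlaps(net_b):
        problems.append(f"Internal networks {a.internal} and {b.internal} overlap; "
                        "a route relationship cannot be created between them")
    # Tunnel endpoints sit on the external interfaces, outside both tunnelled networks.
    for site in (a, b):
        gw = ipaddress.ip_address(site.gateway)
        if gw in net_a or gw in net_b:
            problems.append(f"{site.name}: VPN gateway {site.gateway} lies inside a tunnelled network")
    # Both ends must hold the same key, and that key should be complex.
    if a.psk != b.psk:
        problems.append("pre-shared keys differ between the two sites")
    problems.extend(f"both sites: {issue}" for issue in psk_issues(a.psk))
    return problems


# Constructed from the values used in the walkthrough.
MAIN_OFFICE = Site("main office", "192.168.1.70", "10.0.0.0/24",
                   "branch1", "192.168.1.71", "10.0.1.0/24", "123")
BRANCH_OFFICE = Site("branch office", "192.168.1.71", "10.0.1.0/24",
                     "main", "192.168.1.70", "10.0.0.0/24", "123")

if __name__ == "__main__":
    for site in (MAIN_OFFICE, BRANCH_OFFICE):
        start, end = wizard_range(site.remote_network)
        print(f"{site.name}: enter {start} .. {end} for remote network '{site.remote_name}'")
    for problem in check_pair(MAIN_OFFICE, BRANCH_OFFICE):
        print("PROBLEM:", problem)
```

Run against the walkthrough’s values, the only findings are the two complaints about the pre-shared key 123, which is exactly the point the wizard steps make about using a complex key in production; a typo in either Remote VPN gateway IP address, or an address range that does not match the other side’s Internal network, shows up as an additional line before any traffic is sent.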
The next step is to create the routing relationship between these networks. In this example we will create a route relationship between the networks. You do have the option to create a NAT relationship between the networks, but this limits you to using applications that work correctly when crossing NAT devices.
Perform the following steps to create the route relationship:
1. In the left pane of the Microsoft Internet Security and Acceleration Server 2004 management console, expand the Configuration node and click the Networks node.
2. Click the Network Rules tab in the Details pane. In the Task Pane, click the Tasks tab and then click the Create a New Network Rule link.

3. On the Welcome to the New Network Rule Wizard page, enter a name for the network rule in the Network rule name text box. In this example, we will name the rule BranchMain. Click Next.
4. Click the Add button on the Network Traffic Source page. On the Add Network Entities dialog box, click on the Networks folder. Double click on the Internal network and then click Close on the Add Network Entities dialog box.

5. Click Next on the Network Traffic Source page.
6. Click the Add button on the Network Traffic Destination page. In the Add Network Entities dialog box, click on the Networks folder. Double click on the main network and then click Close on the Add Network Entities dialog box.
7. Click Next on the Network Traffic Destination page.
8. Select the Route option on the Network Rules page. Click Next.

9. Click Finish on the Completing the New Network Rule Wizard page.
10. Do not click the Apply button yet; we still need to create an Access Rule controlling how traffic moves between the remote network and the local network.
The next step is to create an Access Rule at the branch office site that controls how traffic moves from the remote network to the main office (local) network. In this example we will allow all traffic from the remote network into the local network. In a production environment, you would enforce strict traffic controls over what resources users on the remote network can access on the local network, which is typically the main office network.
Perform the following steps to configure the Access Rule:
1. In the Microsoft Internet Security and Acceleration Server 2004 management console, click on the Firewall Policies node in the scope pane. In the Task Pane, click the Tasks tab. Click the Create New Access Rule link.
2. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access policy rule name text box. In this example we will name the rule Branch1Main. Click Next.