Modifying the Local Address Table (LAT) for ISA Server Installation

When ISA Server runs as a firewall (install ISA Server in Firewall mode or in Integrated mode), ISA Server uses the Local Address Table (LAT) to determine the following information so that it can implement access rules:

  • Determine the IP addresses on the private network.

  • Determine the IP addresses on the public network.

  • The firewall client uses the information in the LAT to determine the following:

    • The addresses that need to be forwarded to the firewall

    • The addresses which should be requested directly.

To ensure that routing occurs correctly, the Local Address Table has to be built and configured correctly. This would prevent internal objects from being routed to the Internet.

There are a number of methods used to add information to the Local Address Table (LAT):

  • During ISA Server setup, ISA Server builds the LAT according to the information contained within the Windows Routing table of the network card used for the private network.

  • You can manually add the IP address ranges from the network that is not in the Routing table.

  • The LAT can also include all private IP address ranges assigned by Internet Assigned Numbers Authority (IANA) from RFC 1918.Installing ISA Server

How to configure the LAT

  1. When installing ISA Server, select the Configure the LAT option.

  2. After ISA Server installation, open the ISA Management console.

  3. Navigate to Local Address Table in the console tree and right-click the Local Address Table.

  4. If you want to add private IP address ranges assigned by Internet Assigned Numbers Authority (IANA), select the Add the Following Private Ranges checkbox.

  5. If you want to manually add the IP address ranges, select the New button and then select LAT Entry. Proceed to specify the start IP address and end IP address that defines the IP address range which should be added.

  6. If you want to add IP addresses based on the Windows Routing table, select the Add Address Ranges Based on the Selected Computer's Windows 2000 Routing Table checkbox.

  7. In the Select Computer box, select the computer to use.

  8. Select the NIC used to obtain the IP address ranges.

Preparing the Server for ISA Server Installation

To prepare the server for ISA Server installation, you have to perform the following tasks:

  • Verify that the network adapter which is connected to your private internal network is correctly configured:

    • The network adapter must not have a default gateway defined.

    • The network adapter must have a static IP address.

  • Ensure that the network adapter, ISDN adapter, or modem which is being used for connecting to the Internet is correctly configured:

    • The network adapter can have a static IP address or use a dynamically assigned IP address.

    • The IP address must be a valid Internet address obtained from your Internet Service Provider (ISP).

  • You should disable the following components on the external interface:

    • File and Printer Sharing for Microsoft Networks

    • Client for Microsoft Networks

    • NetBIOS Over TCP/IP

  • For dialup connections, disable Internet Connection Firewall (ICF).

  • You have to create a Windows Server 2003 domain or a Windows 2000 domain if you want to install ISA Server arrays.

  • When installing ISA Server arrays and you need to support Window NT 4.0 clients, you have to ensure that you have defined an Active Directory trust relationship to join the Windows 2000 domain to the Windows NT 4.0 domain.
    If you want the ISA server to access the Web, you have to configure the Web browser to use the internal network address of the ISA server for the proxy server address.

  • Apply the latest Windows service packs and security updates.

  • Apply the latest ISA Server 2000 service pack.

  • You should connect all servers and clients on the internal network and external network, and test connectivity.

Installing ISA Server

When you install ISA Server, you have to choose between the following ISA Server installation options:

  • Firewall mode.

  • Cache mode.

  • Integrated mode.

If you are installing ISA Server Standard Edition, you have to complete the following:

  • For Firewall mode and Integrated mode, you have to correctly configure the Local Address Table (LAT).

  • For Cache mode and Integrated mode, you have to define the ISA Server cache location and cache size.

If you are installing ISA Server Enterprise Edition, you have to complete the following:

  • Run the ISA Server Enterprise Initialization process to add the ISA Server classes and attributes to Active Directory. This process extends the Active Directory schema to include ISA Server classes and attributes.

  • To initiate the ISA Server Enterprise Initialization process, you have to be a member of the following groups:

    • Enterprise Administrators

    • Schema Administrators

  • Install ISA Server.

When you install ISA Server, you have to provide the following configuration information during the installation process:

  • Provide the10 digit number CD key on the back of the ISA Server CD-ROM cover.

  • Specify the ISA installation option to use:

    • Typical installation: Installs the following:

      • ISA services

      • H.323 Gatekeeper Service

      • Administration Tools

    • Full installation; Installs the following:

      • ISA services

      • H.323 Gatekeeper Service

      • Message Screener

      • Administration Tools

      • H.323 Gatekeeper Administration Tools

    • Custom installation: Installs the components that you select to be installed.

  • ISA Server is installed as a standalone server if you have not run the ISA Server Enterprise Initialization process to update the Active Directory schema. If you have run the ISA Server Enterprise Initialization process to update the Active Directory schema, then you can choose the array that should be joined.

  • Specify the mode of ISA Server to install: Firewall mode, Cache mode or Integrated mode. For Cache mode or Integrated mode, you have to define cache location and cache size.

After you install ISA Server, a number of ISA Server default settings are used for the following features:

  • Access Control: If you have not configured enterprise policy settings to prohibit array level rules – allow, then a default site and content rule called Allow Rule allows all clients access to all content on all sites, all the time. Because no protocol rules are defined and applied, traffic will not be able to pass through.

  • Alerts: Alerts other than those listed here are active:

    • All port scan attack

    • Dropped packets

    • Protocol violation

    • UDP bomb attack

  • Caching – Cache mode or Integrated mode: The size of the cache is based on the settings specified during ISA Server setup:

    • HTTP caching is enabled

    • FTP caching is enabled.

    • Active caching is disabled

  • Client configuration default settings: For Firewall clients and Web Proxy clients, automatic discovery is active/enabled. When you install firewall clients, Web browser applications are configured.

  • Enterprise policy settings: If you create a new ISA Server array, that array gets the default enterprise policy settings.

  • Local Address Table – Firewall mode or Integrated mode: The LAT contains those entries specified during the ISA Server installation.

  • Packet filtering: Packet filtering is disabled in Cache mode. It is enabled in Firewall mode and Integrated mode.

  • Publishing: The default Web publishing rule enables no publishing. This means that your internal servers cannot be accessed by external clients.

  • Routing: The default setting allows Web Proxy client requests to be directly obtained from the Internet.

  • User permissions: Members of the Domain Admins group and Enterprise Admins group can configure array and enterprise policies. Members of the Administrators group can configure policies for stand-alone servers.

How to install ISA Server Standard Edition

  1. Start by disconnecting the ISA server from the Internet.

  2. Apply the latest Windows service packs and security updates.

  3. Apply the latest ISA Server 2000 service pack.

  4. Place the ISA Server Standard Edition CD-ROM in the CD-ROM drive.

  5. When the Autostart menu opens, click the Install option.

  6. A Welcome screen is displayed next, click Continue.

  7. On the Enter Product Key screen, enter the 10 digit number CD key on the back of the ISA Server CD-ROM cover. Click OK.

  8. On the Microsoft license agreement screen, read the End User License Agreement then click I Agree to continue.

  9. Select the installation option that you want to perform:

    • Typical installation

    • Full installation.

    • Custom installation.

  10. If you have selected the Custom installation option, proceed to choose the components that you want to install.

  11. Select the mode of ISA Server to install:

    • Firewall Mode.

    • Cache Mode

    • Integrated Mode

  12. If you have selected Firewall Mode or Integrated Mode, you have to configure the Local Address Table.

  13. If you have selected Cache Mode or Integrated Mode, select the NTFS drive location for the ISA Server cache. Set the size of the cache.

  14. At this point, services are stopped, all necessary files are added, and then the services are started again.

How to run ISA Server Enterprise Initialization

  1. Apply the latest Windows service packs and security updates.

  2. Apply the latest ISA Server 2000 service pack.

  3. Place the ISA Server Enterprise Edition CD-ROM in the CD-ROM drive.

  4. On the Microsoft ISA Server Setup screen, select the Run ISA Server Enterprise Initialization option.

  5. If this is the first ISA Server in the forest, click Yes to the ISA Enterprise Initialization message that appears, stating that the ISA Server schema will be installed to Active Directory and that this process cannot be reversed.

  6. The ISA Enterprise Initialization dialog box presents the following options:

    • Use Array Policy Only option.

    • Use This Enterprise Policy option: If you select this option, you have to enter the enterprise policy name in the provided textbox. You also have the option of selecting the Allow array-level access rules that restrict enterprise policy checkbox.

  7. Select the Use Array Policy Only option.

  8. Select the Allow Publishing Rules checkbox ifyou want to publish your internal servers and enable external clients to access them.

  9. Uncheck the Force Packet Filtering On The Array checkbox. Leaving the checkbox enabled results in packet filtering always being enabled for the ISA Server arrays within the enterprise.

  10. Click OK.

  11. The ISA Enterprise Initialization progress message is displayed next. The message indicates that the ISA Server schema has extended the Active Directory schema. You can now configure ISA Server as a member of the array.

  12. Click OK.

How to install ISA Server Enterprise Edition (Full installation)

  1. Start by disconnecting the ISA server from the Internet.

  2. Apply the latest Windows service packs and security updates.

  3. Apply the latest ISA Server 2000 service pack.

  4. Place the ISA Server Enterprise Edition CD-ROM in the CD-ROM drive.

  5. When the Autostart menu opens, click the Install option.

  6. A Welcome screen is displayed next, click Continue.

  7. On the Enter Product Key screen, enter the CD key (10 digit number) on the back of the ISA Server CD-ROM cover. Click OK.

  8. On the Microsoft license agreement screen, read the End User License Agreement then click I Agree to continue.

  9. On the Microsoft ISA Server (Enterprise Edition) Setup dialog box, select Full Installation.

  10. When the Microsoft Internet Security And Acceleration Server Setup dialog box opens, click Yes to install ISA Server as an array member.

  11. When the New Array dialog box opens, enter a name for the server and then click OK.

  12. On the Configure Enterprise Policy Settings dialog box, select the following settings

    • Use Custom Enterprise Policy Settings

    • Use Array Policy Only

    • Allow Publishing Rules checkbox

    The Force Packet Filtering On This Array checkbox should be unchecked. Click Continue.

  13. Select Integrated Mode as your ISA Server mode of operation and then click Continue.

  14. A Microsoft Internet Security And Acceleration Server Setup message is displayed, stating that the IIS publishing service will be stopped. Click OK.

  15. When the Cache Settings dialog box opens, select the NTFS drive for the cache. The default cache size is 100 MB if the NTFS partition has a minimum of 150 MB available. Set the maximum cache size in the Cache size (MB) textbox, and click the Set button. Click OK.

  16. On the IP Address Range dialog box, enter the IP address range for the internal network.

  17. Click Construct Table to access the Local Address Table dialog box.

  18. Deselect the Add The Following Private Ranges checkbox.

  19. Select the Add Address Ranges Based On The Windows 2000 Routing Table checkbox.

  20. Click OK. Click OK again when a message is displayed, verifying that the Local Address Table was built.

  21. At this stage, ISA Server stops services, install the files, and then restarts the services.

  22. After the installation, the Launch ISA Management Tool message is displayed. Click OK.

  23. A Microsoft ISA Server (Enterprise Edition) Setup message is displayed, verifying that ISA Server Enterprise Edition Setup has completed.

  24. Click OK.

  25. The ISA Management Tool console opens. You can use the Getting Started wizard to configure and modify settings.

How to install ISA Server Enterprise Edition (Custom installation)

  1. Start by disconnecting the ISA server from the Internet.

  2. Apply the latest Windows service packs and security updates.

  3. Apply the latest ISA Server 2000 service pack.

  4. Plce the ISA Server Enterprise Edition CD-ROM in the CD-ROM drive.

  5. When the Autostart menu opens, click the Install option.

  6. A Welcome screen is displayed next, click Continue.

  7. On the Enter Product Key screen, enter the 10 digit number CD key on the back of the ISA Server CD-ROM cover. Click OK.

  8. On the Microsoft license agreement screen, read the End User License Agreement then click I Agree to continue.

  9. On the Microsoft ISA Server (Enterprise Edition) Setup dialog box, select Custom Installation.

  10. The Custom Installation dialog box opens, displaying the following options that you can choose between:

    • ISA services

    • H.323 Gatekeeper Service

    • Message Screener

    • Administration Tools

    • H.323 Gatekeeper Administration Tools


    Click OK after you have selected your options.

  11. Click Yes to install ISA Server as an array member.

  12. In the New Array dialog box opens, provide a name for the server and then click OK.

  13. On the Configure Enterprise Policy Settings dialog box, select the Use Custom Enterprise Policy Settings option, Use Array Policy Only option or Use Default Enterprise Policy Settings, and the Allow Publishing Rules checkbox. The Force Packet Filtering On This Array checkbox should not be selected. Click Continue.

  14. Select the ISA Server mode of operation and then click Continue.

  15. A Microsoft Internet Security And Acceleration Server Setup message is displayed, stating that IIS publishing service will be stopped. Click OK.

  16. If you chose the Cache or Integrated modes previously, when the Cache Settings dialog box opens, select the NTFS drive for the cache. The default cache size is 100 MB if the NTFS partition has a minimum of 150 MB available. Set the maximum cache size in the Cache size (MB) textbox, and click the Set button. Click OK.

  17. On the IP Address Range dialog box, enter the IP address range for the internal network.

  18. Click Construct Table to access the Local Address Table dialog box.

  19. Deselect the Add The Following Private Ranges checkbox.

  20. Select the Add Address Ranges Based On The Windows 2000 Routing Table checkbox.

  21. The Launch ISA Management Tool message is displayed. Click OK.

  22. A Microsoft ISA Server (Enterprise Edition) Setup message is displayed, verifying that ISA Server Enterprise Edition Setup has completed.

  23. Click OK. The ISA Management Tool console opens. You can use the Getting Started wizard to configure and modify settings.

How to install additional ISA servers in an array

  1. Place the ISA Server Enterprise Edition CD-ROM in the CD-ROM drive and start ISA Server Enterprise Edition Setup.

  2. Click Continue on the Welcome screen.

  3. Enter the 10 digit number CD key on the back of the ISA Server CD-ROM cover. Click OK.

  4. At this stage, the ISA Server Setup program detects installed components.

  5. Read the End User License Agreement then click I Agree to continue.

  6. On the Microsoft ISA Server (Enterprise Edition) Setup dialog box, select Custom Installation.

  7. When the Custom Installation dialog box opens, select the desired options and then click OK after you have selected your options.

  8. Click Yes to install ISA Server as an array member.

  9. The ISA Server Setup program next displays all the names of existing arrays that it has detected.

  10. Select the array to install the server to and then click OK.

  11. At this point, services are stopped, all necessary files are added, and then the services are started again.

  12. Click OK to the message indicating that ISA Server Setup has completed.

How to uninstall ISA Server

  1. Place the ISA Server CD-ROM in the CD-ROM drive.

  2. Click the Install option.

  3. ISA Server at this stage searches for all installed ISA Server components and then displays the following options:

    • Add/Remove button

    • Reinstall button

    • Remove ALL button

  4. Click Remove ALL to uninstall ISA Server.

  5. Click Yes to the message displayed, to verify that you want to remove ISA Server.

  6. Click Yes to the message displayed, to verify that you want to remove all logs and backup configuration information created by ISA Server.

  7. ISA Server Setup now stops the necessary services, removes the ISA objects, deletes all necessary files, and then restarts services.