
Installing ISA Server 2000

If you have not yet installed ISA Server on your network, this is the article for you. In this article we will walk you through, step-by-step, the installation of ISA Server 2000 onto a computer in your network. We will cover the different types of installations you can perform and the caveats associated with each.

Uploaded by

Emilio Cobrador
Copyright
© Attribution Non-Commercial (BY-NC)
• Published: Dec 28, 2001
• Updated: Jul 23, 2004
• Section: Tutorials :: Installation & Planning
• Author: Will Schmied

If you have not yet installed ISA Server on your network, this is the article for you. In this
article I will walk you through, step-by-step, the installation of ISA Server 2000 onto a
computer in your network. We will cover the different types of installations you can
perform (either as a stand-alone server or as part of an array of ISA Servers) and discuss
the caveats associated with each.

Before we get started on the actual installation of ISA Server, there are some things you
should do first:

1. Ensure that Windows 2000 Server is installed on your ISA Server machine,
including the most recent Service Pack. Service Pack 1 is required to be installed,
at a minimum, before installing ISA Server.
2. Configure the server that will be hosting the ISA Server installation. You should
start with Jim Harrison’s wonderful article Configuring ISA Server Interface
Settings, which will walk you through the setup of your ISA Server machine’s
network adapters.
3. Figure out what your internal network will encompass, both presently and in the
future in regards to IP addresses. Write these down if it’s a complicated picture—
you will need this information again later.
4. If your internal network contains more than one range of IP addresses (say
192.168.x.y and 10.x.y.z, for example), then you need to create the routing table
on the server that is to be the ISA Server via the command shell route command. If
you only have one address range, Windows will do this for you. Be sure to view
the routing table before installing ISA Server to make sure it’s correct…this can
prevent problems later.
5. Two articles by Tom Shinder, Designing An ISA Server Solution on a Simple
Network and Designing An ISA Server Solution on a Complex Network, should
help you get a good idea of where you want to go with your ISA Server setup.

Some basic information before we get our hands dirty

The process of installing ISA Server can be started by inserting the ISA Server CD-ROM into
your CD drive. In most cases, the installation program should auto-start and display
the screen shown in Figure 1.
Figure 1 – The ISA Server 2000 installation screen.

If for some reason the installation program doesn’t auto-start, just double click the
ISAAutorun.exe file in the root of the CD-ROM as shown in Figure 2.
Figure 2 – Starting the ISA Server 2000 installation manually.

The Installation and Deployment Guide, as shown in Figure 3, is very good reading
before getting started on your installation if you have any questions. We will try to cover
most of the basic situations here in this tutorial. If you are migrating from Microsoft
Proxy Server 2.0, there is some outstanding migration information available in the Read
About Migrating to ISA Server area, as shown in Figure 4.
Figure 3 – The Installation and Deployment Guide.
Figure 4 – Migration instructions.

To initialize or not to initialize…

Up to this point, you haven’t had to make any decisions. The time has now come to
make one, and your first decision is a big one indeed. If you will be using this ISA
Server as an array member, then you must install the ISA Server schema into Active
Directory. This is a one-way decision—you cannot undo it later if you change your mind.
However, if you want to add additional ISA Servers to the ISA Server array at a later
time, you will not have to reinstall the schema changes. In order to make the changes to
the schema, you must be a member of the Enterprise Admins and Schema Admins groups.
To initialize the schema, click Run ISA Server Enterprise Initialization, which will bring
up a dialog box as shown in Figure 5. (Note that this is not your last chance to abort this
procedure, as we will see later.)
Figure 5 – Initializing the schema for ISA Server.

As previously mentioned, you will have one more chance to abort the schema
initialization process, as shown in Figure 6. There are, however, options on this dialog
box that require some discussion, so we will address them before moving any further into
the installation.

Figure 6 – Configuring Enterprise initialization options prior to schema initialization.

• Your first option is whether to select Use array policy only or Use this
enterprise policy. If you select the Use array policy only option, then no
enterprise policy is applied to the array and the array Administrator can create any
rule they desire. If the Use this enterprise policy option is selected, then an
Administrator at the enterprise level dictates that only the selected policy may be
applied—no additional rules may be created.
• If you place a check mark in the selection box for Allow array-level access policy
rules… you have created a Combined enterprise and array policy. In this case,
an array policy is added to the enterprise policy. The enterprise policy overrides
the array policy. That is, the array policy can impose additional limitations, but
cannot be more permissive than the enterprise policy.
• Checking Allow publishing rules allows you to create publishing rules (which
must be created separately on each server), which will listen for publishing
requests. Web publishing rules essentially map incoming requests to the
appropriate Web servers behind the ISA Server computer.
• Checking Force packet filtering on the array does just that. Packet filtering
allows you to control the flow of IP packets in and out of your network. With
packet filtering enabled, all packets that arrive at the external (Internet) interface
will be dropped unless they have been explicitly allowed. This occurs statically via
IP packet filters or dynamically by access policy and publishing rules. This serves
to further protect your internal network from attacks originating outside of your
network.
• Note that you can change all of these options from the Getting Started Wizard
after installation of ISA Server has completed.

If you choose to continue the process, you will see two new windows on your machine,
shown in Figure 7 and Figure 8 as well as a lot of disk activity for about 2 – 5 minutes
(depending on the machine configuration and loading). After the initialization is done,
both windows will close out, the dialog box shown in Figure 9 will be displayed, and you
are ready to continue the process of installing ISA Server.

Figure 7 – Now we sit on our hands and wait…


Figure 8 – There are over 300 changes made to the schema during the initialization
process.

Figure 9 – Schema initialization has been completed.

Installation time

Now that we have done all of our preparatory work, we can move on to the actual
process of installing ISA Server on our machine as follows:

1. Clicking Install ISA Server from the ISA Server Setup window (shown in Figure
1) will start the process.
2. An informational window will appear shortly, letting you know that the process is
underway. You will then be presented with the standard Wizard first page—you can
dismiss it by clicking Continue.
3. Doing so brings up the next window, in which we must input our CD-KEY.
Unlike most other high-end Microsoft products, ISA Server does not require
Windows Product Activation (WPA). Enter your CD-KEY and click OK to
continue on. The next window will display your Product ID, but it’s available
under the Help > About… option within the program, so you don’t have to write it
down. Click OK to continue past this screen.
4. After Setup quickly scans your hard drive you will be presented with the EULA
window, on which you must click I Agree (as always) to continue the installation
process.
5. As shown in Figure 10, you are now faced with three different installation options,
which are fairly simple. You can choose which one suits your needs; most often
this will be Typical Installation. (In our example, I am going to perform a Full
Installation.)

Figure 10 – Choosing the type of installation to perform.

6. If you haven’t already installed Windows 2000 SP1, you will get the error window
as shown in Figure 11.

Figure 11 – Looks like someone forgot to install SP1 on the Server!

7. Continuing on with the installation, we are next presented with the window shown
in Figure 12 if we have initialized the schema or the window shown in Figure 13 if
we have not. Note that if you install as a stand-alone server for either reason, you
can upgrade to an array server later (we will talk about this later).

Figure 12 – What kind of ISA Server will this be?

Figure 13 – Installing as a stand-alone server.

8. In this instance, I am going to install as a stand-alone server (we can always
upgrade later as previously mentioned), so I will click NO to continue on (this is
assuming that I have initialized the schema—otherwise you would click YES as
shown in Figure 13).
9. The next window, shown in Figure 14, asks you to choose what mode this
server will be operating in. The most robust option is Integrated mode and is the
recommended mode, so we will continue the installation by selecting
Integrated mode as shown and clicking Continue.

Figure 14 – Selecting the mode of the server.

10. The setup process will now stop the IIS publishing service and present you with a dialog
box instructing you to reconfigure your Web sites as required; this is shown in Figure 15.
Click OK to continue the installation.
Figure 15 – Instructions for IIS Web sites…

11. On the next window, you must configure the cache size. This option, like most others,
can be changed after installation is complete. The default setting is for a 100 MB
cache, and for now we will leave it be. Click OK to continue.
12. The next step, one of great importance if you want this whole thing to work properly,
is to construct the LAT table. The easiest way to do this is to click the Construct Table…
button and select the range for the internal network adapter as shown in Figure 16. The
results of this are shown in Figure 17. Click OK to continue past this step.

Figure 16 – Selecting local addresses.


Figure 17 – The results, showing the Internal IP address range ISA Server will recognize.

13. The setup program works for a while, installing ISA Server, and you are in
business. That was pretty easy, wasn’t it? The only decision we have left to make
is whether or not to start the Getting Started Wizard after the setup program closes
out. I recommend doing so, as your ISA Server must still be configured. Tom
Shinder has written a great article on this: Getting Started with ISA Server.
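
The LAT built in step 12 has to agree with the internal address plan and the routing table prepared before installation (preparation steps 3 and 4). The following Python check is an added example, not part of the original article or of ISA Server; the interface names, the addresses and the "first-last" range notation are constructed for illustration.

```python
import ipaddress

def parse_lat(entries):
    """Turn 'first-last' range strings into merged (first, last) integer spans."""
    spans = []
    for entry in entries:
        first, last = (int(ipaddress.IPv4Address(p.strip())) for p in entry.split("-"))
        if first > last:
            raise ValueError(f"LAT range is reversed: {entry}")
        spans.append((first, last))
    merged = []
    for first, last in sorted(spans):
        if merged and first <= merged[-1][1] + 1:   # overlapping or adjacent ranges
            merged[-1] = (merged[-1][0], max(merged[-1][1], last))
        else:
            merged.append((first, last))
    return merged

def in_lat(lat, first, last):
    """True if the whole span first..last lies inside one merged LAT span."""
    return any(lo <= first and last <= hi for lo, hi in lat)

def best_route(routes, network):
    """Longest-prefix match: the most specific route that contains `network`."""
    matches = [(dest, iface) for dest, iface in routes if network.subnet_of(dest)]
    return max(matches, key=lambda m: m[0].prefixlen, default=None)

def check_lat(lat_entries, internal_plan, external_addrs, routes, internal_iface):
    """Return a list of findings; an empty list means plan, routes and LAT agree."""
    lat = parse_lat(lat_entries)
    routes = [(ipaddress.ip_network(dest), iface) for dest, iface in routes]
    findings = []
    for cidr in internal_plan:
        net = ipaddress.ip_network(cidr)
        # Every planned internal range must be treated as local by ISA Server.
        if not in_lat(lat, int(net.network_address), int(net.broadcast_address)):
            findings.append(f"internal range {net} is not fully inside the LAT")
        # A range with no specific route follows the default gateway instead.
        route = best_route(routes, net)
        if route is None or route[1] != internal_iface:
            findings.append(f"internal range {net} is not routed via {internal_iface}")
    for addr in external_addrs:
        value = int(ipaddress.IPv4Address(addr))
        # An external address in the LAT would be handled as an internal one.
        if in_lat(lat, value, value):
            findings.append(f"external address {addr} is inside the LAT")
    return findings

# Constructed sample data: two internal ranges as in preparation step 4,
# one external adapter address from a documentation-only network.
INTERNAL_PLAN = ["192.168.1.0/24", "10.0.0.0/8"]
EXTERNAL_ADDRS = ["203.0.113.10"]
ROUTES_BEFORE = [("0.0.0.0/0", "external"),
                 ("203.0.113.0/24", "external"),
                 ("192.168.1.0/24", "internal")]
ROUTES_AFTER = ROUTES_BEFORE + [("10.0.0.0/8", "internal")]   # after adding the missing route
LAT_BAD = ["192.168.1.0-192.168.1.255", "203.0.113.0-203.0.113.255"]
LAT_GOOD = ["192.168.1.0-192.168.1.255", "10.0.0.0-10.255.255.255"]

if __name__ == "__main__":
    for label, lat, routes in (("before", LAT_BAD, ROUTES_BEFORE),
                               ("after", LAT_GOOD, ROUTES_AFTER)):
        findings = check_lat(lat, INTERNAL_PLAN, EXTERNAL_ADDRS, routes, "internal")
        print(label, findings or "consistent")
```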

That’s all for now folks…

That’s all there is to this process. Installing ISA Server is actually one of the simplest
product installations you will perform—provided you have done your research ahead of
time.

Determining RAM and CPU Specifications

Updated: March 28, 2003

Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003
with SP1, Windows Server 2003 with SP2

As hardware continues to improve, hardware vendors frequently change the RAM and
CPU configurations in the servers they offer. Use the information about performance
improvements and scaling factors in the sections that follow to choose the hardware that
best meets your organization’s needs.
When designing RAM and CPU specifications for server clusters, also consider the
failover policy that you plan to use and the maximum number of File Share resources and
share subdirectories that will be hosted on any one node after a failure. Each node must
have the RAM and CPU resources required to host the resources of one or more failed
nodes, depending on your failover policy. For more information about failover policies
and server cluster capacity planning, see "Designing and Deploying Server Clusters" in
this book.

Note

• Many of the figures presented in this section are derived from NetBench statistics
for file server throughput. NetBench is a portable Ziff Davis Media benchmark
program that measures how well a file server handles file I/O requests from 32-bit
Windows clients. NetBench provides an overall I/O throughput score and average
response time for servers, along with individual scores for clients. You can use
these scores to measure, analyze, and predict how well your server can handle file
requests from clients.

Reviewing Windows Server 2003 CPU Specifications

Table 2.11 describes the recommended CPU speed and number of processors supported
by Windows Server 2003.

Table 2.11 CPU Requirements for Windows Server 2003

Specification                   Windows Server 2003,   Windows Server 2003,   Windows Server 2003,
                                Standard Edition       Enterprise Edition     Datacenter Edition
Minimum recommended CPU speed   550 MHz                550 MHz                550 MHz
Number of CPUs supported        1–4                    1–8                    8–32

Reviewing Operating System Performance Improvements

Even if you plan to use existing hardware to run Windows Server 2003, you can benefit
from performance enhancements available in Windows Server 2003, as well as client and
server protocol improvements available when using clients running Windows XP
Professional.

Table 2.12 describes performance improvements that can be gained by migrating to new
operating systems on identical hardware.
Table 2.12 Operating System Performance Improvements on the Same Hardware

Current Server and Client           New Server and Client               Improvement
Operating Systems                   Operating Systems                   Factor

Windows NT Server 4.0 with          Windows 2000 Server with            Up to 1.25X
Microsoft® Windows NT®              Windows 2000 Professional
Workstation 4.0 clients             clients

Windows 2000 Server with            Windows Server 2003 with            Up to 2.2X
Windows 2000 Professional           Windows XP Professional
clients                             clients

Windows NT Server 4.0 with          Windows Server 2003 with            Up to 2.75X
Windows NT Workstation 4.0          Windows XP Professional
clients                             clients

These figures are based on the following assumptions:

• The server is uniprocessor (UP), 2P, 4P, or 8P.

• For each comparison, the server hardware is the same.

• No memory, disk, or network bottlenecks prevent the processor from performing
at full capacity.

Reviewing Performance Improvements Gained by Upgrading Processors

Table 2.13 describes performance improvements that can be gained by upgrading server
processors. Upgrading processors improves processing power, memory bandwidth, I/O
bandwidth, and the system bus. These figures are based on actual processor
improvements, not operating system improvements. If you plan to use processors that are
faster than those listed here, performance will be greater than the following figures show.

Table 2.13 Performance Improvements Gained by Upgrading Processors

Old Processor                   New Processor (Server Class)      Improvement Factor
200 MHz Intel Pentium Pro       400 MHz Intel Pentium II Xeon     2X
400 MHz Intel Pentium II Xeon   900 MHz Intel Pentium III Xeon    2X
200 MHz Intel Pentium Pro       900 MHz Intel Pentium III Xeon    4X

Reviewing Performance Improvements Gained by Adding Processors

To increase performance, consider using more than one processor in your file servers.
One advantage of using multiple processors is the ability to handle more concurrent
clients, resulting in higher scaling factors at high client loads. Table 2.14 describes the
NetBench throughput improvements gained by adding processors on file servers running
Windows Server 2003.

Table 2.14 Performance Improvements Gained by Adding Processors

Original Number of Processors   Processors After Upgrade   Scaling Factor*
1                               2                          1.4X to 1.6X
2                               4                          1.3X to 1.4X
1                               4                          1.8X to 2.3X
4                               8                          1.3X to 1.4X
1                               8                          2.4X to 3.2X

* The scaling factors are based on a range of client loads.

Determining the Client Load Based on Processor Utilization

NetBench stresses the system by applying a heavy load on the file server. Microsoft used
the most intensive CPU operations — file opens and file creates (subsequently described
as opens/creates) — to translate a NetBench client load to a more realistic client load.

To determine the client load, Microsoft observed approximately 820 opens/creates per
second at peak NetBench throughput (100-percent CPU utilization) on a Xeon 900-MHz
server with a single processor (UP). Table 2.15 describes active client loads for light,
medium, and heavy user loads at 70-percent CPU utilization. The client loads are defined
as follows:

• Light: one open/create every 10 seconds

• Medium: two opens/creates every 10 seconds

• Heavy: three opens/creates every 10 seconds

Assuming that a light user load causes one open/create every 10 seconds, a UP Xeon 900-
MHz server can handle 5,700 users at 70-percent CPU utilization and 8,200 users at 100-
percent CPU utilization. (These figures are derived by dividing the opens/creates per
second at peak NetBench throughput by the opens/creates per second for light users.)
The figures in Table 2.15 for the UP Xeon 900-MHz server are based on the following
assumptions:

• No memory, disk, or network bottlenecks prevent the processor from performing
at 100-percent capacity.

• The clients are running Windows XP.

The figures for 2P, 4P, and 8P Xeon 900-MHz servers were calculated by using the
scaling factors described in Table 2.14. For example, on a 4P Xeon 900-MHz server,
under a heavy client load of three opens/creates every 10 seconds, the server can handle
3,400 to 4,400 active users. This figure is derived by taking the 1,900 heavy-load users
supported on a UP Xeon 900-MHz server and multiplying that figure by the UP-to-4P
scaling factors of 1.8X to 2.3X provided in Table 2.14.

Table 2.15 Number of Active Users Supported Based on a NetBench-Type Workload

Processor           Heavy Load       Medium Load      Light Load
UP Xeon, 900 MHz    1,900            2,800            5,700
2P Xeon, 900 MHz    2,600 to 3,000   3,900 to 4,500   8,000 to 9,100
4P Xeon, 900 MHz    3,400 to 4,400   5,000 to 6,400   10,300 to 13,100
8P Xeon, 900 MHz    4,600 to 6,100   6,700 to 9,000   13,700 to 18,200

Determining RAM Specifications

Using adequate RAM in file servers ensures that Windows Server 2003 can temporarily
cache (store) files in memory, reducing the need to retrieve files from disk. Table 2.16
describes the minimum recommended RAM and maximum RAM for Windows
Server 2003.

Table 2.16 Minimum and Maximum RAM for Windows Server 2003

RAM Specification         Windows Server 2003,   Windows Server 2003,   Windows Server 2003,
                          Standard Edition       Enterprise Edition     Datacenter Edition
Minimum recommended RAM   256 MB                 256 MB                 512 MB minimum
Maximum RAM               4 GB                   32 GB                  64 GB

To determine the amount of RAM required to support the file server workload, review
the number of remote file handles that can be efficiently supported by a file server
running Windows Server 2003. Next, review how additional RAM affects the total size
of files, or file set size, that can be held in memory at any time.

Remote concurrent file handles

A file server running Windows Server 2003 with 1 GB of RAM can efficiently support
approximately 100,000 remote concurrent file handles, regardless of the size of the files.
If your users are likely to have more than 100,000 files open at a time, plan to split this
load across two or more servers.

File set size

On a file server with 1 GB of RAM, Windows Server 2003 can hold approximately
500 MB of file content and NTFS metadata in memory. (The amount of memory used for
NTFS metadata depends on the depth of the directory hierarchy and query distribution,
among other factors.) Windows Server 2003 uses the rest of the RAM for providing
nonpaged pool and other operating system functions. For each additional gigabyte of
RAM that you add, Windows Server 2003 can use the entire RAM capacity for storing
file content in memory. For example, a file server with 3 GB of RAM can support
approximately 2.5 GB of file content in memory. When the file set size exceeds the
amount of memory, files are paged to disk. This paging can result in disk bottlenecks,
though using a fast disk subsystem can alleviate this problem.

When determining how much RAM you plan to install in file servers, consider the
following guidelines:

• When users typically access the same files, the file set is known as "hot," because
the files are frequently stored in memory. For hot file sets, invest in more RAM to
accommodate the entire hot file set. Typically, hot file sets are less than 1 percent
of the file set, although this figure can vary.

• When users access random files, the file set is known as "cold." For cold file sets,
invest in faster disks, because users typically open files that are not already in
memory, and the response time is limited by disk latency. For example, if you can
cut disk latency in half by using a faster disk subsystem (including number of
disks, mechanical speed, and disk cache), compare the cost of doing so to the
amount of RAM it would take to achieve similar performance. Using a faster disk
subsystem might be less expensive.

Security Configuration Wizard Quick Start Guide

Updated: March 2, 2005

Applies To: Windows Server 2003


This guide is designed to get you up and running quickly with Security Configuration
Wizard (SCW), a tool for reducing the attack surface of computers running Windows
Server® 2003 with Service Pack 1 (SP1). It provides system requirements, installation
instructions, steps for getting started with SCW, and instructions for troubleshooting
simple problems.

SCW determines the minimum functionality required for a server's role or roles, and
disables functionality that is not required. Specifically, SCW:

• Disables unneeded services.

• Blocks unused ports.

• Allows further address or security restrictions for ports that are left open.

• Prohibits unnecessary Internet Information Services (IIS) Web extensions, if
applicable.

• Reduces protocol exposure to server message block (SMB), LanMan, and
Lightweight Directory Access Protocol (LDAP).

• Defines a high signal-to-noise audit policy.

SCW guides you through the process of creating, editing, applying, or rolling back a
security policy based on the selected roles of the server. The security policies that are
created with SCW are XML files that, when applied, configure services, network
security, specific registry values, audit policy, and if applicable, Internet Information
Services (IIS).

Requirements for Installing and Running SCW

SCW is an optional component included with Windows Server 2003 SP1. You can install
and run SCW only on computers running Windows Server 2003 with SP1. The
computers you target with SCW (for prototyping to create security policy or for
application of SCW-created security policy) must also run Windows Server 2003 with
SP1.

Several security-related IIS settings can be configured by using SCW. You need a server
running IIS if you want to do this.

SCW is not used with Windows XP or other client operating systems or Microsoft
Windows Small Business Server 2003.

Securing Windows Small Business Server 2003

Instead of SCW, Windows Small Business Server 2003 uses the default settings in Setup
and in the Configure E-mail and Internet Connection Wizard to help secure your server.
If you have not already run the Configure E-mail and Internet Connection Wizard, you
should run it to help secure your server.

To start the Configure E-mail and Internet Connection Wizard on the computer
running Windows Small Business Server 2003

1. Click Start, and then click Server Management.
2. In the console tree, click Internet and E-mail.
3. In the details pane, click Connect to the Internet.

Getting Help

SCW Help is installed with Windows Server 2003 SP1, and it contains information
beyond what is in this Quick Start Guide, including help for every page of SCW. After
you install Windows Server 2003 SP1, you can access SCW Help through Help and
Support Center, or at the command line.

Viewing SCW Help topics

The SCW Help is available even though SCW itself is not installed by default.

To access SCW help through Help and Support Center

1. Click Start, and then click Help and Support.
2. In Search, type SCW or type Security Configuration Wizard, and then press
ENTER.
3. Click one of the listed SCW Help topics.

To access SCW help at the command line

1. Click Start, and then click Run.
2. Type hh scwhelp.chm, and then press ENTER.
