Date and Time using GPO

How to use a GPO with a customized ADM file to force a specific date and time format.

 
 
Group policy management is one of the tools for Administrators that, in my experience, is not being used to its full potential enough. To name one example: publishing software (not assigning!) is something I do not see very often, even though it potentially is a great way of rolling out less 'business- critical' software. The problem there is that users are involved to do the install using add and remove software (or programs and features in Vista), and that may be where 'the train stops' since there would be extra training involved (or a decent intranet website with examples and video tutorials). Which of course take extra resources, money and time.

This article however covers a piece of Group Policy Management that does not involve training any users, so there's no reason not to deploy it (in your lab environment first ;-) This article targets MCSE level administrators, in particular; it extends on exam 70-294.

As I'm sure you know, it's possible to use .adm files (Administrative Template files) to make changes to systems available through Group Policies. In fact, I'm pretty sure most admins are familiar with the 'wuau.adm' file, which is the administrative template file for WSUS.

There's a lot more that can be done with these administrative templates! Actually, just about anything that can be changed by making registry changes can be made 'distributable' through Group Policies this way. The .adm files allow for a nice user-friendly interface to be 'generated' and this way make your changes available and usable to peer administrators in your organization. Keep a few things in mind though; first of all, be very careful when using localized versions of Windows. And secondly, always pilot your group policies. With that in mind it is always wise to first thoroughly test your new GPO's in the lab.

 
 
How to change time and date

 
 
In the example we'll be making an administrative template that allows for a specific date and time format to be forced on the OU (or domain or site) where the GPO is applied.

To be precise; we'll be making an .adm file that forces: 'dd.MM.yyyy' for date and 'HH:mm:ss' for time.

First we create .adm template so that these can be added to the group policy.

We'll skip the exact details of the creation of the .adm file, especially since Microsoft already has an excellent article online that gets you started quickly and has references for people wanting to try advanced features. For now we'll use the templates I have provided here, and if you're tempted to try your own implementations, make sure to visit the previously mentioned link as well as this one.

Once created the files will be put in the following location %SystemRoot%\inf (usually c:\windows\inf) on the domain controller where we apply the templates.

Filename: GP-Date-Edits.adm (or whatever you would like to call it)

Contains:


CLASS USER

 
 
CATEGORY "Control Panel"

CATEGORY "Regional Settings"

     POLICY "Specify Date Settings"

    KEYNAME "Control Panel\International"

            EXPLAIN !!expSetDateFormat

PART "Short date style" DROPDOWNLIST REQUIRED

VALUENAME "sShortDate"

ITEMLIST

    NAME "M/d/yy"     VALUE "M/d/yy"

    NAME "M/d/yyyy"     VALUE "M/d/yyyy"

    NAME "MM/dd/yy"     VALUE "MM/dd/yy"

    NAME "MM/dd/yyyy"     VALUE "MM/dd/yyyy"

    NAME "yy/MM/dd"     VALUE "yy/MM/dd"

    NAME "dd-MMM-yy"     VALUE "dd-MMM-yy"

                    NAME "dd.MM.yyyy"        VALUE "dd.MM.yyyy" DEFAULT

END ITEMLIST

END PART

PART "Long date style" DROPDOWNLIST REQUIRED

VALUENAME "sLongDate"

ITEMLIST

                NAME "dddd d MMMM yyyy"        VALUE "dddd d MMMM yyyy" DEFAULT

NAME "dddd MMMM dd, yyyy" VALUE "dddd MMMM dd yyyy"

NAME "MMMM dd yyyy" VALUE "MMMMdd yyyy"

NAME "dddd dd MMMM yyyy" VALUE "dddddd MMMM, yyyy"

NAME "dd MMMM yyyy" VALUE "dd MMMM yyyy"

END ITEMLIST

END PART

END POLICY

END CATEGORY

END CATEGORY

[strings]

expSetDateFormat="Specifies the format for client default date format"

 
 
 
 
Now we can apply the .adm file.

 
 
Note that in the group policy editor on the menu "view" and "filter" the following should be disabled:

"Only show policy settings that can be fully managed"



 
 
If this is not disabled, the manual GP settings will not show up.

Now we add the .adm file as a template on the (in this example) Citrix Server GPO, to do this right-click on the Administrative Templates and choose 'Add/remove templates':




 
 
Clicking 'add' allows you to add our template. This adds our custom created date possibility:



(notice all the different formats we defined in the template?)

Once applied we can see it in the 'settings' overview:




I promised we would do time as well as date…: For the time format the procedure is the same, but the .adm file could contain something like:

CLASS USER

 
 
CATEGORY "Control Panel"

CATEGORY "Regional Settings"

     POLICY "Specify Time Settings"

    KEYNAME "Control Panel\International"

            EXPLAIN !!expSetTimeFormat

PART "Short date style" DROPDOWNLIST REQUIRED

VALUENAME "sTimeFormat"

ITEMLIST

                NAME 24-Hour     VALUE "HH:mm:ss" DEFAULT

                NAME 12-Hour     VALUE "H:mm:ss"

END ITEMLIST

END PART

END POLICY

END CATEGORY

END CATEGORY

[strings]

expSetTimeFormat="Specifies the format for client default time format"

pride and prejudice family tree

Endian Firewall Root Default Password

ENDIAN FIREWALL DEFAULT ROOT PASSWORD


 
User name : root

Password : endian

Microsoft ISA server 2006 Installation

MICROSOFT ISA SERVER 2006

Series Index

 

1. Getting started with Microsoft ISA Server 2006, Part 1: Introduction
   
2. Getting started with Microsoft ISA Server 2006, Part 2: Environment Setup
   
3. Getting started with Microsoft ISA Server 2006, Part 3: Installation
   
4. Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1
   
5. Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept
   
6. Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout
   
7. Getting started with Microsoft ISA Server 2006, Part 7: Create DNS Lookup Rule
   
8. Getting started with Microsoft ISA Server 2006, Part 8: Create Web Access Rule
   
9. Getting started with Microsoft ISA Server 2006, Part 9: Client Configuration
   
10. Getting started with Microsoft ISA Server 2006, Part 10: Logging
    
11. Getting started with Microsoft ISA Server 2006, Part 11: HTTP Filtering
    
12. 
    
    Getting started with Microsoft ISA Server 2006, Part 12: Block Windows Live Messenger
    
    
    
    

INTRODUCTION

 

History of ISA Server

The history of ISA Server starts from Microsoft Proxy Server 1.0 and Microsoft Proxy Server 2.0 which both were released in 1997. They were merely designed to provide internet access (Internet Sharing) and came in only one edition of each version. Microsoft Proxy Server 1.0 only has basic functionality and many limitations. The second version improves many features from the previous version. It supports Windows NT account integration, many more protocols, packet filtering capability.

Then, ISA Server 2000 was released in 2001. And in 2004 for ISA Server 2004 and ISA Server 2006 in 2006. Each product has two editions: Standard and Enterprise. ISA Server 2004 introduced multi-networking support, integrated virtual private networking (VPN) configuration, Application-Layer Firewall support, support for the H.323 protocol, Active Directory Integration, SecureNAT, Secure Server Publishing, and improved reporting and management features. The rules based configuration was also considerably simplified on ISA Server 2000. ISA Server 2004 Enterprise Edition included array support, integrated Network Load Balancing (NLB), and Cache Array Routing Protocol (CARP). One of the core capabilities of ISA Server 2004 was its ability to securely publish Web servers. ISA Server 2006 is an updated version of ISA Server 2004. It doesn't has major difference compare to ISA Server 2004. Most features and interface of both versions are quite similar.

The future version of ISA Server is Forefront Threat Management Gateway which runs only on 64-bot platform and Windows Server 2008. At this time, the current version is beta 3.


 

 

 

Features of ISA Server 2006

Microsoft ISA Server 2006 has 2 editions: Standard and Enterprise. The major different of the two editions are scalability and network load balancing capable. The standard edition can be installed on a single server up to 4 CPUs and memory (RAM) limits at 2 GB. See Comparison of Standard and Enterprise Editions for ISA Server 2006 for more information.

Here is the summary features of ISA Server 2006:

1. Multi-layer firewall. Provides three types of firewall functionality: packet filtering (also called circuit-layer), stateful filtering, and application layer filtering.
   
2. Application layer filtering. Provides deep content filtering through built-in application filters.
   
3. Virtual private networking capability.
   
4. Intrusion detection capability. Flood protection such as denial of service (DoS) and distributed denial of service (DDoS) attacks, IP spoofing protection, etc.
   
5. Supports various authentication. Authenticate users with built-in Windows, LDAP, RADIUS, or RSA SecurID authentication.
   

For more details, see Key features of ISA Server 2006.


 

Environment Setup

In the first part, you learn an overview of ISA Server 2006. Before going to the real example on ISA Server 2006, you should know system environment which I'm going to use on this series. On this post, you will know the hardware and software requirements for ISA Server 2006. And you will see the server and network configurations.


 

System Requirements

Below is the minimum requirements for ISA Server 2006 Standard Edition or ISA Server 2006 Enterprise Edition.

• Pentium III 733 MHz or higher.
  
• 512 MB of RAM or more.
  
• 150 MB of free hard-disk space.
  
• Microsoft Windows Server 2003 32-bit operating system with Service Pack 1 (SP1) or Microsoft Windows Server 2003 R2 32-bit.
  

Server Configuration

There are three servers which I will use throughout this series. I already have the following servers in the network:

• 
  
  BKKPDC001 which runs under Windows Server 2003 R2 with Service Pack 2. It runs these services:
  
  • Active directory
    
  • DNS
    
  • 
    
    DHCP
    
    • Address pool: 192.168.10.101-192.168.10.150
      
    • Scope option: DNS Servers – 192.168.10.2, 203.144.255.71, 203.144.255.72
      Note: The IP address 203.144.255.71 and 203.144.255.72 are the IP addresses of my ISP's DNS servers.
      
  • 
    
    IP Configuration:
    
    • IP address: 192.168.10.2/24
      
    • Gateway: 192.168.10.10
      
    • DNS Server: 192.168.10.2, 203.144.255.71, 203.144.255.72
      Note: The IP address 203.144.255.71 and 203.144.255.72 are the IP addresses of my ISP's DNS servers.
      
• BKKNET001 which runs under Windows XP Professional. This is a client PC for test Internet access. The IP address is obtained from the DHCP server.
  
• 
  
  BKKISA001 which runs under Windows Server 2003 Standard edition with Service Pack 2. I am going to setup ISA Server 2006 on this server. There are two network interface cards on this server.
  
  • 
    
    Internal network (LAN):
    
    • IP Address: 192.168.10.10/24
      
    • Gateway: 192.168.10.2
      
    • DNS Server: 192.168.10.2, 203.144.255.71, 203.144.255.72
      Note: The IP address 203.144.255.71 and 203.144.255.72 are the IP addresses of my ISP's DNS servers.
      
  • 
    
    External network (the Internet):
    
    • IP Address: 192.168.0.10/24
      
    • Gateway: 192.168.0.1
      
    • DNS Server: None
      

Network Configuration

I try to keep the network configuration simple as possible. You will see on the left side of the ISA Server 2006 server are my internal network (LAN). It contains clients and a server of my network. On the right side of the ISA Server 2006 server is the external network. It connects to the router which connects to the Internet.

The image below is the network diagram of my example.

What's Next?

 

 
INSTALLATION


 
Getting started with Microsoft ISA Server 2006, Part I: Installation

Introduction

Microsoft Internet Security & Acceleration Server 2006 is a firewall and proxy product from Microsoft. It can protects local network from hackers, limit access for internet access, improve internet speed for users and also logging any connections that pass through ISA Server.

Or you can say that ISA Server is a gateway between intranet(LAN) and internet so it has more than one network interfaces usually it has 2 or 3 network interfaces depends on network topology(Edge firewall, 3-Leg Perimeter, etc.) in your organization.


 
This post will show how to install ISA Server 2006 Standard Edition on a Windows 2003 Server which has 2 network interfaces: one is connected to internal network(LAN) and the other connected to external(Internet). The diagram is as below:



 
Step-by-step

1. Open ISA setup program.
   
   
2. Click Next.
   
   
3. Enter your license information. Click Next.
   
   
4. Select Setup Type. If you want to customize features or change installed directory, select Custom. Otherwise, select Typical. I leave Typical for convenience.
   
   
5. On Internal Network, you must enter your internal IP address range. You can do this by adding manually or select from network adapter. Before click Next, ensure that your network addressed was configured correctly.
   
   
6. On Firewall Client Connections, if you haven't upgrade from previous ISA Server(ISA 2000 or 2004), leave the check box uncheck and click Next. Otherwise, check the check box before continue.
   
   
7. On Service Warning, click Next. Notice that some of services will be restarted or disabled while installing.
   
   
8. Click Install.
   
   
9. Wait for install finishes.
   
   
10. You can check "Invoke ISA Server Management when the wizard closes" if you want to configure ISA now.
    
    
11. Now you have finished installing ISA Server 2006. For configure the ISA details, continue on the next part.
    
    

 

 

 

 

 
Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology

Network Topology

From Part I, you have finished install ISA Server 2006. Before using the server, you need to do some configurations first. On Getting Started with ISA Server 2006 page on ISA Server Management, there are 5 steps for set up ISA Server as the figure below.



 

 
To use ISA Server, only first 2 steps on the figure above are needed to be configured so this part will shows how to configure Network Topology on ISA Server which is the first step in the figure above. For the second step, I will cover in the next part(part III). Also, you need to enable client to access ISA Server by configure on clients,too. Client Configuration will be covered in part IV.


 
Step-by-step

Next, I will create a new web access rule for all users in internal network to access internet(external network) with only HTTP (port 80) and HTTPS (port 443) protocols.


 

 

 

 

 

 

 

 

 
Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule


 
Firewall Policy

From part II, you have configured Network Topology. Now you need to create a policy rule to allow traffic pass through the ISA Server.

By default, ISA Server is configured with default rule which blocks all traffics pass through ISA Server. But you can customize rules to match your policy in organization. On each rule, you can customize to allow or deny access, protocols, source and destination addresses, users (ISA Server can integrated with Active Directory), time to use the rule, content types.

 

Open ISA Server Management. Expand server name(in this example, BKKFRW001) -> Right click on Firewall Policy -> New -> Access Rule.

1. New Access Rule Wizard appears, enter the name of access rule. Click Next.
   
   
2. On Rule Action, select Allow. Click Next.
   
   
3. On Protocols, click Add. Add Protocols window appears, expand Common protocols and select HTTP and HTTPS.
   
   
4. On Access Rule Sources, click Add. Add Network Entities window appears, expand Networks and select Internal.
   
   
5. On Access Rule Destinations, add External network.
   
   
6. On User Sets, leave All Users. Click Next.
   
   
7. Click Finish to complete create new rule.
   
   
8. Again, don't forget to apply your setting on ISA Server to take effect. Click Apply.
   
   
9. Next part will be about client configuration to access to ISA Server
   

 
Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type


 
After completed part III, you have done basic configurations on ISA Server. In this part, you're going to configure on client computer to be one of these types: SecureNAT Client, Firewall Client or Web Proxy Client. You can see more detail in topic below.


 
Client Types

The table below compares the ISA Server clients.

Feature\ Client types	SecureNAT client	Firewall client	Web Proxy client
Installation required	Some network configuration changes may be required	Yes	No, Web browser configuration required
Operating system support	Any operating system that supports Transmission Control Protocol/Internet Protocol (TCP/IP)	Only Windows platforms	All platforms, but by way of Web application
Protocol support	Application filters for multiple connection protocols required	All Winsock applications	Hypertext Transfer Protocol (HTTP), Secure HTTP (HTTPS), File Transfer Protocol (FTP), and Gopher
User-level authentication	Some network configuration changes required	Yes	Yes
Server applications	No configuration or installation required	Configuration file required	Not applicable

Configurations

On this section, I will how to configure each client type on a client computer. You only select one of these three client types configurations.

• 
  
  SecureNAT client
  To configure SecureNAT client, only change gateway in network properties to ISA Server
  
  • Open Network Connection Properties on client computer.
    
    
  • On Network Properties, select Internet Protocol(TCP/IP) and click Properties.
    
    
  • On Internet Protocol(TCP/IP) Properties, change IP Address on default gateway to ISA Server.
    
    
• 
  
  Firewall client
  
  • Download Firewall Client for ISA Server at Microsoft or at here – Microsoft Firewall Client.
    
  • Run setup program, set the ISA Server DNS name or IP Address on ISA Server Computer Selection page.
    
    
  • After install, you'll see icon as the figure below in task icon. The green color means the client has successfully connected to ISA Server. If the red shows, the client can't connect to ISA Server. You can double-click on icon to see more detail.
    
    
  • If you have double-clicked on previous step, select Settings tab and you can verify that ISA Server Selection is type correctly or not. Also, click on Apply Default Settings Now for other users on this computer can use this configuration,too.
    
    
• 
  
  Web Proxy client
  
  • Open Web browser. In this example, I demonstate on Internet Explorer.
    
  • On menu bar, select Tools -> Internet Options.
    
    
  • On Internet Options, select Connections tab and click on LAN Settings.
    
    
  • On Local Area Network (LAN) Settings, set Address and Port to your ISA Server configuration.
    Note: By default, Web proxy port is 8080.
    
    

 

 
Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter


 
Have you ever need to block users using MSN or Yahoo Messenger? Or block them to using free email services? Or even block them to post anythings on web boards? Or block them to using bit torrent to download files? This topic can answer these questions by using Microsoft ISA Server 2006.

From Part I to IV, you have finished simple configurations on Microsoft ISA Server 2006 to work in your network. But ISA Server can do a lot more than that. Another benefit of ISA Server is that it can filter HTTP traffic. If you know attributes of each HTTP traffic, you can block MSN/Yahoo Messenger, Bit torrent, web mail, disallow post on web boards, etc by allow or block HTTP traffic using HTTP filter. I think most of the readers may not familiar what HTTP traffic look like so let's see about HTTP traffic in the next section.


 
Note: This topic isn't require in order to running ISA Server, only Part I to IV are sufficient. But this topic will be benefits in most organization to improve security.


 

HTTP Traffic

HTTP Traffic on ISA Server is a data that pass through ISA Server using HTTP protocol (by default is on port 80) which is the protocol that is used by most applications. On each HTTP connection, there will be a header information about client that send to server or server to client. These information are such as Request Methods (GET, POST ,etc.), HTTP Versions (1.0,1.1,1.2), User-Agent (Mozilla/4.0, Firefox, etc.), Content-Type (application/xml, image/jpeg, text/xml, etc.), etc. I will not go into deep detail about HTTP protocol if you want more information, you can find at Wikipedia – HTTP. With these header information, ISA Server can filter HTTP traffic to allow or block specific application or traffic.

To see some sample of HTTP traffic, you can use sniffer program to capture each data packet that pass in/out a computer. The popular one is Ethereal. I have installed Ethereal on a computer which running a web server. Let see the different example of each HTTP header information below.

When client sends request to the web server by browser the Internet Explorer to http://bkkexternal (bkkexternal is the computer that runs a web server).
Detail: The request method is GET. URI is /. The User-Agent is Mozilla (compatible: MSIE 6.0).


This the response header from the above request.
Detail: The response code is 200 (OK). The server is running by Apache 2.2.4. The Content-Type is text/xml


When you submit a form on the browser to the web server.
Detail: The request method is POST. The client host is bkkmisc01. The Content-Type is application/x-www-form-urlencoded.


Note: "/r/n" is tag that tells end of a line, a control line feed.


 
Configurations

To configure HTTP filter, you need to know what attribute and value need to be configured. On this post, I will show only the following:

1. Block specific browser: Firefox.
   
2. Block MSN Messenger, Windows Live Messenger.
   
3. Block download file .torrent.
   
4. Block AOL Messenger.
   
5. Block Yahoo Messenger.
   
6. Block Kazaa.
   
7. Block free web mail. (e.g. hotmail.com, mail.yahoo.com, etc.)
   
8. Block post on web boards.
   

Step-by-step

• Open Microsoft ISA Server Management Console.
  
  
• Right-click on the rule that being configured HTTP filter -> select Configure HTTP.
  
  
• Click on Signatures tab and click Add.
  
  
• Block specific browser: Firefox.
  To block users to use Firefox browser by configure signature to "Firefox", "User-Agent" in HTTP Header and Request headers in Search in.
  
  
• 
  
  Block MSN Messenger, Windows Live Messenger.
  To block users to use MSN Messenger and Windows Live Messenger.
  
  • To block MSN Messenger by configure signature to "msnmsgr.exe", "User-Agent" in HTTP Header and Request headers in Search in.
    
    
  • To block Windows Live Messenger by configure signature to "login.live.com", "Host" in HTTP Header andRequest headers in Search in.
    
    
• Block download file .torrent.
  To block download any .torrent files by configure signature to "application/x-bittorrent", "Content-Type" in HTTP Header and Request headers in Search in.
  
  
• Block AOL Messenger.
  To block users to use AOL Messenger by configure signature to "Gecko", "User-Agent" in HTTP Header and Request headers in Search in.
  
  
• Block Yahoo Messenger.
  To block users to use Yahoo Messenger by configure signature to "msg.yahoo.com", "Host" in HTTP Header andRequest headers in Search in.
  
  
• Block Kazaa.
  To block users to use Kazaa by configure signature to "KazaaClient", "User-Agent" in HTTP Header and Request headers in Search in.
  
  
• Block free web mail. (e.g. hotmail.com, mail.yahoo.com, etc.)
  To block users to access free web mail, block any URL that contain string "mail" by configure on signature to mail.
  
  
• 
  
  Block post on web boards.
  Block users to sending any information to internet (e.g. post on web board) by configure to disallow HTTP method:POST.
  
  • Select on Methods tab and select block specified methods.
    
    
  • Click Add. New window appears, type "POST" on method and enter some description.
    
    
  • Don't forget to apply the settings after configuration.
    
    
• If the users are blocked by HTTP filter, they will see page like the figure.
  "Error Code: 500 Internal Server Error. The request was rejected by the HTTP filter."
  
  

Summary

This is the end of this serie. After complete this serie, starting from install ISA Server, configure the network topology, configure basic rule, configure client types and configure HTTP filter, now you have basic knowledge and understanding how to operate ISA Server on your own. But there are some configurations, I don't cover for instance how to configure cache on ISA Server, how to implement VPN, etc.


 
Getting started with Microsoft ISA Server 2006, Part 4: Service Pack 1

Update Service Pack 1

From Part 3: Installation, I have installed ISA Server 2006 enterprise edition on the server. At this time, there is a service pack for ISA Server 2006 which you can download from Microsoft website. So I am going to show how to update the server to ISA Server 2006 Service Pack 1 on this post.
Note: There are others security updates for ISA Server 2006 available besides the service pack which I will not cover on this series. So you should check and update them on your own.


 
There are many new features and enhancements on the ISA Server 2006 service pack 1:
New Features

• Configuration Change Tracking. Registers all configuration changes applied to ISA Server to help you assess issues that may occur as a result of these changes.
  
• Web Publishing Rule Test Button. Tests the consistency of a Web publishing rule between the published server and ISA Server.
  
• Traffic Simulator. Simulates network traffic in accordance with specified request parameters, such as an internal user and the Web server, providing information about firewall policy rules evaluated for the request.
  
• Diagnostic Logging Query. Now integrated as a tab into the ISA Server Management console, this feature displays detailed events on packet progress and provides information about handling and rule matching.
  

Enhancements

• Support for integrated NLB mode in all three modes, including unicast, multicast, and multicast with Internet Group Management Protocol (IGMP). Previously, ISA Server integrated NLB-supported unicast mode only.
  
• Support for certificates with multiple Subject Alternative Name (SAN) entries in published web servers.
  
• Kerberos Constrained Delegation (KCD) authentication supports trusted-domain user accounts.
  
• Improve Web Publishing Load Balancing (WPLB) cookie handling.
  
• Alert Improvements.
  
• New performance counter.
  

For more information about this service pack, see Microsoft Article 943462.

Step-by-step

1. Download the file from Microsoft Internet Security and Acceleration (ISA) Server 2006 Service Pack 1.
   
   
2. Double-click the downloaded file, ISA2006-KB943462-X86-ENU.msp, to run the setup wizard.
   
   
3. On Welcome to the Update for Microsoft ISA Server 2006 Service Pack 1, click Next.
   
   
4. On License Agreement, select I accept the terms in the license agreement and click Next.
   
   
5. On Locate Configuration Storage Server, you have to specify the Configuration Storage Server. On this example, I leave it as default and click Next.
   
   
6. On Ready to Install the Program, click Install.
   
   
7. On Installing Microsoft ISA Server 2006 Service Pack 1, wait until the installation completes.
   
   
8. On Installation Wizard Completed, click Finish.
   
   
9. There is a pop-up message asks you to restart the system for the configuration changes made to ISA Server 2006 to take effect. Click Yes to restart it now.
   
   
10. Once the system is restarted, you can see the version of ISA Server 2006 is updated by open ISA Server Management. Click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
    
    
11. On ISA Server Management, click Help -> About Microsoft ISA Server 2006.
    
    
12. On About Microsoft ISA Server 2006, you see the current version of ISA Server 2006. The version of ISA Server 2006 Service Pack 1 is 5.0.5723.493.
    
    

 
Getting started with Microsoft ISA Server 2006, Part 5: Network Layout Concept


 
Configure Network Layout

From Part 3: Installation and Part 4: Service Pack 1, you learn how to install and update ISA Server 2006. Next, it is time to configure the ISA Server 2006. On this post, I am going to show how to configure networking environment for ISA Server 2006 by selecting from the pre-defined network templates.


 
By default, ISA Server 2006 comes with five pre-defined network templates. You can select one of them that match your networking environment. Let's see each of them in details.

1. Edge Firewall
   This is a standard network topology for small to medium organization. The ISA Server is a main gateway controlling traffic between the intranet (LAN) and the Internet networks. The ISA Server needs 2 network interface cards.
   
   
2. 3-Leg Perimeter
   This is a standard network topology for medium to large organization. There is an additional network which is a perimeter network connects to ISA server compare to the edge firewall. The perimeter network or DMZ (Demilitarized Zone) is a network that is less secure for serving Web server, E-Mail server, DNS server and other services to the Internet users and also the internal users. The ISA Server needs 3 network interface cards.
   
   
3. Front Firewall
   This is a network topology for organization that security is high priority. In this case, there are more than one firewall. When a hacker attacks the front firewall and it compromises, there is still a back firewall to protect the internal network. This template, ISA Server acts as front firewall server between the Internet and the perimeter network and needs 2 network interface cards.
   
   
4. Back Firewall
   This network template is similar as the front firewall template except that the ISA Server that you're configuring is the back firewall which stands between the internal and the perimeter networks.This template, ISA Server needs 2 network interface cards.
   
   
5. Single Network Adapter
   This is a network template for ISA Server to be act as Proxy server only. ISA Server can do caching to improve performance for users using the Internet in organization. This template, ISA Server requires only a single network interface card as the name of the template.
   
   

Note: About front and back Firewall templates, you have more than one firewalls. It is best practice not to use the same firewall model. For example, you should have the front firewall as hardware base from one company and the back firewall as software base from another company, or vice versa. If a hacker breaks the front firewall, then the hacker will takes an extra time to break another firewall to reach our internal network since the hacker cannot use the same technique to break the back firewall.


 
Getting started with Microsoft ISA Server 2006, Part 6: Configure Network Layout


 
Configure Network Layout

you learn about network templates. On this post, I will show how to configure networking environment of the ISA Server 2006 using edge firewall template which is the most suitable template for this example. You can see the network diagram of the example on 


 
Step-by-step

• Open ISA Server Management by click Start -> Programs -> Microsoft ISA Server -> ISA Server Management.
  
  
• On Microsoft Internet Security and Acceleration Server 2006, expand Arrays -> BKKISA001 -> Configuration ->Networks.
  
  
• Select Templates tab and click on the Edge Firewall template.
  
  
• A Network Template Wizard window appears, click Next to continue.
  
  
• On Export the ISA Server Configuration, you can click on Export button to backup your current ISA Server configuration. But this is the first time configuration so there is no need to backup anything.
  
  
• On Internal Network IP Addresses, verify if the IP address ranges are correct. My internal network is 192.168.10.0/24 so the existing range is correct. Click Next.
  
  
• 
  
  On Select a Firewall Policy, you can choose a pre-defined firewall policy which will be applied to the network specified in this template. On this example, I select Block all. I will create firewall rules manually on the next part.
  Note: On edge firewall template, there are five predefined firewall policies which are:
  
  • Block all
    Block all network access through ISA Server. This option does not create any access rules other than the default rule which blocks all access.
    Use this option when you want to define firewall policy on your own.
    
  • 
    
    Block Internet access, allow access to ISP network services
    Block all network access through ISA Server, except for access to network services, such as DNS. This option is useful when these services are provided by your Internet Service Provider (ISP).
    Use this option when you want to define firewall policy on your own.
    
    The following access rules will be created:
    
    
    • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
      
  • 
    
    Allow limited Web access
    Allow Web access using HTTP, HTTPS, FTP, only. Block all other network access.
    
    The following access rules will be created:
    
    
    • Allow HTTP, HTTPS, FTP from Internal Network to External Network.
      
    • Allow all protocols from VPN Clients Network to Internal Network.
      
  • 
    
    Allow limited Web access and access to ISP network services. 
    Allow limited Web access using HTTP, HTTPS, and FTP, and allows access to ISP network services, such as DNS. Block all other network access.
    The following access rules will be created:
    
    • Allow HTTP, HTTPS, FTP from Internal Network and VPN Clients Network to External Network (Internet).
      
    • Allow DNS from Internal Network and VPN Clients Network to External Network (Internet).
      
    • Allow all protocols from VPN Clients Network to Internal Network.
      
  • 
    
    Allow unrestricted access
    Allow unrestricted access to the Internet through ISA Server. ISA Server will prevent access from the Internet.
    
    The following access rules will be created:
    
    
    • Allow all protocols from Internal Network and VPN Clients Network to External Network (Internet).
      
    • Allow all protocols from VPN Clients Network to Internal Network.
      
  
  
  
• On Completing the Network Template Wizard, click Finish.
  
  
• Then, you notice that there is a warning icon at the top of ISA Server Management. This means that the changes which you have made do not take effect yet. To update the configuration, click Apply.
  Note: If you want to undo changes that you have made, click Undo.
  
  
• The changes have been saved.