Read This First
This document provides information about Microsoft Internet Security and Acceleration (ISA) Server 2006.
Be sure to read the Microsoft Internet Security and Acceleration
(ISA) Server 2006 "Quick Start Guide" (Isastart.chm). This guide provides
installation instructions and setup prerequisites, describes new ISA
Server 2006 features, and details walk-throughs highlighting these
features. This document is available from the ISA Server 2006 Autorun page,
and is located in the root folder on the ISA Server 2006 CD. In addition,
for deployment instructions and information about common scenarios, refer to the
solution documents, available at the
1. Installing and Uninstalling
- For best security practice, always install the latest updates for your
operating system. For information about recent updates that you may need to
install, see Microsoft Update.
- This release does not support ISA Server 2006 installed on computers
running the Microsoft Windows Server Code Name "Longhorn" operating
system.
- This release does not support ISA Server Management installed on computers
running Microsoft Windows Vista operating system.
- When you uninstall ISA Server, some files are not completely removed from
the computer. The following table lists the files that remain and their
location.
Folder              File name
%windir%            IsUninst.exe, Atl71.dll, ismifcom.dll, msvcp71.dll, msvcr71.dll.
                    Enterprise Edition only: \config\adam_isastgctrl.evt
%windir%\System32   DBmsLPCn.dll, dbmsgnet.dll, dbmsqlgc.dll
- When ISA Server 2004 is installed on a computer that is running
Windows 2000 Server, Microsoft SQL Server 2000 Desktop Engine (MSDE)
runs under the Local System account. After you upgrade to Windows
Server 2003, MSDE continues to run under the Local System account.
However, when upgrading ISA Server, the Microsoft Firewall service runs under
the Network Service account. Because the Network Service account does not have
permission to access MSDE, the Firewall service cannot access MSDE,
and the upgrade fails. To work around this problem, use the ISA Server 2004
Installation Wizard to uninstall and reinstall MSDE. To do this, follow these
steps:
1. Click Start, click Run, type appwiz.cpl in the Open box, and then click OK.
2. In the Add or Remove Programs window, click Microsoft ISA Server 2004, and
then click Change/Remove.
3. In the Microsoft ISA Server 2004 Installation Wizard, click Next.
4. On the Program Maintenance page, click Modify, and then click Next.
5. On the Custom Setup page, expand Firewall Services, and then click Advanced
Logging.
6. Click This feature will not be available.
7. Click Next, and then click Install.
8. On the Installation Wizard Completed page, click Finish, and then close the
Internet Explorer window that automatically opens.
9. Repeat steps 1 through 5, and then click This feature will be installed on
local hard drive.
- If MSDE has been uninstalled from the ISA Server computer, you will need
to reinstall it by running ISA Server Setup, and modifying the installation.
Prior to reinstalling MSDE, you should stop the Firewall service. Otherwise,
MSDE installation may take up to 45 minutes. Note that the Firewall
service will restart automatically when the installation is complete.
- Occasionally, some interfaces are not registered during Msfpccom.dll
registration, which may result in the user receiving the error message "An
interface is not registered" in the ISA Server Management snap-in. If this
occurs, you should unregister the DLL (by running regsvr32 -u msfpccom.dll), and
then register it again (by running regsvr32 msfpccom.dll).
- When installing ISA Server Enterprise Edition, several DLLs are installed
to the following Windows system folders: C:\WINDOWS\ADAM and
C:\WINDOWS\ADAM\EN.
- ISA Server 2006 has been tested on Microsoft Virtual Server 2005
R2 and is expected to be fully functional. However, deployment of ISA Server
on a Virtual Server 2005 R2 environment should be limited to testing
purposes only. Specifically, we do not recommend a Virtual Server 2005 R2
production environment where ISA Server 2006 is expected to serve as the
network firewall.
- After installing ISA Server 2006, we recommend that you use the
Windows Security Configuration Wizard to harden your Windows
infrastructure for ISA Server. For details, see the
ISA Server 2006 Security Hardening and Administration Guide. Note the following:
- The MSDE logging feature was removed from the Windows Security
Configuration Wizard for both ISA Server 2006 and ISA
Server 2004. ISA Server now controls MSDE usage.
- When hardening the computer manually, the Microsoft ISA Server Storage
service on the Configuration Storage server computer must be enabled. You
can verify the status of this service in the details pane of the Windows
Services snap-in. This change applies to Enterprise Edition
only.
- When an array member is installed in an array for which NLB is enabled,
the ports used by any listeners defined in the array will not be available
immediately following the Firewall service restart at the end of the
installation. This is due to the NLB configuration needing time to synchronize
after adding an array member. After the NLB configuration is synchronized
(this may take several minutes), listener functionality should be restored
automatically. In some instances, some listeners may not be fully functional
even after the NLB configuration is synchronized. Restarting the Firewall
service will resolve the issue.
2. Upgrading
This section covers issues that may occur when upgrading from ISA Server 2004 to ISA Server 2006.
- To familiarize yourself with how to upgrade from ISA Server 2004 to
ISA Server 2006, read the upgrade guide available from the ISA
Server 2006 Autorun page.
- When upgrading to ISA Server 2006, any changes made in ISA
Server 2004 to the alert Compression by Unsupported Method are not
reflected in the upgraded alert configuration. Instead, the default ISA
Server 2006 alert configuration is applied to this alert. In addition,
any user-defined alerts referencing the Compression by Any unsupported
method event are not included in the upgraded configuration.
- When upgrading to ISA Server 2006, these parameters of the RTSP
filter are not upgraded: RtspSetupLimit, RtspMaxUrlLength, and
RtspTransportList.
- When an ISA Server 2004 Web listener specifies SecurID as the client
authentication method and a Web Publishing rule using that Web listener
specifies Basic authentication delegation, the rule cannot be upgraded and the
upgrade will be blocked. To avoid this, before upgrading, verify that any Web
publishing rules using a Web listener configured for SecurID client
authentication do not have Basic authentication delegation selected.
- In ISA Server Enterprise Edition, if an exported ISA Server 2004
configuration file specifies an alternate Configuration Storage server in the
array properties, a failure may occur when upgrading the imported
configuration file to an ISA Server 2006 Configuration Storage server. To
avoid this, after importing the file, open the array properties, and on the
Configuration Storage tab, delete the specified alternate Configuration
Storage server, and then click OK. Then apply the configuration by
clicking the Apply button on the Apply Changes bar.
- If you are upgrading from ISA Server 2004 SP2, pass-through authentication
with the published server over an HTTP connection, which is not secure, may
not be functional after the upgrade. For pass-through authentication to
function properly, you may need to edit the Web listener, and do one of the
following:
- On the Connections tab, modify the Web listener Client
Connection Type to use a secure connection.
- On the Authentication tab, click Advanced, and modify the
Web listener by selecting the Allow client authentication over HTTP
check box.
This section covers issues that may occur when upgrading from ISA Server 2006 release candidate (RC) to ISA Server 2006.
- To familiarize yourself with how to upgrade from the ISA Server 2006
RC build to this released version of ISA Server 2006 (build-to-build
upgrade), read the "Upgrade Guide," available from the ISA Server 2006
Autorun page.
- A build-to-build upgrade from the ISA Server 2006 Beta version to this
released version of ISA Server 2006 is not supported. You must first upgrade
the ISA Server 2006 Beta version to ISA Server 2006 RC, and then complete the
upgrade from the RC build. Before upgrading, read the ISA Server 2006 RC
release notes.
- If the Microsoft Operations Manager (MOM) agent is running on the ISA
Server computer during build-to-build upgrade or installation repair, the
operation may fail. To avoid this, prior to initiating the build-to-build
upgrade or repair operation, stop the MOM service. To stop the MOM service, at
the command prompt, type net stop mom, or use the Service Control
Manager (run services.msc).
- For security reasons, Internet Explorer does not send domain cookies when
the server name contains an underscore character (_). Accordingly, ISA
Server 2006 blocks the usage of the underscore character in the public
names of publishing rules when the applied Web listener has single sign on
(SSO) enabled. During a build-to-build upgrade, ISA Server checks whether the
PublicNames property for Web publishing rules associated with an SSO-enabled
Web listener includes a name containing an underscore. If this character is
found in the PublicNames property, the upgrade will fail. To avoid this,
before running a build-to-build upgrade, verify that any names included in the
PublicNames property do not contain an underscore character.
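The following pre-upgrade check is an added example, not code shipped with ISA Server or taken from these notes. It applies the rule described above to a list of public names: any name containing an underscore is reported, because browsers will not return domain cookies to such a host and SSO cannot work. It goes slightly beyond the notes by also rejecting labels that are not valid RFC 1123 hostname labels, and it assumes a leading "*" wildcard label is acceptable (both are assumptions of this example). The sample names are constructed; how PublicNames is read out of a real configuration is not covered here.

```python
import re

# RFC 1123 hostname label: letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters. Underscore is deliberately not allowed.
LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")


def check_public_name(name):
    """Return None if `name` is usable as a public name on an SSO-enabled Web
    listener, otherwise a short reason it would trip the upgrade check."""
    if not name:
        return "empty name"
    if "_" in name:
        # The case the release notes describe: Internet Explorer does not send
        # domain cookies to a host whose name contains an underscore.
        return "contains an underscore; browsers will not return domain cookies, so SSO breaks"
    if len(name) > 253:
        return "hostname longer than 253 characters"
    labels = name.split(".")
    # Assumption for this example: a leading wildcard label is tolerated.
    if labels[0] == "*":
        labels = labels[1:]
    for label in labels:
        if not LABEL_RE.match(label):
            return f"label {label!r} is not a valid DNS hostname label"
    return None


def find_invalid_public_names(names):
    """Map each offending public name to the reason it was rejected."""
    problems = {}
    for name in names:
        reason = check_public_name(name)
        if reason:
            problems[name] = reason
    return problems


# Constructed sample of PublicNames values; not from any real configuration.
SAMPLE_PUBLIC_NAMES = [
    "mail.contoso.com",
    "owa_legacy.contoso.com",
    "*.contoso.com",
    "-portal.contoso.com",
    "sharepoint.contoso.com",
]

if __name__ == "__main__":
    for name, reason in find_invalid_public_names(SAMPLE_PUBLIC_NAMES).items():
        print(f"{name}: {reason}")
```

Run it against the public names of every rule bound to an SSO-enabled listener before starting the build-to-build upgrade; an empty result means the underscore check in the upgrade will pass.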
- MSDE local logs on the ISA Server computer are not removed as part of the
build-to-build upgrade process. This may result in disk space reaching its
limit. To remove these log files, go to the \Program Files\Microsoft ISA
Server\ISAlogs directory, and manually delete the files. Note that you should
only delete log files with either .mdf or .ldf extensions that have obsolete
dates, and with the following log file name format:
ISALOG_YYYYMMDD_WEB_XXX or ISALOG_YYYYMMDD_FWS_XXX.
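A dry-run selector for the ISALOG cleanup described above, added here as an example and not part of ISA Server or these notes. It parses the file name format the notes give (ISALOG_YYYYMMDD_WEB_XXX or ISALOG_YYYYMMDD_FWS_XXX with an .mdf or .ldf extension; the XXX token is assumed to be an opaque alphanumeric sequence), ignores anything that does not match, and returns only the files dated before a retention cutoff. It never deletes; the directory listing is constructed.

```python
import re
from datetime import date, datetime, timedelta

# Name format from the release notes. The trailing XXX token is treated as an
# opaque alphanumeric sequence (assumption); only .mdf and .ldf are accepted.
ISALOG_RE = re.compile(
    r"^ISALOG_(?P<date>\d{8})_(?P<kind>WEB|FWS)_(?P<seq>[A-Za-z0-9]+)\.(?P<ext>mdf|ldf)$",
    re.IGNORECASE,
)


def parse_isalog_name(filename):
    """Return (log_date, kind, ext) for a well-formed ISALOG file name, else None."""
    m = ISALOG_RE.match(filename)
    if not m:
        return None
    try:
        log_date = datetime.strptime(m.group("date"), "%Y%m%d").date()
    except ValueError:
        # Looks like an ISALOG name but is not a real calendar date: leave it alone.
        return None
    return log_date, m.group("kind").upper(), m.group("ext").lower()


def select_obsolete_logs(filenames, today, keep_days):
    """Return the ISALOG .mdf/.ldf files in `filenames` dated more than
    `keep_days` before `today`. Non-matching names are never selected."""
    cutoff = today - timedelta(days=keep_days)
    obsolete = []
    for name in filenames:
        parsed = parse_isalog_name(name)
        if parsed is None:
            continue
        log_date, _kind, _ext = parsed
        if log_date < cutoff:
            obsolete.append(name)
    return obsolete


# Constructed directory listing for illustration; not from a real server.
SAMPLE_LISTING = [
    "ISALOG_20060501_WEB_000.mdf",
    "ISALOG_20060501_WEB_000.ldf",
    "ISALOG_20060815_FWS_000.mdf",
    "ISALOG_20060815_FWS_000.ldf",
    "ISALOG_20060230_WEB_000.mdf",   # impossible date: never selected
    "ISALOG_20060501_WEB_000.bak",   # wrong extension: never selected
    "notes.txt",
]


def run_sample():
    """Apply a 30-day retention to the constructed listing as of 2006-08-20."""
    return select_obsolete_logs(SAMPLE_LISTING, date(2006, 8, 20), keep_days=30)


if __name__ == "__main__":
    for name in run_sample():
        print("obsolete:", name)
```

Because the .mdf and .ldf files of one day share a date, they are selected together; review the list before removing anything, and keep the current day's files, which the Firewall service may still hold open.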
- When running build-to-build upgrade from an ISA Server 2006 RC build to
this released version, the forms templates located in the ISA Server
installation directory …\CookieAuthTemplates\ISA, are not replaced. The new
forms are installed into the folder ...\CookieAuthTemplates\ISA\HTML. As
a result, any changes that were made to the forms before the upgrade are not
migrated to the new forms. In addition, the following changes were made to the
forms in the RC version:
- Strings.txt uses a different format for customized strings. The new
format is name=value.
- Links in HTML files must include the file extension. For example,
lgntop.gif.
- After upgrading from the ISA Server 2006 RC build to this released version
of ISA Server 2006, the names of some performance counters will not display
properly in Performance Monitor. To avoid this issue, prior to upgrading, you
should unregister performance objects and counters. To do this, run: unlodctr
<service>, where <service> is each of the following: w3pcache,
FwEng, H323FLTR, SocksFlt, w3proxy, and FwSrv.
- After upgrading, the version number displayed in the Servers node in ISA
Server Management is not updated. To see the updated version number, click
Help, and then click About Microsoft ISA Server 2006. The
dialog box that appears shows the version details.
- While uninstalling the primary Configuration Storage server, it must be
able to communicate with at least one other Configuration Storage server in
the enterprise. This communication is required so that during the uninstall
process the replicas can be updated accordingly. Otherwise, when you try to
uninstall a Configuration Storage server that was not connected, it may
attempt to connect to the uninstalled, primary Configuration Storage server.
As a result, you will not be able to uninstall the Configuration Storage
server as required to complete the upgrade. This issue applies to Enterprise
Edition only.
3. Administering
- DiffServ support is provided only for Web Proxy clients. DiffServ packets
are applied to traffic from transparent clients, but should not be used for
packet prioritization for those clients.
- ISA Server cannot change the DiffServ priority during a Secure HTTP
(HTTPS) session, and the first selected priority remains in effect for the
entire session. As a result, the following limitations apply to content
tunneled over HTTPS:
- The Allow special handling of request and response headers according
to this priority option in the Priorities tab is not applicable.
- The Apply a size limit to this priority option on the Add
Priority property page is not applicable.
- The Create Answer File Wizard supports Unicode input. However, because the
output answer file is generated in ANSI format, characters used in the input
strings must be translatable to ANSI. As such, if your input strings include
characters that cannot correctly translate to ANSI, the answer file will not
be generated properly. To avoid this, do the following:
- When running the Create Answer File wizard, use an ANSI file path
to save the generated file and input placeholders in ANSI characters (such
as English) for the following properties: name of site-to-site network for
the remote site, preshared key, array name and array description, and path
to the certificate.
- Open the generated answer file and save the file in UNICODE format.
- Edit the UNICODE answer file and change the strings to their actual
values.
- The Browse button in the Join Existing Array page of the
Create Answer File Wizard is not functional. To enter the name of the
array, you must type it in the Array Name text box.
- When running Enterprise Edition as an array administrator, selecting to
participate in the Customer Experience Improvement program by clicking the
Customer Experience Improvement Program link in the details pane, and
then selecting the participate option in the Customer Feedback
dialog box does not work. For array administrators to participate in the
program, they will need to select the option in the array properties, on the
Customer Feedback tab.
- When running Enterprise Edition, the Configuration Storage server
generates the following log files in the Windows system folder: ADAM.log,
ADAMUninst.log, and PFRO.log.
4. Firewall Client
- This release does not support Firewall clients installed on computers
running the Microsoft Windows Server Code Name "Longhorn" or Microsoft
Windows Vista operating system. Firewall Client installation is blocked on
these operating systems.
5. Publishing
- Some applications, such as Windows Media Player, Microsoft Office Picture
Manager, and Microsoft Outlook Mobile Access, do not support client
certificate authentication during an SSL/TLS handshake, and will not be able
to authenticate when client authentication is required. As a result, users
will get an error message from such applications when trying to access the
published content. This issue occurs if the Web listener requires SSL client
certificate authentication, or if the Web listener requires forms-based
authentication and any of the publishing rules using this Web listener
requires an additional SSL client certificate. In some instances, such as for
Windows Media Player, the user may be able to save the target of the link to a
local folder, and then access the content from that folder.
- When Office Communicator Web Access is published using the Web Publishing
Rule Wizard, users may experience errors when sending messages. If this
occurs, delete the Web publishing rule and create a new rule using the
Exchange Web Publishing Rule Wizard instead. In the Select Services
page of the wizard, select Outlook Web Access as the Web client mail
service you are publishing. After the rule is created, you will need to edit
the rule properties and make the following changes: On the
Authentication tab, select NTLM authentication. On the
Paths tab, delete all Exchange paths, and then type the path /*.
- To allow a SecurID cookie to be generated by ISA Server, and then trusted
by a SecurID Web Agent, the same domain secret must be shared on the ISA
Server computer and the Web Agent. When exporting the domain secret on the Web
Agent computer, verify that the Domain name text box in the Manage
Domain Configuration dialog is cleared. If a domain name is entered in the
text box, a failure will occur when importing the domain secret to the ISA
Server computer.
- When configuring an Exchange Web client access publishing rule for
Exchange Server 2007, the Exchange publishing attachment blocking options in
the rule Application Settings property page are not
functional.
6. Documentation
- When opened from a network share, the pages of the "Quick Start Guide"
will not display on a computer running Microsoft Windows Server 2003
with Service Pack 1. To view the "Quick Start Guide," copy the file
Isastart.chm to a local directory, and open it from there. For more
information and other options, see the Microsoft Knowledge Base article
896054, "You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1."
- In the document "Upgrading ISA Server 2004 Enterprise Edition to ISA
Server 2006 Enterprise Edition," section "Scenario Four: Load Balanced
Array," note the following corrections:
- The text "After you complete the upgrade of the Configuration Storage
server you need to disable NLB integration for the ISA Server array" should
be changed to: "After you complete the upgrade of the Configuration Storage
server, you need to add any additional virtual IP addresses (VIPs), and then
apply the changes by clicking the Apply button on the Apply
Changes bar. Then disable NLB integration for the ISA Server array."
- In the same section, under the heading "Start the NLB service on the ISA
Server 2006 array members," there is a step missing. Before starting
the NLB service, you must first enable NLB integration.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2006. Microsoft Corporation. All rights reserved.
Microsoft, Outlook, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.