Contents
Read This First
This document provides information about Microsoft Internet Security and Acceleration (ISA) Server 2006 release candidate (RC).
Be sure to read the Microsoft Internet Security and Acceleration (ISA) Server 2006 "Quick Start Guide" (Isastart.chm). This guide provides installation instructions and setup prerequisites, describes new ISA Server 2006 features, and provides walk-throughs that highlight these features. This document is available from the ISA Server 2006 Autorun page, and is located in the root folder on the ISA Server 2006 CD. In addition, for deployment instructions and information about common scenarios, refer to the solution documents, available at the
We recommend that you install ISA Server 2006 RC in a non-production environment. If you have questions about the beta version of ISA Server 2006, post them to the Microsoft ISA Server newsgroups.
1. Installing and Uninstalling
-
For best security practice, always install the latest updates for your operating system. For information about recent updates that you may need to install, see Microsoft Update.
-
This release does not support ISA Server 2006 installed on computers running the Microsoft Windows Server Code Name "Longhorn" operating system.
-
This release does not support ISA Server Management installed on computers running Microsoft Windows Vista operating system.
-
When you uninstall ISA Server, some files are not completely removed from the computer. The following table lists the files that remain and their location.
Folder              File name
%windir%            IsUninst.exe, Atl71.dll, ismifcom.dll, msvcp71.dll, msvcr71.dll. Enterprise Edition only: \config\adam_isastgctrl.evt
%windir%\System32   DBmsLPCn.dll, dbmsgnet.dll, dbmsqlgc.dll
-
When ISA Server 2004 is installed on a computer that is running Windows 2000 Server, Microsoft SQL Server 2000 Desktop Engine (MSDE) runs under the Local System account. After you upgrade to Windows Server 2003, MSDE continues to run under the Local System account. However, after ISA Server is upgraded, the Microsoft Firewall service runs under the Network Service account. Because the Network Service account does not have permission to access MSDE, the Firewall service cannot access MSDE, and the upgrade fails. To work around this problem, use the ISA Server 2004 Installation Wizard to uninstall and reinstall MSDE. To do this, follow these steps:
1. Click Start, click Run, type appwiz.cpl in the Open box, and then click OK.
2. In the Add or Remove Programs window, click Microsoft ISA Server 2004, and then click Change/Remove.
3. In the Microsoft ISA Server 2004 Installation Wizard, click Next.
4. On the Program Maintenance page, click Modify, and then click Next.
5. On the Custom Setup page, expand Firewall Services, and then click Advanced Logging.
6. Click This feature will not be available.
7. Click Next, and then click Install.
8. On the Installation Wizard Completed page, click Finish, and then close the Internet Explorer window that automatically opens.
9. Repeat steps 1 through 5, and then click This feature will be installed on local hard drive.
10. Click Start, click Run, type appwiz.cpl in the Open box, and then click OK.
-
If MSDE has been uninstalled from the ISA Server computer, you will need to reinstall it by running ISA Server Setup, and modifying the installation. Prior to reinstalling MSDE, you should stop the Firewall service. Otherwise, MSDE installation may take up to 45 minutes. Note that the Firewall service will restart automatically when the installation is complete.
-
Occasionally, some interfaces are not registered during Msfpccom.dll registration, which may result in the user receiving the error message "An interface is not registered" in the ISA Server Management snap-in. If this occurs, the user should unregister the DLL (by running regsvr32 -u msfpccom.dll), and then register it again (by running regsvr32 msfpccom.dll).
-
When installing ISA Server Enterprise Edition, several DLLs are installed to the following Windows system folders: C:\WINDOWS\ADAM and C:\WINDOWS\ADAM\EN.
-
ISA Server 2006 has been tested on Microsoft Virtual Server 2005 R2 and is expected to be fully functional. However, deployment of ISA Server on a Virtual Server 2005 R2 environment should be limited to testing purposes only. Specifically, we do not recommend a Virtual Server 2005 R2 production environment where ISA Server 2006 is expected to serve as the network firewall.
-
When an array member is installed in an array for which NLB is enabled, the ports used by any listeners defined in the array will not be available immediately following the Firewall service restart at the end of the installation. This is due to the NLB configuration needing time to synchronize after adding an array member. After the NLB configuration is synchronized (this may take several minutes), listener functionality should be restored automatically. In some instances, some listeners may not be fully functional even after the NLB configuration is synchronized. Restarting the Firewall service will resolve the issue.
-
After installing ISA Server 2006, we recommend that you use the Windows Security Configuration Wizard to harden your Windows infrastructure for ISA Server. For details, see the ISA Server Security Hardening Guide. Note that the Hardening Guide was written for ISA Server 2004. Since the release of the guide, the following changes have been made to the ISA Server roles and options in the Windows Security Configuration Wizard:
-
Configuration Storage option was replaced with the new role Microsoft Internet Security and Acceleration Server Enterprise Edition Configuration Storage Server.
-
There are now separate sets of roles for ISA Server 2006 and ISA Server 2004.
-
The MSDE logging feature was removed from the Windows Security Configuration Wizard for both ISA Server 2006 and ISA Server 2004. ISA Server now controls MSDE usage.
-
The client installation share option was removed because this option is no longer included in ISA Server 2006.
-
To use the Windows Server Backup tool to back up your ISA Server computer, you must enable the Backup (NT or 3rd party) option.
-
In addition to the changes made to the Windows Security Configuration Wizard, when hardening the computer manually, the Microsoft ISA Server Storage service on the Configuration Storage server computer must be enabled. You can verify the status of this service in the details pane of the Windows Services snap-in. This change applies to Enterprise Edition only.
2. Upgrading
This section covers issues that may occur when upgrading from ISA Server 2004 to ISA Server 2006 RC.
-
To familiarize yourself with how to upgrade from ISA Server 2004 to ISA Server 2006, read the upgrade guide available from the ISA Server 2006 Autorun page.
-
When upgrading to ISA Server 2006, any changes made in ISA Server 2004 to the alert Compression by Unsupported Method are not reflected in the upgraded alert configuration. Instead, the default ISA Server 2006 alert configuration is applied to this alert. In addition, any user-defined alerts referencing the Compression by Any unsupported method event are not included in the upgraded configuration.
-
When upgrading to ISA Server 2006, these parameters of the RTSP filter are not upgraded: RtspSetupLimit, RtspMaxUrlLength, and RtspTransportList.
-
In ISA Server Enterprise Edition, if an exported ISA Server 2004 configuration file specifies an alternate Configuration Storage server in the array properties, a failure may occur when upgrading the imported configuration file to an ISA Server 2006 Configuration Storage server. To avoid this, after importing the file, open the array properties, and on the Configuration Storage tab, delete the specified alternate Configuration Storage server, and then click OK. Then apply the configuration by clicking the Apply button on the Apply Changes bar.
This section covers issues that may occur when upgrading from ISA Server 2006 Beta to ISA Server 2006 RC.
-
To familiarize yourself with how to upgrade from the ISA Server 2006 Beta build to ISA Server 2006 RC (build-to-build upgrade), read the "Upgrade Guide," available from the ISA Server 2006 Autorun page.
-
If the Microsoft Operations Manager (MOM) agent is running on the ISA Server computer during build-to-build upgrade or installation repair, the operation may fail. To avoid this, prior to initiating the build-to-build upgrade or repair operation, stop the MOM service. To stop the MOM service, at the command prompt, type net stop mom, or use the Service Control Manager (run services.msc).
-
For security reasons, Internet Explorer does not send domain cookies when the server name contains an underscore character (_). Accordingly, ISA Server 2006 blocks the usage of the underscore character in the public names of publishing rules when the applied Web listener has single sign on (SSO) enabled. During a build-to-build upgrade, ISA Server checks whether the PublicNames property for Web publishing rules associated with an SSO-enabled Web listener includes a name containing an underscore. If this character is found in the PublicNames property, the upgrade will fail. To avoid this, before running a build-to-build upgrade, verify that any names included in the PublicNames property do not contain an underscore character.
-
If you configured LDAP servers in the Beta version of ISA Server 2006, and are upgrading to ISA Server 2006 RC, you must remove the LDAP server configuration from the exported Beta configuration file before importing it to ISA Server 2006 RC. The configuration settings for LDAP changed between versions, and the migration will fail if you attempt to migrate the Beta configuration with the LDAP server settings. To remove the LDAP server settings, after exporting the Beta configuration, open the exported configuration file and remove all occurrences of the node FPC4:LDAPSERVERS. Delete the entire node and its contents.
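Removing the node by hand from a large export is error-prone. The following Python script is an added example, not part of ISA Server or these release notes: it removes every LDAPSERVERS element (whatever namespace prefix the file uses) together with its contents, and keeps the file's own prefixes on output. The sample XML, its element layout and the fpc4 namespace URI are constructed placeholders, because the real export schema is not given here; only the node name comes from the release notes.

```python
import io
import xml.etree.ElementTree as ET

# Constructed sample of an exported Beta configuration. The fpc4 namespace URI
# and the surrounding elements are placeholder assumptions, not the real ISA
# Server schema; only the node name FPC4:LDAPSERVERS comes from the release notes.
SAMPLE_EXPORT = b"""<?xml version="1.0" encoding="UTF-8"?>
<fpc4:Root xmlns:fpc4="urn:example:fpc4-placeholder">
  <fpc4:Arrays>
    <fpc4:Array>
      <fpc4:Name>MyArray</fpc4:Name>
      <fpc4:LDAPSERVERS>
        <fpc4:LDAPSERVER>
          <fpc4:Host>ldap.example.internal</fpc4:Host>
        </fpc4:LDAPSERVER>
      </fpc4:LDAPSERVERS>
      <fpc4:WebListeners/>
    </fpc4:Array>
  </fpc4:Arrays>
  <fpc4:LDAPSERVERS/>
</fpc4:Root>
"""


def _register_prefixes(data):
    """Re-register the file's own namespace prefixes so that the rewritten
    file keeps 'fpc4:' instead of ElementTree's generated 'ns0:' prefixes."""
    for _event, (prefix, uri) in ET.iterparse(io.BytesIO(data), events=("start-ns",)):
        ET.register_namespace(prefix, uri)


def strip_ldap_servers(data, local_name="LDAPSERVERS"):
    """Remove every element whose local name is LDAPSERVERS, in any namespace,
    including all of its children. Returns (new_xml_bytes, number_removed)."""
    _register_prefixes(data)
    root = ET.fromstring(data)
    removed = 0
    # ElementTree has no parent pointers, so walk every element as a parent.
    # Snapshot the walk first so removals cannot disturb the iteration.
    for parent in list(root.iter()):
        for child in list(parent):
            tag = child.tag.rsplit("}", 1)[-1]  # drop the "{uri}" namespace part
            if tag == local_name:
                parent.remove(child)
                removed += 1
    return ET.tostring(root, encoding="utf-8", xml_declaration=True), removed


if __name__ == "__main__":
    new_xml, count = strip_ldap_servers(SAMPLE_EXPORT)
    print("removed", count, "LDAPSERVERS node(s)")
    print(new_xml.decode("utf-8"))
```

Run it against a copy of the exported file and diff the result before importing; the script touches nothing but the LDAPSERVERS nodes.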
-
MSDE local logs on the ISA Server computer are not removed as part of the build-to-build upgrade process. This may result in disk space reaching its limit. To remove these log files, go to the \Program Files\Microsoft ISA Server\ISALogs directory, and manually delete the files. Note that you should only delete log files with either .mdf or .ldf extensions that have obsolete dates, and with the following log file name format: ISALOG_YYYYMMDD_WEB_XXX or ISALOG_YYYYMMDD_FWS_XXX.
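As an added example (not from the release notes), the following Python script selects only files that match the name format above, carry an .mdf or .ldf extension, and are dated before a retention window. The window (keep_days) and the directory listing are assumptions; the script reports candidates and deletes nothing, so the administrator reviews the list before removing anything.

```python
import re
from datetime import date, timedelta
from pathlib import PureWindowsPath

# Name format from the release notes: ISALOG_YYYYMMDD_WEB_XXX / ISALOG_YYYYMMDD_FWS_XXX
# with an .mdf or .ldf extension. XXX is assumed to be a short alphanumeric suffix.
LOG_NAME = re.compile(
    r"^ISALOG_(?P<date>\d{8})_(?P<kind>WEB|FWS)_(?P<seq>[0-9A-Za-z]+)\.(?P<ext>mdf|ldf)$",
    re.IGNORECASE,
)


def parse_log_name(name):
    """Return (log_date, kind, ext) for a file name in the ISA MSDE log format,
    or None for anything else, so unrelated files are never selected."""
    m = LOG_NAME.match(name)
    if not m:
        return None
    d = m.group("date")
    try:
        log_date = date(int(d[:4]), int(d[4:6]), int(d[6:8]))
    except ValueError:
        return None  # e.g. a month of 13: not a real date, leave the file alone
    return log_date, m.group("kind").upper(), m.group("ext").lower()


def obsolete_logs(file_names, today, keep_days):
    """Select names that match the log format AND are older than keep_days.
    Returns the sorted list of candidates; nothing is deleted here."""
    cutoff = today - timedelta(days=keep_days)
    candidates = []
    for name in file_names:
        parsed = parse_log_name(PureWindowsPath(name).name)
        if parsed and parsed[0] < cutoff:
            candidates.append(name)
    return sorted(candidates)


# Constructed directory listing for illustration (not real log files).
SAMPLE_LISTING = [
    "ISALOG_20060301_WEB_000.mdf",
    "ISALOG_20060301_WEB_000.ldf",
    "ISALOG_20060612_FWS_001.mdf",
    "ISALOG_20060612_FWS_001.ldf",
    "ISALOG_20061340_WEB_000.mdf",  # impossible date: skipped
    "ISALOG_20060301_WEB_000.bak",  # wrong extension: skipped
    "SomethingElse.mdf",            # not an ISA log name: skipped
]

if __name__ == "__main__":
    for candidate in obsolete_logs(SAMPLE_LISTING, date(2006, 6, 15), keep_days=30):
        print("obsolete:", candidate)
```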
-
When running build-to-build upgrade from a Beta refresh build to the RC build, the forms templates located in the ISA Server installation directory …\CookieAuthTemplates\ISA, are not replaced. The new forms are installed into the folder ...\CookieAuthTemplates\ISA\HTML. As a result, any changes that were made to the forms before the upgrade are not migrated to the new forms. In addition, the following changes were made to the forms in the RC version:
-
Strings.txt uses a different format for customized strings. The new format is name=value.
-
Links in HTML files must include the file extension. For example, lgntop.gif.
-
After upgrading from the ISA Server 2006 beta build to the RC build, the names of some performance counters will not display properly in Performance Monitor. To avoid this issue, prior to upgrading, you should unregister performance objects and counters. To do this, run: unlodctr <service>, where <service> is each of the following: w3pcache, FwEng, H323FLTR, SocksFlt, w3proxy, and FwSrv.
3. Administering
-
DiffServ support is provided only for Web Proxy clients. DiffServ packets are applied to traffic from transparent clients, but should not be used for packet prioritization for those clients.
-
ISA Server cannot change the DiffServ priority during a Secure HTTP (HTTPS) session, and the first selected priority remains in effect for the entire session. As a result, the following limitations apply to content tunneled over HTTPS:
-
The Allow special handling of request and response headers according to this priority option in the Priorities tab is not applicable.
-
The Apply a size limit to this priority option on the Add Priority property page is not applicable.
-
When running Enterprise Edition as an array administrator, you cannot join the Customer Experience Improvement Program by clicking the Customer Experience Improvement Program link in the details pane and then selecting the participate option in the Customer Feedback dialog box. For array administrators to participate in the program, they must select the option in the array properties, on the Customer Feedback tab.
-
When running Enterprise Edition, the Configuration Storage server generates the following log files in the Windows system folder: ADAM.log, ADAMUninst.log, and PFRO.log.
4. Firewall Client
-
This release does not support Firewall clients installed on computers running the Microsoft Windows Server Code Name "Longhorn" or Microsoft Windows Vista operating system. Firewall Client installation is blocked on these operating systems.
5. Publishing
-
Customized logon forms can be defined per publishing rule and per Web listener. If multiple custom forms are defined, this may result in the user being presented with varying logon forms. This is likely to occur when users navigate from one site to another and must reauthenticate due to a session time-out. You can avoid this issue by specifying matching custom logon forms for Web publishing rules and the associated Web listener for those rules.
-
Some applications, such as Windows Media Player, Microsoft Office Picture Manager, and Microsoft Outlook Mobile Access, do not support client certificate authentication during an SSL/TLS handshake, and will not be able to authenticate when client authentication is required. As a result, users will get an error message from such applications when trying to access the published content. This issue occurs if the Web listener requires SSL client certificate authentication, or if the Web listener requires forms-based authentication and any of the publishing rules using this Web listener requires an additional SSL client certificate. In some instances, such as for Windows Media Player, the user may be able to save the target of the link to a local folder, and then access the content from that folder.
-
When Office Communicator Web Access is published using the Web Publishing Rule Wizard, users may experience errors when sending messages. If this occurs, delete the Web publishing rule and create a new rule using the Exchange Web Publishing Rule Wizard instead. In the Select Services page of the wizard, select Outlook Web Access as the Web client mail service you are publishing. After the rule is created, you will need to edit the rule properties and make the following changes: On the Authentication tab, select NTLM authentication. On the Paths tab, delete all Exchange paths, and then type the path /*.
-
To allow a SecurID cookie to be generated by ISA Server, and then trusted by a SecurID Web Agent, the same domain secret must be shared on the ISA Server computer and the Web Agent. When exporting the domain secret on the Web Agent computer, verify that the Domain name text box in the Manage Domain Configuration dialog box is cleared. If a domain name is entered in the text box, a failure will occur when importing the domain secret to the ISA Server computer.
6. Documentation
-
When opened from a network share, the pages of the "Quick Start Guide" will not display on a computer running Microsoft Windows Server 2003 with Service Pack 1. To view the "Quick Start Guide," copy the file Isastart.chm to a local directory, and open it from there. For more information and other options, see the Microsoft Knowledge Base article 896054, "You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1."
-
In the document "Upgrading ISA Server 2004 Enterprise Edition to ISA Server 2006 Enterprise Edition," section "Scenario Four: Load Balanced Array," note the following corrections:
-
The text "After you complete the upgrade of the Configuration Storage server you need to disable NLB integration for the ISA Server array" should be changed to: "After you complete the upgrade of the Configuration Storage server, you need to add any additional virtual IP addresses (VIPs), and then apply the changes by clicking the Apply button on the Apply Changes bar. Then disable NLB integration for the ISA Server array."
-
In the same section, under the heading "Start the NLB service on the ISA Server 2006 array members," there is a step missing. Before starting the NLB service, you must first enable NLB integration.
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2006. Microsoft Corporation. All rights reserved.
Microsoft, Outlook, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.