Release Notes

Microsoft Internet Security and Acceleration Server 2004 Enterprise Edition Release Notes

Contents

Read This First

Be sure to read the Getting Started Guide and the Upgrading to ISA Server 2004 Enterprise Edition document, available when you run ISAAutorun.exe. These guides provide installation instructions and setup prerequisites, describe new features, and provide upgrade information. The latest updates to the Getting Started Guide and the Upgrading to ISA Server 2004 Enterprise Edition document are available on the ISA Server Web site.

Before installation, check the ISA Server Web site for any last minute release notes or announcements.

1. Installing

1. ISA Server Setup makes some changes to the Windows Server 2003 TCP/IP stack, including:
   • Restart the Network Load Balancing (NLB) driver if it was running before Setup commenced.
   • Update the limit on the number of outgoing TCP/IP connections.
   • Tune the TCP/IP stack to reduce impact of SYN attacks.
   For all the changes to take effect, restart the computer after Setup completes.
2. When running Setup, joining multiple servers concurrently to the same array is not supported.
3. During Setup, ISA Server configures the ADAM service to run under the Network Service account. During unattended installation of Configuration Storage server on a domain controller, you should specify an alternative user account for the ADAM service, using the STORAGESERVICE_ACCOUNT entry. The account you specify will automatically be given permissions to log on as a service. If you are not installing Configuration Storage server on a domain controller, do not specify a value for this entry.
4. If you are replicating an enterprise configuration with a large number of arrays over a slow network, 10 megabits per second (Mbps) or less, note the following:
   • When replicating an existing Configuration Storage server during installation, you can choose to replicate over the network, or to replicate the initial configuration by restoring from a backup file. Over a slow network we recommend replicating from a backup file.
   • To do this, create a backup file (.bkf) on the Configuration Storage server from which you are replicating. Copy the backup files to the computer on which you are installing the replicated Configuration Storage server, and restore the configuration from the copied files.
   For detailed instructions, see Use Windows Backup utility to back up a large enterprise configuration, in the ISA Server online Help, and the article Replicating a large enterprise configuration over a slow network at the ISA Server Guidance Web site.
5. Array members communicate with each other, and with the Configuration Storage server, using an intra-array IP address configured when you install ISA Server. If you deploy a multi-server array with NLB, there must be a dedicated network adapter on each array member for this intra-array address. Furthermore, a dedicated adapter in a separate physical network, using a dedicated hub or virtual LAN (VLAN), provides enhanced security in other deployment scenarios. After installing a dedicated adapter, do the following:
   • Specify that the IP address of this adapter should be used for intra-array communication.
   • Create a dedicated array-level network that includes the intra-array address of each array member. Specify the network type as Internal.
   For more information, see the topic Configuring and securing intra-array communication, in ISA Server online Help.
6. Before using Add/Remove Programs (Modify) to add a Configuration Storage server to an existing computer running ISA Server services, you must enable the Replicate Configuration Storage Servers system policy rule in ISA Server Management. After enabling the rule, apply the changes. Check that the new settings are synchronized in the Configuration tab of the Monitoring node. Then run Setup to replicate an existing Configuration Storage server.
7. After installing a third-party application filter that was created for earlier versions of ISA Server, you must restart the Microsoft Firewall service. Do not restart until the new configuration settings are updated following installation of the filter. Check that settings are synchronized in the Configuration tab of the Monitoring node in ISA Server Management.

Back to Contents

2. Administering

1. If you enable or disable a network adapter, or remove an IP address from the adapter and then later add the same IP address, ISA Server may fail to listen for Web proxy requests on the adapter or IP address. As a workaround, restart the Firewall service.
2. If the network adapter dedicated to intra-array communication has more than one IP address, use the primary IP address for intra-array communication.
3. During installation, ISA Server assigns a persistent, unique host ID in the range of 2-32 to each server in an array during Setup. (An array does not support more than 31 servers.) This host ID is used to identify the server for storage purposes, virtual private network (VPN) settings, and NLB configuration. The host ID value should not be changed, unless an alert is issued indicating that a conflict has occurred in host ID assignment. A conflict may occur if settings are not specified correctly in the .ini file for unattended Setup, or in some export and import scenarios. For instructions, see the Troubleshooting Host IDs article.
4. When you create a new network, Firewall client settings for the network are configured by default to use the array name, and not the DNS name of the array. After creating the network, modify this setting. In ISA Server Management, click to expand the Configuration node, and then click Networks. In the details pane, right-click the network, and then click Properties. On the Firewall Client tab, do the following:
   • In Firewall client configuration, specify the DNS name of the array in ISA Server name or IP address.
   • In Web browser configuration on the Firewall client computer, specify the DNS name of the array in ISA Server name or IP address.
   Note that when you modify the array's DNS name, the change will take affect for all networks with Firewall client settings configured with the previous array DNS name.
5. To rename a Configuration Storage server, there are a number of configuration steps you must complete in a specified order. For more information, see the article Renaming Configuration Storage servers, at the ISA Server Guidance Web site.
6. Before using the Windows Backup utility to back up and restore a large enterprise configuration with multiple Configuration Storage servers, you should install a dsdbutil hotfix.
7. If you configure firewall chaining to route requests to an upstream server using a dial-up connection, ensure that you specify upstream array settings by IP address so that no name resolution is required. Configure settings as follows:
   • In Firewall Chaining settings, specify an IP address for the upstream proxy, rather than a fully qualified domain name (FQDN).
   • On the upstream proxy, in Firewall Client settings for the appropriate network, specify an IP address rather than an FQDN, in the ISA Server name or IP address dialog box.
   If upstream proxy settings require name resolution, the Firewall service may become unresponsive, halting all communication through ISA Server.
8. The Hypertext Transfer Protocol (HTTP) filter is configured on a per rule basis. However, the maximum length of headers is a global property of the HTTP filter, and is applied to all rules. At array level and enterprise level, you should configure this property on one rule only, to apply to all rules. Because this is a global configuration, it remains even after the rule on which it is configured is deleted. The effective value for this property is the smallest value set between the enterprise level and the array level.

Back to Contents

3. Network Load Balancing

1. When enabling or disabling Network Load Balancing (NLB) on a network object in ISA Server Management, or changing a virtual IP address on a network, you may experience a loss of network connectivity to the ISA Server computer. Typically this issue will produce warning event 212238 in the Event Viewer. This may happen when NLB makes a change to the MAC address of the network adapter when NLB integration is enabled (unicast mode), and other network computers are not updated with this change. As a workaround, do either of the following:
   • Wait approximately 10 minutes to allow the change to propagate.
   • Alternatively, on the computer that has lost connectivity to the ISA Server computer, force an update of MAC addresses. To do this, type arp –d at a command prompt.

Back to Contents

4. Remote Management

1. Use Terminal Server to connect to the Configuration Storage server for remote management in the following circumstances:
• If the link between the remote management computer and the Configuration Storage server is slower than 5 Mbps.
• If you are remotely managing ISA Server over a VPN connection.
2. If the Server service is not running on the Configuration Storage server (for example, because of system hardening), there are some user management tasks that cannot be performed remotely using the ISA Server Management MMC snap-in. Some of these tasks include:
   • Delegating administration permissions
   • Defining user sets in firewall policy
   • Defining VPN users
   Either perform these tasks from ISA Server Management running on the Configuration Storage server, or connect remotely to the Configuration Storage server with Terminal Services or Remote Desktop Connection.

Back to Contents

5. Monitoring

1. ISA Server logs all traffic, and you should take log requirements into account when allocating disk space. Insufficient disk space for logging may cause inaccurate reporting, and ISA Server may enter lockdown mode. Consider the following:
   • Monitor log consumption requirements. You can estimate daily requirements in the log folders (located by default in \Program Files\Microsoft ISA Server\ISALogs).
   • In an attack scenario, such as flooding, logging may increase substantially. You should consider allocating additional space for this. To reduce logging, consider disabling logging on specific rules. For example, most attacks will be denied by the default firewall policy rule. This rule denies access to all traffic that is not specifically allowed or denied.
2. The following issues may cause some reporting inaccuracies when generating ISA Server reports:
   • The Web usage (Top Web Users) report may include extraneous traffic. In addition to the user request traffic that appears in all Web usage reports, it includes extra Web traffic from array member servers relaying user requests to the Internet. Such traffic will appear in the report under the intra-array credentials user name (by default the computer account of the array member).
   • The Application usage (Top Application Users) report may be missing information that appears in other Application usage reports, because traffic originating from array member servers is not included. For example, traffic from array members to the Configuration Storage server will not appear in this report.
   • The Summary (Top Users) report combines the Top Web Users and Top Application Users reports, and includes each of the limitations described for each report.
3. To publish a report, the user account specified must have write permission to the publishing folder, and at least Array Auditor privileges on the array.
4. When you clone an array configuration by exporting from one array and importing to another without specifying that server-specific information should be imported, there may be some issues with imported report jobs. As a workaround, do the following:
   • If you have imported to an array with more than one server, modify the report job properties to specify which server it should run on. For instructions on editing report job properties, see the ISA Server online Help.
   • Alternatively, delete the report job.
   If you do not take either of these actions, an error will appear when you open the report created by the job. In addition, you will not be able to export the imported configuration.

Back to Contents

6. SDK

1. The ISA Server 2004 Enterprise Edition Software Development Kit (SDK), including the header files and .idl files needed to create the development environment, the SDK documentation, and samples, is not provided on the installation CD. It is available on the Web.

Back to Contents

Back to Contents