
MCSE ISA Server 2000 document - P6 (docx)


Chapter 4 UPGRADING MICROSOFT PROXY 2.0 SERVER
• SOCKS rules from Proxy Server 2.0 are not migrated; ISA Server uses SOCKS application filters instead. You may need to configure or adjust these. ISA Server listens on port 1080 for SOCKS requests. This can be changed.
• ISA Server installs with only Windows integrated authentication. This means that previously supported requests from non-IE browsers are rejected. You need to configure basic authentication for Web requests.
Information on how to do many of these post-installation configuration items is located in Chapter 5, “Outbound Internet Access,” and Chapter 6, “ISA Server Hosting Roles.”
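A post-migration check for the authentication point above, as an added example (it is not from the book or from ISA Server): it parses the Proxy-Authenticate headers of a proxy's HTTP 407 reply and reports whether a client that cannot do Windows integrated authentication has any scheme it can use. Both sample replies are constructed, and the mapping of Windows integrated authentication to the NTLM/Negotiate schemes and the BASIC_ONLY_CLIENT profile are assumptions of the example.

```python
# Added example: post-migration authentication check (not ISA Server code).
# Assumption: Windows integrated authentication appears on the wire as the
# NTLM and/or Negotiate HTTP authentication schemes.
INTEGRATED = {"ntlm", "negotiate"}

# Assumption: a non-IE browser on a non-Windows host supports Basic only.
BASIC_ONLY_CLIENT = {"basic"}

# Constructed 407 reply: state right after migration (integrated only).
REPLY_DEFAULT = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: Negotiate\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b"Content-Length: 0\r\n\r\n"
)

# Constructed 407 reply: after basic authentication has been enabled.
REPLY_WITH_BASIC = (
    b"HTTP/1.1 407 Proxy Authentication Required\r\n"
    b"Proxy-Authenticate: NTLM\r\n"
    b'Proxy-Authenticate: Basic realm="proxy.example.test"\r\n'
    b"Content-Length: 0\r\n\r\n"
)


def offered_schemes(raw_reply: bytes) -> set:
    """Return the lower-cased schemes offered in a proxy's 407 reply.

    Expects one challenge per Proxy-Authenticate line, as in the samples.
    """
    head = raw_reply.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/"):
        raise ValueError("not an HTTP response")
    if parts[1] != "407":
        return set()  # the proxy did not challenge, so nothing is offered
    schemes = set()
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "proxy-authenticate" and value.strip():
            # The scheme is the first token; parameters (realm=...) follow.
            schemes.add(value.strip().split(None, 1)[0].lower())
    return schemes


def assess(raw_reply: bytes, client_schemes: set) -> dict:
    """Compare what the proxy offers with what the client can speak."""
    offered = offered_schemes(raw_reply)
    usable = offered & {s.lower() for s in client_schemes}
    return {
        "offered": sorted(offered),
        "usable": sorted(usable),
        # Challenged, but no scheme in common: the request is rejected.
        "client_rejected": bool(offered) and not usable,
        # Basic sends the password base64-encoded, not encrypted.
        "password_only_encoded": usable == {"basic"},
    }


if __name__ == "__main__":
    for label, reply in (("default", REPLY_DEFAULT), ("basic on", REPLY_WITH_BASIC)):
        print(label, assess(reply, BASIC_ONLY_CLIENT))
```

When the second case reports password_only_encoded, the credentials cross the wire in a form anyone on the path can decode, which is worth weighing before enabling basic authentication for all Web requests.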
You will find that between the isasupgrade.log file and an examination of the interface, you can quickly establish the status of migrated configurations. Many of these settings are even labeled as Proxy 2.0 related settings. Figures 4.9–4.13 show examples of migrated settings displayed in the ISA Server interface.

MIGRATING THE MINDSET
Proxy Server 2.0 and ISA Server use slightly different names for similar processes. Part of the migration process is that it is necessary for the administrators to get used to the new system. Two items need to be contended with:
• Different names and locations for similar concepts
• New features and configuration processes
New features and their configuration processes can be learned by using this book and practicing with the interface on a test network. The hardest thing about migrating to a new system is learning how to do what you already know how to do. Like most major product evolutions, ISA Server requires you to learn a new vocabulary and interface to just do what Microsoft Proxy Server 2.0 allowed you to do with a less fancy toolset. ISA Server, however, also adds an incredible array of new features and a granularity of effect that was not possible with Microsoft Proxy Server 2.0. Of course you can’t expect the same dashboard on an F-111 fighter as you find on your SUV. With a little bit of help and a little bit of patience, you can learn to maneuver in either and the new interface will soon feel like home. Table 4.5 can assist with vocabulary translation.

FIGURE 4.11 Proxy DomainFilter.
FIGURE 4.12 Proxy DenySitesSet.
06 mcse CH04 6/5/01 11:58 AM Page 123
Part I INSTALLATION AND UPGRADE
TABLE 4.5 PROXY-TO-ISA DICTIONARY

Proxy Server 2.0 | ISA Server | Comment/Where
Domain filter | Site and content rules | Restrict domain-site access by clients. For array policies: /Servers and Arrays/name/access policy/site and content Rules. For enterprise policies: /enterprise/policies/enterprise policy/site and content rules
Publish HTTP sites | Create Web publishing rules | /Servers and Arrays/Name/Publishing/Web Publishing Rules
Restrict protocols | Create protocol rule | For array policies: /servers and arrays/name/access policy/protocol rules. For enterprise policies: /enterprise/policies/enterprise policy/protocol rules
Create packet filters | Create IP packet filter | Servers and arrays/name/access policies/IP Packet filters
Create alerts | Create an alert | Servers and arrays/name/monitoring configuration/alerts
Configure routing | Configure Web Proxy Service routing | Servers and arrays/name/network configuration/routing
Configure LAT | Configure LAT | Servers and arrays/name/network configuration/Local Address Table
Configure cache | Configure cache | Servers and arrays/name/cache configuration

FIGURE 4.13
Proxy site rules.

CHAPTER SUMMARY

Understanding the migration process from Proxy Server 2.0 has been the goal of this chapter. Although the actual process is straightforward, numerous variables can combine to alter the expected result. It is always wise to understand the possibilities and plan for the operation rather than subject users to longer periods of downtime. Specifically, the following items were addressed:
• The migration process
• What’s migrated and what’s not
• Post-migration activities
• Helping Proxy administrators adjust to ISA Server
This completes Part I, “Installation and Upgrade.” Part II, “Configuring and Troubleshooting ISA Server Services,” covers the implementation, configuration, and troubleshooting of the following:
• Outgoing Web access
• Hosting roles
• The H.323 gatekeeper
• Remote access
• Virtual Private Network integration

KEY TERMS
• Stateful inspection
• Migration
• Upgrade
• Domain filter

APPLY YOUR KNOWLEDGE

Exercises
4.1 Migrate a Windows NT 4.0/Proxy Server 2.0 to ISA Server
This exercise will help you understand the upgrade path from Proxy Server 2.0 to ISA Server. By completing it, you will be better prepared to plan and complete a migration from Proxy Server 2.0 to ISA Server. By configuring the Proxy 2.0 Server with domain filters, packet filters, and other settings, you will be able to see the transfer of configuration information from Proxy 2.0 to ISA Server.
Estimated Time: 30 minutes
1. Remove the Proxy Server from the Internet and back up its configuration.
2. Disable and stop the Proxy services.
3. Install Windows 2000, SP 1 (or relevant SP) and any hotfixes.
4. Install ISA Server. Note progress reports and error messages.

Review Questions
1. You currently have five Microsoft Proxy Server 2.0 systems in an array and need to upgrade them to ISA Server. Can you migrate this array while still maintaining caching services for Internet Access? How?
2. The ABC Carpet Company has a single Proxy Server 2.0 system running on Windows NT 4.0. They would like to know the preliminary steps they can do to get ready for migration. They want to minimize downtime when the actual migration takes place. What would you suggest?
3. Windows 2000 and the Active Directory have been deployed. The Proxy 2.0 system has been upgraded to Windows 2000 and the Proxy 2.0 upgrade has been installed so that Proxy 2.0 is now running correctly on a Windows 2000 server in a workgroup. What steps should be taken to upgrade the Proxy 2.0 Server to ISA Server?
4. Proxy 2.0 has been successfully upgraded to ISA Server. Where would you look to determine which configuration settings migrated?
5. Why is it important to backup the Proxy 2.0 configuration prior to beginning the migration process?
6. Why do you need to be a member of the Enterprise Admins group in order to migrate an array of Proxy 2.0 Servers to ISA Servers?
7. In the appendixes of this book are backup files and log files created during the migration of a Microsoft Proxy Server 2.0 system to ISA Server. Examine the logs and determine at least one specific setting that did not migrate.

Exam Questions
1. Three reasons to carefully check the newly migrated ISA Server before placing it back into service are
A. Packet filters do not migrate, you will need to re-create them.
B. Domain filters will need to be re-created as site and content rules.
C. Network configuration might have changed during the upgrade to Windows 2000.
D. SOCKs rules from Proxy Server 2.0 are not migrated.
E. Some alerts that are part of Proxy Server 2.0 are not part of ISA Server.
2. Your policy is to require all users to authenticate before accessing the Internet. Prior to migrating to ISA Server from Proxy 2.0, users using Netscape Navigator on Unix systems could access the Internet. After migration, they cannot. How should this problem be resolved?
A. Upgrade the Unix users to Windows 98.
B. Modify ISA Server authentication to include “basic authentication.”
C. Install the firewall client on the Unix systems.
D. Modify ISA Server authentication to include “Digest Authentication.”
3. John is migrating six Proxy Server 2.0 systems to ISA Server. All Proxy Servers are in an array. These servers will be the first ISA Servers installed on his network. John will be creating a new array. He has initialized the Active Directory Schema with the ISA elements. He removes a Proxy Server 2.0 system from the Proxy Server array, upgrades the system to Windows 2000, and installs ISA Server into a new array. The process completes successfully. John checks the new ISA Server to find out how its settings compare to those he configured for the Proxy Server 2.0 array. He finds the following:
A. None of the Proxy Server 2.0 array settings have migrated to the new ISA Server array.
B. The Proxy Server array settings have migrated to the ISA Server array (with the usual exceptions).
C. Only packet filter configuration migrates to the new array.
D. Only packet filters and domain filters migrate to the new array.
4. Sally is getting ready to migrate the standalone Proxy Server 2.0 to ISA Server. Her first step is to back up the Proxy Server configuration. To do so, she
A. Uses msbackup to back up the entire Proxy Server 2.0 system.
B. Uses RDISK to back up the Registry because the configuration settings are in the Windows NT 4.0 Registry.
C. Uses her third-party back-up system to do a backup.
D. Uses the Proxy 2.0 back-up program from the Web Proxy service properties page.
5. Select the answer that lists (in the correct order) the steps to be taken to migrate from Proxy Server 2.0 to ISA Server.
A. Back up Proxy Server configuration, upgrade server to Windows 2000, apply Service Pack 1, stop Proxy services, install ISA Server.
B. Back up Proxy Server configuration, stop Proxy services, upgrade server to Windows 2000, install ISA Server.
C. Back up Proxy Server configuration, stop Proxy services, upgrade server to Windows 2000, apply Service Pack 1, install ISA Server.
D. Stop Proxy services, back up Proxy Server configuration, upgrade server to Windows 2000, install ISA Server, apply Service Pack 1.
6. Nancy migrates Proxy Server 2.0 to ISA Server. She examines the newly migrated ISA Server and it appears to her that none of the Proxy Server settings migrated. What two things might be the issue?
A. Sometimes the settings just don’t migrate. No one knows why. It’s just a feature.
B. When asked if she wanted to migrate existing policies and settings to an ISA policy, she clicked the No button.
C. The ISA Server was migrated to an existing ISA Server array. The Enterprise policy selected for this array does not allow array settings to vary from those selected at the enterprise level.
D. Immediately after migration, before putting the server back online, you must select the Use Migrated Settings option from the ISA Server Properties/General page. Nancy hasn’t done this yet.
7. After migration to an ISA server in cache mode, no users can access the Internet (they could prior to migration). What needs to be done to correct this situation? (Select all correct answers.)
A. Upgrade all users to I.E. 5.0.
B. Install the ISA Server firewall client on all systems.
C. If the ISA Server is configured to allow discovery, be sure clients are configured to discover.
D. Change the port for the Proxy Server in the properties of the client browsers from port 80 to port 8080.

Answers to Review Questions
1. To maintain caching services for Internet Access during the migration process, take one Proxy Server offline at a time and migrate it. Remove one Proxy Server from the array. Remove its access to/from the Internet. Back it up and prepare it for migration. Initialize the AD Schema for ISA Server. Upgrade the server to Windows 2000 SP1. Install this server as the first ISA Server in a new array. Verify settings and place the array on-line. Begin migrating clients to this new array. Continue to migrate Proxy Servers one at a time to the new array, and switch clients as more servers come on-line. See the section, “Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration.”
2. ABC can do three things to minimize migration downtime.
• Determine if the hardware on the existing machine will support Windows 2000. If necessary, upgrade any hardware or move the Proxy server to a new hardware platform and stabilize it prior to upgrading to Windows 2000. This prevents server upgrade issues from causing large downtimes during the migration process.
• Carefully examine their configuration settings and the data on which settings will migrate. This way, they are better prepared to quickly examine and do any necessary configuration after migration.

• Configure current clients for auto discovery. After migration, configure the ISA Server to allow discovery. (These steps avoid the large amount of time right after migration that would be used to modify browser settings.)
See the sections, “Post Migration Necessities” and “The Migration Process.”
3. Back up the Proxy configuration, stop Proxy services, install ISA Server. See the section, “The Migration Process.”
4. You can examine the ISA Server interface. You can also examine the isasetup.log file. See the section, “Examine the Setup Logs.”
5. You back up the Proxy 2.0 configuration for two reasons. One, if something happens and the migration fails, you can install Proxy 2.0 and restore the saved settings. Two, you can inspect the configuration backup to determine what the Proxy 2.0 configuration settings were; this will aid you in determining whether the settings that you need have migrated or additional work needs to be done. See the section, “Backup the Proxy Server Configuration.”
6. To migrate an array of Proxy 2.0 servers to an array of ISA Servers requires you to first modify the Active Directory Schema. You need to be a member of the Enterprise Admins group and the Schema modification group to modify the Active Directory Schema. See the section, “Migrating an Array.”
7. Alert Disk Full, ICMP Ping Query packet filter. See the section, “Review the Setup Logs.”

Answers to Exam Questions
1. C, D, E. To enable SOCKs applications to work through ISA Server you will use application filters—the SOCKs rules, therefore, do not migrate. Alerts do migrate, but not all Proxy Server 2.0 alerts are configurable on ISA Server. A is incorrect; packet filters do migrate. You should check them for correctness; however, A states they do not migrate, so this is not the reason to check. B is incorrect; domain filters will be migrated to site and content rules on their own. See the sections, “Post Migration Necessities” and “Predetermined Migration Effects.”
2. B. Proxy Server 2.0 can be set to allow both Basic authentication (can be used by all Web browsers) and Windows Integrated authentication (can only be used by Windows clients). Authentication settings after migration are set to allow only Windows Integrated Authentication. To enable Unix systems to once again access the Internet, you must modify authentication settings to allow basic authentication. Although A would also work, it is not the best answer and is not practical in most environments. C is not correct because there is no Microsoft ISA Server firewall client product for Unix. D is not correct because Digest Authentication, while more secure, is only useful for Windows 2000 domain members. See the section, “Post migration necessities.”
3. B. The array settings can be migrated to the new array from the old. Therefore A is incorrect. C and D are incorrect because more than packet filters and domain filters will migrate. See the section, “Predetermined Migration Effects.”
4. D. Proxy Server 2.0 provides its own configuration backup program that is accessible from the properties page of any of its services. A and C are incorrect as they will back up the entire server; this is not necessary and may also not end up with the proxy configuration information necessary for a restore. B will back up the registry, but you only need the Proxy configuration information. See the section, “Backup the Proxy Configuration.”
5. C. A is incorrect. Proxy Server services should be stopped before upgrading to Windows 2000. B is incorrect. SP1 for Windows 2000 is required for installation of ISA Server. D is incorrect. SP1 should be applied before installing ISA Server. See the section, “The Migration Process.”
6. B, C. The option to not migrate existing policies is available during migration. When migrating the Proxy Server to an ISA array, the Enterprise settings that are active in the array will affect the migration of settings from Proxy. A is incorrect; settings do migrate. D is incorrect; settings either migrate, or they don’t—there is no post-installation switch. See the sections, “Upgrade to Windows 2000 and Install ISA Server” and “Impact of Proxy 2.0 Array Membership and ISA Installation Selections on Migration.”
7. C, D. ISA Server listens on port 8080 for client Web requests. Proxy listens on port 80. Client browsers must be adjusted. While installing the firewall client is correct, it is not necessary. A is incorrect. Upgrading the browsers is not necessary and will not change the identified port. B is incorrect; the firewall client is used for accessing Winsock applications through the firewall and is not supported in caching mode. (The firewall client is not necessary for Web browsing.) See the section, “Post Migration Necessities.”

Suggested Readings and Resources
1. The following items from the ISA Server Help:
• Checklist: Migrating from Microsoft Proxy Server 2.0, from the Help system of ISA Server
• Migrating Microsoft Proxy Server 2.0 configuration
• Microsoft Proxy Server 2.0 array considerations
• Migration process
• New ways to do familiar tasks
2. Run Microsoft Proxy Server 2.0 on Windows 2000—Microsoft white paper at />2kwizard.asp
3. “Why Migrate from Microsoft Proxy Server” />ductinfo/whymigrate.htm
4. Knowledge Base Article “Q251143 Problems Installing Proxy Server 2.0 Update in Windows 2000”, />ticles/Q251/1/43.ASP

PART II
CONFIGURING AND TROUBLESHOOTING ISA SERVER SERVICES
5 Outbound Internet Access
6 ISA Server Hosting Roles
7 H.323 Gatekeeper
8 Dial-Up Connections and RRAS
9 ISA Virtual Private Networks

CHAPTER 5
Outbound Internet Access

OBJECTIVES
This chapter covers the following Microsoft-specified objectives for the Configuring and Troubleshooting ISA Server Services section of the Installing, Configuring, and Administering Microsoft Internet Security and Acceleration (ISA) Server 2000 exam:
Configure and troubleshoot outbound Internet access.
Whether ISA Server has been installed as a firewall, caching server, or both, it is designed to allow outbound Internet access—if configured to do so. By default, no outbound access is allowed. What must be done to allow access? Can this access be restricted? How do you go about giving access to authorized users and yet protecting the network from unauthorized external access? This objective is primarily about providing authorized access in a fashion that follows corporate policy. However, it’s also about doing so in a manner that keeps in mind network protection.

OUTLINE
Introduction
Post Installation Default Settings
ISA Server Object Permissions
Who Can Configure Policies?
Limiting Read Permissions
Configuring Permissions
Service Permissions
Local Access Table (LAT)
Policy Settings
Packet Filtering
Routing
Caching
Publishing
Alerts
Configuring Access Rules and Tools
Understanding and Configuring Outgoing Web Request Properties
Listeners
Connections
Authentication Methods
How Are Rules Evaluated?
Creating Policy Elements
Configuring Site and Content Rules
Configuring Protocol Rules
Authentication and Rules
Custom HTML Error Messages
Default Error Messages
Configuring Custom Messages
Configuring a Single System Versus an Array
Configuring Caching
Standalone Cache
Configuring Hierarchical Access
Configuring CARP
Configuring Network Settings
Bandwidth Rules
LAT and Local Domain Tables
Configuring Routing Rules
Configuring ISA Server Chains
Troubleshooting Client Access Problems
A Protocol Rule Exists for a Protocol Definition, But Clients Cannot Use It
Clients Can’t Use a Specific Protocol
Clients Cannot Browse External Web Sites
Clients Receive a 502 Error Every Time They Attempt to Browse the Web
Clients Can Still Use a Protocol After the Rule for this Protocol Has Been Disabled
All Other Errors Including Intermittent Issues
Chapter Summary
Apply Your Knowledge
Exercises
Answers to Exercises
Review Questions
Exam Questions
Answers to Review Questions
Answers to Exam Questions