ISA “under the hood stuff” in SBS 2003 [Windows Small Business Server 2003 Best Practices book excerpt]

G’day mates – welcome to my virtual book reading – I am Harry Brelsford – that author of the Windows Small Business Server 2003 Best Practices book and each day I like to hold a virtual book reading! Today it’s all abot going under the hood in ISA in the SBS 2003 time frame.



Harry Brelsford, CEO at smb nation

Microsoft Small Business Specialist SBSC, MBA, MCSE, MCT, MCP, CNE, CLSE, CNP

PS – did u know I host a technology conference in the New York City area each spring? Save the date for March 6-8, 2009 and watch “voice meet data” in the SMB space!

PPS – my SBS 2008 book will be out in mid-November 2008!

PPPS – my Microsoft Response Point Primer book is here NOW!

Under the Hood Setup Stuff

Try as I might to position this book as being oriented toward the beginning and intermediate SBS crowd, I know that a few SBS gurus are reading it. Ergo, let’ me throw them thar’ gurus a bone and share a BAT file and some Visual Basic script.

Here’s what occurs when you install ISA Server 2000 in the SBS 2003 premium SKU. A file titled configure_isa.bat (located at %SystemRoot%\Program Files\Microsoft Windows Small Business Server) runs with the following command line that essentially launches a VB script:

SystemRoot%\System32\csscript.exe //Nologo “%sbsprogramdir%\isaconfig.vbs

 Visit for the latest updates for any Microsoft product.

Then, the VBS script runs (located at %SystemRoot%\Program Files\Microsoft Windows Small Business Server\isaconfig.vbs). The first part (showing the well-commented section up top) is shown in Figure 13-12.

Figure 13-12

This VBS file is SBS 2003 premium edition-specific with respect to ISA Server 2000 being configured.

BEST PRACTICE: Time to integrate an earlier concept in this chapter with the above figure. If you look closely under Tasks, the first four tasks relate to exploiting ISA Server 2000’s policy management (see the Unified Management bullet point a few pages ago). It is here that outbound access is being managed via Active Directory objects.

Run the E-mail and Internet Connection Wizard

So did you notice the last task in the above figure? It launches the E-mail and Internet Connection Wizard (EICW). Before I delved deep into the isaconfig.vbs file, I was simply going to write up this section to reflect that the EICW is run after installing ISA. But that would gloss over the mechanics of how it launches

and what then occurs. After the EICW launches, you’re presented with many of the same EICW screens you witnessed in Chapter 4. However, this time the firewall port openings are made in ISA Server 2000 and not the RRAS NAT/ Basic Firewall. This is communicated in a unique screen (not seen when you run the EICW with SBS 2003 standard edition) that is shown in Figure 13-13.

BEST PRACTICE: Let’s pretend for a moment that you previously ran the EICW after the initial SBS 2003 installation and before you installed the premium components. In such a case, you would effectively be “rerunning” the EICW and that would be a required step to switch the firewall protection function from RRAS NAT/Basic Firewall to ISA Server 2000.

Figure 13-13

This message, seen when the second network adapter card receives its IP address dynamically, refers to ISA Server 2000 providing the firewall services.

BEST PRACTICE: Let’s talk VPN connectivity. In the baseline SBS case, you would proceed to configure VPN connectivity by completing the Remote Access Wizard (this hasn’t changed from the SBS 2003 standard edition). The Remote Access Wizard is launched from the Configure Remote Access link on the To Do List.


However, you may recall that in SBS 2000 time frame, you were instructed on the Configure Remote Access link via the To Do List on the Small Business

 Visit for the latest updates for any Microsoft product.

Server Administrator Console to configure the VPN connections in ISA Server 2000. This is no longer the case and you may use either the RRAS VPN configuration (this is the baseline case) or the ISA Server 2000 VPN configuration (found from Start, All Programs, Microsoft ISA Server, ISA Management, Servers and Arrays, SPRINGERS1, Network Configuration, and clicking Configure a Local Virtual Private Network (VPN), and then completing the wizard. My SBS 2000 Best Practices book presents the step-by­step procedure to complete this task).

Client Computer Setup

You will need to add the Firewall Client to each client computer to redirect traffic through ISA Server 2000 on the SBS 2003 network. You can do this by adding the Firewall Client software to the list of applications in the Setup Computer Wizard (which is chained to the Add User Wizard). The instructions for doing this are presented at the end of the How to Install document shown previously in Figure 13-9.

BEST PRACTICE: If for some reason you have already set up the client machines prior to installing ISA Server 2000 on the SBS 2003 server machine, you can manually add the Firewall Client by running the setup file at: \\servername\Mspclnt\Setup.exe. This is also the approach to use for operating systems older than Windows 2000 Professional or Windows XP Pro.

Managing ISA Server 2000

By default, the ISA Management snap-in is not added to the Server Management console. You will want to do this when working with premium edition by completing the following procedure.

1                    Log on as Administrator with the password Husky9999! on SPRIGNERS1.

2                    Open My Computer from the desktop.

3                    Navigate to %SystemRoot%\Program Files\Microsoft Windows Small Business Server\Administration.

4                    Right-click itprosbsconsole.msc and select Author. This places the Server Management console in author mode.


 Visit for additional SMB and SBS book, newsletter and conference resources.

Chapter 13 Premium Security: ISA Server 2000


5.         Select Add/Remove Snap-in from the File menu.


6.         Select Add.


7.         Select ISA Management and click Add.


8.         Select Connect to local server and click OK on the Connect to dialog box.


9.         Click Close on the Add Standalone Snap-in dialog box.


10.       Click OK. The ISA Management snap-in will now appear in the Server Management console. Be sure to save the Server Management con­sole to save your hard work.


Leave a comment

Filed under Book

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s