I would say the approach discussed below is one of the easiest ones and not to mention that it has worked for me most of the time.So when we have Isa server 2006 Enterprise Edition and want to install it in workgroup scenario Then we need to follow certain steps for this typical set up .
Let us assume that we have two servers both windows 2003 sp2 and are in work group.We will install ISA server 2006 enterprise edition on them, we will have CSS(Configuration Storage Server) on one and would make both as firewall nodes.
Some Basic requirements before we start
1. In work group environment we need to use a dns suffix to get a FQDN name for the servers so e.g if we had names as follows :
If we use dns suffix as contoso.com on both the servers then names would now be
Server1: Isaserver1.contoso.com (will have CSS installed on it)
2. We need to get a server authentication certificate on the server which is going to act as CSS server i.e. Isaserver1.contoso.com . You can install Certification Authority that comes with windows 2003 on the CSS server itself and then assign itself a server authentication certificate and on Isaserver2.contoso.com we need to put certification authority root certificate in the trusted computer certificate store.
Server Authentication certificate
3. Assuming we have dual NIC servers then in the Tcp/ip configuration on the internal network card should not have default gateway configured on it but external network card should have default gateway configured on it.
4. Create mirrored user accounts on both the nodes. They are not required to be local administrators. mirror accounts are user accounts which are identical and are created on all the array members.
5. On Isaserver1.contoso.com create a host file entry for Isaserver2.contoso.com resolving to its internal NIC IP address and similary on Isaserver2.contoso.com create host file entry for Isaserver1.contoso.com resolving to its internal NIC IP address This manual name resolution is very important as you wont be able to join Isaserver2.contoso.com to the array.
Note. The Screens which I am posting here are the important screens as it would be very difficult to post all the screens of the installation wizard.
1. Start the Isa server installation on Isaserver1.contoso.com begining with CSS server role
Choose workgroup deployment
and here you need to browse and select the server authentication certificate file as shown above. Then complete the installation of CSS server role. Then create a new array give it a name as per your choice.Then in the properties of the array under Configuration Storage tab change authentication to ssl authentication.
2. We can now install the firewall service on the Isaserver1.contoso.com.
Choose the CSS server to connect to
and then Join to the array created after the installation of CSS.
during the installation of the ISA services we will get a prompt within the wizard that will ask us how node would authenticate to the CSS server and we would choose ssl as follows
Then complete the installation of the ISA server services on Isaserver1.contoso.com following the directions in the wizard.
3. Then start installation of the ISA server services on the Isaserver2.contoso.com , connect to CSS server and join it to the same array using the same method as described above for the ISA server services on Isaserver1.contoso.com i.e step 2 .
4. Now in the array properties go to intra array authentication tab and then use the mirror account created earlier for authentication.
As a result we have ISA server 2006 in work group environment with CSS on one and both servers acting as firewall nodes. But there is important point to remember in workgroup scenario and that is we cannot have additional CSS server in workgroup scenario.
We can have a variation to the above scenario i.e. in above scenario we have only two nodes and one of them is acting as CSS server. We can have a variation in above scenario in which we can have CSS server on altogether a different server and we have two dedicated firewall nodes.
In this scenario we would follow the above steps making sure we have server authentication certificate and Root CA certificate on CSS server and other two nodes have Root CA certificate. Then on designated CSS server install CSS only and on nodes install Isa firewall services. So everything stays the same except we have CSS on different server.
Another variation could be that CSS server is in domain but the firewall nodes are in the workgroup so it would also be considered as workgroup model and in this case we can have addition CSS server and all the workgroup scenario requirements are same as discussed above.
You can also refer to the following article for more information: http://technet.microsoft.com/hi-in/library/cc302483(en-us).aspx