Installation of ISA server 2006 Enterprise edition in work group scenario for a clean install

I would say the approach discussed below is one of the easiest ones and not to mention that it has worked for me most of the time.So when we have Isa server 2006 Enterprise Edition and  want to install it in workgroup scenario Then we need to follow certain steps for this typical set up .

Let us assume that we have two servers both windows 2003 sp2 and are in work group.We will install ISA server 2006 enterprise edition on them, we will have CSS(Configuration Storage Server) on one and would make both as firewall nodes.

Some Basic requirements before we start

1. In work group environment we need to use a dns suffix to get a FQDN name for the servers so e.g if we had names as follows :

Server1:  Isaserver1

Server2:  Isaserver2

If we use dns suffix as on both the servers then names would now be

Server1: (will have CSS installed on it)


2. We need to get a server authentication certificate on the server which is going to act as CSS server i.e. . You can install Certification Authority that comes with windows 2003 on the CSS server itself and then assign itself a server authentication certificate and on we need to put certification authority root certificate in the trusted computer certificate store.

RootCA certificate

root CA certificate

Server Authentication certificate

server authentication certificate 


3. Assuming we have dual NIC servers then in the Tcp/ip configuration on the internal network card should not have default gateway configured on it but external network card should have default gateway configured on it.

4. Create mirrored user accounts on both the nodes. They are not required to be local administrators. mirror accounts are  user accounts which are identical and are created on all the array members.

5. On create a host file entry for resolving to its internal NIC IP address and similary on  create host file entry for resolving to its internal NIC IP address This manual name resolution is very important as you wont be able to join  to the array.

Note. The Screens which I am posting here are the important screens as it would be very difficult to post all the screens of the installation wizard.


1. Start the Isa server installation on begining with CSS server role

CSS server installation

Choose workgroup deployment

work group deployment

and here you need to browse and select the server authentication certificate file as shown above. Then complete the installation of CSS server role. Then create a new array give it a name as per your choice.Then in the properties of the array under Configuration Storage tab change authentication to ssl authentication.

ssl authentication

2. We can now install the firewall service on the

isa service node1

Choose the CSS server to connect to


and then Join to the array created after the installation of CSS.

join to existing array


during the installation of the ISA services we will get a prompt within the wizard that will ask us how node would authenticate to the CSS server and we would choose ssl as follows

node authentication 

Then complete the installation of the ISA server services on following the directions in the wizard.

3. Then start installation of the ISA server services on the , connect to  CSS server and join it to the same array using the same method as described above for the ISA server services on i.e step 2 .

4. Now in the array properties go to intra array authentication tab and then use the mirror account created earlier for authentication.

As a result we have  ISA server 2006 in work group environment with CSS on one and both servers acting as firewall nodes. But there is important point to remember in workgroup scenario and that is we cannot have additional CSS server in workgroup scenario.

We can have a variation to the above scenario i.e. in above scenario we have only two nodes and one of them is acting as CSS server. We can have a variation in above scenario in which we can have CSS server on altogether a different server and we have two dedicated firewall nodes.

In this scenario we would follow the above steps making sure we have server authentication certificate and Root CA certificate on CSS server and other two nodes have Root CA certificate. Then on designated CSS server install CSS only and on nodes install Isa firewall services. So everything stays the same except we have CSS on different server.

Another variation could be that CSS server is in domain but the firewall nodes are in the workgroup so it would also be considered as workgroup model and in this case we can have addition CSS server and all the workgroup scenario requirements are same as discussed above.

You can also refer to the following article for more information:

Take care

Suraj singh

Comments (1)

  1. Yogaprakash says:

    Very nice detailed instructions. Thank you very much.

Skip to main content