Running Security Configuration wizard on ISA server


I recently worked on a case where ISA server administrator wanted to run SCW (security configuration wizard) on the ISA server. I created a lab to do repro of the scenario . So here I have walk through of running SCW on the ISA server. SCW is not installed on the ISA server (windows 2003 server on which ISA server is installed) by default. So we need to install it from the add remove programs->windows components.After the installation of SCW a folder (msscw) gets created at c:\windows\­security.  After installing it we need to download the package for ISA server, its link is http://www.microsoft.com/downloads/details.aspx?familyid=2748a927-bd3c-4d87-80fa-8687d5e2ab35&displaylang=en. This update adds the roles for ISA Server 2006 Standard Edition, ISA Server 2006 Enterprise Edition, and ISA Server Configuration Storage Server. After downloading it we need to run this package and extract the files from it. Then copy the two .xml files (isa.xml and isaloc.xml) to c:\windows\­security\msscw\kbs folder but first take the backup of the existing files with same name then overwrite these two files.


Then copy the isascwhlp.dll file to c:\windows\­security\msscw\bin folder. After adding these files at the respective folders we can start SCW wizard for ISA server.


Note: Please take backup of the server before performing the steps.  


 We can start by goint to start-administrative tools-SCW then we will see following screen



Then click next to proceed further and we will get following screen



in the above screen choose first option i.e. create a new security policy and move next and we will get following screen



mention the name of the server on which we are going to run the SCW in this case it is CorpA05 then move next



move next to configure SCW with role based service configuration i.e. only those services should be running which are as per the role on the server.



Then we will get following screen only choose ISA server role



Then we need to choose client features that we need ISA server to use  in my case I used following 



and



then choose the services that you want to keep in my case I chose following


1.



2.



3.



4.



5.



and additional services, in my case following services were there if you don’t want any service you can uncheck that from the list



then we need to specify what we would do with unspecified services we have two options either leave the startup mode of the service as it is or disable it.in my case I chose to disable such services.



then verify the service changes below



Then make sure we skip following as shown in following screen



then we will go to following screen



then we will get following screen keep the second option unchecked to save the cpu cycles where cpu utilization is a constraint.


 


Then we would define what method ISA would to authenticate with remote computers depending upon how we want ISA to authenticate to remote computers where it make connection, we can make this choice. In this case I chose domain accounts.



Then how outbound authentication should happen using domain accounts keep both options checked.



Then for inbound calls to ISA server we can uncheck both the options shown below.



Then we will get Registry changes summary as below



Then configure the Audit policy



Depending upon our requirement we can choose the option and in my case I chose third option to audit successful and failed activities.



Then we will get audit policy summary as below



Then we will save the security policy as below



and we will get to following screen  where we will define the location for the policy to be saved , we know that we can use this policy on another similar ISA server as baseline.


 


Then we will get the following screen where we can apply the policy now or later in my case i applied it right there.


 


then it starts getting applied



Then finaly we will get the completion sceen.



After completetion you can reboot the machine and test the connectivity and existing functionality on the ISA server.


 

Comments (0)

Skip to main content