Read This First
This document provides information about Microsoft Security and Acceleration (ISA) Server 2006.
Be sure to read the Microsoft Internet Security and Acceleration
(ISA) Server 2006 "Quick Start Guide" (Isastart.chm). This guide provides
installation instructions and setup prerequisites, describes new ISA
Server 2006 features, and details walk-throughs highlighting these
features. This document is available from the ISA Server 2006 Autorun page,
and is located in the root folder on the ISA Server 2006 CD. In addition,
for deployment instructions and information about common scenarios, refer to the
solution documents, available at the
1. Installing and Uninstalling
- For best security practice, always install the latest updates for your
operating system. For information about recent updates that you may need to
- This release does not support ISA Server 2006 installed on computers
running the Microsoft Windows Server Code Name "Longhorn" operating
- This release does not support ISA Server Management installed on computers
running Microsoft Windows Vista operating system.
- When you uninstall ISA Server, some files are not completely removed from
the computer. The following table lists the files that remain and their
Folder File name
IsUninst.exe, Atl71.dll, ismifcom.dll, msvcp71.dll, msvcr71.dll. Enterprise Edition only: \config\adam_isastgctrl.evt
DBmsLPCn.dll, dbmsgnet.dll, dbmsqlgc.dll
- When ISA Server 2004 is installed on a computer that is running
Windows 2000 Server, Microsoft SQL Server 2000 Desktop Engine (MSDE)
runs under the Local System account. After you upgrade to Windows
Server 2003, MSDE continues to run under the Local System account.
However, when upgrading ISA Server, the Microsoft Firewall service runs under
the Network Service account. Because the Network Service account does not have
permission to access MSDE, the Firewall service does not have access to MSDE,
and Upgrade fails. To work around this problem, use the ISA Server 2004
Installation Wizard to uninstall and reinstall MSDE. To do this, follow these
- Click Start, click Run, type appwiz.cpl in the
Open box, and then click OK.
- In the Add or Remove Programs window, click Microsoft ISA
Server 2004, and then click Change/Remove.
- In the Microsoft ISA Server 2004 Installation Wizard, click
- On the Program Maintenance page, click Modify, and then
- On the Custom Setup page, expand Firewall Services, and
then click Advanced Logging.
- Click This feature will not be available.
- Click Next, and then click Install.
- On the Installation Wizard Completed page, click Finish,
and then close the Internet Explorer window that automatically
- Repeat steps 1 through 5, and then click This feature will be
installed on local hard drive.
- Click Start, click Run, type appwiz.cpl in the Open box, and then click OK.
- If MSDE has been uninstalled from the ISA Server computer, you will need
to reinstall it by running ISA Server Setup, and modifying the installation.
Prior to reinstalling MSDE, you should stop the Firewall service. Otherwise,
MSDE installation may take up to 45 minutes. Note that the Firewall
service will restart automatically when the installation is complete.
- Occasionally, some interfaces are not registered during Msfpccom.dll
registration, which may result in the user receiving the error message An
interface is not registered in the ISA Server Management snap-in. If this
occurs, you should unregister (by running regsvr32 –u msfpccom.dll), and then
register again (by running regsvr32 msfpccom.dll).
- When installing ISA Server Enterprise Edition, several DLLs are installed
to the following Windows system folders: C:\WINDOWS\ADAM and
- ISA Server 2006 has been tested on Microsoft Virtual Server 2005
R2 and is expected to be fully functional. However, deployment of ISA Server
on a Virtual Server 2005 R2 environment should be limited to testing
purposes only. Specifically, we do not recommend a Virtual Server 2005 R2
production environment where ISA Server 2006 is expected to serve as the
- After installing ISA Server 2006, we recommend that you use the
Windows Security Configuration Wizard to harden your Windows
infrastructure for ISA Server. For details, see the
ISA Server 2006 Security Hardening and Administration Guide. Note the following:
- The MSDE logging feature was removed from the Windows Security
Configuration Wizard for both ISA Server 2006 and ISA
Server 2004. ISA Server now controls MSDE usage.
- When hardening the computer manually, the Microsoft ISA Server Storage
service on the Configuration Storage server computer must be enabled. You
can verify the status of this service in the details pane of the Windows
Services snap-in. This change applies to Enterprise Edition
- The MSDE logging feature was removed from the Windows Security Configuration Wizard for both ISA Server 2006 and ISA Server 2004. ISA Server now controls MSDE usage.
- When an array member is installed in an array for which NLB is enabled,
the ports used by any listeners defined in the array will not be available
immediately following the Firewall service restart at the end of the
installation. This is due to the NLB configuration needing time to synchronize
after adding an array member. After the NLB configuration is synchronized
(this may take several minutes), listener functionality should be restored
automatically. In some instances, some listeners may not be fully functional
even after the NLB configuration is synchronized. Restarting the Firewall
service will resolve the issue.
This section covers issues that may occur when upgrading from ISA Server 2004 to ISA Server 2006.
- To familiarize yourself with how to upgrade from ISA Server 2004 to
ISA Server 2006, read the upgrade guide available from the ISA
Server 2006 Autorun page.
- When upgrading to ISA Server 2006, any changes made in ISA
Server 2004 to the alert Compression by Unsupported Method are not
be reflected in the upgraded alert configuration. Instead, the default ISA
Server 2006 alert configuration is applied to this alert. In addition,
any user-defined alerts referencing the Compression by Any unsupported
method event are not included in the upgraded configuration.
- When upgrading to ISA Server 2006, these parameters of the RTSP
filter are not upgraded: RtspSetupLimit, RtspMaxUrlLength, and
- When an ISA Server 2004 Web listener specifies SecurID as the client
authentication method and a Web Publishing rule using that Web listener
specifies Basic authentication delegation, the rule cannot be upgraded and the
upgrade will be blocked. To avoid this, before upgrading, verify that any Web
publishing rules using a Web listener configured for SecurID client
authentication do not have Basic authentication delegation selected.
- In ISA Server Enterprise Edition, if an exported ISA Server 2004
configuration file specifies an alternate Configuration Storage server in the
array properties, a failure may occur when upgrading the imported
configuration file to an ISA Server 2006 Configuration Storage server. To
avoid this, after importing the file, open the array properties, and on the
Configuration Storage tab, delete the specified alternate Configuration
Storage server, and then click OK. Then apply the configuration by
clicking the Apply button on the Apply Changes bar.
- If you are upgrading from ISA Server 2004 SP2, pass-through authentication
with the published server over an HTTP connection, which is not secure, may
not be functional after the upgrade. For pass-through authentication to
function properly, you may need to edit the Web listener, and do one of the
- On the Connections tab, modify the Web listener Client
Connection Type to use a secure connection.
- On the Authentication tab, click Advanced, and modify the
Web listener by selecting the Allow client authentication over HTTP
- On the Connections tab, modify the Web listener Client Connection Type to use a secure connection.
This section covers issues that may occur when upgrading from ISA Server 2006 release candidate (RC) to ISA Server 2006.
- To familiarize yourself with how to upgrade from the ISA Server 2006
RC build to this released version of ISA Server 2006 (build-to-build
upgrade), read the "Upgrade Guide," available from the ISA Server 2006
- A build-to-build upgrade from the ISA Server 2006 Beta version to this
released version of ISA Server 2006 is not supported. You must first upgrade
the ISA Server 2006 Beta version to ISA Server 2006 RC, and then complete the
upgrade from the RC build. Before upgrading, read the ISA Server 2006 RC
- If the Microsoft Operations Manager (MOM) agent is running on the ISA
Server computer during build-to-build upgrade or installation repair, the
operation may fail. To avoid this, prior to initiating the build-to-build
upgrade or repair operation, stop the MOM service. To stop the MOM service, at
the command prompt, type net stop mom, or use the Service Control
Manager (run services.msc).
- For security reasons, Internet Explorer does not send domain cookies when
the server name contains an underscore character (_). Accordingly, ISA
Server 2006 blocks the usage of the underscore character in the public
names of publishing rules when the applied Web listener has single sign on
(SSO) enabled. During a build-to-build upgrade, ISA Server checks whether the
PublicNames property for Web publishing rules associated with an SSO-enabled
Web listener includes a name containing an underscore. If this character is
found in the PublicNames property, the upgrade will fail. To avoid this,
before running a build-to-build upgrade, verify that any names included in the
PublicNames property do not contain an underscore character.
- MSDE local logs on the ISA Server computer are not removed as part of the
build-to-build upgrade process. This may result in disk space reaching its
limit. To remove these log files, go to the \\Program Files\Microsoft ISA
Server\ISAlogs directory, and manually delete the files. Note that you should
only delete log files with either .mdf or .ldf extensions that have obsolete
dates, and with the following log file name format:
ISALOG_YYYYMMDD_WEB_XXX, or ISALOG_ YYYYMMDD _FWS_XXX.
- When running build-to-build upgrade from an ISA Server 2006 RC build to
this released version, the forms templates located in the ISA Server
installation directory …\CookieAuthTemplates\ISA, are not replaced. The new
forms are installed into the folder ...\CookieAuthTemplates\ISA\HTML. As
a result, any changes that were made to the forms before the upgrade are not
migrated to the new forms. In addition, the following changes were made to the
forms in the RC version:
- Strings.txt uses a different format for customized strings. The new
format is name=value.
- Links in HTML files must include the file extension. For example,
- Strings.txt uses a different format for customized strings. The new format is name=value.
- After upgrading from the ISA Server 2006 RC build to this released version
of ISA Server 2006, the names of some performance counters will not display
properly in Performance Monitor. To avoid this issue, prior to upgrading, you
should unregister performance objects and counters. To do this, run: unlodctr
<service>, where <service> is each of the following: w3pcache,
FwEng, H323FLTR, SocksFlt, w3proxy, and FwSrv.
- After upgrading, the version number displayed in the Servers node in ISA
Server Management is not updated. To see the updated version number, click
Help, and then click About Microsoft ISA Server 2006. The
dialog box that appears shows the version details.
- While uninstalling the primary Configuration Storage server, it must be
able to communicate with at least one other Configuration Storage server in
the enterprise. This communication is required so that during the uninstall
process the replicas can be updated accordingly. Otherwise, when you try to
uninstall a Configuration Storage server that was not connected, it may
attempt to connect to the uninstalled, primary Configuration Storage server.
As a result, you will not be able to uninstall the Configuration Storage
server as required to complete the upgrade. This issue applies to Enterprise
- DiffServ support is provided only for Web Proxy clients. DiffServ packets
are applied to traffic from transparent clients, but should not be used for
packet prioritization for those clients.
- ISA Server cannot change the DiffServ priority during a Secure HTTP
(HTTPS) session, and the first selected priority remains in effect for the
entire session. As a result, the following limitations apply to content
tunneled over HTTPS:
- The Allow special handling of request and response headers according
to this priority option in the Priorities tab is not applicable.
- The Apply a size limit to this priority option on the Add
Priority property page is not applicable.
- The Allow special handling of request and response headers according to this priority option in the Priorities tab is not applicable.
- The Create Answer File Wizard supports Unicode input. However, because the
output answer file is generated in ANSI format, characters used in the input
strings must be translatable to ANSI. As such, if your input strings include
characters that cannot correctly translate to ANSI, the answer file will not
be generated properly. To avoid this, do the following:
- When running the Create Answer File wizard, use an ANSI file path
to save the generated file and input placeholders in ANSI characters (such
as English) for the following properties: name of site-to-site network for
the remote site, preshared key, array name and array description, and path
to the certificate
- Open the generated answer file and save the file in UNICODE format.
- Edit the UNICODE answer file and change the strings to their actual
- When running the Create Answer File wizard, use an ANSI file path to save the generated file and input placeholders in ANSI characters (such as English) for the following properties: name of site-to-site network for the remote site, preshared key, array name and array description, and path to the certificate
- The Browse button in the Join Existing Array page of the
Create Answer File Wizard is not functional. To enter the name of the
array, you must type it in the Array Name text box.
- When running Enterprise Edition as an array administrator, selecting to
participate in the Customer Experience Improvement program by clicking the
Customer Experience Improvement Program link in the details pane, and
then selecting the participate option in the Customer Feedback
dialog box does not work. For array administrators to participate in the
program, they will need to select the option in the array properties, on the
Customer Feedback tab.
- When running Enterprise Edition, the Configuration Storage server
generates the following log files in the Windows system folder: ADAM.log,
ADAMUninst.log, and PFRO.log.
4. Firewall Client
- This release does not support Firewall clients installed on computers
running the Microsoft Windows Server Code Name "Longhorn" or Microsoft
Windows Vista operating system. Firewall Client installation is blocked for
this operating system.
- Some applications, such as Windows Media Player, Microsoft Office Picture
Manager, and Microsoft Outlook Mobile Access, do not support client
certificate authentication during an SSL/TLS handshake, and will not be able
to authenticate when client authentication is required. As a result, users
will get an error message from such applications when trying to access the
published content. This issue occurs if the Web listener requires SSL client
certificate authentication, or if the Web listener requires forms-based
authentication and any of the publishing rules using this Web listener
requires an additional SSL client certificate. In some instances, such as for
Windows Media Player, the user may be able to save the target of the link to a
local folder, and then access the content from that folder.
- When Office Communicator Web Access is published using the Web Publishing
Rule Wizard, users may experience errors when sending messages. If this
occurs, delete the Web publishing rule and create a new rule using the
Exchange Web Publishing Rule Wizard instead. In the Select Services
page of the wizard, select Outlook Web Access as the Web client mail
service you are publishing. After the rule is created, you will need to edit
the rule properties and make the following changes: On the
Authentication tab, select NTLM authentication. On the
Paths tab, delete all Exchange paths, and then type the path /*.
- To allow a SecurID cookie to be generated by ISA Server, and then trusted
by a SecurID Web Agent, the same domain secret must be shared on the ISA
Server computer and the Web Agent. When exporting the domain secret on the Web
Agent computer, verify that the Domain name text box in the Manage
Domain Configuration dialog is cleared. If a domain name is entered in the
text box, a failure will occur when importing the domain secret to the ISA
- When configuring an Exchange Web client access publishing rule for
Exchange Server 2007, the Exchange publishing attachment blocking options in
the rule Application Settings property page are not
- When opened from a network share, the pages of the "Quick Start Guide"
will not display on a computer running Microsoft Windows Server 2003
with Service Pack 1. To view the "Quick Start Guide," copy the file
Isastart.chm to a local directory, and open it from there. For more
information and other options, see the Microsoft Knowledge Base article
896054, "You cannot open remote content by using the InfoTech protocol after you install security update 896358, security update 840315, or Windows Server 2003 Service Pack 1."
- In the document "Upgrading ISA Server 2004 Enterprise Edition to ISA
Server 2006 Enterprise Edition," section "Scenario Four: Load Balanced
Array," note the following corrections:
- The text "After you complete the upgrade of the Configuration Storage
server you need to disable NLB integration for the ISA Server array“ should
be changed to: "After you complete the upgrade of the Configuration Storage
server, you need to add any additional virtual IP addresses(VIPs), and then
apply the changes by clicking the Apply button on the Apply
Changes bar. Then disable NLB integration for the ISA Server array."
- In the same section, under the heading "Start the NLB service on the ISA
Server 2006 array members," there is a step missing. Before starting
the NLB service, you must first enable NLB integration.
- The text "After you complete the upgrade of the Configuration Storage server you need to disable NLB integration for the ISA Server array“ should be changed to: "After you complete the upgrade of the Configuration Storage server, you need to add any additional virtual IP addresses(VIPs), and then apply the changes by clicking the Apply button on the Apply Changes bar. Then disable NLB integration for the ISA Server array."
Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, people, and events depicted herein are fictitious and no association with any real company, organization, product, person, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.
Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.
© 2006. Microsoft Corporation. All rights reserved.
Microsoft, Outlook, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries/regions.