Microsoft Perimeter Network Installation Guide

Upload: kollipraveen

Post on 10-Apr-2018


  • 8/8/2019 Microsoft Perimeter Network Installation Guide

    1/37

    Microsoft Business Solutions

    Perimeter Network Installation Guide


    Information in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, e-mail address, logo, person, place, or event is intended or should be inferred. Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

    Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property.

    © 2005 Microsoft Corporation. All rights reserved.

    Microsoft, Navision, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, Axapta, and Great Plains are either registered trademarks or trademarks of Microsoft Corporation or Microsoft Business Solutions ApS in the United States and/or other countries. Microsoft Business Solutions ApS is a subsidiary of Microsoft Corporation.

    All other trademarks are property of their respective owners.


    Table of Contents

    Introduction
        Supported Network Configurations
        System Requirements
            Software Requirements
            Hardware Requirements
    Planning Your Perimeter Network
        Signing Up for Broadband Internet Service
        Registering an Internet-Facing Domain Name
        Purchasing Networking Hardware
        Determining Your Server Certificate Needs
    Deploying Your Perimeter Network
        Recording Internal and Perimeter Network Configuration Information
        Installing Windows Server 2003 on All Perimeter and Internal Network Servers
        Labeling Network Servers and Hubs
        Installing Network Interface Cards into All Network Servers
        Configuring Hardware Drivers
        Connecting Networking Hardware and Cables
        Adding My Network Places to the Desktops of Each Internal Network and Perimeter Server
        Configuring ISA1
            Changing Network Connections Names on ISA1
            Configuring TCP/IP Settings for Each Network Connection in ISA1
        Configuring IIS Servers in Perimeter Network
            Installing IIS on All IIS Servers
            Configuring TCP/IP Settings for IIS Servers
        Configuring TCP/IP Settings for All Application Servers
        Configuring Certificate Settings for ISA1 and IIS Servers
            Creating and Installing a Server Certificate for a Production Network
            Installing Third-party Certificates into the Default Web Site of IIS1
            Creating and Installing a Server Certificate for Test Network
            Installing Server Certificates into ISA1 and Remaining IIS Servers
        Installing and Running the Microsoft Business Solutions Perimeter Network Configuration Wizard
            Installing Microsoft Business Solutions Software and Configuration Files
            Testing Perimeter Network Access after Completing the Microsoft Perimeter Network Configuration Wizard
    Troubleshooting
    Glossary
    Appendix A: Microsoft Business Solutions Network Examples
    Appendix B: SelfSSL Parameters
    Appendix C: Network Information Form


    Introduction

    Welcome to the Microsoft Business Solutions Perimeter Network Installation Guide. This installation guide will help you configure a perimeter network for your internal network of Microsoft Business Solutions applications, allowing them to be accessed from remote locations using an encrypted channel of communication. Protecting your network from malicious attacks is an important step to keeping sensitive information private and network resources online and available.

    When you are finished with this installation guide, you will have configured and installed a perimeter network that includes a firewall, Microsoft Internet Security and Acceleration (ISA) Server 2004 and at least one Web server, and Microsoft Windows Server 2003 with Internet Information Services (IIS) 6.0.

    This installation guide includes detailed instructions on how to obtain, connect, and configure the servers and network hardware you will need in your perimeter and internal networks in order to run your Microsoft Business Solutions applications over the Web.

    When you are finished with the steps in this installation guide, you can then run the Microsoft Business Solutions Perimeter Network Configuration Wizard, which installs and configures ISA Server 2004 as your company firewall. In addition, the wizard will validate that you have configured your perimeter network correctly.

    You can use the wizard to configure firewall and network access rules for the following Microsoft Business Solutions applications:

    - Microsoft CRM
    - Microsoft CRM Mobile
    - Microsoft Dynamics AX Enterprise Portal
    - Microsoft Dynamics Business Portal

    Depending on your configuration, you might not see all of these applications.

    The wizard is designed to support additional Microsoft Business Solutions applications as they are released.

    Supported Network Configurations

    The Microsoft Perimeter Network Configuration Wizard supports only the network configurations detailed in this installation guide. The supported perimeter network configuration includes a single firewall server running ISA Server 2004 and a Web server running Microsoft Internet Information Services (IIS) 6.0 on the Microsoft Windows Server 2003 operating system. In some cases, you will have multiple Web servers depending on the specific Microsoft Business Solutions applications you want to deploy.

    Figure 1 shows an example of a network that consists of an internal network that hosts application servers and domain controllers, a perimeter network that includes your ISA and IIS servers, and a connection to the Internet provided by your Internet service provider (ISP). If you have an existing network in place, the Microsoft Perimeter Network will integrate with that network as a separate Internet-facing component of your Microsoft Business Solutions applications. If you plan to keep your existing networking hardware, do not install a hardware firewall between your new perimeter network and existing internal network. If you do this, you will create conflicts in the perimeter network setup processes.

    The Microsoft Perimeter Network Configuration Wizard also supports other network configurations that include additional application and Internet servers, as is required for some Microsoft Business Solutions applications. For example, Microsoft Business Portal and Microsoft Enterprise Portal both support multiple Internet servers. Check the implementation guide for the Microsoft Business Solutions applications you want to deploy for specific network requirements. The Microsoft Business Solutions applications you are using will determine the exact number and configuration of servers in the perimeter network and internal network; however, it is important that you start this installation with the correct number of servers you will need for your planned perimeter and internal network before you begin the deployment process.


    Note: The Microsoft Perimeter Network Configuration Wizard is not compatible with Microsoft Windows Small Business Server 2003 or Microsoft Small Business Server 2000.

    Figure 1: Example Network Architecture of Existing Network Components and Microsoft Perimeter Network

    System Requirements

    To complete this implementation, you must purchase the number of servers required for your desired network and install the required software before you can use the Perimeter Network Configuration Wizard. The following section describes software and hardware requirements for the Microsoft Perimeter Network Configuration Wizard.

    The following Microsoft software and technologies are required to use the Microsoft Perimeter Network Configuration Wizard:

    - Microsoft Windows Server 2003. Windows Server 2003, Standard Edition or Enterprise Edition provides a platform for the Web hosting and security software required for this implementation wizard. In some cases, you will be able to use Microsoft Windows 2000 Server, but it is strongly recommended you build your perimeter network using the newest Windows Server operating system. In addition, this installation guide assumes you are using Windows Server 2003.

    - Microsoft Internet Information Services (IIS) 6.0. IIS 6.0 is the Web server built into Windows Server 2003. You can use IIS 6.0 to host Web sites and publish those sites to the Internet.

    - Microsoft ISA Server 2004. Microsoft ISA Server 2004 is the Microsoft firewall and Web caching software. For the perimeter network deployment, use ISA Server 2004. Although the procedures included in this installation guide do not require ISA Server 2004, you must purchase it for the Microsoft Perimeter Network Configuration Wizard. Previous versions of Microsoft ISA Server are not compatible with the Microsoft Perimeter Network Configuration Wizard.

    - Microsoft Business Solutions software. Microsoft Business Solutions are integrated business applications for small and mid-size organizations, and divisions of large enterprises.


    - Microsoft SQL Server 2000. SQL Server 2000 or later is the database used by Microsoft Business Solutions applications to store important data and configuration information.

    Software Requirements

    Your new perimeter network includes an ISA server, and at least one IIS server is used to make your Microsoft Business Solutions applications available to the Web. Depending on your specific application requirements, you might need more than one IIS server. If you are already running an internal network of Microsoft Business Solutions applications, this installation guide assumes that internal network is functional and configured according to the requirements for Microsoft Business Solutions software. Table 1 describes the requirements for both your internal and perimeter network.

    Table 1: Required Software for Microsoft Business Solutions Deployment

    | Server type | Required software | Comments |
    |---|---|---|
    | Firewall server (ISA1) | Microsoft Windows Server 2003, Standard Edition or Enterprise Edition; Microsoft ISA Server 2004 | The firewall server must have three network interface cards (NICs). |
    | Web server (IIS1) | Microsoft Windows Server 2003, Standard Edition or Web Server Edition; Microsoft IIS 6.0 | You might have more than one IIS server in your perimeter network, depending on your network configuration needs. |
    | Database server | Microsoft Windows Server 2003, Standard Edition; Microsoft SQL Server 2000 or later | |
    | Application server (you might have more than one, depending on your internal network configuration) | Microsoft Windows Server 2003, Standard Edition; Microsoft Business Solutions software: Microsoft CRM, Microsoft CRM Mobile, Microsoft Dynamics AX Enterprise Portal, Microsoft Dynamics Business Portal | Application servers must have the operating system installed on them before using the Microsoft Perimeter Network Configuration Wizard. For specific hardware and software requirements, see the implementation guide for the Microsoft Business Solution application you want to deploy. |
    | Preferred domain controller (DC1) | Microsoft Windows Server 2003; or Microsoft Windows 2000 Server | |
    | Alternate domain controller (DC2) (optional) | Microsoft Windows Server 2003; or Microsoft Windows 2000 Server | For your internal network, an alternate domain controller is optional. |


    Hardware Requirements

    Table 2 describes the hardware requirements for the Microsoft software you must use for your perimeter network deployment.

    Table 2: Hardware Requirements

    | Software | Component | Requirements |
    |---|---|---|
    | Microsoft Windows Server 2003, Standard Edition or Web Edition | Computer and processor | PC with a 133-MHz processor required; 550-MHz or faster processor recommended (Windows Server 2003 Standard Edition supports up to four processors on one server) |
    | | Memory | 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum |
    | | Hard disk | 1.25 to 2 GB of available hard-disk space |
    | | Drive | CD-ROM or DVD-ROM drive |
    | | Display | VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended |
    | Microsoft ISA Server 2004 | Computer and processor | PC with a 133-MHz processor required; 550-MHz or faster processor recommended (Windows Server 2003 Standard Edition supports up to four processors on one server) |
    | | Operating system | Windows Server 2003, Standard Edition or Web Edition |
    | | Memory | 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum |
    | | Hard disk | 1.25 to 2 GB of available hard-disk space |
    | | Drive | CD-ROM or DVD-ROM drive |
    | | Display | VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended |
    | Microsoft SQL Server 2000 | Computer or processor | 166-megahertz (MHz) or higher processor |
    | | Operating system | Windows Server 2003, Standard Edition or Web Edition |
    | | Memory | 64 megabytes (MB) of RAM; 128 MB recommended |
    | | Hard disk | Enterprise, Standard, Workgroup, Evaluation, Developer, and Personal Editions require: 95–270 MB of available hard disk space for the server (250 MB for a typical installation); 50 MB of available hard disk space for a minimum installation of Analysis Services (130 MB for a typical installation); 80 MB of available hard disk space for English Query. MSDE requires 44 MB of available hard disk space. |
    | | Drive | CD-ROM |
    | | Display | VGA or higher-resolution monitor |


    Planning Your Perimeter Network

    Before you begin your perimeter network configuration, you must identify and record each component of your existing network. This section of the installation guide will help you to perform these identification steps. If you are building a new network, you can use this section to assign new network configuration requirements, such as subnet masks and static Internet Protocol (IP) addresses.

    To make installation easier, you can use the Network Information form to record the network configuration information that you use during the installation processes. The Network Information form is included as a separate document. Use the table in the Network Information form to record the information you gather during the planning steps of this implementation.

    Figure 2 describes the steps you must complete during the planning phase of this implementation:

    Figure 2: Planning Steps

    Signing Up for Broadband Internet Service

    If you do not already have a connection to the Internet, you must sign up for broadband Internet service using an ISP. When you sign up with your ISP, you must choose a broadband service that provides a static IP address that you can use to connect to the Internet. Internet services that use dynamic IP addresses will not work for this deployment. If you already have Internet service and a static IP address for an existing network, you must obtain a second, dedicated static IP address for your perimeter network.

    After you finish setting up your Internet service, record the following information in lines 2 through 6 of the Network Information form. Your ISP will provide all of the following information:

    - Static IP address
    - Subnet mask
    - Default gateway
    - Preferred Domain Name System (DNS) server
    - Alternate DNS server


    Registering an Internet-Facing Domain Name

    If you have not already done so, register an Internet-facing domain name (for example, contoso.com) for your perimeter network. The Internet-facing domain name is used by users who want to access your Microsoft Business Solutions applications from a remote location.

    When you register your new Internet-facing domain name, ask the Internet registrar to redirect traffic to the domain to the static, Internet-facing IP address that you obtained from your ISP. Most Web hosting services can do this by setting up a domain parking account. Domain parking accounts forward all traffic to an Internet-facing domain name to a specific IP address or Web site.

    Record your Internet host name on line 1 of the Network Information form.

    Purchasing Networking Hardware

    Before you deploy your perimeter network, purchase the networking hardware that enables you to connect your servers to the Internet and to an existing network in your company, if applicable. You will need to purchase the following items:

    Network servers. Most of the major computer manufacturers today sell preconfigured servers. In many cases, you can buy these servers with Microsoft Windows Server 2003, Standard Edition already installed. Ordering servers that are preconfigured also means hardware drivers will be configured for you before you begin your installation. Make sure to order the correct number of servers for the type of network you want to deploy. The number of servers depends on how many Microsoft Business Solutions applications you plan to run in your network. Use the example network diagrams in Appendix A to determine the number of servers you will need for your network.

    Network interface cards. If you plan to order servers from a manufacturer, make sure each server has at least one NIC, with the exception of the ISA server. Your ISA server must have three NICs installed in it before you begin your deployment. If you plan to use existing servers to create your perimeter and internal networks, see the instructions about how to install and configure NICs in the "Deploy Your Perimeter Network" section of this installation guide.

    Network hubs. At least two network hubs are required for this deployment. In place of hubs, you can also use network switches, as discussed in the Reference section of this document. However, this installation guide assumes you will be using network hubs.

    Networking cables. For your network, use Category 5 (CAT5) Ethernet cables. CAT5 Ethernet cables can be purchased in most major computer or office supply stores. Make sure you buy cable lengths that will accommodate your planned network's physical location. Buying network cables of different colors also helps to distinguish between internal and perimeter network connections.

    Determining Your Server Certificate Needs

    If you are deploying a production network, purchase a certificate from a third-party certificate authority (CA). However, if you are planning to configure a test-only environment, you also have the option to create your certificate by using Windows Server 2003. During the planning stage, evaluate the costs and procedures associated with purchasing a server certificate from a third-party CA.

    Instructions about how to implement both types of certificates are covered in this installation guide, but you should determine which type you want to implement before you begin your deployment.


    Deploying Your Perimeter Network

    The following section guides you through the perimeter network deployment process. Before deploying your network, make sure you have completed all of the planning steps necessary for your specific deployment. Figure 3 is an overview of the deployment steps you need to complete for this implementation:

    Figure 3: Perimeter Network Deployment Steps


    Recording Internal and Perimeter Network Configuration Information

    Identify each of your network components and then record the network attributes. The Microsoft Perimeter Network Configuration Wizard requires that you choose static server names and IP addresses for your perimeter and internal network servers.

    To make the setup procedures easier, this guide provides a table where you can record and reference the information for your network. Procedural information in later sections of this document will use the IP addresses you record in the Network Information form (see Appendix C). Note that some of the IP addresses might be the same as other entries in the table if you are hosting multiple-server software on one physical computer. Record these addresses separately even if they are duplicates.

    Important: Because the steps of this document refer to specific entries in the Network Information form, finish recording your network configuration information before continuing to step 2.

    You will need to record network configuration information for the servers listed in the Network Information form. Some servers are optional with this configuration and are noted in the Network Information form.
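
    A consistency check for the values recorded in the Network Information form, run before any hardware is cabled. This is an added example, not part of the Microsoft guide or the wizard. The plan layout, the APP1 and SQL1 labels, every address, and the rule that ISA1's three networks must not overlap are assumptions; the three-NIC requirement for ISA1, the placement of IIS servers on the perimeter hub, and the allowance for duplicate addresses on one physical computer come from the guide.

```python
import ipaddress

# Constructed sample plan. ISA1, IIS1, CRM1 and DC1 are names used in the guide;
# APP1 and SQL1 are hypothetical labels and every address is an illustrative value.
SAMPLE_PLAN = {
    "isp": {"static_ip": "203.0.113.10", "mask": "255.255.255.248",
            "gateway": "203.0.113.9"},
    # ISA1 is the only server with three NICs: Internet, perimeter hub, internal hub.
    "isa1": {"external": "203.0.113.10/29",
             "perimeter": "192.168.10.1/24",
             "internal": "10.0.0.1/24"},
    # "host" is the physical computer. Roles hosted on one computer are recorded
    # separately and may legitimately carry the same address.
    "servers": [
        {"role": "IIS1", "host": "IIS1", "zone": "perimeter", "ip": "192.168.10.20"},
        {"role": "CRM1", "host": "APP1", "zone": "internal", "ip": "10.0.0.30"},
        {"role": "SQL1", "host": "APP1", "zone": "internal", "ip": "10.0.0.30"},
        {"role": "DC1", "host": "DC1", "zone": "internal", "ip": "10.0.0.10"},
    ],
}

REQUIRED_NICS = ("external", "perimeter", "internal")


def _check(plan, findings):
    # 1. ISP values: the default gateway must be another host in the ISP subnet.
    isp = plan["isp"]
    isp_if = ipaddress.ip_interface(f"{isp['static_ip']}/{isp['mask']}")
    gateway = ipaddress.ip_address(isp["gateway"])
    if gateway not in isp_if.network or gateway == isp_if.ip:
        findings.append("ISP default gateway is not a separate host in the ISP subnet")

    # 2. ISA1 must have exactly the three NICs the guide calls for.
    nics = plan["isa1"]
    if sorted(nics) != sorted(REQUIRED_NICS):
        findings.append("ISA1 must have exactly three NICs: external, perimeter, internal")
        return
    ifaces = {name: ipaddress.ip_interface(addr) for name, addr in nics.items()}

    # 3. The Internet-facing NIC carries the static address from the ISP.
    if ifaces["external"].ip != isp_if.ip:
        findings.append("ISA1 external NIC does not use the ISP static IP address")

    # 4. Assumption of this example: the three networks are disjoint.
    for i, a in enumerate(REQUIRED_NICS):
        for b in REQUIRED_NICS[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                findings.append(f"ISA1 {a} and {b} networks overlap")

    # 5. Every server has a usable static address in the network of its hub.
    isa_ips = {iface.ip for iface in ifaces.values()}
    owner_of = {}  # address -> physical computer that first recorded it
    for srv in plan["servers"]:
        role, zone = srv["role"], srv["zone"]
        ip = ipaddress.ip_address(srv["ip"])
        if zone not in ("perimeter", "internal"):
            findings.append(f"{role} has unknown zone {zone!r}")
            continue
        if role.upper().startswith("IIS") and zone != "perimeter":
            findings.append(f"{role} is an IIS server and belongs on the perimeter hub")
        net = ifaces[zone].network
        if ip not in net or ip in (net.network_address, net.broadcast_address):
            findings.append(f"{role} address {ip} is not a usable host in the {zone} network")
        if ip in isa_ips:
            findings.append(f"{role} reuses an ISA1 address ({ip})")
        # Duplicates are fine only when both entries sit on the same computer.
        owner = owner_of.setdefault(ip, srv["host"])
        if owner != srv["host"]:
            findings.append(
                f"{ip} is recorded for two different computers: {owner} and {srv['host']}")


def validate_plan(plan):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    try:
        _check(plan, findings)
    except ValueError as exc:  # raised by ipaddress for malformed addresses or masks
        findings.append(f"unparseable address or mask: {exc}")
    return findings


if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_PLAN) or ["plan is consistent"]:
        print(finding)
```
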

    Installing Windows Server 2003 on All Perimeter and Internal Network Servers

    Install the Microsoft Windows Server 2003, Standard Edition operating system on every server in your perimeter or internal networks. Windows Server 2003 is the required server operating system for this deployment scenario and it must be preinstalled on all servers before you begin the Microsoft Perimeter Network Configuration Wizard. The Microsoft Perimeter Network Configuration Wizard does not support other server operating systems.

    Note: Windows Server 2003 might already be installed on your servers if you purchased servers with a pre-installed operating system. If this is the case with your servers, you can skip the rest of this section and go to step 3.

    If you are already running a server for a specific Microsoft Business Solutions application, that server should already have Windows Server 2003 installed. In addition, for any Microsoft Business Solutions application servers you plan to deploy, but are not currently running, you must configure a server running Windows Server 2003 for the application. Although these application servers will not have the specific Microsoft Business Solutions application installed, the wizard must configure those servers as part of the network.

    For example, if you plan to have an application server running Microsoft Enterprise Portal, you must have a server for it that is running Windows Server 2003 and connected to the network before you begin the Microsoft Perimeter Network Configuration Wizard.

    This guide does not provide specific procedures on how to install Windows Server 2003. However, detailed instructions and information about installing Windows Server 2003 are available in the Windows Server Deployment Guide.

    Labeling Network Servers and Hubs

    Label each server in your network to make connecting cables and changing configurations easier. Use the server names provided in this installation guide, IIS1, ISA1, CRM1, and other servers in your networks.

    If you have not done so already, label your network hubs. Label one network hub "Perimeter network" and the other "Internal network". Throughout this document, these hubs will be referenced using these names.

    http://go.microsoft.com/fwlink/?LinkId=53745

    Installing Network Interface Cards into All Network Servers

    Install the proper number of NICs into each of your network's servers. If you purchased your servers with the correct number of NICs in each one, you can skip this step and go on to step 5.

    Each server in your perimeter and internal network needs at least one NIC for this deployment, with the exception of your perimeter network's firewall server (ISA1). The ISA1 server must have three NICs installed before you run the Microsoft Perimeter Network Configuration Wizard.

    To install NICs into each server, use the instructions provided by the NIC's manufacturer. Installing NICs involves opening the server chassis to gain access to internal PCI (Peripheral Component Interconnect) expansion slots. If you are unfamiliar with installing PCI-based expansion cards or if modifying server hardware components violates warranty agreements, contact your server manufacturer or a computer hardware specialist for more help.

    After you have completed the physical installation of each NIC, make sure drivers for the NICs have been installed on each of the servers. Many NIC drivers are installed automatically by Windows Server 2003 and Windows 2000 Server by using stored drivers in the operating systems.

    After installing NIC cards in a specific server, start the computer and let the automatic hardware installation wizard attempt to install drivers. If the drivers have been installed automatically, a prompt from the notification area of your desktop will appear indicating the process has been completed successfully. You can manually check to see if the drivers have been installed by using Control Panel.

    Check if the NIC drivers have already been installed by the operating system

    1. Click Start, point to Control Panel, and then click System.

    2. On the Hardware tab, click Device Manager.

    3. Expand Network adapters. If you do not see any warnings and errors next to the NICs you have just installed, then the operating system has installed the drivers automatically.

    If the drivers could not be installed automatically by the operating system, follow the installation instructions provided with the NIC. If you do not have instructions, you can manually install drivers using the Add Hardware Wizard in Control Panel.

    To run the Add Hardware Wizard, click Start, point to Control Panel, and then click Add Hardware. Follow the wizard's directions to find and install drivers for your new NIC(s).

    Configuring Hardware Drivers

    After installing the NIC drivers, install the other hardware drivers for the devices in your servers, such as video cards and controller cards. Driver conflicts can affect performance and server stability. Install all necessary drivers for your servers before continuing. Drivers and instructions about how to correctly install and configure drivers should be included with the device when you purchase it.

    For help with installing hardware drivers correctly, contact the manufacturer of the device or visit their Web site.

    Connecting Networking Hardware and Cables

    Depending on your current network configuration, you might also need to install and configure the necessary networking hardware needed for your network, including network hubs and cables.

    Figure 4 shows a sample network diagram you can use when setting up your perimeter and internal networks. Exact network topologies will vary from network to network, but use Figure 4 and the provided instructions as a reference while you are installing networking components. As shown, ISA1 has three NICs installed. The NICs in ISA1 are labeled to clarify connection specifications. Other servers have only one NIC and connect to other servers in the network using your network hubs.

    Make sure you have chosen a location for each of your network hubs and that they are turned on before you connect your network components.

    Figure 4: Microsoft Perimeter Network Wiring Example

    Connect network cables for Perimeter and Internal networks

    1. Connect a network cable from an open ISA1 NIC to your Perimeter network hub.

    2. In another open ISA1 NIC, connect a network cable to your Internal network hub.

    3. Connect one end of a network cable to the remaining open NIC on ISA1; however, do not connect the other end of the cable to the wall jack or router from which you receive your Internet connection. Connecting your network to the Internet before you have the ISA server configured could create a security risk. You will make this connection after you finish running the Microsoft Perimeter Network Configuration Wizard.

    4. For each IIS server in your perimeter network, connect a cable from the IIS server NIC to your Perimeter network hub. Each IIS server should have only one NIC connected to the perimeter network hub.

    5. For each of the following servers, connect a network cable from the server's NIC to your Internal network hub:

    • DC1

    • DC2 (optional)

    • SQL1 (if you have a stand-alone database server)

    • All application servers in your internal network (for example, CRM1 or AOS1)

    Note: You might not have all of these servers in your network, depending on your specific deployment scenario. Some internal network servers might already be configured and connected to network hubs, depending on your existing network.

    When you are finished connecting your network components, turn on all of your servers. The lights on your hub will begin to blink as network activity starts. If you do not see any activity, make sure your hubs have electricity and that network cable connections are properly connected at both ends of each cable.

    Adding My Network Places to the Desktops of Each Internal Network and Perimeter Server

    During this implementation, you will need to regularly open My Network Places. To make opening My Network Places easier while configuring your servers, add a shortcut to My Network Places to the desktop of each network server.

    Add My Network Places to your servers' desktops

    1. Log on to the server to which you want to add the My Network Places icon.

    2. Double-check to see if the My Network Places icon already exists on your desktop. If the shortcut already exists, go to step 8.

    3. Right-click an open area of your desktop, and then click Properties.

    4. In the Display Properties dialog box, on the Desktop tab, click Customize Desktop.

    5. In the Desktop items dialog box, under Desktop icons, select the My Network Places check box, and then click OK.

    6. In the Display Properties dialog box, click OK to return to the desktop.

    7. Repeat steps 1 through 6 for all of your internal and perimeter network servers.

    After you have successfully added the My Network Places shortcut to all of your server desktops, you can begin configuring your perimeter network servers. The following section describes how to configure ISA1.

    Configuring ISA1

    This section describes the configuration procedure for ISA1 that you must complete before you run the Microsoft Perimeter Network Configuration Wizard. Configuring ISA1 requires you to perform the following tasks:

    • Change network connection names on ISA1

    • Configure TCP/IP settings for each network connection in ISA1

    Note: To perform the following procedures, you must be a member of the Account Operators group, Domain Admins group, or the Enterprise Admins group in Active Directory, or you must have been delegated the appropriate authority.

    Changing Network Connections Names on ISA1

    You must manually configure network settings for all three network connections in ISA1 by using Network Connections. To configure ISA1 network settings, rename each network connection first, and then configure the Transmission Control Protocol/Internet Protocol (TCP/IP) settings.

    When configuring the network settings for your perimeter network servers, use the information you recorded in the Network Information form.

    Rename network connections in ISA1

    1. On the desktop, right-click My Network Places, and then click Properties.

    2. In the Network Connections window, right-click the network connection that you intend to connect to the Internet, click Rename, type Internet, and then press ENTER.

    Note: This network connection should be disconnected, and should remain disconnected after you rename it to Internet.

    3. Rename the Perimeter network connection by doing the following:

    a. Find the cable that connects ISA1 to your perimeter network hub and unplug it from ISA1.

    b. In the Network Connections window, right-click the network connection for the perimeter network hub that is disconnected, and then click Rename.

    c. Type Perimeter Network and press ENTER.

    d. Plug the cable back into the NIC in ISA1. Check the Network Connections window and make sure that the Perimeter Network connection is now connected.

    Note: The network connection might display as connected; however, it might display with a question mark. Please note that this is normal at this point in the implementation and that you will be configuring these network connections in later sections of this installation guide.

    4. Rename the Internal network connection by doing the following:

    a. Find the cable that connects ISA1 to your internal network hub and unplug it.

    b. In the Network Connections window, right-click the network connection for the internal network hub that is disconnected, and then click Rename.

    c. Type Internal Network and press ENTER.

    d. Plug the cable back into the NIC in ISA1. Check the Network Connections window and make sure that the Internal Network connection is now connected.

    Now that you have renamed all three network connections in ISA1, you need to configure TCP/IP settings. In the following section you will configure TCP/IP settings for all three network connections in ISA1.

    Configuring TCP/IP Settings for Each Network Connection in ISA1

    After you have successfully renamed all of the ISA1 NICs, you must manually configure each NIC TCP/IP setting. The following steps guide you through configuring each ISA1 NIC. To configure the ISA1 TCP/IP settings, you must complete the following tasks:

    • Configure TCP/IP settings for the Internet network connection

    • Configure TCP/IP settings for the Internal Network connection

    • Configure TCP/IP settings for the Perimeter Network connection

    Note: If you are unsure about a configuration setting for a specific network connection, refer to Figure 5 as a reference.

    Start your network configuration process by configuring the TCP/IP connections for the Internet network connection.

    Configure TCP/IP settings for the Internet network connection

    1. On the desktop, right-click My Network Places, and then click Properties.

    2. In the Network Connections window, right-click Internet, and then click Properties.

    3. On the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.

    4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following IP address, and then do the following:

    a. In the IP address box, type the Internet-facing static IP address you recorded on line 2 of the Network Information form.

    b. In the Subnet mask box, type the Internet-facing subnet mask you recorded on line 3 of the Network Information form. After typing the IP address, the subnet mask is automatically populated with a default address.

    c. In the Default gateway box, type the Internet-facing default gateway that you recorded on line 4 of the Network Information form.

    Note: When configuring TCP/IP settings for all network servers, the first three entries of the server IP address should match the first three entries of the default gateway address. For example, if your server IP address is 192.168.12.103, your default gateway address should also start with 192.168.12. If these do not match, recheck your entries in the Network Information form, and make sure that you have the correct addresses for each server.

    5. Select Use the following DNS server addresses and do the following:

    a. In the Preferred DNS server box, type the ISP preferred DNS address that you recorded on line 5 of the Network Information form.

    b. In the Alternate DNS server box, type the ISP alternate DNS address that you recorded on line 6 of the Network Information form.

    6. Click OK, and then click Close.

    Second, configure TCP/IP settings for the Internal Network connection.

    Configure TCP/IP settings for the Internal Network connection

    1. On the desktop, right-click My Network Places, and then click Properties.

    2. In the Network Connections window, right-click Internal Network, and then click Properties.

    3. On the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.

    4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following IP address, and then do the following:

    • In the IP address box, type the Internal network IP address you recorded on line 8 of the Network Information form. After typing your IP address, the subnet mask is automatically populated with a default address.

    • In the Subnet mask box, clear the default entry, and then type the internal network's subnet mask that you recorded on line 21 of the Network Information form.

    • Leave the Default gateway box blank.

    5. Select Use the following DNS server addresses and do the following:

    • In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of the Network Information form.

    • In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of the Network Information form. This IP address is optional. If you do not have an alternate DNS server in your network, leave this box blank.

    6. Click OK, and then click Close. The icon for this network connection changes to show that the network connection has been configured correctly.

    Finally, configure TCP/IP connections for the Perimeter Network connection.

    Configure TCP/IP settings for the Perimeter Network connection

    1. On the desktop, right-click My Network Places, and then click Properties.

    2. Right-click Perimeter Network, and then click Properties.

    3. On the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.

    4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following IP address, and then do the following:

    a. In the IP address box, type the Perimeter network IP address that you recorded on line 8 of the Network Information form. After typing the IP address, the subnet mask is automatically populated with a default address.

    b. In the Subnet mask box, clear the default entry, and then type the Perimeter network subnet mask that you recorded on line 10 of the Network Information form.

    c. Leave the Default gateway box blank.

    5. Select Use the following DNS server addresses and do the following:

    a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of the Network Information form.

    b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of the Network Information form. This IP address is optional. If you do not have an alternate DNS server in your network, leave this box blank.

    6. Click OK, and then click Close. The icon for this network connection changes to show that the network connection has been configured correctly.

    After you finish configuring TCP/IP settings for ISA1, configure the TCP/IP settings for all of your IIS servers in your perimeter network by using the procedures in step 9.

    Configuring IIS Servers in Perimeter Network

    After configuring ISA1, install IIS on all IIS servers and then configure the server's network connection (TCP/IP) settings. IIS servers give your network the ability to communicate with inbound requests from outside of your perimeter network and correctly route them to their intended destinations. This feature enables you to access applications from the Internet.

    Important: You must complete these steps for each of your perimeter network IIS servers.

    To properly configure your IIS servers, complete the following:

    • Install IIS (if it has not already been installed on your IIS server)

    • Configure TCP/IP settings

    Installing IIS on All IIS Servers

    First, install IIS on each of your network servers.

    Install IIS 6.0

    1. Log on to the IIS server you want to configure.

    2. On the Start menu, point to Control Panel, and then click Add or Remove Programs.

    3. Click Add/Remove Windows Components.

    4. In the Windows Components Wizard, in the Components list, click Application Server, and then click Details.

    5. In the Subcomponents of Application Server list, select the Internet Information Services (IIS) check box, click OK, and then click Next.

    6. When the installation process is finished, click Close.

    7. Repeat steps 1 through 6 for each of your IIS servers.

    Configuring TCP/IP Settings for IIS Servers

    When you have finished installing IIS on each of your IIS servers, configure the TCP/IP settings for the server's network connection.

    Configure TCP/IP settings for IIS servers

    1. On the desktop, right-click My Network Places, and then click Properties.

    2. In the Network Connections window, right-click Local Area Connection, and then click Properties.

    Note: You should only have one Local Area Connection in each IIS server. If you are unsure which network connection to configure or if you have more than one, unplug the cable that is connected from the IIS server to the perimeter network hub. Configure the network connection that appears as disconnected. Then, plug the network cable back into the IIS server NIC.

    3. On the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.

    4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following IP address, and then do the following:

    • In the IP address box, type the corresponding IIS server IP address that you recorded in the Network Information form. After typing your IP address, your subnet mask is automatically populated with a default address. For example, if you are configuring IIS1, type the IP address you recorded on line 12 of the Network Information form. You must configure IIS1 for the Microsoft Perimeter Network Configuration Wizard; however, IIS2 through IIS4 are optional.

    • In the Subnet mask box, type the Perimeter network subnet mask address that you recorded in line 10 of the Network Information form.

    • In the Default gateway box, type the ISA1 Perimeter Network IP address that you recorded in line 9 of the Network Information form.

    Note: When configuring TCP/IP settings for all network servers, the first three entries of the server IP address should match the first three entries of the default gateway address. For example, if your server IP address is 192.168.12.103, your default gateway address should also start with 192.168.12. If these do not match, recheck your entries in the Network Information form, and make sure that you have the correct addresses for each server.

    5. Select Use the following DNS server addresses and do the following:

    a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of the Network Information form.

    b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of the Network Information form. If you do not have an alternate DNS server in your network, leave this box blank.

    6. Click OK, and then click Close. The icon for this network connection changes to show that the network connection has been configured correctly.

    Configuring TCP/IP Settings for All Application Servers

    After configuring your IIS servers, configure network connection (TCP/IP) settings for all of your application servers. Use the following procedures to configure each application server. If you have existing servers that are already configured to work with an existing network, you do not need to perform the following procedure on those servers.

    Configure TCP/IP settings for application server

    1. Log on to the application server you want to configure.

    2. On the desktop, right-click My Network Places, and then click Properties.

    3. In the Network Connections window, right-click Local Area Connection, and then click Properties.

    Note: You should only have one local area connection in each application server, but if you are unsure which network connection to configure, unplug the cable connected to the NIC in the application server. Configure the network connections that appear as disconnected. Then, plug the network cable back into the application server NIC.

    4. On the General tab, under This connection uses the following items, click Internet Protocol (TCP/IP), and then click Properties.

    5. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following IP address, and then do the following:

    a. In the IP address box, type the IP address that you recorded in the Network Information form for the application server you want to configure. For example, if you are configuring the CRM server, type the address you recorded on line 27 of the Network Information form. After typing your IP address, the subnet mask is automatically populated with a default address.

    b. In the Subnet mask box, clear the default address and then type the Internal Network subnet mask that you recorded in line 21 of the Network Information form.

    c. In the Default gateway box, type the Internal Network IP address that you recorded in line 8 of the Network Information form.

    Note: When configuring TCP/IP settings for all network servers, the first three entries of the server IP address should match the first three entries of the default gateway address. For example, if your server IP address is 192.168.12.103, your default gateway address should also start with 192.168.12. If these do not match, recheck your entries in the Network Information form, and make sure you have the correct addresses for each server.

    6. Select Use the following DNS server addresses and do the following:

    a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of the Network Information form.

    b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of the Network Information form. If you do not have an alternate DNS server in your network, leave this box blank.

    7. Click OK, and then click Close.

    After you have configured TCP/IP settings for every application server in your internal network, you can validate your network configurations. Figure 5 provides an example for this validation. The TCP/IP settings shown in the diagram are an example based on the information that is recorded in the Network Information form. Use the information provided in the diagram as a reference to help make sure that your network components are configured correctly.

    When you are satisfied that the configuration you created is correct, go to step 11. If you think that you have made an error, recheck your steps to make sure your network is configured correctly.
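
    The validation described above can also be scripted before the Internet cable is connected. The following Python script is an added example, not part of the original guide: it checks an addressing plan against the rules the guide states (only the ISA1 Internet connection has a default gateway; IIS servers use the ISA1 Perimeter Network address as gateway; application servers use the ISA1 Internal Network address) and generalizes the "first three entries" note by using the recorded subnet mask. All addresses and the dictionary layout are constructed for illustration, and the subnet-overlap check is an extra sanity check that the guide does not state.

```python
import ipaddress
from itertools import combinations

# Per the guide, Internet is the only ISA1 connection that gets a default gateway.
ISA_GATEWAY_NIC = "Internet"

# Constructed sample values (documentation and private ranges) standing in for
# the entries of a filled-in Network Information form.
SAMPLE_ISA1 = {
    "Internet": {"ip": "203.0.113.10", "mask": "255.255.255.248", "gateway": "203.0.113.9"},
    "Perimeter Network": {"ip": "192.168.12.1", "mask": "255.255.255.0", "gateway": ""},
    "Internal Network": {"ip": "10.0.0.1", "mask": "255.255.255.0", "gateway": ""},
}
# "zone" names the ISA1 connection that serves as the server's default gateway.
SAMPLE_SERVERS = {
    "IIS1": {"zone": "Perimeter Network", "ip": "192.168.12.103",
             "mask": "255.255.255.0", "gateway": "192.168.12.1"},
    "CRM1": {"zone": "Internal Network", "ip": "10.0.0.27",
             "mask": "255.255.255.0", "gateway": "10.0.0.1"},
}


def network_of(nic):
    """Return the IPv4 network a connection sits on (address plus subnet mask)."""
    return ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network


def check_nic(label, nic):
    """Check one connection: valid values and a gateway on the same subnet."""
    try:
        net = network_of(nic)
    except ValueError as exc:
        return [f"{label}: invalid IP address or subnet mask ({exc})"]
    gateway = nic.get("gateway")
    if not gateway:
        return []
    try:
        gw = ipaddress.ip_address(gateway)
    except ValueError:
        return [f"{label}: invalid default gateway {gateway!r}"]
    if gw not in net:
        # General form of the guide's "first three entries must match" note.
        return [f"{label}: default gateway {gw} is not on subnet {net}"]
    if str(gw) == nic["ip"]:
        return [f"{label}: default gateway equals the server's own address"]
    return []


def validate_plan(isa_nics, servers):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    nets = {}
    for name, nic in isa_nics.items():
        findings += check_nic(f"ISA1/{name}", nic)
        try:
            nets[name] = network_of(nic)
        except ValueError:
            pass  # already reported by check_nic
        if name != ISA_GATEWAY_NIC and nic.get("gateway"):
            findings.append(f"ISA1/{name}: Default gateway box must be left blank")
    if not isa_nics[ISA_GATEWAY_NIC].get("gateway"):
        findings.append(f"ISA1/{ISA_GATEWAY_NIC}: default gateway is missing")

    # Extra check (assumption, not from the guide): the three ISA1 subnets
    # must be distinct, otherwise traffic cannot be separated per connection.
    for (a, net_a), (b, net_b) in combinations(nets.items(), 2):
        if net_a.overlaps(net_b):
            findings.append(f"ISA1: {a} and {b} subnets overlap ({net_a}, {net_b})")

    for host, nic in servers.items():
        findings += check_nic(host, nic)
        zone = isa_nics[nic["zone"]]
        if nic.get("gateway") != zone["ip"]:
            findings.append(
                f"{host}: default gateway should be the ISA1 {nic['zone']} "
                f"address {zone['ip']}"
            )
        if nic["mask"] != zone["mask"]:
            findings.append(
                f"{host}: subnet mask differs from the {nic['zone']} mask {zone['mask']}"
            )
    return findings


if __name__ == "__main__":
    for finding in validate_plan(SAMPLE_ISA1, SAMPLE_SERVERS) or ["plan is consistent"]:
        print(finding)
```

    Replace the sample dictionaries with the values from your own Network Information form; any finding printed points at the connection to recheck.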

    Figure 5: TCP/IP Settings for Perimeter Network

    Configuring Certificate Settings for ISA1 and IIS Servers

    There are several options to obtain a server certificate for your perimeter network Internet server. If you are configuring a production system, you can purchase a server certificate from a third-party certification authority, or you can create your own certificate. Certificates use Secure Sockets Layer (SSL) to create a protected line of transmission between Internet users and internal network resources. Purchasing a certificate is the most secure and easiest approach.

    It is also possible to use a test certificate, available at no charge from some third-party certification authorities. Third-party certification authority test certificates are typically available for a few weeks. This section includes procedures for creating both production-ready certificates and certificates for test networks.

    When configuring a certificate for a production network, complete the following tasks:

    1. Do one of the following:

    • Create and install a certificate for a production network.

    • Create and install a certificate for a test network.

    2. Export your certificate file to a .pfx file.

    3. Import your certificate file into ISA1, and then into your additional IIS servers if you have more than one.

    Creating and Installing a Server Certificate for a Production Network

    If you plan to deploy your perimeter network to the Web for production purposes, use the following procedures to create a third-party certificate request. The server certificate request is a text file that you will send to the third-party CA from which you want to obtain your certificate.

    Because IIS1 does not have an Internet connection, you must copy the certificate request file to removable media and send the request from a computer that is separate from your Internal and Perimeter networks.

    Important: If you want to create a test certificate, perform the procedures in this section of the document and move on to the Create and Install a Server Certificate for Test Network section of this document.

    Create a certificate request using the Web Server Certificate Wizard in IIS 6.0

    1. Log on to IIS1.

    2. On the Start menu, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    3. Expand the local computer, expand the Web sites folder, and then click Default Web site.

    4. On the Action menu, click Properties, and then select the Directory Security tab.

    5. Click Server Certificate to open the Web Server Certificate Wizard.

    6. On the Welcome to the Web Server Certificate Wizard page, click Next.

    7. Select Create a new certificate, and then click Next.

    8. Select Prepare the request now, but send it later, and then click Next.

    9. In the Name box, type a unique name for the new certificate, select a bit length from the Bit length list, and then click Next.

    If you plan to keep the certificate for more than a year, 2,048 bits is recommended for the additional security. Higher bit lengths will cause a slightly longer SSL establishment delay for each client's initial request to the server that has SSL enabled.

    10. In the Organization box, type the legal name of the company for which this certificate is requested, and in the Organization unit box, enter the organizational unit to which you attach the certificate.

    11. Click Next.

    12. In the Common name box, type the Fully Qualified Domain Name (FQDN) users on the Internet will use to reach your Web site.

    13. Click Next.

    14. Enter the geographical information for your server. Do not use abbreviations for the State/province or City/locality, and then click Next.

    15. In the Location box, type the location and file name where the certificate request information will be stored.

    16. Click Next twice, and then click Finish.

    Installing Third-party Certificates into the Default Web Site of IIS1

    When you receive the certificate file from the third-party CA, install the certificate into the Default Web site of IIS1.

    Install the server certificate on remaining IIS servers, if available

    1. Log on to the perimeter network server on which you want to install the certificate file.

    2. Copy the .pfx file you saved to a removable media in the previous procedure, Export IIS1 certificate to .pfx file, to a location on your server's local drive.

    3. Open Internet Information Services Manager and select Default Web site.

    4. On the Action menu, click Properties, and then click the Directory Security tab.

    5. Click Server Certificate, and then click Next.

    6. Select Process the pending request and install the certificate, and then click Next.

    7. Browse to the location of the certificate file, and then click Next.

    8. In the SSL port this web site should use box, accept the default value, 443, click Next twice, and then click Finish.

    After you install your production certificate into IIS1, go to the Install Server Certificate into ISA1 and Remaining IIS Servers section of this installation guide. Do not create a test certificate after you have completed the procedures above.

    Creating and Installing a Server Certificate for Test Network

    Alternatively, if you are deploying a test environment and do not want to purchase a third-party certificate, you can create a temporary test certificate for your network. Test certificates should only be used in a test environment and are not intended for production networks that communicate over the Internet. Because SelfSSL does not meet the security requirements of a production system, use it only for testing purposes.

    In place of using SelfSSL to create a server certificate, you can also obtain a test certificate from a third-party CA. Obtaining a test certificate from a third-party Certification Authority involves the same request and installation and configuration steps described earlier in the Configure Certificate Settings for ISA1 and IIS Servers section of this document. The difference is that test certificates from third-party CAs have finite usage periods associated with them. Specific usage times depend on the specific CA.

    Important: If you have already deployed a production-ready certificate, do not attempt to create a test certificate for the same server. Move to the Install Server Certificate into ISA1 and Remaining IIS Servers section of this document.

    SelfSSL is a downloadable Microsoft tool that you can use to create a server certificate and install it on a server in one step. SelfSSL is a command-line tool and requires you to use a command prompt to complete this procedure.

    Download and use SelfSSL.exe to create and install a test server certificate

    1. Log on to IIS1.

    2. Download the IIS 6.0 Resource Kit Tools, located at the Microsoft Download Center (http://go.microsoft.com/fwlink/?LinkId=53744), and run the file to install it on IIS1. You can install these tools only on a computer running Windows XP or Windows Server 2003. The included SelfSSL utility can be used with IIS 5.0 and Windows 2000 Server, as well as with IIS 6.0. SelfSSL will be installed in the Program Files\IIS Resources\SelfSSL directory.

    3. On the Start menu, point to All Programs, point to Accessories, and then click Command Prompt.

    4. At the command prompt, type cd\ and press ENTER.

    5. Type cd\program files\IIS Resources\SelfSSL, and then press ENTER.

    6. Run SelfSSL by typing the following command line. The parameters of this command line are case-sensitive. A full description of SelfSSL parameters is available in Appendix B.

    SELFSSL.exe /N:cn=<your Internet-facing domain name> /V:<duration of validity in days>

    Example: To set up a certificate for the Internet-facing domain name contoso.com that is valid for a period of 60 days, you would type the following line at the command prompt:

    SelfSSL.exe /N:cn=contoso.com /V:60

    For the Internet-facing domain name, it is not necessary to add www to the beginning of the host name.

    7. When asked Do you want to replace the SSL settings for site 1?, type Y, and then press ENTER. After running SelfSSL, the test certificate is automatically created and installed into the Default Web site on IIS1.

    8. Close the command prompt and return to the desktop.

    Now that the certificate has been installed in IIS1, you need to export the certificate to a .pfx file, and then import that file into ISA1 and, if applicable, IIS2 through IIS4.

    Installing Server Certificates into ISA1 and Remaining IIS Servers

    After installing the certificate file on IIS1, export the certificate to a .pfx file. You will use the .pfx file to install the certificate into ISA1, and then into any remaining IIS servers you have in your network.

    Export IIS1 certificate to a .pfx file

    1. Log on to IIS1.

    2. On the Start menu, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    3. Expand the local computer, expand the Web sites folder, and then click Default Web site.

    4. On the Action menu, click Properties, and then click the Directory Security tab.

    5. Click Server Certificate to open the Web Server Certificate Wizard.

    6. On the Welcome page, click Next.

    7. Select Export the current certificate to .pfx file, and then click Next.

    8. In the Path and file name box, enter a location where you want to save the exported file, and then click Next.

    9. Type a password. This password encrypts the .pfx file. Write down the password because you will use it again when you import the certificate file into your other perimeter network servers.

    10. Review the information in the wizard, click Next twice, and then click Finish.

    11. Close IIS Manager.

    12. Save the .pfx file to removable media. You will need to copy the file to ISA1 and, if applicable, to the remaining IIS servers.

    Now, install the certificate into ISA1 using the .pfx file you have just created. Install the exported certificate file into ISA1 using the following procedure.

    Install the certificate file (.pfx file) onto ISA1

    1. Log on to ISA1.

    2. Copy the .pfx file you saved to removable media in the previous procedure, Export IIS1 certificate to a .pfx file, to a location on ISA1's local drive.

    3. On the Start menu, click Run, type MMC, and then click OK.

    4. On the File menu, click Add/Remove Snap-in.

    5. In the Add/Remove Snap-in dialog box, click Add.

    6. In the Available Standalone Snap-ins list, click Certificates, and then click Add to open the certificates snap-in wizard.

    7. Select Computer Account, and then click Next.

    8. Select Local computer: (the computer this console is running on), click Finish, and then click Close.

    9. In the Add/Remove Snap-in dialog box, click Certificates (Local Computer), and then click OK. Ensure you have opened the correct certificate store. The MMC Console should list Certificates (Local Computer). If you have accidentally opened the wrong store, close the MMC and return to step 1.

    10. Expand Certificates (Local Computer), right-click the Personal folder, point to All Tasks, and then click Import to open the Certificate Import Wizard.

    11. On the Welcome page, click Next.

    12. On the File to Import page, browse to the locally saved .pfx file you copied to your local drive from IIS1, and then click Next. In the Open dialog box, on the Files of type list, click Personal Information Exchange (*.pfx; *.p12).

    13. Type the password you created to encrypt the .pfx file, clear the Mark this key as exportable check box, and then click Next.

    14. Select Place all certificates in the following Store and accept the default value, Personal, and then click Next.

    15. Click Finish, and then close all dialog boxes and applications.
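
    To confirm the result of the import procedure above, the following PowerShell script is an added example and is not part of the original guide. It assumes Windows PowerShell is available on the server and that the certificate's common name is the Internet-facing domain name given to SelfSSL; the parameter names, the function name Get-CertFinding and the 14-day warning window are hypothetical.

```powershell
# Added example (not from the guide): check the certificate imported into the
# Local Computer "Personal" store (Cert:\LocalMachine\My) on this server.
param(
    [string]$DomainName = 'contoso.com',  # the /N:cn= value given to SelfSSL
    [string]$ExpectedThumbprint = '',     # optional: thumbprint noted on IIS1
    [int]$WarnDays = 14                   # assumption: renewal warning window
)

function Get-CertFinding {
    param(
        [System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
        [string]$ExpectedThumbprint,
        [int]$WarnDays
    )
    $findings = @()
    $daysLeft = [math]::Floor(($Cert.NotAfter - (Get-Date)).TotalDays)

    if (-not $Cert.HasPrivateKey) {
        $findings += 'No private key: the .pfx import did not bring the key with it.'
    }
    if ($daysLeft -lt 0) {
        $findings += "Expired on $($Cert.NotAfter.ToString('yyyy-MM-dd'))."
    } elseif ($daysLeft -le $WarnDays) {
        $findings += "Expires in $daysLeft day(s); SelfSSL defaults to 7 days when /V is omitted."
    }
    # Heuristic: a self-signed certificate names itself as issuer.
    if ($Cert.Subject -eq $Cert.Issuer) {
        $findings += 'Self-signed test certificate: clients will not trust it by default.'
    }
    if ($ExpectedThumbprint -and ($Cert.Thumbprint -ne ($ExpectedThumbprint -replace '\s', ''))) {
        $findings += 'Thumbprint differs from the one recorded on IIS1.'
    }
    # The import step clears "Mark this key as exportable"; confirm it for CSP keys.
    try {
        $key = $Cert.PrivateKey
        if ($key -is [System.Security.Cryptography.ICspAsymmetricAlgorithm]) {
            if ($key.CspKeyContainerInfo.Exportable) {
                $findings += 'Private key is exportable; re-import with the check box cleared.'
            }
        } elseif ($Cert.HasPrivateKey) {
            $findings += 'Key export policy not checked (key is not held in a CSP).'
        }
    } catch {
        $findings += 'Could not read key export policy (access denied or unsupported key).'
    }
    return $findings
}

$found = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.GetNameInfo('SimpleName', $false) -eq $DomainName }

if (-not $found) {
    Write-Warning "No certificate with CN=$DomainName in Cert:\LocalMachine\My (wrong store opened during import?)."
    return
}
foreach ($c in $found) {
    $issues = Get-CertFinding -Cert $c -ExpectedThumbprint $ExpectedThumbprint -WarnDays $WarnDays
    [pscustomobject]@{
        Thumbprint = $c.Thumbprint
        NotAfter   = $c.NotAfter
        Findings   = if ($issues) { $issues -join ' ' } else { 'OK' }
    }
}
```

    Run it in an elevated session on ISA1 and on each remaining IIS server; every server should report the same thumbprint.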

    After installing your certificate file into ISA1, install the certificate into your remaining IIS servers, if you have more than one. Before you continue, make sure that you have installed IIS on all of your remaining IIS servers.

    Install the certificate file into remaining IIS servers

    1. Log on to IIS1.

    2. On the Start menu, point to All Programs, point to Administrative Tools, and then click Internet Information Services (IIS) Manager.

    3. Expand the local computer, expand the Web sites folder, and then click Default Web site.

    4. On the Action menu, click Properties, and then select the Directory Security tab.

    5. Click Server Certificate to open the Web Server Certificate Wizard.

    6. On the Welcome to the Web Server Certificate Wizard page, click Next.

    7. Select Copy or Move the current certificate to a remote server site, and then click Next.

    8. Select Copy certificate from a remote server web site to this web site, clear the Mark cert as exportable check box, and then click Next.

    9. Type the server name you have assigned to IIS1 in the Server name box; leave the username and password boxes blank, and then click Next.

    10. In the Site Instance box, accept the default value, 1, and then click Next.

    11. Click Finish, and then close IIS Manager.

    12. Repeat steps 1–11 for each of your remaining IIS servers.

    Installing and Running the Microsoft Business Solutions Perimeter Network Configuration Wizard

    When you have successfully completed the steps in this installation guide, you will be ready to run the Microsoft Business Solutions Perimeter Network Configuration Wizard. The wizard helps you install ISA Server 2004, configure ISA 2004 access settings, and then validates that you have configured your network correctly using the procedures in this installation guide.

    First, install the wizard onto ISA1 using the product CD-ROM or by using the downloadable installation file. After the wizard has been installed, run it using the Start menu:

    On the Start menu, point to All Programs, point to Microsoft Perimeter Network Configuration Wizard, and then click Perimeter Network Configuration Wizard.

    The wizard will walk you through installing and configuring ISA Server 2004 on ISA1 for use with your Microsoft Business Solutions applications.

    Installing Microsoft Business Solutions Software and Configuration Files

    After you have completed setting your ISA Server 2004 settings using the Microsoft Perimeter Network Configuration Wizard, you can install the applications you plan to run in your network, if they are not already installed. In addition, you can use configuration files (.pnc) to assist these installations.

    Important: Make sure that the installation files and configuration files you use to deploy your applications are from a trusted source. Configuration files make changes to server operating systems that can potentially damage your network.

    Installation instructions for specific Microsoft Business Solutions applications are available on the Microsoft Business Solutions Web site. See the installation guide for the specific application you want to deploy.

    Testing Perimeter Network Access after Completing the Microsoft Perimeter Network Configuration Wizard

    After using the Perimeter Network Configuration Wizard, test for access to your network. Using a computer that is connected to the Internet, but is located outside of your perimeter or internal networks, access your network by going to your Internet host name.

    http://go.microsoft.com/fwlink/?LinkId=53739

    Troubleshooting

    Network interface cards are not displayed in Network Connections

    The network interface cards (NICs) might not be installed correctly. Open the server and make sure that each NIC is seated tightly in its correct slot.

    Network connections are not configuring correctly

    First, make sure the network is connected. Check the back of the server to see if the NIC has been disconnected or if the NIC's lights are flashing. If they are not, the network cable is either faulty or it is not connected correctly. Find both ends of the network cable and make sure they are both plugged into the correct ports.

    If the cables are connected correctly, open the Network Connections dialog box, right-click the connection that is experiencing difficulties, and then click Repair. The network connection will refresh network connection settings.

    Glossary

    The following section describes many of the terms used in the Deploy Your Perimeter Network section of this document to help you understand the components you are working with while you are setting up your perimeter network.

    Certificate Services

    Certificate Services provide an encrypted connection between client computers connecting from the Internet and network resources in your internal network. Encryption is provided by 128-bit Secure Sockets Layer (SSL) technology, the same technology used by many online banking Web sites to help protect user and transaction information.

    Default Gateway

    A gateway is a server that allows two different networks to communicate. The default gateway is the computer in your network that forwards traffic originating from your internal network to destinations outside of your perimeter network. When configuring TCP/IP settings for your network's servers, you need to specify a default gateway for your internal network servers. The Microsoft Perimeter Network Configuration tool configures your perimeter network firewall server as your default gateway.

    For this implementation, your default gateway for internal network resources will be your perimeter network's firewall server.

    Domain Controller

    A domain controller (DC) is a computer running Windows Server 2003 that manages user access to a network, which includes logging on, authentication, and access to the directory and shared resources.

    If you are already running Microsoft Business Solutions software inside your existing network, you will have already set up a primary domain controller (PDC), and possibly a secondary domain controller, to run those applications. If you do not have a primary domain controller, you must create one and configure it properly to run in your internal network before setting up your perimeter network.

    Firewall

    A computer firewall is used to prevent unauthorized Internet users from accessing private networks connected to the Internet. Computer firewalls can be implemented in hardware, in software, or as a combination of both.

    IP Address

    An Internet Protocol (IP) address determines the network location of a specific NIC. IP addresses can be either dynamic (refresh each time a computer is rebooted) or static depending on the network configurations.

    An IP address is a 32-bit address used to identify a computer in a network. Each computer in the network must be assigned a unique IP address. This address is typically represented in dotted-decimal notation, with the decimal value of each octet separated by a period, for example, 192.168.7.27. IP addresses can be either dynamic (refresh each time a computer is restarted) or static, depending on the network configuration. In Windows Server 2003, you can configure the IP address statically or dynamically through Dynamic Host Configuration Protocol (DHCP).

    For server computers in your internal and perimeter networks, assign static IP addresses. This is a requirement of the Microsoft Perimeter Network Configuration Wizard.

    Network Hub

    A network hub is a device that routes data between computers in your network. Rather than connecting computers directly to one another, a hub is a central connection point where all computers in a network can connect and share network resources.

    Network Switch

    For this implementation, you might also deploy network switches. Like hubs, switches connect computers to each other; however, they include a layer of technology that allows them to more intelligently route network traffic. Network switches help conserve network bandwidth. Network switches tend to be more expensive than hubs, but either device will work in this network.

    This installation guide assumes that you are using network hubs.

    Server Certificate

    A unique digital identification that forms the basis of the Secure Sockets Layer (SSL) security features on a Web site. Server certificates are obtained from a trusted, third-party organization called a certification authority, and they provide a way for users to authenticate the identity of a Web site.

    Secure Sockets Layer (SSL)

    A protocol to provide secure transmission of data between Web sites and browsers. SSL uses a digital certificate to identify the sender and receiver of data.

    Subnet Mask

    A subnet mask helps you identify where specific networks and computers are located. Network IDs and host IDs within an IP address are distinguished by using a subnet mask. Typically, you will have a single subnet mask that defines your local area network (LAN), such as 255.255.255.0. Computers and servers will have different IP addresses, but they will all belong to a specific subnet, defined by your subnet mask.

    TCP/IP

    Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of networking protocols used in large and small networks. It provides communications across interconnected networks made up of computers with diverse hardware architectures and various operating systems. TCP/IP includes standards for how computers communicate and conventions for connecting networks and routing traffic.

    Appendix A: Microsoft Business Solutions Network Examples

    This section includes sample network architecture diagrams for each of the Microsoft Business Solutions applications currently supported by the Microsoft Perimeter Network Configuration Wizard.

    Figure 6: Microsoft CRM Network Architecture Example

    Figure 7: Microsoft CRM Mobile Network Architecture Example

    Figure 8: Microsoft Dynamics AX Enterprise Portal Network Architecture Example

    Figure 9: Microsoft Dynamics Business Portal Network Architecture Example

    Appendix B: SelfSSL Parameters

    Parameter    Description

    /N:cn=domain_name    Specifies the common name of the certificate. The computer name is used if you do not specify a common name.

    /K:keylength    Specifies the certificate key length. The default is 1024.

    /V:duration-of-validity    Specifies the duration for which the certificate is valid. The default is 7 days.

    /S:site-id    Specifies the site ID of the SSL-protected site. The default is 1 for the default Web site. As Web sites are added to IIS, each site is assigned a site ID: the second site's site ID is 2, and so forth.

    /P:port    Specifies the SSL port. The default is 443. If you use port numbers to specify the Microsoft CRM Web site, you can either specify the SSL port here, or specify it in the properties for the Microsoft CRM Web site.

    /Q    Specifies Quiet mode. In Quiet mode, any existing settings for the site are overwritten with no user interaction or display.

    Appendix C: Network Information Form

    As described in the Microsoft Perimeter Network Configuration Installation Guide, use the following form to record your network configuration information. Some server entries will be optional (as noted in the table) and are not required.

    Note: Some Microsoft Business Solutions applications may share a single server. If this is the case, record the IP address of that shared server for both entries.

    Internet Registrar Information

    1 Internet-facing domain name (for example, contoso.com)

    ISP Information

    2 Internet-facing static IP address

    3 Internet-facing subnet mask

    4 Internet-facing default gateway

    5 ISP Preferred DNS

    6 ISP Alternate DNS

    ISA Server (ISA1)

    7 ISA1 server name

    8 Internal network IP address

    9 Perimeter network IP address

    10 Perimeter network subnet mask

    IIS Servers (IIS1–IIS6)

    11 IIS1 server name

    12 IIS1 IP address

    13 IIS2 server name

    14 IIS2 IP address (optional)

    15 IIS3 server name

    16 IIS3 IP address (optional)

    17 IIS4 server name

    18 IIS4 IP address (optional)

    Primary Domain Controller (DC1)

    19 DC1 server name

    20 DC1 IP address

    21 Internal network subnet mask

    Secondary Domain Controller (DC2) (optional)

    22 DC2 server name

    23 DC2 IP address

    SQL Server (SQL1)

    24 SQL1 server name

    25 SQL1 IP address

    Microsoft CRM Server (CRM1)

    26 CRM1 server name

    27 CRM1 IP address

    Microsoft Dynamics AX Enterprise Portal Servers (AOS1–AOS6) (optional)

    28 AOS1 server name

    29 AOS1 IP address (optional)

    30 AOS2 server name

    31 AOS2 IP address (optional)

    32 AOS3 server name

    33 AOS3 IP address (optional)

    34 AOS4 server name

    35 AOS4 IP address (optional)

    36 AOS5 server name

    37 AOS5 IP address (optional)

    38 AOS6 server name

    39 AOS6 IP address (optional)

    Microsoft CRM Mobile

    40 Microsoft CRM Mobile server name

    41 Microsoft CRM Mobile server IP address

    Microsoft Dynamics Business Portal Server

    42 Microsoft Business Portal server name

    43 Microsoft Business Portal server IP address