
Microsoft ® Business Solutions

Perimeter Network
Installation Guide
Microsoft Perimeter Network Installation Guide

Information in this document, including URL and other Internet Web site references, is subject to
change without notice. Unless otherwise noted, the example companies, organizations, products,
domain names, e-mail addresses, logos, people, places, and events depicted herein are fictitious,
and no association with any real company, organization, product, domain name, e-mail address,
logo, person, place, or event is intended or should be inferred. Complying with all applicable
copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of
this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in
any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for
any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any written
license agreement from Microsoft, the furnishing of this document does not give you any license to
these patents, trademarks, copyrights, or other intellectual property.

© 2005 Microsoft Corporation. All rights reserved.

Microsoft, Navision, MS-DOS, Windows, Windows NT, Windows Server, Active Directory, Axapta,
and Great Plains are either registered trademarks or trademarks of Microsoft Corporation or
Microsoft Business Solutions ApS in the United States and/or other countries. Microsoft Business
Solutions ApS is a subsidiary of Microsoft Corporation.

All other trademarks are property of their respective owners.


Table of Contents
Introduction
Supported Network Configurations
System Requirements
Software Requirements
Hardware Requirements
Planning Your Perimeter Network
Signing Up for Broadband Internet Service
Registering an Internet-Facing Domain Name
Purchasing Networking Hardware
Determining Your Server Certificate Needs
Deploying Your Perimeter Network
Recording Internal and Perimeter Network Configuration Information
Installing Windows Server 2003 on All Perimeter and Internal Network Servers
Labeling Network Servers and Hubs
Installing Network Interface Cards into All Network Servers
Configuring Hardware Drivers
Connecting Networking Hardware and Cables
Adding My Network Places to the Desktops of Each Internal Network and Perimeter Server
Configuring ISA1
Changing Network Connections Names on ISA1
Configuring TCP/IP Settings for Each Network Connection in ISA1
Configuring IIS Servers in Perimeter Network
Installing IIS on All IIS Servers
Configuring TCP/IP Settings for IIS Servers
Configuring TCP/IP Settings for All Application Servers
Configuring Certificate Settings for ISA1 and IIS Servers
Creating and Installing a Server Certificate for a Production Network
Installing Third-party Certificates into the Default Web Site of IIS1
Creating and Installing a Server Certificate for Test Network
Installing Server Certificates into ISA1 and Remaining IIS Servers
Installing and Running the Microsoft Business Solutions Perimeter Network Configuration Wizard
Installing Microsoft Business Solutions Software and Configuration Files
Testing Perimeter Network Access after Completing the Microsoft Perimeter Network Configuration Wizard
Troubleshooting
Glossary
Appendix A: Microsoft Business Solutions Network Examples
Appendix B: SelfSSL Parameters
Appendix C: Network Information Form

Introduction
Welcome to the Microsoft Business Solutions Perimeter Network Installation Guide. This installation guide
will help you configure a perimeter network for your internal network of Microsoft® Business Solutions
applications, allowing them to be accessed from remote locations using an encrypted channel of
communication. Protecting your network from malicious attacks is an important step to keeping sensitive
information private and network resources online and available.
When you are finished with this installation guide, you will have configured and installed a perimeter network
that includes a firewall running Microsoft Internet Security and Acceleration (ISA) Server 2004 and at least one
Web server running Microsoft Windows Server™ 2003 with Internet Information Services (IIS) 6.0.
This installation guide includes detailed instructions on how to obtain, connect, and configure the servers
and network hardware you will need in your perimeter and internal networks in order to run your Microsoft
Business Solutions applications over the Web.
When you are finished with the steps in this installation guide, you can then run the Microsoft Business
Solutions Perimeter Network Configuration Wizard, which installs and configures ISA Server 2004 as your
company firewall. In addition, the wizard validates that you have configured your perimeter network
correctly.
You can use the wizard to configure firewall and network access rules for the following Microsoft Business
Solutions applications:
● Microsoft CRM
● Microsoft CRM Mobile
● Microsoft Dynamics AX Enterprise Portal
● Microsoft Dynamics Business Portal

Depending on your configuration, you might not see all of these applications.
The wizard is designed to support additional Microsoft Business Solutions applications as they are released.

Supported Network Configurations


The Microsoft Perimeter Network Configuration Wizard supports only the network configurations detailed in
this installation guide. The supported perimeter network configuration includes a single firewall server
running ISA Server 2004 and a Web server running Microsoft Internet Information Services (IIS) 6.0 on the
Microsoft Windows Server 2003 operating system. In some cases, you will have multiple Web servers
depending on the specific Microsoft Business Solutions applications you want to deploy.
Figure 1 shows an example of a network that consists of an internal network that hosts application servers
and domain controllers, a perimeter network that includes your ISA and IIS servers, and a connection to the
Internet provided by your Internet service provider (ISP). If you have an existing network in place, the
Microsoft Perimeter Network will integrate with that network as a separate Internet-facing component of your
Microsoft Business Solutions applications. If you plan to keep your existing networking hardware, do not
install a hardware firewall between your new perimeter network and existing internal network. If you do this,
you will create conflicts in the perimeter network setup processes.
The Microsoft Perimeter Network Configuration Wizard also supports other network configurations that
include additional application and Internet servers, as is required for some Microsoft Business Solutions
applications. For example, Microsoft Business Portal and Microsoft Enterprise Portal both support multiple
Internet servers. Check the implementation guide for the Microsoft Business Solutions applications you want
to deploy for specific network requirements. The Microsoft Business Solutions applications you are using will
determine the exact number and configuration of servers in the perimeter network and internal network;
however, it is important that you start this installation with the correct number of servers you will need for
your planned perimeter and internal network before you begin the deployment process.


Note: The Microsoft Perimeter Network Configuration Wizard is not compatible with Microsoft Windows®
Small Business Server 2003 or Microsoft Small Business Server 2000.

Figure 1
Example Network Architecture of Existing Network Components and Microsoft Perimeter Network

System Requirements
To complete this implementation, you must purchase the number of servers required for your desired
network and install the required software before you can use the Perimeter Network Configuration Wizard.
The following section describes software and hardware requirements for the Microsoft Perimeter Network
Configuration Wizard.
The following Microsoft software and technologies are required to use the Microsoft Perimeter Network
Configuration Wizard:
● Microsoft Windows Server 2003. Windows Server 2003, Standard Edition or Enterprise Edition
provides a platform for the Web hosting and security software required for this implementation
wizard. In some cases, you will be able to use Microsoft Windows 2000 Server, but it is strongly
recommended you build your perimeter network using the newest Windows Server operating
system. In addition, this installation guide assumes you are using Windows Server 2003.
● Microsoft Internet Information Services (IIS) 6.0. IIS 6.0 is the Web server built into Windows
Server 2003. You can use IIS 6.0 to host Web sites and publish those sites to the Internet.
● Microsoft ISA Server 2004. Microsoft ISA Server 2004 is the Microsoft firewall and Web caching
software. For the perimeter network deployment, use ISA Server 2004. Although the procedures
included in this installation guide do not require ISA Server 2004, you must purchase it for the
Microsoft Perimeter Network Configuration Wizard. Previous versions of Microsoft ISA Server are
not compatible with the Microsoft Perimeter Network Configuration Wizard.
● Microsoft Business Solutions software. Microsoft Business Solutions are integrated business
applications for small and mid-size organizations, and divisions of large enterprises.

● Microsoft SQL Server 2000. SQL Server 2000 or later is the database used by Microsoft Business
Solutions applications to store important data and configuration information.

Software Requirements
Your new perimeter network includes an ISA server and at least one IIS server, which are used to make your
Microsoft Business Solutions applications available to the Web. Depending on your specific application
requirements, you might need more than one IIS server. If you are already running an internal network of
Microsoft Business Solutions applications, this installation guide assumes that internal network is functional
and configured according to the requirements for Microsoft Business Solutions software. Table 1 describes
the requirements for both your internal and perimeter network.

Table 1: Required Software for Microsoft Business Solutions Deployment

| Server type | Required software | Comments |
|---|---|---|
| Firewall server (ISA1) | Microsoft Windows Server 2003, Standard Edition or Enterprise Edition; Microsoft ISA Server 2004 | The firewall server must have three network interface cards (NICs). |
| Web server (IIS1) | Microsoft Windows Server 2003, Standard Edition or Web Server Edition; Microsoft IIS 6.0 | You might have more than one IIS server in your perimeter network, depending on your network configuration needs. |
| Database server | Microsoft Windows Server 2003, Standard Edition; Microsoft SQL Server 2000 or later | |
| Application server (you might have more than one, depending on your internal network configuration) | Microsoft Windows Server 2003, Standard Edition; Microsoft Business Solutions Software: Microsoft CRM, Microsoft CRM Mobile, Microsoft Dynamics AX Enterprise Portal, Microsoft Dynamics Business Portal | Application servers must have the operating system installed on them before using the Microsoft Perimeter Network Configuration Wizard. For specific hardware and software requirements, see the implementation guide for the Microsoft Business Solution application you want to deploy. |
| Preferred domain controller (DC1) | Microsoft Windows Server 2003; or Microsoft Windows 2000 Server | |
| Alternate domain controller (DC2) (optional) | Microsoft Windows Server 2003; or Microsoft Windows 2000 Server | For your internal network, an alternate domain controller is optional. |


Hardware Requirements
Table 2 describes the hardware requirements for the Microsoft software you must use for your perimeter
network deployment.

Table 2: Hardware Requirements


| Software | Component | Requirements |
|---|---|---|
| Microsoft Windows Server 2003, Standard Edition or Web Edition | Computer and processor | PC with a 133-MHz processor required; 550-MHz or faster processor recommended (Windows Server 2003 Standard Edition supports up to four processors on one server) |
| | Memory | 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum |
| | Hard disk | 1.25 to 2 GB of available hard-disk space |
| | Drive | CD-ROM or DVD-ROM drive |
| | Display | VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended |
| Microsoft ISA Server 2004 | Computer and processor | PC with a 133-MHz processor required; 550-MHz or faster processor recommended (Windows Server 2003 Standard Edition supports up to four processors on one server) |
| | Operating System | Windows Server 2003, Standard Edition or Web Edition |
| | Memory | 128 MB of RAM required; 256 MB or more recommended; 4 GB maximum |
| | Hard disk | 1.25 to 2 GB of available hard-disk space |
| | Drive | CD-ROM or DVD-ROM drive |
| | Display | VGA or hardware that supports console redirection required; Super VGA supporting 800 x 600 or higher-resolution monitor recommended |
| Microsoft SQL Server 2000 | Computer or Processor | 166-megahertz (MHz) or higher processor |
| | Operating System | Windows Server 2003, Standard Edition or Web Edition |
| | Memory | 64 megabytes (MB) of RAM; 128 MB recommended |
| | Hard disk | Enterprise, Standard, Workgroup, Evaluation, Developer, and Personal Editions require: 95–270 MB of available hard disk space for the server (250 MB for a typical installation); 50 MB of available hard disk space for a minimum installation of Analysis Services (130 MB for a typical installation); 80 MB of available hard disk space for English Query. MSDE requires 44 MB of available hard disk space. |
| | Drive | CD-ROM |
| | Display | VGA or higher-resolution monitor |


Planning Your Perimeter Network


Before you begin your perimeter network configuration, you must identify and record each component of
your existing network. This section of the installation guide will help you to perform these identification steps.
If you are building a new network, you can use this section to assign new network configuration
requirements, such as subnet masks and static Internet Protocol (IP) addresses.
To make installation easier, you can use the Network Information form to record the network configuration
information that you use during the installation processes. The Network Information form is included as a
separate document. Use the table in the Network Information form to record the information you gather
during the planning steps of this implementation.
Figure 2 describes the steps you must complete during the planning phase of this implementation:

Figure 2
Planning Steps

Signing Up for Broadband Internet Service


If you do not already have a connection to the Internet, you must sign up for broadband Internet service
using an ISP. When you sign up with your ISP, you must choose a broadband service that provides a static
IP address that you can use to connect to the Internet. Internet services that use dynamic IP addresses will not
work for this deployment. If you already have Internet service and a static IP address for an existing
network, you must obtain a second, dedicated static IP address for your perimeter network.
► After you finish setting up your Internet service, record the following information in lines 2
through 6 of the Network Information form. Your ISP will provide all of the following information:
● Static IP address
● Subnet mask
● Default gateway
● Preferred Domain Name System (DNS) server
● Alternate DNS server


Registering an Internet-Facing Domain Name


If you have not already done so, register an Internet-facing domain name (for example, contoso.com) for
your perimeter network. The Internet-facing domain name is used by users who want to access your
Microsoft Business Solutions applications from a remote location.
When you register your new Internet-facing domain name, ask the Internet registrar to redirect traffic to the
domain to the static, Internet-facing IP address that you obtained from your ISP. Most Web hosting services
can do this by setting up a domain parking account. Domain parking accounts forward all traffic to an
Internet-facing domain name to a specific IP address or Web site.
Record your Internet host name on line 1 of the Network Information form.

Purchasing Networking Hardware


Before you deploy your perimeter network, purchase the networking hardware that enables you to connect
your servers to the Internet and to an existing network in your company, if applicable. You will need to
purchase the following items:
Network servers. Most of the major computer manufacturers today sell preconfigured servers. In many
cases, you can buy these servers with Microsoft Windows Server 2003, Standard Edition already installed.
Ordering servers that are preconfigured also means hardware drivers will be configured for you before you
begin your installation. Make sure to order the correct number of servers for the type of network you want to
deploy. The number of servers depends on how many Microsoft Business Solutions applications you plan to
run in your network. Use the example network diagrams in Appendix A to determine the number of servers
you will need for your network.
Network interface cards. If you plan to order servers from a manufacturer, make sure each server has at
least one NIC, with the exception of the ISA server. Your ISA server must have three NICs installed in it
before you begin your deployment. If you plan to use existing servers to create your perimeter and
internal networks, see the instructions about how to install and configure NICs in the “Deploy Your Perimeter
Network” section of this installation guide.
Network hubs. At least two network hubs are required for this deployment. In place of hubs, you can also
use network switches, as discussed in the “Reference” section of this document. However, this
installation guide assumes you will be using network hubs.
Networking cables. For your network, use Category 5 (CAT5) Ethernet cables. CAT5 Ethernet cables can
be purchased in most major computer or office supply stores. Make sure you buy cable lengths that will
accommodate your planned network’s physical location. Buying network cables of different colors also helps
to distinguish between internal and perimeter network connections.

Determining Your Server Certificate Needs


If you are deploying a production network, purchase a certificate from a third-party certificate authority (CA).
However, if you are planning to configure a test-only environment, you also have the option to create your
certificate by using Windows Server 2003. During the planning stage, evaluate the costs and procedures
associated with purchasing a server certificate from a third-party CA.
Instructions about how to implement both types of certificates are covered in this installation guide, but you
should determine which type you want to implement before you begin your deployment.


Deploying Your Perimeter Network


The following section guides you through the perimeter network deployment process. Before deploying your
network, make sure you have completed all of the planning steps necessary for your specific deployment.
Figure 3 is an overview of the deployment steps you need to complete for this implementation:

Figure 3
Perimeter Network Deployment Steps


Recording Internal and Perimeter Network Configuration Information
Identify each of your network components and then record the network attributes. The Microsoft Perimeter
Network Configuration Wizard requires that you choose static server names and IP addresses for your
perimeter and internal network servers.
To make the setup procedures easier, this guide provides a table where you can record and reference the
information for your network. Procedural information in later sections of this document will use the IP
addresses you record in the Network Information form (see Appendix C). Note that some of the IP
addresses might be the same as other entries in the table if you are hosting multiple-server software on one
physical computer. Record these addresses separately even if they are duplicates.

Important: Because the steps of this document refer to specific entries in the Network Information form,
finish recording your network configuration information before continuing to step 2.

You will need to record network configuration information for the servers listed in the Network Information
form. Some servers are optional with this configuration and are noted in the Network Information form.

Installing Windows Server 2003 on All Perimeter and Internal Network Servers
Install the Microsoft Windows Server 2003, Standard Edition operating system on every server in your
perimeter or internal networks. Windows Server 2003 is the required server operating system for this
deployment scenario and it must be preinstalled on all servers before you begin the Microsoft Perimeter
Network Configuration Wizard. The Microsoft Perimeter Network Configuration Wizard does not support
other server operating systems.

Note: Windows Server 2003 might already be installed on your servers if you purchased servers with a
pre-installed operating system. If this is the case with your servers, you can skip the rest of this section and go
to step 3.

If you are already running a server for a specific Microsoft Business Solutions application, that server should
already have Windows Server 2003 installed. In addition, for any Microsoft Business Solutions applications
servers you plan to deploy, but are not currently running, you must configure a server running Windows
Server 2003 for the application. Although these application servers will not have the specific Microsoft
Business Solutions application installed, the wizard must configure those servers as part of the network.
For example, if you plan to have an application server running Microsoft Enterprise Portal, you must have a
server for it that is running Windows Server 2003 and is connected to the network before you begin the Microsoft
Perimeter Network Configuration Wizard.
This guide does not provide specific procedures on how to install Windows Server 2003. However, detailed
instructions and information about installing Windows Server 2003 are available in the Windows Server
Deployment Guide.

Labeling Network Servers and Hubs


Label each server in your network to make connecting cables and changing configurations easier. Use the
server names provided in this installation guide (IIS1, ISA1, CRM1, and so on) for the servers in your networks.
If you have not done so already, label your network hubs. Label one network hub “Perimeter network” and
the other “Internal network.” Throughout this document, these hubs will be referenced using these names.


Installing Network Interface Cards into All Network Servers


Install the proper number of NICs into each of your network servers. If you purchased your servers with the
correct number of NICs in each one, you can skip this step and go on to step 5.
Each server in your perimeter and internal network needs at least one NIC for this deployment, with the
exception of your perimeter network’s firewall server (ISA1). The ISA1 server must have three NICs
installed before you run the Microsoft Perimeter Network Configuration Wizard.
To install NICs into each server, use the instructions provided by the NICs’ manufacturer. Installing NICs
involves opening the server chassis to gain access to internal PCI (Peripheral Component Interconnect)
expansion slots. If you are unfamiliar with installing PCI-based expansion cards or if modifying server
hardware components violates warranty agreements, contact your server manufacturer or a computer
hardware specialist for more help.
After you have completed the physical installation of each NIC, make sure drivers for the NICs have been
installed on each of the servers. Many NIC drivers are installed automatically by Windows Server 2003 and
Windows 2000 Server by using stored drivers in the operating systems.
After installing NICs in a specific server, start the computer and let the automatic hardware installation
wizard attempt to install drivers. If the drivers have been installed automatically, a prompt from the
notification area of your desktop will appear indicating the process has been completed successfully. You
can manually check to see if the drivers have been installed by using Control Panel.
► Check if the NIC drivers have already been installed by the operating system
1. Click Start, point to Control Panel, and then click System.
2. On the Hardware tab, click Device Manager.
3. Expand Network adapters. If you do not see any warnings or errors next to the NICs you have
just installed, then the operating system has installed the drivers automatically.

If the drivers could not be installed automatically by the operating system, follow the installation instructions
provided with the NIC. If you do not have instructions, you can manually install drivers using the Add
Hardware Wizard in Control Panel.
To run the Add Hardware Wizard, click Start, point to Control Panel, and then click Add Hardware. Follow
the wizard’s directions to find and install drivers for your new NIC(s).

Configuring Hardware Drivers


After installing the NIC drivers, install the other hardware drivers for the devices in your servers, such as
video cards and controller cards. Driver conflicts can affect performance and server stability. Install all
necessary drivers for your servers before continuing. Drivers and instructions about how to correctly install
and configure drivers should be included with the device when you purchase it.
For help with installing hardware drivers correctly, contact the manufacturer of the device or visit their Web
site.

Connecting Networking Hardware and Cables


Depending on your current network configuration, you might also need to install and configure the
networking hardware needed for your network, including network hubs and cables.
Figure 4 shows a sample network diagram you can use when setting up your perimeter and internal
networks. Exact network topologies will vary from network to network, but use Figure 4 and the provided
instructions as a reference while you are installing networking components. As shown, ISA1 has three NICs
installed. The NICs in ISA1 are labeled to clarify connection specifications. Other servers have only one NIC
and connect to other servers in the network using your network hubs.
Make sure you have chosen a location for each of your network hubs and that they are turned on before you
connect your network components.


Figure 4
Microsoft Perimeter Network Wiring Example

► Connect network cables for Perimeter and Internal networks


1. Connect a network cable from an open ISA1 NIC to your Perimeter network hub.
2. In another open ISA1 NIC, connect a network cable to your Internal network hub.
3. Connect one end of a network cable to the remaining open NIC on ISA1; however, do not connect
the other end of the cable to the wall jack or router from which you receive your Internet connection.
Connecting your network to the Internet before you have the ISA server configured could create a
security risk. You will make this connection after you finish running the Microsoft Perimeter Network
Configuration Wizard.
4. For each IIS server in your perimeter network, connect a cable from the IIS server NIC to your
Perimeter network hub. Each IIS server should have only one NIC connected to the perimeter
network hub.
5. For each of the following servers, connect a network cable from the server’s NIC to your Internal
network hub:
● DC1
● DC2 (optional)
● SQL1 (if you have a stand-alone database server)
● All application servers in your internal network (for example, CRM1 or AOS1)

Note: You might not have all of these servers in your network, depending on your specific deployment
scenario. Some internal network servers might already be configured and connected to network hubs,
depending on your existing network.

When you are finished connecting your network components, turn on all of your servers. The lights on your
hub will begin to blink as network activity starts. If you do not see any activity, make sure your hubs have
electricity and that network cable connections are properly connected at both ends of each cable.

Adding My Network Places to the Desktops of Each Internal Network and Perimeter Server

During this implementation, you will need to regularly open My Network Places. To make opening My
Network Places easier while configuring your servers, add a shortcut to My Network Places to the desktop of
each network server.
► Add My Network Places to your servers’ desktops
1. Log on to the server to which you want to add the My Network Places icon.
2. Double-check to see if the My Network Places icon already exists on your desktop. If the shortcut
already exists, go to step 8.
3. Right-click an open area of your desktop, and then click Properties.
4. In the Display Properties dialog box, on the Desktop tab, click Customize Desktop.
5. In the Desktop items dialog box, under Desktop icons, select the My Network Places check box,
and then click OK.
6. In the Display Properties dialog box, click OK to return to the desktop.
7. Repeat steps 1–6 for all of your internal and perimeter network servers.

After you have successfully added the My Network Places shortcut to all of your server desktops, you can
begin configuring your perimeter network servers. The following section describes how to configure ISA1.

Configuring ISA1
This section describes the configuration procedure for ISA1 that you must complete before you run the
Microsoft Perimeter Network Configuration Wizard. Configuring ISA1 requires you to perform the following
tasks:
● Change network connection names on ISA1
● Configure TCP/IP settings for each network connection in ISA1

Note: To perform the following procedures, you must be a member of the Account Operators group,
Domain Admins group, or the Enterprise Admins group in Active Directory®, or you must have been
delegated the appropriate authority.

Changing Network Connection Names on ISA1


You must manually configure network settings for all three network connections in ISA1 by using Network
Connections. To configure ISA1 network settings, rename each network connection first, and then configure
the Transmission Control Protocol/Internet Protocol (TCP/IP) settings.
When configuring the network settings for your perimeter network servers, use the information you recorded
in the Network Information form.
► Rename network connections in ISA1
1. On the desktop, right-click My Network Places, and then click Properties.

2. In the Network Connections window, right-click the network connection that you intend to connect to
the Internet, click Rename, type Internet, and then press ENTER.

Note: This network connection should be disconnected, and should remain disconnected
after you rename it to Internet.

3. Rename the Perimeter network connection by doing the following:


a. Find the cable that connects ISA1 to your perimeter network hub and unplug it from ISA1.
b. In the Network Connections window, right-click the network connection for the perimeter network
hub that is disconnected, and then click Rename.
c. Type Perimeter Network and press ENTER.
d. Plug the cable back into the NIC in ISA1. Check the Network Connections window and make
sure that the Perimeter Network connection is now connected.

Note: The network connection might display as connected; however, it might display with a question
mark. Please note that this is normal at this point in the implementation and that you will be configuring
these network connections in later sections of this installation guide.

4. Rename the Internal network connection by doing the following:


a. Find the cable that connects ISA1 to your internal network hub and unplug it.
b. In the Network Connections window, right-click the network connection for the internal network
hub that is disconnected, and then click Rename.
c. Type Internal Network and press ENTER.
d. Plug the cable back into the NIC in ISA1. Check the Network Connections window and make
sure that the Internal Network connection is now connected.

Now that you have renamed all three network connections in ISA1, you need to configure TCP/IP settings. In
the following section you will configure TCP/IP settings for all three network connections in ISA1.

Configuring TCP/IP Settings for Each Network Connection in ISA1

After you have successfully renamed all of the ISA1 NICs, you must manually configure the TCP/IP
settings of each NIC. The following steps guide you through configuring each ISA1 NIC. To configure the
ISA1 TCP/IP settings, you must complete the following tasks:
● Configure TCP/IP settings for the Internet network connection
● Configure TCP/IP settings for the Internal Network connection
● Configure TCP/IP settings for the Perimeter Network connection

Note: If you are unsure about a configuration setting for a specific network connection, refer to Figure 5
as a reference.

Start your network configuration process by configuring the TCP/IP connections for the Internet network
connection.
► Configure TCP/IP settings for the Internet network connection
1. On the desktop, right-click My Network Places, and then click Properties.
2. In the Network Connections window, right-click Internet, and then click Properties.
3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the following
IP address, and then do the following:

a. In the IP address box, type the Internet-facing static IP address you recorded on line 2 of the
Network Information form.
b. In the Subnet mask box, type the Internet-facing subnet mask you recorded on line 3 of the
Network Information form. After typing the IP address, the subnet mask is automatically
populated with a default address.
c. In the Default gateway box, type the Internet-facing default gateway that you recorded on line 4
of the Network Information form.

Note: When configuring TCP/IP settings for all network servers, the first three entries of the server IP
address should match the first three entries of the default gateway address. For example, if your server
IP address is 192.168.12.103, your default gateway address should also start with 192.168.12. If these
do not match, recheck your entries in the Network Information form, and make sure that you have the
correct addresses for each server.

5. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the ISP preferred DNS address that you recorded on line
5 of the Network Information form.
b. In the Alternate DNS server box, type the ISP alternate DNS address that you recorded on line
6 of the Network Information form.
6. Click OK, and then click Close.

Second, configure TCP/IP settings for the Internal Network connection.


► Configure TCP/IP settings for the Internal Network connection
1. On the desktop, right-click My Network Places, and then click Properties.
2. In the Network Connections window, right-click Internal Network, and then click Properties.
3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:

● In the IP address box, type the Internal network IP address you recorded on line 8 of the
Network Information form. After typing your IP address, the subnet mask is automatically
populated with a default address.
● In the Subnet mask box, clear the default entry, and then type the internal network’s subnet
mask that you recorded on line 21 of the Network Information form.
● Leave the Default gateway box blank.

5. Select Use the following DNS server addresses and do the following:
● In the Preferred DNS server box, type the IP address that you recorded for DC1 on line
20 of the Network Information form.
● In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23
of the Network Information form. This IP address is optional. If you do not have an alternate
DNS server in your network, leave this box blank.
6. Click OK, and then click Close. The icon for this network connection changes to show that the
network connection has been configured correctly.

Finally, configure TCP/IP connections for the Perimeter Network connection.


► Configure TCP/IP settings for the Perimeter Network connection
1. On the desktop, right-click My Network Places, and then click Properties.
2. Right-click Perimeter Network and then click Properties.

3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:

a. In the IP address box, type the Perimeter network IP address that you recorded on line 8 of
the Network Information form. After typing the IP address, the subnet mask is automatically
populated with a default address.
b. In the Subnet mask box, clear the default entry, and then type the Perimeter network
subnet mask that you recorded on line 10 of the Network Information form.
c. Leave the Default gateway box blank.

5. Select Use the following DNS server addresses and do the following:

a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of
the Network Information form.
b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of
the Network Information form. This IP address is optional. If you do not have an alternate DNS
server in your network, leave this box blank.

6. Click OK, and then click Close. The icon for this network connection changes to show that the
network connection has been configured correctly.

After you finish configuring TCP/IP settings for ISA1, configure the TCP/IP settings for all of the IIS servers
in your perimeter network by using the procedures in step 9.

Configuring IIS Servers in Perimeter Network


After configuring ISA1, install IIS on all IIS servers and then configure the servers’ network connection
(TCP/IP) settings. IIS servers give your network the ability to communicate with inbound requests from
outside of your perimeter network and correctly route them to their intended destinations. This feature
enables you to access applications from the Internet.

Important: You must complete these steps for each of your perimeter network IIS servers.

To properly configure your IIS servers, complete the following:


● Install IIS (if it has not already been installed on your IIS server)
● Configure TCP/IP settings

Installing IIS on All IIS Servers


First, install IIS on each of your network servers.
► Install IIS 6.0
1. Log on to the IIS server you want to configure.
2. On the Start menu, point to Control Panel, and then click Add or Remove Programs.
3. Click Add/Remove Windows Components.
4. In the Windows Components Wizard, in the Components list, click Application Server, and then
click Details.
5. In the Subcomponents of Application Server list, select the Internet Information Services (IIS)
check box, click OK, and then click Next.
6. When the installation process is finished, click Close.
7. Repeat steps 1–6 for each of your IIS servers.

Configuring TCP/IP Settings for IIS Servers


When you have finished installing IIS on each of your IIS servers, configure the TCP/IP settings for the
server’s network connection.
► Configure TCP/IP settings for IIS servers
1. On the desktop, right-click My Network Places, and then click Properties.
2. In the Network Connections window, right-click Local Area Connection and then click Properties.

Note: You should only have one Local Area Connection in each IIS server. If you are unsure
which network connection to configure or if you have more than one, unplug the cable that is
connected from the IIS server to the perimeter network hub. Configure the network connection
that appears as disconnected. Then, plug the network cable back into the IIS server NIC.

3. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
4. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:

● In the IP address box, type the corresponding IIS server IP address that you recorded in the
Network Information form. After typing your IP address, your subnet mask is automatically
populated with a default address. For example, if you are configuring IIS1, type the IP
address you recorded on line 12 of the Network Information form. You must configure IIS1
for the Microsoft Perimeter Network Configuration Wizard; however, IIS2–IIS4 are optional.
● In the Subnet mask box, type the Perimeter network subnet mask address that you
recorded in line 10 of the Network Information form.
● In the Default gateway box, type the ISA1 Perimeter Network IP address that you recorded
in line 9 of the Network Information form.

Note: When configuring TCP/IP settings for all network servers, the first three entries of the
server IP address should match the first three entries of the default gateway address. For
example, if your server IP address is 192.168.12.103, your default gateway address should also
start with 192.168.12. If these do not match, recheck your entries in the Network Information
form, and make sure that you have the correct addresses for each server.

5. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of
the Network Information form.
b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of
the Network Information form. If you do not have an alternate DNS server in your network, leave
this box blank.
6. Click OK, and then click Close. The icon for this network connection changes to show that the
network connection has been configured correctly.

Configuring TCP/IP Settings for All Application Servers


After configuring your IIS servers, configure network connection (TCP/IP) settings for all of your application
servers. Use the following procedures to configure each application server. If you have existing servers that
are already configured to work with an existing network, you do not need to perform the following procedure
on those servers.

► Configure TCP/IP settings for application server


1. Log on to the application server you want to configure.
2. On the desktop, right-click My Network Places, and then click Properties.
3. In the Network Connections window, right-click Local Area Connection, and then click Properties.

Note: You should only have one local area connection in each application server, but if you are
unsure which network connection to configure, unplug the cable connected to the NIC in the application
server. Configure the network connections that appear as disconnected. Then, plug the network cable
back into the application server NIC.

4. On the General tab, under This connection uses the following items, click Internet Protocol
(TCP/IP), and then click Properties.
5. In the Internet Protocol (TCP/IP) Properties dialog box, on the General tab, select Use the
following IP address, and then do the following:

a. In the IP address box, type the IP address that you recorded in the Network Information form for
the application server you want to configure. For example, if you are configuring the CRM
server, type the address you recorded on line 27 of the Network Information form. After typing
your IP address, the subnet mask is automatically populated with a default address.
b. In the Subnet mask box, clear the default address and then type the Internal Network subnet
mask that you recorded in line 21 of the Network Information form.
c. In the Default gateway box, type the Internal Network IP address that you recorded in line 8 of
the Network Information form.

Note: When configuring TCP/IP settings for all network servers, the first three entries of the
server IP address should match the first three entries of the default gateway address. For example,
if your server IP address is 192.168.12.103, your default gateway address should also start with
192.168.12. If these do not match, recheck your entries in the Network Information form, and make
sure you have the correct addresses for each server.

6. Select Use the following DNS server addresses and do the following:
a. In the Preferred DNS server box, type the IP address that you recorded for DC1 on line 20 of
the Network Information form.
b. In the Alternate DNS server box, type the IP address that you recorded for DC2 on line 23 of
the Network Information form. If you do not have an alternate DNS server in your network, leave
this box blank.
7. Click OK, and then click Close.

After you have configured TCP/IP settings for every application server in your internal network, you can
validate your network configurations. Figure 5 provides an example for this validation. The TCP/IP settings
shown in the diagram are an example based on the information that is recorded in the Network Information
form. Use the information provided in the diagram as a reference to help make sure that your network
components are configured correctly.
When you are satisfied that the configuration you created is correct, go to step 11. If you think that you have
made an error, recheck your steps to make sure your network is configured correctly.

Figure 5
TCP/IP Settings for Perimeter Network
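
The settings validated against Figure 5 can also be checked mechanically before any server is touched. The Python script below is an added example, not part of the original guide: it applies the gateway, subnet and DNS rules from the preceding TCP/IP procedures to a planned address list, and generalizes the "first three entries" note to any subnet mask. The role labels, the subnet-overlap check and all addresses are assumptions constructed for illustration.

```python
"""Check a planned address layout against the rules in the TCP/IP procedures.
Added example: every address below is a constructed sample value."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ISA_ROLES = ("isa-internet", "isa-internal", "isa-perimeter")
# Role of a single-NIC server -> the ISA1 connection that must be its gateway.
UPSTREAM = {"iis": "isa-perimeter", "app": "isa-internal"}


@dataclass
class Nic:
    host: str                # e.g. "ISA1", "IIS1", "CRM1"
    role: str                # hypothetical label: one of ISA_ROLES or a key of UPSTREAM
    ip: str
    mask: str
    gateway: Optional[str]   # None = Default gateway box left blank
    dns: str                 # Preferred DNS server


def subnet(nic: Nic):
    """Subnet implied by the NIC's address and dotted-decimal mask."""
    return ipaddress.ip_interface(f"{nic.ip}/{nic.mask}").network


def validate(plan: List[Nic], dc1_ip: str) -> List[str]:
    """Return findings as strings; an empty list means the plan is consistent."""
    findings = []
    for n in plan:  # reject unparsable input before comparing anything
        try:
            subnet(n)
            if n.gateway is not None:
                ipaddress.ip_address(n.gateway)
            if n.role not in ISA_ROLES and n.role not in UPSTREAM:
                raise ValueError(f"unknown role {n.role!r}")
        except ValueError as exc:
            findings.append(f"{n.host} ({n.role}): invalid entry: {exc}")
    isa = {n.role: n for n in plan if n.role in ISA_ROLES}
    for role in ISA_ROLES:
        if role not in isa:
            findings.append(f"ISA1: no {role} connection in plan")
    if findings:
        return findings

    # Not stated in the guide: a multi-homed host cannot route between two
    # connections whose subnets overlap.
    if subnet(isa["isa-internal"]).overlaps(subnet(isa["isa-perimeter"])):
        findings.append("ISA1: Internal and Perimeter subnets overlap")
    # DC1 is cabled to the Internal network hub, so it must sit in that subnet.
    if ipaddress.ip_address(dc1_ip) not in subnet(isa["isa-internal"]):
        findings.append(f"DC1 {dc1_ip} is not on the Internal network")

    seen = {}
    for n in plan:
        tag = f"{n.host} ({n.role})"
        if n.ip in seen:
            findings.append(f"{tag}: IP {n.ip} is also assigned to {seen[n.ip]}")
        seen.setdefault(n.ip, tag)

        if n.role == "isa-internet":
            # Generalizes the "first three entries match" note to any mask.
            if n.gateway is None:
                findings.append(f"{tag}: a default gateway is required")
            elif ipaddress.ip_address(n.gateway) not in subnet(n):
                findings.append(f"{tag}: gateway {n.gateway} is outside {subnet(n)}")
            continue  # this connection uses the ISP's DNS servers, not DC1

        if n.role in UPSTREAM:
            up = isa[UPSTREAM[n.role]]
            if subnet(n) != subnet(up):
                findings.append(f"{tag}: subnet {subnet(n)} is not ISA1's {subnet(up)}")
            if n.gateway != up.ip:
                findings.append(f"{tag}: gateway {n.gateway} should be {up.ip}")
        elif n.gateway is not None:
            # ISA1 Internal Network and Perimeter Network connections.
            findings.append(f"{tag}: Default gateway must be left blank")

        if n.dns != dc1_ip:
            findings.append(f"{tag}: preferred DNS {n.dns} should be DC1 {dc1_ip}")
    return findings


# Constructed sample plan (documentation and private address ranges only).
DC1_IP = "192.168.12.10"
SAMPLE_PLAN = [
    Nic("ISA1", "isa-internet", "203.0.113.10", "255.255.255.248", "203.0.113.9", "198.51.100.53"),
    Nic("ISA1", "isa-internal", "192.168.12.1", "255.255.255.0", None, DC1_IP),
    Nic("ISA1", "isa-perimeter", "192.168.20.1", "255.255.255.0", None, DC1_IP),
    Nic("IIS1", "iis", "192.168.20.11", "255.255.255.0", "192.168.20.1", DC1_IP),
    # Deliberate mistake: gateway points at ISA1's Internal Network address.
    Nic("IIS2", "iis", "192.168.20.12", "255.255.255.0", "192.168.12.1", DC1_IP),
    Nic("CRM1", "app", "192.168.12.103", "255.255.255.0", "192.168.12.1", DC1_IP),
]

if __name__ == "__main__":
    for finding in validate(SAMPLE_PLAN, DC1_IP):
        print(finding)
```

With the sample plan the script reports one finding, the IIS2 gateway that points at ISA1's Internal Network address instead of its Perimeter Network address.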

Configuring Certificate Settings for ISA1 and IIS Servers


There are several options to obtain a server certificate for your perimeter network Internet server. If you are
configuring a production system, you can purchase a server certificate from a third-party certification
authority, or you can create your own certificate. Certificates use Secure Sockets Layer (SSL) to create a
protected line of transmission between Internet users and internal network resources. Purchasing a
certificate is the most secure and easiest approach.
It is also possible to use a test certificate, available at no charge from some third-party certification
authorities. Third-party certification authority test certificates are typically available for a few weeks. This
section includes procedures for creating both production-ready certificates and certificates for test networks.
When configuring a certificate for a production network, complete the following tasks:
1. Do one of the following:
● Create and install a certificate for a production network.
● Create and install a certificate for a test network.

2. Export your certificate file to a .pfx file.


3. Import your certificate file into ISA1, and then into your additional IIS servers if you have more than
one.

Creating and Installing a Server Certificate for a Production Network


If you plan to deploy your perimeter network to the Web for production purposes, use the following
procedures to create a third-party certificate request. The server certificate request is a text file that you will
send to the third-party CA from which you want to obtain your certificate.
Because IIS1 does not have an Internet connection, you must copy the certificate request file to removable
media and send the request from a computer that is separate from your Internal and Perimeter networks.

Important: If you want to create a test certificate, perform the procedures in this section of the document
and move onto the “Create and Install a Server Certificate for Test Network” section of this document.

► Create a certificate request using the Web Server Certificate Wizard in IIS 6.0
1. Log on to IIS1.
2. On the Start menu, point to All Programs, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
3. Expand the local computer, expand the Web sites folder, and then click Default Web site.
4. On the Action menu, click Properties, and then select the Directory Security tab.
5. Click Server Certificate to open the Web Server Certificate Wizard.
6. On the Welcome to the Web Server Certificate Wizard page, click Next.
7. Select Create a new certificate and then click Next.
8. Select Prepare the request now, but send it later and then click Next.
9. In the Name box, type a unique name for the new certificate, select a bit length from the Bit length
list, and then click Next.
If you plan to keep the certificate for more than a year, 2,048 bits is recommended for the additional
security. Higher bit lengths will cause a slightly longer SSL establishment delay for each client’s
initial request to the server that has SSL enabled.
10. In the Organization box, type the legal name of the company for which this certificate is requested,
and in the Organization unit box, enter the organizational unit to which you attach the certificate.
11. Click Next.
12. In the Common name box, type the Fully Qualified Domain Name (FQDN) users on the Internet will
use to reach your Web site.

13. Click Next.
14. Enter the geographical information for your server, and then click Next. Do not use abbreviations
for the State/province or City/locality.
15. In the Location box, type the location and file name where the certificate request information will be
stored.
16. Click Next twice, and then click Finish.

Installing Third-party Certificates into the Default Web Site of IIS1


When you receive the certificate file from the third-party CA, install the certificate into the Default Web site of
IIS1.
► Install the server certificate on remaining IIS servers, if available
1. Log on to the perimeter network server on which you want to install the certificate file.
2. Copy the .pfx file you saved to removable media in the previous procedure, “Export IIS1 certificate
to .pfx file,” to a location on your server’s local drive.
3. Open Internet Information Services Manager and select Default Web site.
4. On the Action menu, click Properties, and then click the Directory Security tab.
5. Click Server Certificate, and then click Next.
6. Select Process the pending request and install the certificate and then click Next.
7. Browse to the location of the certificate file, and then click Next.
8. In the SSL port this web site should use box, accept the default value, 443, click Next twice, and
then click Finish.

After you install your production certificate into IIS1, go to the “Install Server Certificate into ISA1 and
Remaining IIS Servers” section of this installation guide. Do not create a test certificate after you have
completed the procedures above.

Creating and Installing a Server Certificate for Test Network

Alternatively, if you are deploying a test environment and do not want to purchase a third-party certificate,
you can create a temporary test certificate for your network. Test certificates should only be used in a test
environment and are not intended for production networks that communicate over the Internet. Because
SelfSSL does not meet the security requirements of a production system, use it only for testing purposes.
In place of using SelfSSL to create a server certificate, you can also obtain a test certificate from a third-party
CA. Obtaining a test certificate from a third-party Certification Authority involves the same request and
installation and configuration steps described earlier in the “Configure Certificate Settings for ISA1 and IIS
Servers” section of this document. The difference is that test certificates from third-party CAs have finite
usage periods associated with them. Specific usage times depend on the specific CA.

Important: If you have already deployed a production-ready certificate, do not attempt to create a test
certificate for the same server. Move to the “Install Server Certificate into ISA1 and Remaining IIS Servers”
section of this document.

SelfSSL is a downloadable Microsoft tool that you can use to create a server certificate and install it on a
server in one step. SelfSSL is a command-line tool and requires you to use a command prompt to complete
this procedure.
► Download and use SelfSSL.exe to create and install a test server certificate
1. Log on to IIS1.
2. Download the IIS 6.0 Resource Kit Tools, located at the Microsoft Download Center and run the file
to install it on IIS1. You can install these tools only on a computer running Windows XP or Windows
Server 2003. The included SelfSSL utility can be used with IIS 5.0 and Windows 2000 Server, as
well as with IIS 6.0. SelfSSL will be installed in the Program Files\IIS Resources\SelfSSL directory.

3. On the Start menu, point to All Programs, point to Accessories, and then click Command
Prompt.
4. At the command prompt, type cd\ and press ENTER.
5. Type cd\program files\IIS Resources\SelfSSL, and then press ENTER.
6. Run SelfSSL by typing the following command line. The parameters of this command line are case-
sensitive. A full description of SelfSSL parameters is available in Appendix B.

SELFSSL.exe /N:cn=Your Internet-facing domain name /V:duration-of-validity (in days)

Example: To set up a certificate for the Internet-facing domain name contoso.com that is valid for a
period of 60 days, you would type the following line at the command prompt:

SelfSSL.exe /N:cn=contoso.com /V:60

For the Internet-facing domain name, it is not necessary to add “www” to the beginning of the host
name.

7. When asked Do you want to replace the SSL settings for site 1?, type Y, and then press ENTER.
After running SelfSSL, the test certificate is automatically created and installed into the Default Web
site on IIS1.
8. Close the command prompt and return to the desktop.

Now that the certificate has been installed in IIS1, you need to export the certificate to a .pfx file, and then
import that file into ISA1 and, if applicable, IIS2–IIS4.

Installing Server Certificates into ISA1 and Remaining IIS Servers

After installing the certificate file on IIS1, export the certificate to a .pfx file. You will use the .pfx file to install
the certificate into ISA1, and then into any remaining IIS servers you have in your network.
► Export IIS1 certificate to a .pfx file
1. Log on to IIS1.
2. On the Start menu, point to Administrative Tools, and then click Internet Information Services
(IIS) Manager.
3. Expand the local computer, expand the Web sites folder, and then click Default Web site.
4. On the Action menu, click Properties, and then click the Directory Security tab.
5. Click Server Certificate to open the Web Server Certificate Wizard.

6. On the Welcome page, click Next.


7. Select Export the current certificate to .pfx file, and then click Next.
8. In the Path and file name box, enter a location where you want to save the exported file, and then
click Next.
9. Type a password. This password encrypts the .pfx file. Write down the password because you will
use it again when you import the certificate file into your other perimeter network servers.
10. Review the information in the wizard, click Next twice, and then click Finish.
11. Close IIS Manager.
12. Save the .pfx file to removable media. You will need to copy the file to ISA1 and, if applicable, to
the remaining IIS servers.

Now install the exported certificate file (the .pfx file you have just created) into ISA1 using the following
procedure.
► Install the certificate file (.pfx file) onto ISA1
1. Log on to ISA1.
2. Copy the .pfx file you saved to removable media in the previous procedure, Export IIS1
certificate to a .pfx file, to a location on ISA1’s local drive.
3. On the Start menu, click Run, type MMC, and then click OK.
4. On the File menu, click Add/Remove Snap-in.
5. In the Add/Remove Snap-in dialog box, click Add.
6. In the Available Standalone Snap-ins list, click Certificates, and then click Add to open the
certificates snap-in wizard.

7. Select Computer Account, and then click Next.


8. Select Local computer: (the computer this console is running on), click Finish, and then click
Close.
9. In the Add/Remove Snap-in dialog box, click Certificates (Local Computer), and then click OK.
Ensure you have opened the correct certificate store. The MMC Console should list Certificates
(Local Computer). If you have accidentally opened the wrong store, close the MMC and return to
step 1.
10. Expand Certificates (Local Computer), right-click the Personal folder, point to All Tasks, and then
click Import to open the Certificate Import Wizard.
11. On the Welcome page, click Next.
12. On the File to Import page, browse to the locally saved .pfx file you copied to your local drive from
IIS1, and then click Next. In the Open dialog box, on the Files of type list, click Personal
Information Exchange (*.pfx; *.p12).
13. Type the password you created to encrypt the .pfx file, clear the Mark this key as exportable check
box, and then click Next.
14. Select Place all certificates in the following Store and accept the default value, Personal, and
then click Next.
15. Click Finish, and then close all dialog boxes and applications.

After installing your certificate file into ISA1, install the certificate into your remaining IIS servers, if you have
more than one. Before you continue, make sure that you have installed IIS on all of your remaining IIS servers.
► Install the certificate file into remaining IIS servers
1. Log on to IIS1.
2. On the Start menu, point to All Programs, point to Administrative Tools, and then click Internet
Information Services (IIS) Manager.
3. Expand the local computer, expand the Web sites folder, and then click Default Web site.
4. On the Action menu, click Properties, and then select the Directory Security tab.
5. Click Server Certificate to open the Web Server Certificate Wizard.


6. On the Welcome to the Web Server Certificate Wizard page, click Next.
7. Select Copy or Move the current certificate to a remote server site, and then click Next.
8. Select Copy certificate from a remote server web site to this web site, clear the Mark cert as
exportable check box, and then click Next.
9. Type the server name you have assigned to IIS1 in the Server name box; leave the username and
password boxes blank, and then click Next.
10. In the Site Instance box, accept the default value, 1, and then click Next.
11. Click Finish, and then close IIS Manager.
12. Repeat steps 1–11 for each of your remaining IIS servers.

Installing and Running the Microsoft Business Solutions Perimeter Network Configuration Wizard
When you have successfully completed the steps in this installation guide, you will be ready to run the
Microsoft Business Solutions Perimeter Network Configuration Wizard. The wizard helps you install ISA
Server 2004, configure ISA 2004 access settings, and then validates that you have configured your network
correctly using the procedures in this installation guide.
First, install the wizard onto ISA1 using the product CD-ROM or by using the downloadable installation file.
After the wizard has been installed, run it using the Start menu:
On the Start menu, point to All Programs, point to Microsoft Perimeter Network Configuration Wizard,
and then click Perimeter Network Configuration Wizard.
The wizard will walk you through installing and configuring ISA Server 2004 on ISA1 for use with your
Microsoft Business Solutions applications.
Installing Microsoft Business Solutions Software and Configuration Files
After you have completed setting your ISA Server 2004 settings using the Microsoft Perimeter Network
Configuration Wizard, you can install the applications you plan to run in your network, if they are not already
installed. In addition, you can use configuration files (.pnc) to assist these installations.

Important: Make sure that the installation files and configuration files you use to deploy your applications
are from a trusted source. Configuration files make changes to server operating systems that can
potentially damage your network.

Installation instructions for specific Microsoft Business Solutions applications are available on the Microsoft
Business Solutions Web site. See the installation guide for the specific application you want to deploy.
Testing Perimeter Network Access after Completing the Microsoft Perimeter Network Configuration Wizard
After using the Perimeter Network Configuration Wizard, test for access to your network. Using a computer
that is connected to the Internet, but is located outside of your perimeter or internal networks, access your
network by going to your Internet host name.


Troubleshooting
Network interface cards are not displayed in Network Connections
• The network interface cards (NICs) might not be installed correctly. Open the server and make
sure that each NIC is seated tightly in its correct slot.
Network connections are not configuring correctly
• First, make sure the network is connected. Check the back of the server to see if the NIC has
been disconnected or if the NIC’s lights are flashing. If they are not, the network cable is either
faulty or it is not connected correctly. Find both ends of the network cable and make sure they
are both plugged into the correct ports.
• If the cables are connected correctly, open the Network Connections dialog box, right-click the
connection that is experiencing difficulties, and then click Repair. The network connection will
refresh network connection settings.


Glossary
The following section describes many of the terms used in the “Deploy Your Perimeter Network” section of
this document to help you understand the components you are working with while you are setting up your
perimeter network.

Certificate Services
Certificate Services provide an encrypted connection between client computers connecting from the
Internet and network resources in your internal network. Encryption is provided by 128-bit Secure Sockets
Layer (SSL) technology, the same technology used by many online banking Web sites to help protect
user and transaction information.

Default Gateway
A gateway is a server that allows two different networks to communicate. The default gateway is the
computer in your network that forwards traffic originating from your internal network to destinations
outside of your perimeter network. When configuring TCP/IP settings for your network’s servers, you
need to specify a default gateway for your internal network servers. The Microsoft Perimeter Network
Configuration tool configures your perimeter network firewall server as your default gateway.
For this implementation, your default gateway for internal network resources will be your perimeter
network’s firewall server.

Domain Controller
A domain controller (DC) is a computer running Windows Server 2003 that manages user access to a
network, which includes logging on, authentication, and access to the directory and shared resources.
If you are already running Microsoft Business Solutions software inside your existing network, you will
have already set up a primary domain controller (PDC), and possibly a secondary domain controller, to
run those applications. If you do not have a primary domain controller, you must create one and
configure it properly to run in your internal network before setting up your perimeter network.

Firewall
A computer firewall is used to prevent unauthorized Internet users from accessing private networks
connected to the Internet. Computer firewalls can be created using both hardware and software, or a
combination of both.

IP Address
An Internet Protocol (IP) address determines the network location of a specific NIC. IP addresses can be
either dynamic (refresh each time a computer is rebooted) or static depending on the network
configurations.
An IP address is a 32-bit address used to identify a computer in a network. Each computer in the
network must be assigned a unique IP address. This address is typically represented in dotted-decimal
notation, with the decimal value of each octet separated by a period, for example, 192.168.7.27. IP
addresses can be either dynamic (refresh each time a computer is restarted) or static, depending on the
network configuration. In Windows Server 2003, you can configure the IP address statically or
dynamically through Dynamic Host Configuration Protocol (DHCP).
For server computers in your internal and perimeter networks, assign static IP addresses. This is a
requirement of the Microsoft Perimeter Network Configuration Wizard.


Network Hub
A network hub is a device that routes data between computers in your network. Rather than connecting
computers directly to one another, a hub is a central connection point where all computers in a network
can connect and share network resources.

Network Switch
For this implementation, you might also deploy network switches. Like hubs, switches connect
computers to each other; however, they include a layer of technology that allows them to more
intelligently route network traffic. Network switches help conserve network bandwidth. Network switches
tend to be more expensive than hubs, but either device will work in this network.
This installation guide assumes that you are using network hubs.

Server Certificate
A unique digital identification that forms the basis of the Secure Sockets Layer (SSL) security features
on a Web site. Server certificates are obtained from a trusted, third-party organization called a
certification authority, and they provide a way for users to authenticate the identity of a Web site.

Secure Sockets Layer (SSL)


A protocol to provide secure transmission of data between Web sites and browsers. SSL uses a digital
certificate to identify the sender and receiver of data.

Subnet Mask
A subnet mask helps you identify where specific networks and computers are located. Network IDs and
host IDs within an IP address are distinguished by using a subnet mask. Typically, you will have a single
subnet mask that defines your local area network (LAN), such as 255.255.255.0. Computers and servers
will have different IP addresses, but they will all belong to a specific subnet, defined by your subnet mask.

TCP/IP
Transmission Control Protocol/Internet Protocol (TCP/IP) is a set of networking protocols used in large
and small networks. It provides communications across interconnected networks made up of computers
with diverse hardware architectures and various operating systems. TCP/IP includes standards for how
computers communicate and conventions for connecting networks and routing traffic.


Appendix A: Microsoft Business Solutions Network Examples
This section includes sample network architecture diagrams for each of the Microsoft Business Solutions
applications currently supported by the Microsoft Perimeter Network Configuration Wizard.

Figure 6
Microsoft CRM Network Architecture Example


Figure 7
Microsoft CRM Mobile Network Architecture Example


Figure 8
Microsoft Dynamics AX Enterprise Portal Network Architecture Example


Figure 9
Microsoft Dynamics Business Portal Network Architecture Example


Appendix B: SelfSSL Parameters


Parameter                  Description
/N:cn=domain_name          Specifies the common name of the certificate. The computer name is used if you do not specify a common name.
/K:keylength               Specifies the certificate key length. The default is 1024.
/V:duration-of-validity    Specifies the duration for which the certificate is valid. The default is 7 days.
/S:site-id                 Specifies the site ID of the SSL-protected site. The default is 1 for the default Web site. As Web sites are added to IIS, each site is assigned a site ID: the second site’s site ID is 2, and so forth.
/P:port                    Specifies the SSL port. The default is 443. If you use port numbers to specify the Microsoft CRM Web site, you can either specify the SSL port here, or specify it in the properties for the Microsoft CRM Web site.
/Q                         Specifies Quiet mode. In Quiet mode, any existing settings for the site are overwritten with no user interaction or display.


Appendix C: Network Information Form


As described in the Microsoft Perimeter Network Configuration Installation Guide, use the following form to
record your network configuration information. Some server entries will be optional (as noted in the table)
and are not required.

Note: Some Microsoft Business Solutions applications may share a single server. If this is the case, record
the IP address of that shared server for both entries.

Internet Registrar Information


1 Internet-facing domain name (for example, contoso.com)
ISP Information
2 Internet-facing static IP address

3 Internet-facing subnet mask

4 Internet-facing default gateway

5 ISP Preferred DNS

6 ISP Alternate DNS

ISA Server (ISA1)


7 ISA1 server name

8 Internal network IP address

9 Perimeter network IP address

10 Perimeter network subnet mask

IIS Servers (IIS1–IIS 6)


11 IIS1 server name

12 IIS1 IP address

13 IIS2 server name

14 IIS2 IP address (optional)

15 IIS3 server name

16 IIS3 IP address (optional)

17 IIS4 server name

18 IIS4 IP address (optional)

Primary Domain Controller (DC1)


19 DC1 server name

20 DC1 IP address

21 Internal network subnet mask


Secondary Domain Controller (DC2) (optional)


22 DC2 server name

23 DC2 IP address

SQL Server (SQL1)


24 SQL1 server name

25 SQL1 IP address

Microsoft CRM Server (CRM1)


26 CRM1 server name

27 CRM1 IP address

Microsoft Dynamics AX Enterprise Portal Servers (AOS1 – AOS 6) (optional)


28 AOS1 server name

29 AOS1 IP address (optional)

30 AOS2 server name

31 AOS2 IP address (optional)

32 AOS3 server name

33 AOS3 IP address (Optional)

34 AOS4 server name

35 AOS4 IP address (Optional)

36 AOS5 server name

37 AOS5 IP address (Optional)

38 AOS6 server name

39 AOS6 IP address (Optional)

Microsoft CRM Mobile


40 Microsoft CRM Mobile server name

41 Microsoft CRM Mobile server IP address

Microsoft Dynamics Business Portal Server


42 Microsoft Business Portal server name

43 Microsoft Business Portal server IP address
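
The internal-network entries on this form can be checked against the Default Gateway and Subnet Mask glossary definitions before you run the wizard: each internal server must be in the same subnet as ISA1's internal address (its default gateway) and must hold a unique static address. The following Python check is an added example, not part of the original guide; the function name and all sample addresses are constructed for illustration.

```python
import ipaddress


def check_form_network(gateway_ip, subnet_mask, hosts):
    """Return a list of problems for one network recorded on the form.

    gateway_ip  -- ISA1's address on this network (the default gateway)
    subnet_mask -- dotted-decimal mask recorded for this network
    hosts       -- {server name: IP address} for the servers on this network
    """
    try:
        net = ipaddress.IPv4Network(f"{gateway_ip}/{subnet_mask}", strict=False)
    except ValueError as exc:  # malformed address or non-contiguous mask
        return [f"bad gateway or mask: {exc}"]

    problems = []
    seen = {ipaddress.IPv4Address(gateway_ip): "ISA1"}  # address -> owner
    for name, text in hosts.items():
        try:
            addr = ipaddress.IPv4Address(text)
        except ValueError:
            problems.append(f"{name}: '{text}' is not a valid IPv4 address")
            continue
        if addr not in net:
            problems.append(f"{name}: {addr} is outside {net}, gateway {gateway_ip} unreachable")
        elif addr in (net.network_address, net.broadcast_address):
            problems.append(f"{name}: {addr} is the network or broadcast address of {net}")
        if addr in seen:
            problems.append(f"{name}: {addr} is already assigned to {seen[addr]}")
        else:
            seen[addr] = name
    return problems


# Constructed sample entries (form lines 8, 20-21, 23, 25, 27); not real hosts.
FORM_OK = {"DC1": "192.168.7.10", "SQL1": "192.168.7.20", "CRM1": "192.168.7.27"}
FORM_BAD = {
    "DC1": "192.168.7.10",
    "SQL1": "192.168.8.20",   # wrong subnet for a 255.255.255.0 mask
    "CRM1": "192.168.7.10",   # duplicates DC1
    "DC2": "192.168.7.255",   # broadcast address of the subnet
}

if __name__ == "__main__":
    for line in check_form_network("192.168.7.1", "255.255.255.0", FORM_BAD):
        print(line)
```

Run the same function a second time with ISA1's perimeter address, the perimeter subnet mask, and the servers you place in the perimeter network.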
