Setup Wizard on ISA500 Series Integrated Security Appliance

Sat, 07/09/2016 - 14:00
Apr 26th, 2016
Cisco Support Community

Article ID: 3750

Objective

The Setup Wizard on the ISA500 Series Integrated Security Appliances allows an administrator to configure the main settings for the device in one location of the ISA500 Series Configuration Utility. The Setup Wizard shortens the amount of time that is spent on configuration.

This article explains how to use the Setup Wizard on the ISA500 Series Integrated Security Appliance.

Applicable Devices

• ISA500 Series Integrated Security Appliances

Software Version

• v1.1.14

Setup Wizard

This procedure explains how to configure the primary settings in the Setup Wizard.

Note: Before you continue, make sure you have an active WAN connection, a valid Cisco.com account, and a Product Authorization Key (PAK) or license code. The WAN connection is needed to verify the Cisco.com account; the account validates the security license and firmware upgrades, and the PAK activates the security services.

Step 1. Log in to the ISA500 Series Configuration Utility, and choose Configuration Wizards > Setup Wizard. The Setup Wizard page opens. The Setup Wizard page is shown when you log in to the configuration utility for the first time.

Step 2. Click Next. The Date and Time page appears.

The Date and Time page is used to set the system clock manually or to synchronize it with a Network Time Protocol (NTP) server. An accurate clock matters for more than readable logs: certificate validity checks and license validation on the appliance depend on it.

The Current Time field shows the device's current date and time, as last synchronized with the NTP server if NTP is in use.

Step 3. Choose the time zone for the device's location from the Time Zone drop-down list.

Step 4. To set the date and time manually, click the Manually Set System Time radio button. If you click this radio button, choose the date and time from the Date and Time drop-down lists.

Step 5. To set the date and time dynamically with NTP server synchronization, click the Dynamically Set System Time radio button.

Step 6. To adjust the clock for daylight saving time automatically, click the On radio button in the Daylight Saving Time Adjustment field.

Step 7. There are two ways to choose the NTP servers:

• Default NTP Servers – Click this radio button to use the default NTP servers.

• Custom NTP Servers – Click this radio button to use your own servers, then enter a primary and a secondary server in the Server 1 Name/IP Address and Server 2 Name/IP Address fields, as IP addresses or host names. Plain NTP is not authenticated, so the appliance accepts time from whatever answers on the path to these servers; prefer servers you operate or that your ISP provides.

Step 8. Click Next. The Cisco.com Credentials page appears.

On the ISA500 Series Integrated Security Appliance, a Cisco.com account can be associated with the device. The account is used to check for firmware updates and by security services such as anti-virus, application control, and web reputation filtering.

Step 9. In the Cisco.com Credentials area, enter your Cisco.com username in the Username field.

Step 10. In the Password field, enter your Cisco.com password.

Step 11. In the Confirm Password field, enter your Cisco.com password again.

Step 12. Click Next. The Update Firmware page appears.

Firmware updates fix problems with the device, including security vulnerabilities, and add features. Keep the appliance on a current release, and install only images obtained from Cisco.

Step 13. To upgrade firmware for the device, perform one of the following actions.

Automatic — To automatically update firmware, check the Check for firmware update when setup wizard completes check box to update the firmware after the setup wizard is finished.

Manual — To manually update firmware, click Browse, and locate the firmware image. Click Upgrade.

Step 14. Click Next. The page License Installation appears.

If you have a security license associated with your Cisco.com account, it unlocks the advanced security services on the ISA500 Series Integrated Security Appliance. Security licenses require valid Cisco.com credentials. If the security license has already been installed on the device, skip to Step 17.

Timesaver: If you do not wish to install a security license, which is not recommended, check the Continue without installing license (not recommended) check box, and proceed to Step 17.

Step 15. In the Email Address field, enter the email address associated with the security license.

Step 16. In the PAK ID field, enter the Product Authorization Key (PAK) ID for the security license. This ID can be located in the paperwork included with the device.

Step 17. Click Next. The Discovery page appears.

Discovery protocols let the ISA500 Series Integrated Security Appliance identify devices connected to its LAN ports. Cisco recommends enabling both so that the OnPlus service works best. Both protocols announce details about the appliance (Bonjour its services, CDP its platform, software version, and addresses) to anything on the same LAN segment, so enable them only where every LAN host is trusted.

Step 18. (Optional) Check the Enable Bonjour Discovery Protocol check box to enable Bonjour. Bonjour is Apple's zero-configuration networking: multicast DNS for service discovery and hostname resolution, plus link-local address assignment.

Step 19. Check the Enable Cisco Discovery Protocol (CDP) check box to enable CDP. CDP lets directly connected Cisco devices exchange information about themselves.

Step 20. Click Next. The Remote Administration page appears.

Remote Administration lets the ISA500 Series Integrated Security Appliance be configured from the WAN side, without an administrator on the LAN. It exposes the management interface to the Internet, so if you turn it on, keep HTTP off and restrict the source addresses (Step 25).

Step 21. In the Remote Administration field, click a radio button.

• On — This option enables remote administration for the device. By default, remote administration uses Hypertext Transfer Protocol Secure (HTTPS), so the login and the management session are encrypted.

• Off — This option disables remote administration for the device.

Step 22. In the HTTP Enable field, click a radio button. Plain HTTP carries the same management interface without TLS: the administrator password and the session cookie cross the WAN in cleartext, and the pages can be altered in transit. Its only advantage is a marginally faster connection, which does not justify the exposure; leave it Off.

• On — This option allows plain Hypertext Transfer Protocol (HTTP) to be used for remote administration.

• Off — This option does not allow HTTP to be used for remote administration.

Step 23. (Optional) If you chose On in Step 22, enter the TCP port on which the appliance listens for HTTP administration in the HTTP Listen Port Number field.

Step 24. (Optional) If remote administration is On, enter the TCP port on which the appliance listens for HTTPS administration in the HTTPS Listen Port Number field. Moving the service off port 443 does not hide it from a port scan; use the access restriction in Step 25, not the port number, to limit who can reach it.

Step 25. (Optional) From the Access Type drop-down list, choose an option.

• Allow access from any IP Address — Any remote host can reach the management interface. Every Internet host can then attempt to log in; choose one of the restrictions below whenever the administrators' addresses are known.

• Restrict Access to a Range of IP Addresses — Only remote hosts within a specified range of IP addresses can reach the management interface.

• Restrict to a Specific IP address — Only one host with a specified IP address can reach the management interface.

Step 26. (Optional) If you chose Restrict Access to a Range of IP Addresses in Step 25, enter the first address of the range in the From field.

Step 27. (Optional) If you chose Restrict Access to a Range of IP Addresses in Step 25, enter the last address of the range in the To field.

Step 28. (Optional) If you chose Restrict to a Specific IP address in Step 25, enter the IP address to allow in the IP address field.

Step 29. In the Remote SNMP field, click a radio button.

• On — This option allows a remote network management system to query and manage the appliance over Simple Network Management Protocol (SNMP) across the WAN. SNMP exposes device status and configuration details, so enable it only if a remote manager needs it.

• Off — This option does not allow SNMP access to the appliance from the WAN.
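The settings on this page decide who can reach the appliance's management plane from the WAN. The following Python is added here as an example; it is not part of the original article or of the appliance's software. It models the page's fields as a plain dictionary (the key names are this example's own) and does two things: it decides whether a given source address passes the Access Type filter of Step 25, and it audits a page for the choices that widen exposure (HTTP on, access from any address, SNMP on). A deliberately weak configuration is shown beside a hardened one; all addresses are constructed.

```python
import ipaddress

# Constructed examples of the wizard's Remote Administration page, written as
# plain dicts. The key names are this example's own, not the appliance's
# configuration schema, and the addresses are made up.
WEAK_REMOTE_ADMIN = {
    "remote_administration": "on",
    "http_enable": "on",            # Step 22: plain HTTP allowed
    "http_port": 80,
    "https_port": 443,
    "access_type": "any",           # Step 25: Allow access from any IP Address
    "remote_snmp": "on",            # Step 29
}

HARDENED_REMOTE_ADMIN = {
    "remote_administration": "on",
    "http_enable": "off",
    "https_port": 443,
    "access_type": "range",         # Step 25: Restrict Access to a Range of IP Addresses
    "from_ip": "203.0.113.10",      # Step 26
    "to_ip": "203.0.113.20",        # Step 27
    "remote_snmp": "off",
}


def source_allowed(cfg, src):
    """Decide whether an administrator connecting from `src` passes the Access
    Type filter of Step 25. Access types: "any", "range" (from_ip/to_ip) and
    "single" (ip). Returns False when remote administration is off."""
    if cfg["remote_administration"] != "on":
        return False
    src_ip = ipaddress.ip_address(src)
    access = cfg["access_type"]
    if access == "any":
        return True
    if access == "single":
        return src_ip == ipaddress.ip_address(cfg["ip"])
    if access == "range":
        lo = ipaddress.ip_address(cfg["from_ip"])
        hi = ipaddress.ip_address(cfg["to_ip"])
        # Version check first: comparing IPv4 with IPv6 addresses raises.
        return lo.version == src_ip.version and lo <= src_ip <= hi
    raise ValueError(f"unknown access type {access!r}")


def audit_remote_admin(cfg):
    """List the settings on this page that widen the management-plane attack
    surface. An empty list is what a reviewer wants to see."""
    findings = []
    if cfg["remote_administration"] != "on":
        return findings              # nothing is exposed on the WAN
    if cfg.get("http_enable") == "on":
        findings.append("HTTP administration enabled: the admin password and "
                        "session cross the WAN in cleartext")
    access = cfg["access_type"]
    if access == "any":
        findings.append("management interface reachable from any source address")
    elif access == "range":
        lo = ipaddress.ip_address(cfg["from_ip"])
        hi = ipaddress.ip_address(cfg["to_ip"])
        if hi < lo:
            findings.append("From address is higher than To address: "
                            "the range admits nobody")
        elif int(hi) - int(lo) + 1 > 256:
            findings.append("allowed range is wider than a /24; narrow it to "
                            "the management hosts")
    if cfg.get("remote_snmp") == "on":
        findings.append("SNMP reachable from the WAN; disable unless a remote "
                        "network manager needs it")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_REMOTE_ADMIN), ("hardened", HARDENED_REMOTE_ADMIN)):
        print(name, audit_remote_admin(cfg))
    print(source_allowed(HARDENED_REMOTE_ADMIN, "203.0.113.15"))   # inside the range
    print(source_allowed(HARDENED_REMOTE_ADMIN, "203.0.113.21"))   # just outside it
```

The audit treats a range wider than 256 addresses as a finding; that threshold is this example's choice, not a rule of the appliance, and should be tightened to the actual set of management hosts.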

Step 30. Click Next. The Port Configuration page appears.

Step 31. If configuration is applied to the ISA550 or ISA550W Integrated Security Appliances, choose an option from the Port Configuration drop-down list.

• 1 WAN, 1 DMZ, 5 LAN Switch — This option sets the ports to one WAN port, one De-Militarized Zone (DMZ) port, and 5 LAN ports. A DMZ is a separate network segment, behind the firewall but isolated from the internal LAN, for hosts that must be reachable from the Internet such as a public web server; a compromise of a DMZ host then does not give direct access to the LAN. Choose this option if you have such publicly exposed hosts.

• 1 WAN, 1 WAN backup, 1 DMZ, and 4 LAN Switch — This option sets the ports to one primary WAN port, one secondary WAN port, one DMZ port, and 4 LAN ports. Two WAN ports provide redundancy (failover or load balancing) for the Internet connection. Choose this option if you have publicly exposed hosts and a continuous WAN connection is vital, for example a network that serves files and services to remote users.

• 1 WAN, 1 WAN backup, 5 LAN Switch — This option sets the ports to one primary WAN port, one secondary WAN port, and 5 LAN ports. Choose this option if a continuous WAN connection is vital but you do not need a DMZ and want the extra port for LAN devices.

• 1 WAN, 6 LAN Switch — This option sets the ports to one WAN port and 6 LAN ports. Choose this option if neither WAN redundancy nor a DMZ is needed and you want the most ports for LAN devices.

Step 32. If configuration is applied to the ISA570 or ISA570W Integrated Security Appliances, choose an option from the Port Configuration drop-down list.

• 1 WAN, 1 DMZ, 8 LAN Switch — This option sets the ports to one WAN port, one De-Militarized Zone (DMZ) port, and 8 LAN ports. A DMZ is a separate network segment, behind the firewall but isolated from the internal LAN, for hosts that must be reachable from the Internet such as a public web server; a compromise of a DMZ host then does not give direct access to the LAN. Choose this option if you have such publicly exposed hosts.

• 1 WAN, 1 WAN backup, 1 DMZ, and 7 LAN Switch — This option sets the ports to one primary WAN port, one secondary WAN port, one DMZ port, and 7 LAN ports. Two WAN ports provide redundancy (failover or load balancing) for the Internet connection. Choose this option if you have publicly exposed hosts and a continuous WAN connection is vital, for example a network that serves files and services to remote users.

• 1 WAN, 1 WAN backup, 8 LAN Switch — This option sets the ports to one primary WAN port, one secondary WAN port, and 8 LAN ports. Choose this option if a continuous WAN connection is vital but you do not need a DMZ and want the extra port for LAN devices.

• 1 WAN, 9 LAN Switch — This option sets the ports to one WAN port and 9 LAN ports. Choose this option if neither WAN redundancy nor a DMZ is needed and you want the most ports for LAN devices.

Step 33. Click Next. The Primary WAN Connection page appears:

Note: The WAN Name field is a read only field.

Step 34. From the IP Address Assignment drop-down menu, choose an option.

• DHCP Client — The WAN port obtains its IP address, subnet mask, gateway, and DNS servers automatically from the Internet Service Provider's Dynamic Host Configuration Protocol (DHCP) server. This is the usual choice for cable connections.

• L2TP — Layer 2 Tunneling Protocol (L2TP), which combines elements of PPTP and Layer 2 Forwarding (L2F), carries PPP sessions to the ISP's L2TP server. On its own, L2TP provides no encryption; it is a tunneling protocol and gives confidentiality only when run over IPsec.

• PPPoE — Point-to-Point Protocol over Ethernet (PPPoE) encapsulates PPP sessions in Ethernet frames and authenticates to the ISP with a username and password. It is common on DSL connections.

• PPTP — Point-to-Point Tunneling Protocol (PPTP) carries PPP packets in a GRE tunnel to the ISP's PPTP server. Its authentication and encryption (MS-CHAPv2 and MPPE) are known to be weak; use it only if the ISP offers nothing else.

• Static IP — The ISP assigns a fixed IP address, which you enter manually together with its mask, gateway, and DNS servers. Use this when the appliance hosts services that must be reachable at a stable address.

Step 35. Enter the information in the appropriate fields.

• IP Address — In this field, enter the IP address provided by your Internet Service Provider. This applies to L2TP, PPTP, and Static IP.

• Netmask — In this field, enter the subnet mask for your IP address. This applies to L2TP, PPTP, and Static IP.

• Gateway — In this field, enter the IP address of the default gateway. This applies to L2TP, PPTP, and Static IP.

• User Name — In this field, enter the username for the account on the L2TP, PPPoE, or PPTP server. This applies to L2TP, PPPoE, and PPTP.

• Password — In this field, enter the password for the account on the L2TP, PPPoE, or PPTP server. This applies to L2TP, PPPoE, and PPTP.

• L2TP Server IP Address — In this field, enter the IP address for the L2TP server. This applies to L2TP.

• Secret — (Optional) In this field, enter the secret for Challenge-Handshake Authentication Protocol (CHAP) if necessary. This applies to L2TP.

• Connect Idle Time — Click this radio button if you want the ISA500 Series Integrated Security Appliance to disconnect from the Internet after a specified time of inactivity. In the adjacent field, enter the time in minutes to wait before disconnecting. This applies to L2TP, PPPoE, and PPTP.

• Keep Alive — Click this radio button if you want the ISA500 Series Integrated Security Appliance to always stay connected to the Internet. This applies to L2TP, PPPoE, and PPTP.

• Authentication Type — From this drop-down menu, choose an authentication method. This applies to PPPoE.

• Add VLAN Tag — Click the Yes radio button if you want the traffic from a specified VLAN to flow through the WAN port, or click the No radio button if you do not want to use this feature. This applies to PPPoE.

• VLAN Tag ID — If you clicked the Yes radio button for Add VLAN Tag, enter the VLAN Tag ID in the adjacent field. This applies to PPPoE.

• Reset Timer — From the adjacent drop-down menus, choose how often the PPPoE connection is reset and on what day and at what time the reset occurs. This applies to PPPoE.

• PPTP Server IP Address — In this field, enter the IP address for the PPTP server. This applies to PPTP.

• MPPE Encryption — (Optional) Check the adjacent check box to use Microsoft Point-to-Point Encryption (MPPE) on the PPTP tunnel. Without it the tunnel carries traffic in cleartext; MPPE itself is RC4 keyed from the MS-CHAP exchange, so enable it but do not rely on it for confidentiality. This applies to PPTP.

• DNS1 — In this field, enter a primary Domain Name System (DNS) IP address for domain name resolution. This field applies to Static IP.

• DNS2 — (Optional) In this field, enter a secondary Domain Name System (DNS) IP address for domain name resolution. This field applies to Static IP.

Step 36. In the MTU field, click a radio button.

• Auto — This option automatically adjusts the Maximum Transmission Unit (MTU).

• Manual — This option allows you to enter the MTU size in the MTU Value field.

Step 37. Click Next.

Timesaver: The Secondary WAN Connection page appears only if you chose a two-WAN port configuration: 1 WAN, 1 WAN backup, 1 DMZ, 4 LAN Switch or 1 WAN, 1 WAN backup, 5 LAN Switch in Step 31, or 1 WAN, 1 WAN backup, 1 DMZ, 7 LAN Switch or 1 WAN, 1 WAN backup, 8 LAN Switch in Step 32. Otherwise, the LAN Configuration page appears; skip to Step 46.

Step 38. (Optional) On the Secondary WAN Connection page, repeat Steps 34 to 37 for the secondary WAN port. The WAN Redundancy with Load Balancing page appears.

Step 39. (Optional) On the WAN Redundancy with Load Balancing page, click a radio button.

• Equal Load Balancing — This option periodically switches between the two WAN connections so that only one connection is used at a time.

• Weighted Load Balancing — This option divides the entire network bandwidth between the two WAN connections based on either percentage or bandwidth amounts.

• Failover — This option uses a primary WAN connection, and only switches to the secondary WAN connection when the primary fails.

Step 40. (Optional) If you chose Weighted Load Balancing in Step 39, click one of the following radio buttons.

• Weighted by Percentage — This option divides the bandwidth based on percentages.

• Weighted by Link Bandwidth — This option allows an administrator to divide the bandwidth by specifying exactly how much bandwidth each WAN connection gets.

Step 41. (Optional) If you choose Weighted by Percentage from Step 40, choose what percentage each WAN connection handles from the WAN1 and WAN2 drop-down lists.

Step 42. (Optional) If you choose Weighted by Link Bandwidth from Step 40, enter the amount of bandwidth each WAN connection is to handle in the WAN1 and WAN2 fields.

Step 43. (Optional) If you chose Failover in Step 39, choose an option from Select WAN Precedence drop-down list.

• Primary: WAN1; Secondary: WAN2 — This option makes WAN1 the primary connection and WAN2 the secondary connection.

• Primary: WAN2; Secondary: WAN1 — This option makes WAN2 the primary connection and WAN1 the secondary connection.

Step 44. (Optional) If you chose Failover in Step 39, enter in the Preempt Delay Timer field how long in seconds the ISA500 Series Integrated Security Appliance waits after the primary connection is back up before switching traffic back to it.

Step 45. (Optional) Click Next on the WAN Redundancy with Load Balancing page.

The LAN Configuration page appears:

Step 46. In the IP address field, enter the IP address of the appliance's LAN interface. This is the address of the default LAN and the gateway address that LAN hosts use.

Step 47. In the Netmask field, enter the subnet mask for the default LAN.

Step 48. From the DHCP Mode drop-down list, choose an option for the Dynamic Host Configuration Protocol (DHCP).

• DHCP Relay — This option allows the ISA500 Series Integrated Security Appliance to use a remote DHCP server to assign host IP addresses.

• DHCP Server — This option allows the ISA500 Series Integrated Security Appliance to assign host IP addresses itself.

• Disable — This option disables DHCP on the ISA500 Series Integrated Security Appliance. Choose this option if network hosts have static IP addresses or get their addresses from another DHCP server.

Step 49. (Optional) If you chose DHCP Relay in Step 48, enter the remote DHCP server IP address in the Relay IP field.

Timesaver: If you chose DHCP Server in Step 48, perform Steps 50 to 59; otherwise, skip to Step 60.

Step 50. Enter the first address of the DHCP pool in the Start IP field.

Step 51. Enter the last address of the DHCP pool in the End IP field.

Step 52. Enter how long in days, hours, and minutes an IP address is leased to a host before it must be renewed in the Day, Hour, and Min fields.

Step 53. Enter the primary DNS server IP address in the DNS1 field.

Step 54. (Optional) Enter the secondary DNS server IP address in the DNS2 field.

Step 55. (Optional) Enter the primary WINS server IP address in the WINS1 field. Windows Internet Name Service (WINS) is a Microsoft service that maps NetBIOS host names to network addresses.

Step 56. (Optional) Enter the secondary WINS server IP address in the WINS2 field.

Step 57. Enter a domain name for the default LAN in the Domain Name field.

Step 58. Enter the IP address of the default gateway in the Default Gateway field.

Step 59. Click Next.

Timesaver: If you chose 1 WAN, 1 DMZ, 5 LAN Switch or 1 WAN, 1 WAN backup, 1 DMZ, 4 LAN Switch from Step 31, or 1 WAN, 1 DMZ, 8 LAN Switch or 1 WAN, 1 WAN backup, 1 DMZ, 7 LAN Switch from Step 32, the DMZ Configuration page appears; perform Steps 60 to 84. Otherwise, skip to Step 85.

Step 60. In the IP address field, enter the IP address of the appliance's DMZ interface. Use a subnet that does not overlap the LAN, so that the firewall can keep the two zones apart.

Step 61. In the Netmask field, enter the subnet mask for the default DMZ.

Step 62. From the DHCP Mode drop-down list, choose an option for the Dynamic Host Configuration Protocol (DHCP).

• DHCP Relay — This option allows the ISA500 Series Integrated Security Appliance to use a remote DHCP server to assign host IP addresses on the DMZ.

• DHCP Server — This option allows the ISA500 Series Integrated Security Appliance to assign host IP addresses on the DMZ.

• Disable — This option disables DHCP for the DMZ on the ISA500 Series Integrated Security Appliance. Choose this option if DMZ hosts have static IP addresses, which is the usual case for servers, or get their addresses from another DHCP server.

Step 63. (Optional) If you chose DHCP Relay in Step 62, enter the remote DHCP server IP address in the Relay IP field.

Note: If you chose DHCP Server in Step 62, perform Steps 64 to 72; otherwise, skip to Step 73.

Step 64. Enter the first address of the DHCP pool for the DMZ in the Start IP field.

Step 65. Enter the last address of the DHCP pool for the DMZ in the End IP field.

Step 66. Enter how long in days, hours, and minutes an IP address on the DMZ is leased to a host before it must be renewed in the Day, Hour, and Min fields.

Step 67. Enter the primary DNS server IP address for the DMZ in the DNS1 field.

Step 68. (Optional) Enter the secondary DNS server IP address for the DMZ in the DNS2 field.

Step 69. (Optional) Enter the primary WINS server IP address for the DMZ in the WINS1 field. Windows Internet Name Service (WINS) is a Microsoft service that maps NetBIOS host names to network addresses.

Step 70. (Optional) Enter the secondary WINS server IP address for the DMZ in the WINS2 field.

Step 71. (Optional) Enter a domain name for the DMZ in the Domain Name field.

Step 72. Enter the IP address of the default gateway in the Default Gateway field.

Step 73. Click Next. The DMZ Services table appears:

Step 74. In the DMZ Services table, click Add to create a new DMZ service, or click the edit (pencil) icon to edit an existing DMZ service. The DMZ Service - Add/Edit window appears:

Step 75. From the Original Service drop-down list, choose the inbound service to translate: the protocol and port on which the WAN side accepts connections for this DMZ host.

• Create a new service — This option allows you to create a new service to use. Refer to the Create a New Service subsection for configuration of this option.

• Service Objects — This option lists pre-configured services to use.

Step 76. From the Translated Service drop-down list, choose the service to which the original service is translated: the protocol and port on which the DMZ host actually listens.

• Create a new service — This option allows you to create a new service to use. Refer to the Create a New Service subsection for configuration of this option.

• Original — Choose this option if the translated service and the original service are the same.

• Service Objects — This option lists pre-configured services to use.

Step 77. From the Translated IP drop-down list, choose the address object for the DMZ host that receives the translated connections.

• Create a new address — This option allows you to create a new address to use. Refer to the Create a New Address subsection for configuration of this option.

• IP Address Objects — This option lists pre-configured addresses to use.

Step 78. From the WAN drop-down list, choose an option.

• Both — This option accepts inbound connections for the original service on both WAN interfaces.

• WAN1 — This option accepts inbound connections for the original service on the primary WAN interface only.

• WAN2 — This option accepts inbound connections for the original service on the secondary WAN interface only.

Step 79. (Optional) If you chose WAN1 or WAN2 in Step 78, choose the WAN IP address to use from the WAN IP drop-down list.

• Create a new address — This option allows you to create a new address to use. Refer to the Create a New Address subsection for configuration of this option.

• IP Address Objects — This option lists pre-configured addresses to use.

Step 80. In the Enable DMZ Service field, click a radio button.

• On — This option creates the DMZ service and applies it.

• Off — This option creates the DMZ service but does not apply it.

Step 81. (Optional) Check the Create Firewall Rule check box to create a firewall rule automatically that allows the DMZ service to be reached from the WAN. Before you do, confirm that the Translated IP is a DMZ host: the rule admits Internet traffic to whatever address the service points at.

Step 82. In the Description field, enter a name for the DMZ service.

Step 83. Click OK. The DMZ Services table re-appears.

Step 84. Click Next.
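A DMZ service creates a NAT translation and, with Create Firewall Rule, a rule admitting WAN traffic to the translated address, so the protection a DMZ offers depends on that address actually being on the DMZ subnet. The Python below is an added example, not code from the original article or from the appliance. It takes the LAN page (Steps 46 to 59), the DMZ page (Steps 60 to 72), and the DMZ Services table (Steps 74 to 83) as plain dictionaries whose field names are this example's own, and checks that DHCP pools and gateways lie inside their subnets, that the two subnets do not overlap, that every enabled service points at a DMZ host rather than a LAN host, and that no two enabled services claim the same original port on the same WAN interface. The sample entries are constructed and include two deliberate mistakes.

```python
import ipaddress

# Constructed LAN, DMZ and DMZ Service entries that mirror the fields of
# Steps 46-59, 60-72 and 74-83. Field names are this example's own, not the
# appliance's configuration schema; all addresses are made up.
LAN = {"ip": "192.168.75.1", "netmask": "255.255.255.0", "dhcp_mode": "server",
       "start_ip": "192.168.75.100", "end_ip": "192.168.75.199",
       "gateway": "192.168.75.1"}

DMZ = {"ip": "192.168.10.1", "netmask": "255.255.255.0", "dhcp_mode": "disable"}

DMZ_SERVICES = [
    # Original Service, Translated Service, Translated IP, WAN, Enable, Create Firewall Rule
    {"description": "web", "original": ("tcp", 80), "translated": ("tcp", 8080),
     "translated_ip": "192.168.10.20", "wan": "both", "enabled": True, "firewall_rule": True},
    # deliberate mistake: forwards an Internet-facing service to a LAN host
    {"description": "mail", "original": ("tcp", 25), "translated": ("tcp", 25),
     "translated_ip": "192.168.75.20", "wan": "wan1", "enabled": True, "firewall_rule": True},
    # deliberate mistake: reuses tcp/80 on WAN1, which "web" already claims via "both"
    {"description": "dup", "original": ("tcp", 80), "translated": ("tcp", 80),
     "translated_ip": "192.168.10.21", "wan": "wan1", "enabled": True, "firewall_rule": False},
]


def subnet_of(zone):
    """Subnet implied by the IP address and Netmask fields of a zone page."""
    return ipaddress.ip_network(f"{zone['ip']}/{zone['netmask']}", strict=False)


def check_zone(name, zone):
    """Findings for one LAN or DMZ page: the DHCP pool and the default gateway
    must sit inside the zone's subnet, and the pool must not swallow the
    interface address that hosts use as their gateway."""
    findings = []
    net = subnet_of(zone)
    iface = ipaddress.ip_address(zone["ip"])
    if zone["dhcp_mode"] == "server":
        start = ipaddress.ip_address(zone["start_ip"])
        end = ipaddress.ip_address(zone["end_ip"])
        if start not in net or end not in net:
            findings.append(f"{name}: DHCP pool {start}-{end} is outside {net}")
        elif end < start:
            findings.append(f"{name}: DHCP pool End IP {end} is below Start IP {start}")
        elif start <= iface <= end:
            findings.append(f"{name}: DHCP pool contains the interface address {iface}")
        gw = ipaddress.ip_address(zone["gateway"])
        if gw not in net:
            findings.append(f"{name}: default gateway {gw} is outside {net}")
    return findings


def check_dmz_services(lan, dmz, services):
    """Findings for the DMZ Services table: every enabled service must land on
    a DMZ host (never a LAN host), and no two enabled services may claim the
    same original protocol/port on the same WAN interface."""
    findings = []
    lan_net, dmz_net = subnet_of(lan), subnet_of(dmz)
    if lan_net.overlaps(dmz_net):
        findings.append(f"LAN {lan_net} and DMZ {dmz_net} overlap")
    claimed = {}   # (wan, protocol, port) -> description of the service holding it
    for svc in services:
        if not svc["enabled"]:
            continue
        target = ipaddress.ip_address(svc["translated_ip"])
        if target in lan_net:
            findings.append(f"{svc['description']}: translated IP {target} is a LAN host; "
                            "the auto-created firewall rule would expose it to the WAN")
        elif target not in dmz_net:
            findings.append(f"{svc['description']}: translated IP {target} is in neither LAN nor DMZ")
        wans = ("wan1", "wan2") if svc["wan"] == "both" else (svc["wan"],)
        for wan in wans:
            key = (wan,) + tuple(svc["original"])
            if key in claimed:
                findings.append(f"{svc['description']}: {key[1]}/{key[2]} on {wan} is already "
                                f"used by {claimed[key]}")
            else:
                claimed[key] = svc["description"]
    return findings


if __name__ == "__main__":
    for line in (check_zone("LAN", LAN) + check_zone("DMZ", DMZ)
                 + check_dmz_services(LAN, DMZ, DMZ_SERVICES)):
        print(line)
```

With the constructed table the two deliberate mistakes are the only findings: the "mail" service points at a LAN host, and "dup" collides with "web" on WAN1 port 80. Services with Enable DMZ Service set to Off are skipped, since they are stored but not applied.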

Note: If this configuration is for the ISA550W or ISA570W Integrated Security Appliance, the Wireless Radio Setting page appears; perform Steps 85 to 116. Otherwise, skip to Step 117.

Step 85. In the Wireless Radio field, click a radio button.

• On — This option activates the wireless radio and enables the Service Set Identifiers (SSIDs).

• Off — This option deactivates the wireless radio.

Step 86. From the Wireless Network Mode drop-down list, choose an option.

• 802.11 b/g mixed — This option only allows 802.11b and 802.11g clients to connect to the ISA500 Series Integrated Security Appliance.

• 802.11 b/g/n mixed — This option allows 802.11b, 802.11g, and 802.11n clients to connect to the ISA500 Series Integrated Security Appliance.

• 802.11 g/n mixed — This option only allows 802.11g and 802.11n clients to connect to the ISA500 Series Integrated Security Appliance.

Step 87. From the Wireless Channel drop-down list, choose a channel at which ISA500 Series Integrated Security Appliance operates, or choose Auto to let the device automatically determine the best channel to use.

Step 88. Click Next. The Intranet WLAN Access page appears.

Step 89. In the SSID Name field, enter a name for the SSID. This name is the name that appears when the wireless signal is received by wireless hosts.

Step 90. From the Security Mode drop-down list, choose an option.

• Open — This option uses no authentication and no encryption: any device within range can join, and all traffic can be read over the air. This setting is not recommended.

• RADIUS — This option uses Remote Authentication Dial-In User Service (RADIUS). RADIUS performs Authentication, Authorization, and Accounting (AAA) for the SSID with the help of a remote RADIUS server.

• WEP — This option uses Wired Equivalent Privacy (WEP) with a 64-bit or 128-bit shared key. WEP's misuse of RC4 lets an attacker recover the key from captured traffic in minutes, so treat a WEP network as effectively open. Use it only for legacy devices that support nothing better, on their own VLAN.

• WPA-Enterprise — This option uses Wi-Fi Protected Access (WPA) with RADIUS (802.1X) authentication. Each client receives its own session keys after it authenticates, which is what makes WPA stronger than WEP's single static key.

• WPA-Personal — This option uses WPA with a pre-shared key instead of RADIUS.

• WPA/WPA2-Enterprise mixed — This option allows both WPA and WPA2 clients to connect to the SSID with RADIUS authentication. WPA2 is the current standard; allow WPA only while legacy clients require it.

• WPA/WPA2-Personal mixed — This option allows both WPA and WPA2 clients to connect with a pre-shared key and no RADIUS.

• WPA2-Enterprise — This option uses WPA2 and RADIUS for SSID security. Prefer it when a RADIUS server is available.

• WPA2-Personal — This option uses WPA2 with a pre-shared key. Prefer it when no RADIUS server is available.

Note: If you chose RADIUS in Step 90, perform Steps 91 to 97; otherwise, skip these steps.

Step 91. From the RADIUS Server ID drop-down list, choose a RADIUS server ID.

Step 92. In the Primary RADIUS Server IP Address field, enter the IP address of the primary RADIUS server.

Step 93. In the Primary RADIUS Server Port field, enter the port number which the RADIUS server uses.

Step 94. In the Primary RADIUS Server Shared Secret field, enter the shared secret of the primary RADIUS server. The shared secret authenticates the appliance to the RADIUS server and protects the password attributes in transit, so use a long random value rather than a word.

Step 95. (Optional) In the Secondary RADIUS Server IP Address field, enter the IP address of the secondary RADIUS server.

Step 96. (Optional) In the Secondary RADIUS Server Port field, enter the port number which the RADIUS server uses.

Step 97. (Optional) In the Secondary RADIUS Server Shared Secret, enter the shared secret of the secondary RADIUS server.

Timesaver: If you chose WEP in Step 90, perform Steps 98 to 102; otherwise, skip these steps.

Step 98. From the Authentication Type drop-down list, choose an option for which type of authentication the ISA500 Series Integrated Security Appliance accepts.

• Auto — This option accepts both Open System and Shared Key schemes.

• Open System — This option accepts only Open System schemes.

• Shared Key — This option accepts only Shared Key schemes.

Step 99. In the Default Transmit Key field, choose which key to use as the default key index.

Step 100. From the Encryption drop-down list, choose the key size and the form in which the keys are written.

• 128 bits(13 ASCII) — This option uses 128-bit keys written as 13 ASCII characters.

• 128 bits(26 hex digits) — This option uses 128-bit keys written as 26 hexadecimal digits.

• 64 bits(10 hex digits) — This option uses 64-bit keys written as 10 hexadecimal digits.

• 64 bits(5 ASCII) — This option uses 64-bit keys written as 5 ASCII characters.

The 128-bit options are stronger than the 64-bit ones only in that they take an attacker somewhat longer; both key sizes can be recovered from captured traffic because of WEP's weak use of RC4. Choose 128 bits if you must use WEP, and plan to replace it.

Step 101. In the Passphrase field, enter a passphrase that is used to generate four keys.

Step 102. Click Generate. The Key fields are populated.

Timesaver: If you chose WPA-Enterprise, WPA/WPA2-Enterprise mixed, or WPA2-Enterprise in Step 90, perform Steps 103 to 111; otherwise, skip these steps.

Note: WPA/WPA2-Enterprise mixed automatically picks whether to use TKIP or AES. WPA2-Enterprise only uses AES.

Step 103. From the Encryption drop-down list, choose an option.

• AES — This option uses Advanced Encryption Standard (AES) in CCMP mode for data encryption. It is the cipher WPA2 requires and should be used whenever the clients support it.

• TKIP — This option uses Temporal Key Integrity Protocol (TKIP), a per-packet keying wrapper around WEP's RC4 cipher that was designed to run on hardware built for WEP. It is stronger than WEP but deprecated; use it only while legacy clients that cannot do AES must connect.

Step 104. In the Key Renewal Timeout field, enter how often in seconds the key for SSID clients refreshes.

Step 105. From the RADIUS Server ID drop-down list, choose a RADIUS server ID.

Step 106. In the Primary RADIUS Server IP Address field, enter the IP address of the primary RADIUS server.

Step 107. In the Primary RADIUS Server Port field, enter the port number which the RADIUS server uses.

Step 108. In the Primary RADIUS Server Shared Secret, enter the shared secret of the primary RADIUS server.

Step 109. (Optional) In the Secondary RADIUS Server IP Address field, enter the IP address of the secondary RADIUS server.

Step 110. (Optional)  In the Secondary RADIUS Server Port field, enter the port number which the RADIUS server uses.

Step 111. (Optional)  In the Secondary RADIUS Server Shared Secret, enter the shared secret of the secondary RADIUS server.

Timesaver: If you chose WPA-Personal, WPA/WPA2-Personal mixed, or WPA2-Personal in Step 90, perform Steps 112 to 116; otherwise, skip these steps.

Note: WPA/WPA2-Personal mixed automatically picks whether to use TKIP or AES. WPA2-Personal only uses AES.

Step 112. From the Encryption drop-down list, choose an option.

• TKIP — This option uses Temporal Key Integrity Protocol (TKIP) which is more secure than WEP but still can operate on WEP devices. Use this option if your network uses older WEP devices.

• TKIP_CCMP (AES) — This option uses Temporal Key Integrity Protocol with Counter Cipher Mode with Block Chaining Message Authentication Code Protocol (TKIP_CCMP). TKIP_CCMP is TKIP enhanced with the CCMP of AES. This option is more secure than regular TKIP and can also work on WPA2 devices.

Step 113. In the Shared Secret field, enter the Pre-Shared Key (PSK) passphrase for WPA. The passphrase must be at least 8 characters and no more than 63 characters. The appliance derives the actual key from this passphrase and the SSID, and an attacker who captures one client's handshake can test guesses against it offline, so use a long random passphrase rather than a dictionary word.
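Why the length and quality of the passphrase matter: the appliance does not use the passphrase as the key. It derives the 256-bit PSK from the passphrase and the SSID with PBKDF2-HMAC-SHA1 at 4096 iterations, and anyone who captures a client's 4-way handshake can run the same derivation offline against a wordlist. The following Python example is added here and is not code from the ISA500 or from this article; the SSID and wordlist are constructed, and the "password"/"IEEE" pair is the published IEEE 802.11i test vector.

```python
import hashlib
from typing import Iterable, Optional

# Allowed passphrase alphabet per IEEE 802.11i: printable ASCII (0x20-0x7E).
PRINTABLE_ASCII = frozenset(chr(c) for c in range(0x20, 0x7F))


def validate_passphrase(passphrase: str) -> bool:
    """True if passphrase is a legal WPA/WPA2-Personal passphrase: 8-63 printable ASCII chars."""
    return 8 <= len(passphrase) <= 63 and all(ch in PRINTABLE_ASCII for ch in passphrase)


def derive_psk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PSK (the PMK) as 802.11i specifies:
    PBKDF2-HMAC-SHA1, salt = SSID, 4096 iterations, 32-byte output."""
    if not validate_passphrase(passphrase):
        raise ValueError("passphrase must be 8-63 printable ASCII characters")
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("ascii"),
                               ssid.encode("utf-8"), 4096, 32)


def psk_hex(passphrase: str, ssid: str) -> str:
    """Hex form of the PSK, the 64-hex-digit value tools such as wpa_passphrase print."""
    return derive_psk(passphrase, ssid).hex()


def crack_psk(target_psk: bytes, ssid: str, wordlist: Iterable[str]) -> Optional[str]:
    """Offline dictionary attack. A real attacker checks each candidate PMK against the
    MIC in a captured 4-way handshake; comparing against the PMK directly is a stand-in
    for that check. Returns the recovered passphrase, or None if the wordlist misses."""
    for candidate in wordlist:
        if validate_passphrase(candidate) and derive_psk(candidate, ssid) == target_psk:
            return candidate
    return None


if __name__ == "__main__":
    # IEEE 802.11i test vector (public, not a secret from this article).
    print(psk_hex("password", "IEEE"))
    # Constructed sample: a weak passphrase falls to a three-word list.
    ssid = "ISA500-Office"          # assumed SSID, not from the article
    weak = derive_psk("password", ssid)
    print(crack_psk(weak, ssid, ["letmein!", "password", "hunter22"]))
```

Two things follow from the derivation. Because the SSID is the salt, a common SSID lets an attacker precompute PSKs for a whole wordlist once and reuse them against every network with that name, so a distinctive SSID is worth something. And because 4096 iterations of SHA-1 are cheap on a GPU, only the passphrase's entropy protects the network; 8 characters is the minimum the field accepts, not a recommendation.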

Step 114. In the Key Renewal Timeout field, enter how often in seconds the key for SSID clients refreshes.

Step 115. From the VLAN Name drop-down list, choose a VLAN to which the SSID is mapped. All SSID traffic occurs on this VLAN.

The VLAN ID field displays the ID number of the chosen VLAN.

Step 116. Click Next.

The Security Services page appears.

Step 117. (Optional) Check the Anti-Virus check box if you want to allow the ISA500 Series Integrated Security Appliance to block viruses that may enter the network through various Internet connections.

Step 118. (Optional) Check the Intrusion Prevention (IPS) check box if you want to allow the ISA500 Series Integrated Security Appliance to analyze network traffic and block detected network attacks.

Step 119. (Optional)  Check the Network Reputation check box if you want to allow the ISA500 Series Integrated Security Appliance to examine the source address of traffic to see if the source is known to cause network attacks.

Step 120. (Optional) Check the Spam Filter check box if you want to allow the ISA500 Series Integrated Security Appliance to check for and block spam in emails.

Step 121. (Optional) Check the Web Reputation Filtering check box if you want to allow the ISA500 Series Integrated Security Appliance to deny network devices access to websites that contain viruses, spyware, malware, or phishing links.

Step 122. (Optional) If you checked the Spam Filter check box, enter the local Simple Mail Transfer Protocol (SMTP) server IP address or domain name in the Local SMTP Server IP Address/Domain field.

Step 123. (Optional) If you checked the Web Reputation Filtering check box, click a radio button in the If Reputation Services are unavailable field. This decides whether the filter fails closed or fails open when the appliance cannot reach the reputation service.

• Prevent affected network traffic — This option blocks the affected traffic until the reputation service is reachable again (fail closed). Users lose web access during the outage, but no unrated site is allowed through.

• Allow affected network traffic — This option allows the affected traffic until the reputation service is reachable again (fail open). Web access continues during the outage, but so does access to sites the service would have blocked.

Step 124. Click Next. The Summary page appears:

The Summary page displays all configurations that you have made.

Step 125. Click Apply to apply configuration.

The ISA500 Series Integrated Security Appliance applies the configuration. This can take several minutes.

Step 126. Click Finish to end the Setup Wizard.

Create a New Service

This procedure explains how to create a new service from the DMZ Service - Add/Edit window.

Step 1. Choose Create a new service from either the Original Service drop-down list or the Translated Service drop-down list in the DMZ Service - Add/Edit window. The Service - Add/Edit window appears:

Step 2. In the Name field, enter a name for the service.

Step 3. From the Protocol drop-down list, choose a protocol for the service to perform.

• TCP — Transmission Control Protocol (TCP) is a connection-oriented transport protocol that checks that traffic arrived completely and in the correct order and retransmits what was lost. This checking makes TCP slower than UDP. Use TCP for services that require reliable transport.

• UDP — User Datagram Protocol (UDP) is a transport protocol that sends traffic without checking that it arrived completely or in the correct order. UDP is faster than TCP because it does no such checking. Use UDP for services that do not require reliable transport.

• both(TCP/UDP) — This option makes the service match the port range over both TCP and UDP.

Step 4. Enter the first port of a range of ports to which the service applies in the Port Range Start field, and enter the last port of a range of ports in the Port Range End field. For a single port, enter the same number in both fields.

Step 5. Click Save. The DMZ Service - Add/Edit window reappears.

Create a New IP Address Object

This procedure explains how to create a new IP address object from the DMZ Service - Add/Edit window.

Step 1. Choose Create a new address from the Translated IP drop-down list or the WAN IP drop-down list in the DMZ Service - Add/Edit window. The Address - Add/Edit window appears:

Step 2. In the Name field, enter a name for the IP address or addresses.

Note: In the Type drop-down list, Host is the only option, because a DMZ service can only be translated to a single host address.

Step 3. Enter the host IP address in the IP address field.

Step 4. Click Save. The DMZ Service - Add/Edit window reappears.
