Options
Configuring an ISA Server ready for installation
I’m trying to use today as constructively as possible (being ill is no fun!) and I’ve decided to start playing about with ISA Server 2004.
Now as I understand from the MS Press book that you need to have two network adapters on the ISA box configured as follows:-
Internal Adapter
• No default gateway set
• Has an address routable internally (so in the 10.x.x.x – 172.x.x.x – 192.x.x.x ranges.)
• Has the internal DNS Servers specified (if you have them). In my case these are 10.0.0.100 and 10.0.0.101
Therefore my configuration can be seen here: http://www.lukepotter.co.uk/ISA/Internal.JPG
External Adapter
• IP Address routable on the internet
• If the ISA Server is at the network edge, default gateway must be that of the ISP
• If ISA Server is doing web proxy DNS lookups on behalf of clients the DNS servers should be those of the ISP.
Currently my external adapter is configured as follows: http://www.lukepotter.co.uk/ISA/External.JPG
This is all well and good but I have a perimeter router with an address of 10.0.0.138 therefore this is my network edge. Am I configuring the external adapter correctly and in the most secure configuration? The address I’ve currently given the adapter isn’t routable on the internet so I presume I need to obtain an IP from my ISP? Or should I just configure my router to forward all traffic to the ISA Server? Then configure my clients to use the ISA server as their gateway?
If possible I don’t want to change my current router. I need to try and keep my ‘home’ network and ‘study’ networks separate.
With limited resources I’m trying to replicate a commercial environment as best possible within Vmware (DNS, DCs etc.)
Thanks in advance and sorry for the long post!
Luke
Now as I understand from the MS Press book that you need to have two network adapters on the ISA box configured as follows:-
Internal Adapter
• No default gateway set
• Has an address routable internally (so in the 10.x.x.x – 172.x.x.x – 192.x.x.x ranges.)
• Has the internal DNS Servers specified (if you have them). In my case these are 10.0.0.100 and 10.0.0.101
Therefore my configuration can be seen here: http://www.lukepotter.co.uk/ISA/Internal.JPG
External Adapter
• IP Address routable on the internet
• If the ISA Server is at the network edge, default gateway must be that of the ISP
• If ISA Server is doing web proxy DNS lookups on behalf of clients the DNS servers should be those of the ISP.
Currently my external adapter is configured as follows: http://www.lukepotter.co.uk/ISA/External.JPG
This is all well and good but I have a perimeter router with an address of 10.0.0.138 therefore this is my network edge. Am I configuring the external adapter correctly and in the most secure configuration? The address I’ve currently given the adapter isn’t routable on the internet so I presume I need to obtain an IP from my ISP? Or should I just configure my router to forward all traffic to the ISA Server? Then configure my clients to use the ISA server as their gateway?
If possible I don’t want to change my current router. I need to try and keep my ‘home’ network and ‘study’ networks separate.
With limited resources I’m trying to replicate a commercial environment as best possible within Vmware (DNS, DCs etc.)
Thanks in advance and sorry for the long post!
Luke
Comments
-
Options
sprkymrk
Member Posts: 4,884 ■■■□□□□□□□
I think the first problem you may run into is that your internal and external networks (as far as the ISA is concerned) are on the same network:
10.0.0.x /8
I would make some minor changes, such as using 10.0.0.x with a subnet mask of 255.255.255.0 for one side and 10.0.1.x and 255.255.255.0 for the other to avoid routing problems. Then yes, you can assign the ISA as DG for your internal clients and you shouldn't have to do anything additional on your router because it will see all internal traffic as coming from the ISA; therefore return traffic will go to it by default. The ISA keeps track of the ports in it's NAT/PAT table in order to make sure the right packets get returned to the right clients.All things are possible, only believe. -
Options
LukeQuake
Member Posts: 579 ■■■□□□□□□□
Thanks sprkymrk
Do you mean putting all of my 'study' network on the a /24 subnet mask? I presume this is the case because surely ISA won’t function correctly if it’s on a different network segment with no gateway between the /8 and /24?
Edit: For the record I HATE Windows Firewall!
-
OptionsLukeQuake
Member Posts: 579 ■■■□□□□□□□
Hmmm.. I’m still having bit of trouble configuring this external adapter. Should I give it the same IP address as my boarder router? (ie the one that the ISP has assigned me?)
-
OptionsTechJunky
Member Posts: 881
No. You will get a message stating that you have an IP Address conflict with an adapter with address 00:e0
x.xx.xx.xx for example.
If your routers external address is 209.112.1.2 you would want your external interface set as DHCP, unless you purchased a static IP address from your internet service provider.
If you are using NAT from the router, IE 209.112.1.2 on the router, and under LAN settings it shows 192.168.1.1, then you could setup your external adapter with an address of 192.168.1.x
I hope thats clear enough. -
Optionssprkymrk
Member Posts: 4,884 ■■■□□□□□□□
LukeQuake wrote:Do you mean putting all of my 'study' network on the a /24 subnet mask? I presume this is the case because surely ISA won’t function correctly if it’s on a different network segment with no gateway between the /8 and /24?
The ISA server has 2 interfaces and routes between them, so I'm not sure what you mean about the gateway in between. I would change both ranges to a /24 unless you need more than 254 hosts on either network.LukeQuake wrote:Hmmm.. I’m still having bit of trouble configuring this external adapter. Should I give it the same IP address as my boarder router? (ie the one that the ISP has assigned me?)
As TechJunky replied, you don't want to do that. What you should have is something like this:
Internet<-->[(ISP Assigned IP) Router (10.0.0.13
]<-->[(10.0.0.254) ISA (10.0.1.200)]<--> Internal Network on 10.0.1.x/24
So unless you have another network to worry about you should be okay. If you have a seperate study network you're trying to keep segmented from your production network you'll want to put the ISA server in back of the production network like this:
Internet<-->[(ISP Assigned IP) Router (10.0.0.13]<-->[(Internal Network on 10.0.0.x/24]<-->[(10.0.0.254) ISA (10.0.1.200)]<--> Study Network on 10.0.1.x/24 All things are possible, only believe. -
OptionsLukeQuake
Member Posts: 579 ■■■□□□□□□□
Thanks very much for the help!
I’ll have a little play around this weekend and see if I can get things up and running. Apologies for my earlier post as it may have been a tad confusing I meant reassigning my gateways external IP to the ISA server and setting the ISA Server as the gateway.
Regards,
Luke
