ISA Server 2006 Dual NIC / Separator/Back-end Firewall

wedge1988 Member Posts: 434
Hi guys,

Got a bit of a problem. We have just bought ISA Server 2006 to give us more control over our infrastructure; however, I'm at a loss as to how to set the thing up. You see, we have a dedicated internet server, which is controlled externally. Anyways, hope somebody can help me, it's driving me mad! Here is a diagram, and how it is physically set up also.

[image: ssetupdb8.png]

Our internal address range is 10.1.4.2 - 10.1.7.255 (10.1.4.1 is the managed server)

We are not allowed to have any other type of address because it is managed externally. When I try to set the network cards up, only one will be able to connect to either the internal LAN or the external, depending on which card is disabled.

Is there anything I can do? Help!
~ wedge1988 ~ IdioT Certified~
MCSE:2003 ~ MCITP:EA ~ CCNP:R&S ~ CCNA:R&S ~ CCNA:Voice ~ Office 2000 MASTER ~ A+ ~ N+ ~ C&G:IT Diploma ~ Ofqual Entry Japanese

Comments

    HeroPsycho Inactive Imported Users Posts: 1,940
    Add a third NIC to the ISA server, set up the three-pronged template, stick the management server and DMZ switch in the DMZ network/NIC, internal on the Internal network, External NIC on your WAN link.

    Simply then publish resources necessary on the management server through ISA.

    Is there a reason you're not wanting to do this?
    Good luck to all!
    wedge1988 Member Posts: 434
    No reason, I just don't know much about ISA Server!

    HeroPsycho wrote:
    Is there a reason you're not wanting to do this?

    Anyways, I can add another NIC to the equation, but that still doesn't fix my problem. As far as I am aware, linking the ISA server to the switch is the same as the 3-way setup? Since all DMZ servers will be on the switch which is between the ISA server and the managed server.

    Am I right?
    darkerosxx Banned Posts: 1,343
    I think what he was saying is this:

    (Imagine the dashes aren't there)

        WAN/Internet
             |
             |
         ISA Server
           /      \
    DMZ Switch   Internal Network
        |
    Managed Server

    That it?
    wedge1988 Member Posts: 434
    Sorry guys, you both have the wrong idea.

    -> the managed server is a linux BB Box with a Firewall built in (Front-end)

    -> the DMZ comes next

    -> the ISA Server is linked to the DMZ switch

    -> the ISA Server is also connected to the internal network.

    I believe this is the topology used:

    [image: topologyyy6.png]

    And my problem is actually getting both connections to work together at the same time. Remember that it's not an external address I'm using to link to the internet; I'm using a private address because the front-end firewall connects with a public address. (Not managed by me in any way)
    HeroPsycho Inactive Imported Users Posts: 1,940
    For clarity next time, please say your "managed server" is a firewall, because that's what it is.

    You would use the back firewall template included with ISA 2006 if you do not wish to provide DMZ hosts protection with ISA.

    You're gonna have to change the IP on the internal NIC of your linux box, assign the .1 address to the internal NIC on the ISA server, and set the external NIC on the ISA server and the internal NIC on the linux server to IPs on the same subnet.

    Or you could subnet your network, with one subnet on your internal, and a second in your DMZ network.

    ISA doesn't transcend the rules of TCP/IP, sorry.

    What specific functionality are you looking to gain from ISA? Control of web traffic, or all types of traffic? Are you looking to securely publish access to all internal resources, or just web servers?
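A quick way to sanity-check the subnetting HeroPsycho describes is to model the addressing plan and test it against the rules of TCP/IP routing he refers to. The Python below is an added example, not code from the thread or from ISA Server: it treats the thread's 10.1.4.2-10.1.7.255 allocation as 10.1.4.0/22, splits it into a DMZ /23 and an internal /23 (which half is which, and the .1/.2/.3 host numbers, are this example's assumptions), and flags the conditions under which ISA's two NICs cannot both be used, including the original single-subnet layout that produced the "only one card connects" symptom.

```python
"""Addressing-plan check for a back-end firewall layout (added example).

Assumed layout, not the thread's diagram:
  linux front-end firewall (inside NIC) -- DMZ subnet -- ISA external NIC
  ISA internal NIC -- internal subnet -- workstations
The allocation 10.1.4.2-10.1.7.255 from the thread is the host range of
10.1.4.0/22; splitting it into two /23s, DMZ first and internal second,
is this example's choice.
"""
import ipaddress

ALLOCATION = ipaddress.ip_network("10.1.4.0/22")  # 10.1.4.0-10.1.7.255, from the thread


def split_allocation(block=ALLOCATION, new_prefix=23):
    """Carve the block into two equal subnets, returned as (dmz, internal). Order is assumed."""
    halves = list(block.subnets(new_prefix=new_prefix))
    if len(halves) < 2:
        raise ValueError("block too small to split into two subnets")
    return halves[0], halves[1]


def build_plan(block=ALLOCATION):
    """Propose interface addresses from the split; the host numbers are assumptions."""
    dmz, internal = split_allocation(block)
    dmz_hosts = list(dmz.hosts())
    int_hosts = list(internal.hosts())
    return {
        "dmz": str(dmz),
        "internal": str(internal),
        "firewall_inside": f"{dmz_hosts[0]}/{dmz.prefixlen}",      # linux box keeps .1 in the DMZ
        "isa_external": f"{dmz_hosts[1]}/{dmz.prefixlen}",         # ISA's DMZ-facing NIC
        "isa_internal": f"{int_hosts[0]}/{internal.prefixlen}",    # ISA's LAN-facing NIC, the LAN gateway
    }


def check_plan(plan):
    """Return routing problems as strings; an empty list means ISA can route between its NICs."""
    problems = []
    dmz = ipaddress.ip_network(plan["dmz"])
    internal = ipaddress.ip_network(plan["internal"])
    fw_inside = ipaddress.ip_interface(plan["firewall_inside"])
    isa_ext = ipaddress.ip_interface(plan["isa_external"])
    isa_int = ipaddress.ip_interface(plan["isa_internal"])

    if dmz.overlaps(internal):
        problems.append(f"DMZ {dmz} overlaps internal {internal}")
    if isa_ext.network == isa_int.network:
        problems.append(f"ISA NICs share subnet {isa_ext.network}: only one can be used, "
                        "which is the symptom described in the thread")
    if fw_inside.network != isa_ext.network:
        problems.append("firewall inside NIC and ISA external NIC are not on the same subnet")
    if isa_ext.ip not in dmz:
        problems.append(f"ISA external address {isa_ext.ip} is outside the DMZ {dmz}")
    if isa_int.ip not in internal:
        problems.append(f"ISA internal address {isa_int.ip} is outside the internal subnet {internal}")
    addrs = [fw_inside.ip, isa_ext.ip, isa_int.ip]
    if len(set(addrs)) != len(addrs):
        problems.append("duplicate address among firewall and ISA interfaces")
    return problems


# The original single-subnet attempt: every interface inside one 10.1.4.0/22 (constructed).
ORIGINAL_PLAN = {
    "dmz": "10.1.4.0/22", "internal": "10.1.4.0/22",
    "firewall_inside": "10.1.4.1/22", "isa_external": "10.1.4.2/22", "isa_internal": "10.1.4.3/22",
}

if __name__ == "__main__":
    print("original layout:", check_plan(ORIGINAL_PLAN))
    proposed = build_plan()
    print("proposed plan:", proposed)
    print("proposed problems:", check_plan(proposed))
```

Running it reports two problems for the original layout (overlapping subnets and both ISA NICs on the same subnet) and none for the split plan, where the linux box and ISA's external NIC share 10.1.4.0/23 and ISA's internal NIC becomes the gateway of 10.1.6.0/23. Once ISA holds the gateway address of the internal subnet, it is the router between the two halves, which is the sense in which no separate router is needed.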
    wedge1988 Member Posts: 434
    Thanks for your reply. Just as I suspected!

    I can subnet my internal network because it's not on the net and will be "NATed" when data goes through to the DMZ/external.

    I can leave the DMZ subnet as 10.1.x.x because it connects directly to the managed linux/firewall server for the external connections.

    (Doing both this way should not affect the assigned addresses to us)

    I'm assuming that I don't need a router to place between the ISA server and the switch?

    -> I want to be able to control connections to the internet better for users within the organisation. The fact I can integrate it with our 2-way domain trust is very useful because I can capture and restrict more. For example, at the moment, I cannot restrict access to the file types of ".mp3" and I have no clear way of seeing what banned websites have been accessed, which in ISA can be done using the reporting monitor tool. etc etc.

    Plus, it will allow me to have more ports unblocked for the DMZ without risking the internal infrastructure.

    thanks.
    wedge1988 Member Posts: 434
    Just out of curiosity; could I just change the address to:

    10.1.7.x replacing the .4 with a .7?
    HeroPsycho Inactive Imported Users Posts: 1,940
    wedge1988 wrote:
    Thanks for your reply. Just as I suspected!

    I can subnet my internal network because it's not on the net and will be "NATed" when data goes through to the DMZ/external.

    I can leave the DMZ subnet as 10.1.x.x because it connects directly to the managed linux/firewall server for the external connections.

    (Doing both this way should not affect the assigned addresses to us)

    I'm assuming that I don't need a router to place between the ISA server and the switch?

    -> I want to be able to control connections to the internet better for users within the organisation. The fact I can integrate it with our 2-way domain trust is very useful because I can capture and restrict more. For example, at the moment, I cannot restrict access to the file types of ".mp3" and I have no clear way of seeing what banned websites have been accessed, which in ISA can be done using the reporting monitor tool. etc etc.

    Plus, it will allow me to have more ports unblocked for the DMZ without risking the internal infrastructure.

    thanks.

    Understand that your ISA server is becoming a router. Do you need another router? No.

    You've left an awful lot off your initial posts that would have been vital to know to help give you advice. You seem to be suggesting your DMZ network is already a different subnet than your internal network. That makes this a lot easier. Yes, you could have your DMZ network as one 10.1.X.X/16 subnet, and your internal as another.

    If you're only looking to regulate web browser access, and you don't wish to publish through ISA anything but web based traffic, you don't even need to integrate ISA into the routing of your network. Just add it just like another server and use the single network template, and point your clients to the ISA server as a web proxy, and deny outbound web traffic from your workstations on your linux firewall, while granting access from the ISA server.
    wedge1988 Member Posts: 434
    HeroPsycho wrote:
    If you're only looking to regulate web browser access, and you don't wish to publish through ISA anything but web based traffic, you don't even need to integrate ISA into the routing of your network. Just add it just like another server and use the single network template, and point your clients to the ISA server as a web proxy, and deny outbound web traffic from your workstations on your linux firewall, while granting access from the ISA server.

    I thought of doing this initially, but I can't because the provider for the managed firewall box will only change ports, and even then I have to write down what I need doing and it takes 2 weeks lol. But that's what I would have initially done.

    I was playing with the settings this morning and it seems that creating a networking bridge also gives me a connection to both sides, but i doubt ISA would work because its the same address for the internal & External connections.

    Thanks for all of your help! I can't believe all I needed to know was to subnet the stuff... lol.
    HeroPsycho Inactive Imported Users Posts: 1,940
    wedge1988 wrote:
    If you're only looking to regulate web browser access, and you don't wish to publish through ISA anything but web based traffic, you don't even need to integrate ISA into the routing of your network. Just add it just like another server and use the single network template, and point your clients to the ISA server as a web proxy, and deny outbound web traffic from your workstations on your linux firewall, while granting access from the ISA server.

    I thought of doing this initially, but I can't because the provider for the managed firewall box will only change ports, and even then I have to write down what I need doing and it takes 2 weeks lol. But that's what I would have initially done.

    I was playing with the settings this morning and it seems that creating a networking bridge also gives me a connection to both sides, but I doubt ISA would work because it's the same address for the internal & external connections.

    Thanks for all of your help! I can't believe all I needed to know was to subnet the stuff... lol.

    In order for ISA to regulate traffic other than HTTP/HTTPS, traffic must go in one NIC and out another. Unless you integrate ISA into the routing of your network, your clients could bypass ISA provided they have the ability to route around it, which they would likely have if you don't integrate ISA into your network's routing. No, you can't use a network bridge.

    I will say, with no offense to you, it doesn't sound like you have much ISA knowledge, and it's very likely you will not set up ISA according to best practices, and you very well may end up setting it up incorrectly. I would highly suggest reading the Tom Shinder book sections regarding initial setup and how to create policies, setup clients, etc. before you proceed, or get training, or hire a consultant.
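The proxy-only deployment HeroPsycho suggested (ISA as "just another server", workstations pointed at it as a web proxy, the linux firewall denying direct web traffic from workstations but allowing it from ISA) and the caveat in his last reply can be checked against a small model of the front-end firewall's forwarding policy. The Python below is an added example, not the thread's or ISA's code; the 10.1.6.0/23 workstation subnet, the ISA address 10.1.6.10, the rule format and the sample flows are all constructed for it.

```python
"""Model of the managed firewall's forwarding policy in the proxy-only design (added example).

Everything here is constructed: the workstation subnet, the ISA address, the
first-match rule format and the sample flows. The point it shows is that the
two rules HeroPsycho describes only constrain HTTP/HTTPS; any other port goes
straight out without ISA ever seeing it.
"""
from dataclasses import dataclass
from typing import FrozenSet, Optional
import ipaddress

INTERNAL = ipaddress.ip_network("10.1.6.0/23")    # assumed workstation subnet
ISA_PROXY = ipaddress.ip_address("10.1.6.10")     # assumed address of ISA on the internal LAN
WEB = frozenset({80, 443})


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dports: Optional[FrozenSet[int]]   # None matches any destination port
    action: str                        # "allow" or "deny"


def forwards(rules, src_ip, dport, default="allow"):
    """First matching rule wins, as in a FORWARD chain; `default` is the chain policy."""
    src = ipaddress.ip_address(src_ip)
    for rule in rules:
        if src in rule.src and (rule.dports is None or dport in rule.dports):
            return rule.action == "allow"
    return default == "allow"


# Starting state (assumed): the managed firewall forwards anything from the LAN.
UNRESTRICTED = []

# The rule pair from the thread: only the ISA proxy may browse; workstations may not go direct.
PROXY_ENFORCED = [
    Rule(ipaddress.ip_network(f"{ISA_PROXY}/32"), WEB, "allow"),
    Rule(INTERNAL, WEB, "deny"),
]

# Constructed sample flows arriving at the front-end firewall: (source, dst port, description).
FLOWS = [
    ("10.1.6.10", 80, "ISA fetching a page on behalf of a proxy client"),
    ("10.1.6.50", 80, "workstation browsing directly with the proxy setting removed"),
    ("10.1.6.50", 443, "workstation HTTPS directly"),
    ("10.1.6.50", 25, "workstation SMTP, not web traffic"),
]


def bypass_report(rules, flows=FLOWS):
    """Describe the flows that reach the internet without passing through ISA."""
    return [desc for src, port, desc in flows
            if ipaddress.ip_address(src) != ISA_PROXY and forwards(rules, src, port)]


if __name__ == "__main__":
    for name, rules in (("unrestricted", UNRESTRICTED), ("proxy enforced", PROXY_ENFORCED)):
        print(f"{name}: bypassing ISA -> {bypass_report(rules)}")
```

With no rules, all three workstation flows bypass ISA. With the two rules in place the direct HTTP and HTTPS flows are dropped at the linux firewall, but the SMTP flow is still forwarded: the proxy-only design regulates only the web traffic that clients voluntarily send to the proxy, which is why regulating anything else requires ISA to sit in the routing path with traffic entering one NIC and leaving the other.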