Solved

best practice for inserting ISA server behind existing PIX

Posted on 2005-03-04
Last Modified: 2013-11-16
We currently have a PIX in place at the edge of our corporate network.  I am looking at purchasing Microsoft's Internet Security & Acceleration Server 2004 to add layer 7 filtering and some AD based rules to our filtering/routing.  My question is how should I design this.  Here are my thoughts and someone can fill in the gaps or suggest changes as they see fit:

***INTERNET***----->(public IP)**ROUTER**(public IP)------(public ip)PIX506e(any private unused network??????)----------(???????)ISA(10.0.254.1/28)------>Core switch (4507R)

Where I'm at a loss is between the ISA server and the PIX.  Can someone plug in some addresses there that would work and tell me any other changes I'd need to make to get it set up properly.

Thanks in advance!
Question by:Network_MD
8 Comments
 
LVL 79

Expert Comment

by:lrmoore
ID: 13463685
Whenever I setup a network like this, this is how I do it:

Internet -->router-->PIX Public ip
                               PIX Private IP 10.0.254.1/24
                                   |
                                   |Core switch-->users 10.0.254.x/24
                                             |
                                           ISA in single-NIC Proxy only mode
                                            10.0.254.2

Users IP configuration:
 IP address 10.0.254.x
 Mask 255.255.255.0  <== you can use /28 if you feel you must, I like to keep things as simple as possible
 Default GW: 10.0.254.1
 DNS server 10.0.254.2
Configure Client IE settings to use proxy 10.0.254.2

On the PIX, you can now restrict outbound access to the PROXY IP address only:
  access-list outbound_proxy permit ip host 10.0.254.2 any
  access-group outbound_proxy in interface inside

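The PIX access-group in the comment above is the piece of the design that actually enforces "only the proxy talks to the Internet". As an added example (not from the original thread or from either product's documentation), here is a small Python model of PIX first-match ACL evaluation with its implicit deny, run over constructed sample flows to show which inside hosts would be dropped, i.e. which workstations are missing the proxy setting. Addresses other than 10.0.254.2 and the ACL itself are assumed.

```python
import ipaddress
from dataclasses import dataclass

# Constructed model of the inside access-group from the comment above:
#   access-list outbound_proxy permit ip host 10.0.254.2 any
#   access-group outbound_proxy in interface inside
# A PIX evaluates an access-list top-down, first match wins, and every
# access-group ends with an implicit deny for flows no entry matched.

@dataclass(frozen=True)
class Ace:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network

def host(addr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(f"{addr}/32")

ANY = ipaddress.ip_network("0.0.0.0/0")

# The single entry lrmoore suggests: only the ISA proxy may leave the LAN.
OUTBOUND_PROXY = [Ace("permit", "ip", host("10.0.254.2"), ANY)]

def evaluate(acl, proto: str, src: str, dst: str) -> str:
    """Return 'permit' or 'deny' for one flow, PIX-style first match."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for ace in acl:
        if ace.proto in ("ip", proto) and s in ace.src and d in ace.dst:
            return ace.action
    return "deny"    # implicit deny at the end of the access-group

def bypass_attempts(acl, flows, proxy: str = "10.0.254.2"):
    """Inside hosts other than the proxy whose outbound flows the PIX drops.
    Each one is a client whose proxy setting is missing or being ignored."""
    return sorted({src for proto, src, dst in flows
                   if src != proxy and evaluate(acl, proto, src, dst) == "deny"})

# Constructed sample flows crossing the inside interface: (proto, src, dst)
SAMPLE_FLOWS = [
    ("tcp", "10.0.254.2", "198.51.100.10"),    # ISA fetching on behalf of users
    ("udp", "10.0.254.2", "198.51.100.53"),    # ISA resolving DNS for the LAN
    ("tcp", "10.0.254.37", "198.51.100.10"),   # workstation going direct, no proxy set
    ("udp", "10.0.254.37", "198.51.100.53"),   # same box using an external DNS server
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "->", evaluate(OUTBOUND_PROXY, *flow))
    print("hosts bypassing the proxy:", bypass_attempts(OUTBOUND_PROXY, SAMPLE_FLOWS))
```

In the real deployment the same list comes from the PIX's own 106023 deny syslog messages rather than a constructed list, but the question to ask of it is identical.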

Author Comment

by:Network_MD
ID: 13463746
This isn't going to be a single NIC ISA server. I want to leverage the application layer filtering of ISA 2004, so I'll need this ISA server to be "between" the two networks.
LVL 79

Accepted Solution

by:
lrmoore earned 1000 total points
ID: 13463795
> best practice for inserting ISA server behind existing PIX
IMHO only, best practice is to let the PIX - a world class firewall with all the application filtering you need - be your firewall, and let the ISA do one thing it does well and be a proxy/cache server to speed up the end user experience and control access at the user level.
You're setting yourself up for hard times if you ever want to use some of the other features like the VPN capabilities of the PIX and try to then get in behind the ISA.


Author Comment

by:Network_MD
ID: 13463814
I have a pix 506e - will that do everything ISA 2004 will do?  Can it leverage my Active Directory to apply http filters per groups?  I didn't think it could.

Author Comment

by:Network_MD
ID: 13464055
I'll give it a go over the weekend and see how it goes.  I'm going to throw a 10.0.253.x/28 network between the PIX and the ISA box outside, and make the necessary route additions on the PIX and I think that should get traffic flowing anyway.  I'd really like to see how ISA performs, and we've got a new HP DL360 and the 120 eval of ISA 2004 so I might as well give it a go.  I can always go back to using just the PIX if it doesn't work.  Thanks for the feedback!
LVL 79

Expert Comment

by:lrmoore
ID: 13475812
Let me know how it works out for you.

- Cheers!
LVL 16

Expert Comment

by:samccarthy
ID: 13477026
The PIX is not going to be able to utilize your AD Groups to apply filters per group.

Author Comment

by:Network_MD
ID: 13618046
Finally decided that you were right when you said:
---
> best practice for inserting ISA server behind existing PIX
IMHO only, best practice is to let the PIX - a world class firewall with all the application filtering you need - be your firewall, and let the ISA do one thing it does well and be a proxy/cache server to speed up the end user experience and control access at the user level.
You're setting yourself up for hard times if you ever want to use some of the other features like the VPN capabilities of the PIX and try to then get in behind the ISA.
---

I left the PIX in place, and put our ISA server off to the side with the NICs teamed.  I used a group policy to push out the ISA IP as the proxy and blocked all outbound internet access except that coming from the ISA server.  Seems to be working well so far.  This way I can still leverage AD to block/allow access by groups and still am able to utilize the application layer filtering of ISA.  I haven't poked around much with the layer 7 filtering on ISA - but theoretically I should be able to do this as I have it configured.  ISA is caching too.  Thanks for the advice!