best practice for inserting ISA server behind existing PIX

We currently have a PIX in place at the edge of our corporate network.  I am looking at purchasing Microsoft's Internet Security & Acceleration Server 2004 to add layer 7 filtering and some AD based rules to our filtering/routing.  My question is how should I design this.  Here are my thoughts and someone can fill in the gaps or suggest changes as they see fit:

***INTERNET***----->(public IP)**ROUTER**(public IP)------(public ip)PIX506e(any private unused network??????)----------(???????)ISA(10.0.254.1/28)------>Core switch (4507R)

Where I'm at a loss is between the ISA server and the PIX.  Can someone plug in some addresses there that would work and tell me any other changes I'd need to make to get it set up properly.

Thanks in advance!
Network_MD Asked:

lrmoore Commented:
> best practice for inserting ISA server behind existing PIX
IMHO only, best practice is to let the PIX - a world class firewall with all the application filtering you need - be your firewall, and let the ISA do one thing it does well and be a proxy/cache server to speed up the end user experience and control access at the user level.
You're setting yourself up for hard times if you ever want to use some of the other features like the VPN capabilities of the PIX and try to then get in behind the ISA.

0
 
lrmoore Commented:
Whenever I setup a network like this, this is how I do it:

Internet -->router-->PIX Public IP
                     PIX Private IP 10.0.254.1/24
                         |
                     Core switch-->users 10.0.254.x/24
                         |
                     ISA in single-NIC Proxy only mode
                     10.0.254.2

Users IP configuration:
 IP address 10.0.254.x
 Mask 255.255.255.0  <== you can use /28 if you feel you must, I like to keep things as simple as possible
 Default GW: 10.0.254.1
 DNS server 10.0.254.2
Configure Client IE settings to use proxy 10.0.254.2

On the PIX, you can now restrict outbound access to the PROXY IP address only:
  access-list outbound_proxy permit ip host 10.0.254.2 any
  access-group outbound_proxy in interface inside

0
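A fuller version of the proxy-only PIX configuration sketched above, as an added example that is not from the thread. It uses PIX 6.x syntax (what a 506e runs); the outside addresses and the syslog collector are placeholders, and the explicit logged deny is added so that workstations sending traffic around the proxy show up in syslog.

```cisco
! Added example, not from the thread. Assumes: inside 10.0.254.1/24,
! ISA proxy at 10.0.254.2, outside router 203.0.113.1 and a syslog
! collector at 10.0.254.10 (both placeholders chosen for illustration).
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 10.0.254.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1

! Only the ISA host is translated outbound; no NAT entry for other hosts.
global (outside) 1 interface
nat (inside) 1 10.0.254.2 255.255.255.255 0 0

! Permit only the proxy out, then deny and log the rest of the inside
! network so bypass attempts are visible rather than silently dropped.
access-list outbound_proxy permit ip host 10.0.254.2 any
access-list outbound_proxy deny ip 10.0.254.0 255.255.255.0 any log
access-group outbound_proxy in interface inside

! Send the ACL denies to a collector for review.
logging on
logging timestamp
logging trap informational
logging host inside 10.0.254.10
```

Users keep 10.0.254.1 as their default gateway and 10.0.254.2 as DNS and proxy, so their only path to the Internet is through the ISA.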
 
Network_MD (Author) Commented:
This isn't going to be a single NIC ISA server. I want to leverage the application layer filtering of ISA 2004, so I'll need this ISA server to be "between" the two networks.
0
 
Network_MD (Author) Commented:
I have a pix 506e - will that do everything ISA 2004 will do?  Can it leverage my Active Directory to apply http filters per groups?  I didn't think it could.
0
 
Network_MD (Author) Commented:
I'll give it a go over the weekend and see how it goes.  I'm going to throw a 10.0.253.x/28 network between the PIX and the ISA box outside, and make the necessary route additions on the PIX and I think that should get traffic flowing anyway.  I'd really like to see how ISA performs, and we've got a new HP DL360 and the 120 eval of ISA 2004 so I might as well give it a go.  I can always go back to using just the PIX if it doesn't work.  Thanks for the feedback!
0
 
lrmoore Commented:
Let me know how it works out for you.

- Cheers!
0
 
Steve McCarthy, MCSE, MCSA, MCP x8, Network+, i-Net+, A+, CIWA, CCNA, FDLE FCIC, HIPAA Security Officer (IT Consultant, Network Engineer, Windows Network Administrator, VMware Administrator) Commented:
The PIX is not going to be able to utilize your AD Groups to apply filters per group.
0
 
Network_MD (Author) Commented:
Finally decided that you were right when you said:
---
> best practice for inserting ISA server behind existing PIX
IMHO only, best practice is to let the PIX - a world class firewall with all the application filtering you need - be your firewall, and let the ISA do one thing it does well and be a proxy/cache server to speed up the end user experience and control access at the user level.
You're setting yourself up for hard times if you ever want to use some of the other features like the VPN capabilities of the PIX and try to then get in behind the ISA.
---

I left the PIX in place, and put our ISA server off to the side with the NICs teamed.  I used a group policy to push out the ISA IP as the proxy and blocked all outbound internet access except that coming from the ISA server.  Seems to be working well so far.  This way I can still leverage AD to block/allow access by groups and still am able to utilize the application layer filtering of ISA.  I haven't poked around much with the layer 7 filtering on ISA - but theoretically I should be able to do this as I have it configured.  ISA is caching too.  Thanks for the advice!
0