ISA Server (Cache Mode) in DMZ

Hi,
I am going to have a network something like this

Internet ----------Hardware Firewall-----------------Internal Network (10.0.20.0)
                                 |
                                 |
                                 |
                              DMZ (172.16.0.0)

I will be placing ISA 2004 in the DMZ. I want to allow the users to have internet access based on Domain Username. Do I need to have 2 NIC cards (1 for DMZ & 1 for Internal) on the ISA server, or will only 1 do? If I use only one, then how will the clients in the Internal Network communicate with the ISA Server? WHAT PORTS SHOULD BE OPEN on the firewall for Internal & External network communication?
I do not want to make the ISA server a firewall and place the DMZ between 2 firewalls.

Any other suggestions would be highly appreciated.

Keith Alabaster commented:
I'll leave your design to others to comment on as I cannot see the purpose/need/benefit.

As an 'other suggestion',

         Internet ---------- Isa External   Isa Internal ----- Internal network
                                               ISA DMZ
                                                    |
                                                    |

Put three NICs in ISA: Internal, External, Perimeter (DMZ).
Gives you the full capability of ISA, including firewall and proxy.
Allows publishing of all services.
Allows the ISA client etc. and SecureNAT.
You can use ordinary routing between the ISA interfaces, allowing the external firewall to perform the required NAT activities. WIN-WIN condition.
As for which ports you want open: what do you want ISA to do? This will dictate the ports.

Keith
ISA MCT
 
exp_ee (Author) commented:
The customer I am working with is hard to convince of the benefits of a hardware firewall as the external firewall and ISA Server as the internal firewall, and he wants to stick to the above design.
Now, if I keep the ISA server in the DMZ (cache only) as a stand-alone server with 2 NIC cards (without joining it to the domain), how should I proceed? Can I give internet access to users based on domain username & password?
Please bear with me as I am new to ISA.
 
Keith Alabaster commented:
I am in a predicament here.

I hear what you say in that you are new to ISA, and I am more than happy to work with you to move forward at whatever pace suits you. However, after performing ISA installations that now number in the three figures, it is not a configuration I would recommend to any company or user, nor would I support such an installation. Therefore I am not comfortable advising you on such a course.

I am not saying it cannot be done; some of my colleagues within Experts-Exchange may have different views so I will leave this call to them to progress.

Regards

Keith

 
exp_ee (Author) commented:
If I use only one NIC card in the ISA server (cache-only mode) in the DMZ, what ports should be open on the hardware firewall from DMZ to LAN & LAN to DMZ?
 
exp_ee (Author) commented:
In addition to the above question, if the ISA is in the DMZ and cannot be pinged by workstations, which address should be specified in the browser settings?
 
Dushan De Silva commented:
There are a couple of ways you can get access from the DMZ to internal. One of them is to create rules on ISA for DMZ-to-internal policy settings. Another way is to use static routes and a router. And the way you mentioned, with dual NICs, is also a possibility. I would suggest going for ISA rules or static routes.


BR Dushan
 
exp_ee (Author) commented:
I know that the design I am proceeding with is not recommended, but I have no other way with the customer.
Thanks, Dushan, for showing a direction. Now the ISA will be a part of the domain in the DMZ (don't scream, please) and members of a Windows security group will be allowed to access the internet. Apart from the static route, do I need to have any other ports open from DMZ to Internal and vice versa for the authentication and so on?
 
Dushan De Silva commented:
Yes. You should open the ports in both directions as required. You can double-check whether the ports are working via the telnet command.

BR Dushan
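Added example, not from the thread or from any of the participants: the "double-check via telnet" advice above, scripted so that every opening the hardware firewall needs between the DMZ-hosted, domain-joined ISA server and the internal network is probed in one pass, from the correct side of the firewall. The addresses are placeholders chosen from the subnets in the question (10.0.20.0 internal, 172.16.0.0 DMZ), and the port list is my assumption based on standard Windows Server 2003 domain-member traffic (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB, kpasswd, global catalog) plus ISA 2004's default web proxy listener on TCP 8080; the thread itself names none of these.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): probe the TCP openings a domain-joined
# ISA Server 2004 in the DMZ relies on, the way the "telnet to each port"
# advice suggests, but over the whole list in one pass.
#
# Addresses are placeholders from the subnets in the question; the port list
# is an assumption based on standard Windows Server 2003 domain-member traffic
# and ISA's default web proxy listener, not something the thread states.
DC_INTERNAL="${DC_INTERNAL:-10.0.20.10}"   # assumed domain controller + DNS
ISA_DMZ="${ISA_DMZ:-172.16.0.10}"          # assumed ISA server in the DMZ

# One entry per line: direction, destination host, TCP port, purpose.
# dmz-to-internal is what the ISA box needs to join and authenticate to the
# domain; internal-to-dmz is what workstations need to reach the proxy listener.
required_ports() {
  cat <<EOF
dmz-to-internal $DC_INTERNAL 53 DNS
dmz-to-internal $DC_INTERNAL 88 Kerberos
dmz-to-internal $DC_INTERNAL 135 RPC-endpoint-mapper
dmz-to-internal $DC_INTERNAL 389 LDAP
dmz-to-internal $DC_INTERNAL 445 SMB
dmz-to-internal $DC_INTERNAL 464 Kerberos-kpasswd
dmz-to-internal $DC_INTERNAL 3268 LDAP-global-catalog
internal-to-dmz $ISA_DMZ 8080 ISA-web-proxy
EOF
}

# Caveat: UDP (DNS 53, Kerberos 88, NTP 123) and the RPC dynamic range handed
# out by the endpoint mapper (1025-5000 on Windows Server 2003) cannot be
# validated by a TCP connect to a single port; confirm those in the rule base.

# TCP connect test with a 3 s timeout. Returns 0 if the port accepted the
# connection, non-zero if it was refused, filtered, or the host is unreachable.
check_tcp() {
  host=$1; port=$2
  timeout 3 bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
}

# Run every check for one side of the firewall: "dmz-to-internal" from the ISA
# server, "internal-to-dmz" from a workstation. Returns the number of failures.
run_checks() {
  side=$1; failures=0
  list=$(mktemp)
  required_ports >"$list"
  while read -r dir host port purpose; do
    [ "$dir" = "$side" ] || continue
    if check_tcp "$host" "$port"; then
      printf 'OK    %-15s %-5s %s\n' "$host" "$port" "$purpose"
    else
      printf 'FAIL  %-15s %-5s %s\n' "$host" "$port" "$purpose"
      failures=$((failures + 1))
    fi
  done <"$list"
  rm -f "$list"
  return "$failures"
}

# Usage: ./isa_ports.sh dmz-to-internal   (on the ISA server in the DMZ)
#        ./isa_ports.sh internal-to-dmz   (on an internal workstation)
if [ "${1:-}" = "dmz-to-internal" ] || [ "${1:-}" = "internal-to-dmz" ]; then
  run_checks "$1"
fi
```

A FAIL for a dmz-to-internal entry means the ISA server will not be able to authenticate users against the domain regardless of how its access rules are written, so this is worth running from the ISA box before touching the ISA configuration at all. The internal-to-dmz probe of 8080 answers the browser-settings question as well: the proxy address clients get is the ISA server's DMZ interface and its web proxy port, and that port needs to be reachable even if ICMP to the DMZ is blocked.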
