exp_ee
asked on
ISA Server (Cache Mode) in DMZ
Hi,
I am going to have a network something like this
Internet ---------- Hardware Firewall ---------------- Internal Network (10.0.20.0)
                            |
                            |
                            |
                      DMZ (172.16.0.0)
I will be placing ISA 2004 in the DMZ. I want to allow the users to have internet access based on domain username. Do I need to have 2 NIC cards (1 for DMZ and 1 for Internal) on the ISA server, or will only 1 do? If I use only one, then how will the clients in the Internal Network communicate with the ISA Server? What ports should be open on the firewall for Internal and External network communication?
I do not want to make the ISA server a firewall and place the DMZ between 2 firewalls.
Any other suggestions will be highly appreciated.
Exp_ee
ASKER
The customer I am working with is hard to convince of the benefits of a hardware firewall as the external firewall and ISA server as the internal firewall; he wants to stick to the above design.
Now, if I keep the ISA server in the DMZ (cache only) as a standalone machine with 2 NIC cards (without joining it to the domain), how should I proceed? Can I give internet access to users based on domain username and password?
Please bear with me as I am new to ISA.
I am in a predicament here.
I hear what you say in that you are new to ISA, and I am more than happy to work with you to move forward at whatever pace suits you. However, after performing ISA installations that now number in the three figures, it is not a configuration I would recommend to any company or user, nor would I support such an installation. Therefore I am not comfortable advising you on such a course.
I am not saying it cannot be done; some of my colleagues within Experts-Exchange may have different views so I will leave this call to them to progress.
Regards
Keith
ASKER
If I use only one NIC card in the ISA server (cache-only mode) in the DMZ, what ports should be open on the hardware firewall from DMZ to LAN and LAN to DMZ?
ASKER
In addition to the above question, if the ISA is in the DMZ and cannot be pinged by workstations, which address will be specified in the browser settings?
ASKER CERTIFIED SOLUTION
ASKER
I know that the design I am proceeding with is not recommended, but I have no other way from the customer.
Thanks, Dushan, for showing a direction. Now the ISA will be a part of the domain in the DMZ (don't scream, please), and members of a Windows security group will be allowed to access the internet. Apart from the static route, do I need to have any other ports open from DMZ to Internal and vice versa for the authentication and so on?
Yes. You should open the ports in both directions as required. You can double-check whether the ports are working via the telnet command.
BR Dushan
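The telnet check Dushan suggests, written out as a small script that can be run from the ISA host in the DMZ against a domain controller on the internal network (and, for the other direction, from an internal workstation against the ISA proxy listener). This is an added example, not code from the thread or from anyone posting in it. The port table is my assumption: it is the standard set of TCP ports a Windows domain member needs to reach a domain controller, plus the ISA 2004 default web-proxy port of 8080; the thread itself never lists ports, and the hostnames and addresses are placeholders. A TCP connect only proves the handshake completes through the firewall; it cannot test UDP (Kerberos and DNS also use UDP 88 and 53) or the RPC dynamic port range that Netlogon and Group Policy need after the endpoint mapper on 135.

```python
"""Port reachability check between the DMZ and the internal network.

Added example: equivalent of "telnet <host> <port>" for each port a
domain-joined ISA host must reach on a DC. The port list and addresses
below are assumptions, not values from the forum thread.
"""
import socket
from dataclasses import dataclass

# Assumption: standard Windows domain-member -> domain-controller TCP ports.
# Not exhaustive: the RPC dynamic range (after 135) and UDP 53/88/123 are not
# covered by a plain TCP connect test.
DC_TCP_PORTS = {
    53: "DNS",
    88: "Kerberos",
    135: "RPC endpoint mapper",
    389: "LDAP",
    445: "SMB (Netlogon, Group Policy)",
    464: "Kerberos password change",
    3268: "Global Catalog",
}

# Assumption: ISA 2004 default web proxy listener; internal clients point
# their browser at the ISA DMZ address on this port.
PROXY_TCP_PORTS = {8080: "ISA web proxy"}


@dataclass
class CheckResult:
    host: str
    port: int
    service: str
    reachable: bool


def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP three-way handshake completes, which is what telnet
    shows as a blank screen instead of 'Could not open connection'."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable, DNS failure
        return False


def check_ports(host, ports, timeout=3.0):
    """Run the connect test for every port in the table; returns a list."""
    return [CheckResult(host, port, service, tcp_reachable(host, port, timeout))
            for port, service in ports.items()]


def blocked(results):
    """Subset of results the firewall (or a missing listener) is blocking."""
    return [r for r in results if not r.reachable]


def loopback_listener():
    """Open a listening socket on an ephemeral loopback port so the check
    can be exercised offline. Returns (socket, port); close the socket to
    turn the port into a 'blocked' case."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    dc = "10.0.20.10"   # placeholder: a DC on the internal network
    isa = "172.16.0.10"  # placeholder: ISA host on the DMZ network
    for host, table in ((dc, DC_TCP_PORTS), (isa, PROXY_TCP_PORTS)):
        for r in check_ports(host, table, timeout=1.0):
            state = "OK  " if r.reachable else "FAIL"
            print(f"{state} {r.host}:{r.port:<5} {r.service}")
```

Run it once from each side of the hardware firewall: from the ISA host the DC table must come back all OK before the domain join will succeed, and from a workstation the proxy table tells you whether the DMZ address you put in the browser is actually reachable on 8080, independent of whether ping is allowed.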
As an 'other suggestion',
Internet ---------- ISA External / ISA Internal ----- Internal network
                            ISA DMZ
                               |
                               |
Put three NICs in ISA: internal, external, perimeter (DMZ).
Gives you the full capability of ISA, including firewall and proxy.
Allows publishing of all services.
Allows ISA client etc. and SecureNAT.
You can use ordinary routing between the ISA interfaces, allowing the external firewall to perform the required NAT activities. A win-win situation.
As for which ports you want open: what do you want ISA to do? This will dictate the ports.
Keith
ISA MCT