ISA Server (Cache Mode) in DMZ

I am going to have a network something like this

Internet ----------Hardware Firewall-----------------Internal Network (
                              DMZ (

I will be placing ISA 2004 in the DMZ. I want to allow the users to have internet access based on Domain Username. Do I need to have 2 NIC cards (1 for DMZ & 1 for Internal) on the ISA server, or will only 1 do? If I use only one, then how will the clients in the Internal Network communicate with the ISA Server? WHAT PORTS SHOULD BE OPEN on the firewall for Internal & External network communication?
I do not want to make the ISA server a firewall and place the DMZ in between 2 firewalls.

Any other suggestions will be highly recommended.


Keith Alabaster, Enterprise Architect, commented:
I'll leave your design to others to comment on as I cannot see the purpose/need/benefit.

As an 'other suggestion',

         Internet ---------- Isa External   Isa Internal ----- Internal network
                                               ISA DMZ

Put three NICs in ISA: Internal, External, Perimeter (DMZ).
Gives you full capability of ISA including firewall and proxy.
Allows publishing of all services.
Allows the ISA client etc. and SecureNAT.
You can use ordinary routing between ISA interfaces, allowing the external firewall to perform the required NAT activities. WIN-WIN condition.
As for which ports you want open, what do you want ISA to do? This will dictate the ports.

exp_ee (Author) commented:
The customer with whom I am working is hard to convince of the benefits of a hardware firewall as the external firewall and ISA server as the internal firewall; he wants to stick to the above design.
Now if I keep the ISA server in the DMZ (cache only) as a stand-alone with 2 NIC cards (without joining it to the domain), how should I proceed? Can I give internet access to users based on domain username & password?
Please bear with me as I am new to ISA.
Keith Alabaster, Enterprise Architect, commented:
I am in a predicament here.

I hear what you say in that you are new to ISA and I am more than happy to work with you to move forward at whatever pace suits you. However, after performing ISA installations that now number in the three figures, it is not a configuration I would recommend to any company or user, nor would I support such an installation. Therefore I am not comfortable advising you on such a course.

I am not saying it cannot be done; some of my colleagues within Experts-Exchange may have different views so I will leave this call to them to progress.

exp_ee (Author) commented:
If I use only one NIC card in the ISA server (cache-only mode) in the DMZ, what ports should be open on the hardware firewall from DMZ to LAN & LAN to DMZ?
exp_ee (Author) commented:
In addition to the above question, if the ISA is in the DMZ and cannot be pinged by workstations, which address will be specified in the browser settings?
Dushan De Silva, Technology Architect, commented:
There are a couple of ways you can get access from the DMZ to internal. One of them is to create rules on ISA for the DMZ-to-internal policy settings. Another way is to use static routes and the router. And the way you mentioned with dual NICs is also a possibility. I would suggest going for ISA rules or static routes.

BR Dushan

exp_ee (Author) commented:
I know that the design I am proceeding with is not recommended, but I have no other way with the customer.
Thanks Dushan for showing a direction. Now the ISA will be a part of the domain in the DMZ (don't scream pls) and members of a Windows security group will be allowed to access the internet. Apart from the static route, do I need to have any other ports open from DMZ to Internal and vice versa for the authentication and all?
Dushan De Silva, Technology Architect, commented:
Yes. You should open ports vice versa as required. You can double-check whether the ports are working via the telnet command.

BR Dushan
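The telnet check Dushan suggests, written up as an added example (not code from the thread): it walks the DMZ-to-LAN openings a domain-joined ISA 2004 member needs toward its domain controllers, and the LAN-to-DMZ proxy listeners workstations need, using a raw TCP connect with a timeout so it works where telnet is not installed. Assumptions: the host names are placeholders, ISA's web proxy listens on its default TCP 8080 and the Firewall Client on TCP 1745, and the 3-second timeout and DC list are ours.

```powershell
# Added example, not from the thread. Run the DMZ -> LAN block on the ISA host in the DMZ
# and the LAN -> DMZ block from a LAN workstation. Only TCP is checked: UDP 53/88 and the
# dynamic RPC range above 1024 that DC traffic also uses cannot be verified by a connect.
function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)   # timeout is ours
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)   # throws if the firewall rejected the connection
        return $true
    } catch { return $false }
    finally { $client.Close() }
}

function Show-Result($Target, $Spec) {
    $ok = Test-TcpPort -ComputerName $Target -Port $Spec.Port
    '{0,-22} {1,5} {2,-36} {3}' -f $Target, $Spec.Port, $Spec.Service, $(if ($ok) {'open'} else {'BLOCKED'})
}

# DMZ -> LAN: what a domain member needs to reach its domain controllers.
$dcs = @('dc1.corp.example', 'dc2.corp.example')    # placeholders
$dmzToLan = @(
    @{Port=53;   Service='DNS (TCP)'},
    @{Port=88;   Service='Kerberos'},
    @{Port=135;  Service='RPC endpoint mapper'},
    @{Port=389;  Service='LDAP'},
    @{Port=445;  Service='SMB (Netlogon, group policy)'},
    @{Port=464;  Service='Kerberos password change'},
    @{Port=3268; Service='Global Catalog'}
)
foreach ($dc in $dcs) { foreach ($p in $dmzToLan) { Show-Result $dc $p } }

# LAN -> DMZ: only the proxy listeners. ICMP stays closed, so browsers point at this
# address and port rather than relying on ping to find the ISA.
$isa = 'isa.dmz.example'    # placeholder
$lanToDmz = @(
    @{Port=8080; Service='ISA Web Proxy (browser proxy setting)'},
    @{Port=1745; Service='ISA Firewall Client'}
)
foreach ($p in $lanToDmz) { Show-Result $isa $p }
```

A BLOCKED line for a DC port points at a missing hardware-firewall rule between DMZ and LAN; a BLOCKED 8080 from the LAN explains browsers that cannot reach the proxy even though the ISA itself is healthy.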