TheCleaner asked:
HELP!!! ISA 2004 migrating to Netscreen firewall

Scenario:

I have an ISA 2004 box at the edge right now.  It handles everything including firewall duties, VPN access, and proxy duties.

I am replacing this box with a Juniper SSG520 (Netscreen OS), and we have decided NOT to keep the ISA around behind the Netscreen.

I can handle the idea/logic behind converting the firewall rules over however I am at a loss as to the others (logistically).


For instance:

=============
VPN ACCESS
=============

Right now we use PPTP into the ISA server and RRAS (on the ISA box).  My thought was to accomplish the same idea for now with the Netscreen passing the PPTP traffic through to the ISA server until we can get the IPSEC VPN settings established on the Netscreen and get the clients setup.

    1. Is this as simple as a rule allowing PPTP through the Netscreen to the ISA Server?
    2. Should I put the ISA server in the DMZ and just allow it to continue to act as a "firewall" with the only rules/IPs being the PPTP VPN?
    3. Any better way?

=================
internal user web browsing
=================

Right now the client workstations have their proxy settings set to the ISA server and they also have the Firewall client installed.

    1. Is the best route to use Group Policy to remove these proxy settings?
    2. How can I do a mass uninstall of the MS Firewall client?
    3. I plan to use IAS as a RADIUS server for authentication/etc.  Anyone done this with a Netscreen?
    4. Any other suggestions?


Man, it's pretty hard to leave ISA I guess...I figured it was going to be simpler, but these questions have me second guessing things.
ASKER CERTIFIED SOLUTION by IPKON_Networks
TheCleaner (ASKER):
Thanks very much...that really helps.  We've agreed that instead of a one-night switchover we'll be putting the ISA server in the DMZ like you said.

My only follow-up questions to you are:

"Set the upstream neighbor as the Netscreen"

Are you saying set this in ISA just as if there were two ISAs inline?  Not a problem on the details, I know how, just wondered if it was necessary or if I can just set the default route of the ISA server to use the Netscreen?



"Use GPO's to change the proxy settings"

I'm assuming the proxy settings just go away right?  The core layer 3 switches will have their default routes pointing to the Netscreen box, so no proxy control is really necessary as far as I know.  Are you suggesting to actually set the proxy settings or just use a GPO to remove them completely (maybe just set it to "automatically detect settings")?


Thanks again...
Barny,

All worked well this weekend...thanks for the assistance.
BTW, we ended up throwing the ISA server in the DMZ zone, and just worrying about stragglers still pointing to the ISA server this week.  It forces us to make the changes to the clients ASAP.
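One way to find those stragglers, as an added example that is not from this thread or from either poster: a PowerShell script, run per user (for instance as a logon script), that reports whether the WinINET proxy settings still point at the old ISA host and whether the Microsoft Firewall Client is still installed. The `$OldIsaHost` value and the `*Firewall Client*` display-name match are assumptions to adjust for your environment.

```powershell
# Added example (not from the thread): audit a Windows client for leftover ISA settings
# after the ISA 2004 box has moved to the DMZ. Reports whether the user's WinINET proxy
# still points at the old ISA host and whether the MS Firewall Client is still installed.
param(
    # Placeholder, not a name from the thread; replace with the ISA server's name or IP.
    [string]$OldIsaHost = 'isa-old.example.local'
)

# Per-user WinINET proxy settings (what IE and the "proxy settings" GPO write).
$inet = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$p = Get-ItemProperty -Path $inet -ErrorAction SilentlyContinue

$findings = @()

if ($p.ProxyEnable -eq 1 -and $p.ProxyServer) {
    if ($p.ProxyServer -match [regex]::Escape($OldIsaHost)) {
        $findings += "Static proxy still points at old ISA: $($p.ProxyServer)"
    } else {
        $findings += "Static proxy set (not ISA): $($p.ProxyServer)"
    }
}
if ($p.AutoConfigURL -and $p.AutoConfigURL -match [regex]::Escape($OldIsaHost)) {
    $findings += "PAC/WPAD script still served by old ISA: $($p.AutoConfigURL)"
}

# The Firewall Client leaves an entry under the machine's Uninstall keys
# (DisplayName match is an assumption; check it against one known client first).
$uninstall = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$fwc = Get-ItemProperty -Path $uninstall -ErrorAction SilentlyContinue |
       Where-Object { $_.DisplayName -like '*Firewall Client*' }
if ($fwc) {
    $findings += "Firewall Client still installed: $($fwc.DisplayName -join ', ')"
    # The product's own uninstall string is what a GPO startup script would invoke.
    if ($fwc.UninstallString) {
        $findings += "  Uninstall string: $($fwc.UninstallString -join '; ')"
    }
}

if ($findings.Count -eq 0) {
    "$env:COMPUTERNAME\$env:USERNAME: clean (no ISA proxy, no Firewall Client)"
} else {
    "$env:COMPUTERNAME\$env:USERNAME:"
    $findings | ForEach-Object { "  $_" }
}
```

Redirect the output to a share or event log from the logon script to get a per-client list of what still needs the GPO change or the uninstall.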
IPKON_Networks:

Sounds good and well done. Never easy, as there are always a few weird clients around!!

Barny