HELP!!!  ISA 2004 migrating to Netscreen firewall

Posted on 2006-05-24
Last Modified: 2013-11-16

I have an ISA 2004 box at the edge right now.  It handles everything including firewall duties, VPN access, and proxy duties.

I am replacing this box with a Juniper SSG520 (Netscreen OS), and we have decided NOT to keep the ISA around behind the Netscreen.

I can handle the idea/logic behind converting the firewall rules over; however, I am at a loss as to the others (logistically).

For instance:
Right now we use PPTP into the ISA server and RRAS (on the ISA box).  My thought was to accomplish the same idea for now with the Netscreen passing the PPTP traffic through to the ISA server until we can get the IPSEC VPN settings established on the Netscreen and get the clients setup.

    1. Is this as simple as a rule allowing PPTP through the Netscreen to the ISA Server?
    2. Should I put the ISA server in the DMZ and just allow it to continue to act as a "firewall" with the only rules/IPs being the PPTP VPN?
    3. Any better way?

internal user web browsing

Right now the client workstations have their proxy settings set to the ISA server and they also have the Firewall client installed.

    1. Is the best route to use Group Policy to remove these proxy settings?
    2. How can I do a mass uninstall of the MS Firewall client?
    3. I plan to use IAS as a RADIUS server for authentication/etc. Anyone done this with a Netscreen?
    4. Any other suggestions?

Man, it's pretty hard to leave ISA I guess...I figured it was going to be simpler, but these questions have me second guessing things.
Question by: TheCleaner

    Accepted Solution

    That's MS for you... easy to join... hard to leave. The only reason it is hard is because you feel it is easier or somehow better to use the MS solution. Welcome to the Matrix... welcome to the world without Microsoft!!!

    To answer your questions, I would look to keep ISA for the VPN for now, but turn it off for everything except Firewall/VPN access. If you leave it behind the Juniper and set its default network to point to the Juniper then traffic will flow OK. However, better off moving it out of the way.
    As you are looking to migrate in production you may be safer to migrate slowly, then you can be sure you get it all working.

    1. Migrate the firewall rules onto the Juniper, move ISA into a DMZ and turn off all the rules you have migrated. Set the upstream neighbour to the Juniper. Clients will still work and VPN inbound will continue.

    2. Use GPO (if you have enough PCs to warrant it) to change the Proxy settings on your clients. This should take about 5 minutes tops!

    3. Configure the VPN on the Juniper thus allowing you to turn off the ISA.

    At each phase you can monitor the ISA to see that the traffic has indeed moved before shutting down services. To be honest, once you have configured the Juniper you can migrate and shut down over the course of a week (max) to ensure all your users are not pointing to the old ISA server.

    Congrats, you are one step closer to being set free from the Matrix!

    Hope this helps

    Author Comment

    Thanks very much...that really helps.  We've agreed that instead of a one-night switchover we'll be putting the ISA server in the DMZ like you said.

    My only follow up questions to you are:

    "Set the upstream neighbor as the Netscreen"

    Are you saying set this in ISA just as if there were two ISAs inline? Not a problem on the details, I know how, just wondered if it was necessary or if I can just set the default route of the ISA server to use the Netscreen?

    "Use GPO's to change the proxy settings"

    I'm assuming the proxy settings just go away right?  The core layer 3 switches will have their default routes pointing to the Netscreen box, so no proxy control is really necessary as far as I know.  Are you suggesting to actually set the proxy settings or just use a GPO to remove them completely (maybe just set it to "automatically detect settings")?

    Thanks again...

    Author Comment

    All worked well this weekend...thanks for the assistance.

    Author Comment

    BTW, we ended up throwing the ISA server in the DMZ zone, and just worrying about stragglers still pointing to the ISA server this week.  It forces us to make the changes to the clients asap.

    Expert Comment

    Sounds good and well done. Never easy as there are always a few weird clients around!!
