I have an ISA 2004 box at the edge right now. It handles everything, including firewall duties, VPN access, and proxy duties.
I am replacing this box with a Juniper SSG520 (Netscreen OS), and we have decided NOT to keep the ISA around behind the Netscreen.
I can handle the idea/logic behind converting the firewall rules over; however, I am at a loss as to the others (logistically).
Right now we use PPTP into the ISA server and RRAS (on the ISA box). My thought was to accomplish the same idea for now with the Netscreen passing the PPTP traffic through to the ISA server until we can get the IPsec VPN settings established on the Netscreen and get the clients set up.
1. Is this as simple as a rule allowing PPTP through the Netscreen to the ISA Server?
2. Should I put the ISA server in the DMZ and just allow it to continue to act as a "firewall" with the only rules/IPs being the PPTP VPN?
3. Any better way?
Internal user web browsing
Right now the client workstations have their proxy settings set to the ISA server, and they also have the Firewall Client installed.
1. Is the best route to use Group Policy to remove these proxy settings?
2. How can I do a mass uninstall of the MS Firewall Client?
3. I plan to use IAS as a RADIUS server for authentication/etc. Anyone done this with a Netscreen?
4. Any other suggestions?
Man, it's pretty hard to leave ISA, I guess... I figured it was going to be simpler, but these questions have me second-guessing things.
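Two practical points for the migration described above, added here by the editor and not part of the original post. First, on the interim PPTP passthrough: PPTP needs both TCP 1723 (control channel) and GRE (IP protocol 47) forwarded to the ISA box, so a Netscreen policy that only permits TCP 1723 will let clients authenticate and then fail to pass traffic. Second, for the workstation cleanup (questions 1 and 2 under "Internal user web browsing"), the script below is an example of what a Group Policy script could do: clear the WinINET proxy settings that point at the ISA server and silently uninstall the Firewall Client. It is example code, not Microsoft's or Juniper's, and it assumes the Firewall Client shows up in Add/Remove Programs under a display name containing "Firewall Client" (the `$ClientNamePattern` default), that it was installed from an MSI (so its product code is the Uninstall key name), and that proxy settings live in the per-user Internet Settings registry key. Proxy removal touches HKCU, so it must run as a logon script in the user's context; the uninstall needs machine rights, so it belongs in a computer startup script. If the Firewall Client was originally pushed via Group Policy Software Installation, changing that deployment to remove the package is cleaner than any script.

```powershell
# Added example: undo ISA Server client-side configuration on workstations.
# Run Remove-IsaProxySettings as a user logon script and
# Uninstall-IsaFirewallClient as a computer startup script.
param(
    # Assumption: the Add/Remove Programs display name contains "Firewall Client".
    [string]$ClientNamePattern = '*Firewall Client*',
    [switch]$DryRun
)

# Per-user WinINET (Internet Explorer) proxy settings.
$inetKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'

function Remove-IsaProxySettings {
    # Turn off the static proxy and drop the ISA server address and any
    # auto-config URL; everything else in the key is left alone.
    $current = Get-ItemProperty -Path $inetKey
    if ($current.ProxyEnable -eq 1 -or $current.ProxyServer -or $current.AutoConfigURL) {
        Write-Host "Removing proxy '$($current.ProxyServer)' for $env:USERNAME"
        if (-not $DryRun) {
            Set-ItemProperty    -Path $inetKey -Name ProxyEnable   -Value 0 -Type DWord
            Remove-ItemProperty -Path $inetKey -Name ProxyServer   -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $inetKey -Name ProxyOverride -ErrorAction SilentlyContinue
            Remove-ItemProperty -Path $inetKey -Name AutoConfigURL -ErrorAction SilentlyContinue
        }
    } else {
        Write-Host "No proxy configured for $env:USERNAME"
    }
}

function Get-InstalledProduct {
    param([string]$Pattern)
    # Read the Uninstall keys directly instead of Win32_Product, which is slow
    # and triggers an MSI consistency check on every installed product.
    $roots = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Uninstall',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Uninstall'
    )
    foreach ($root in $roots) {
        if (-not (Test-Path $root)) { continue }
        Get-ChildItem $root | ForEach-Object {
            $p = Get-ItemProperty $_.PSPath
            if ($p.DisplayName -like $Pattern) { $p }
        }
    }
}

function Uninstall-IsaFirewallClient {
    $products = @(Get-InstalledProduct -Pattern $ClientNamePattern)
    if ($products.Count -eq 0) {
        Write-Host 'Firewall Client not installed on this machine'
        return
    }
    foreach ($p in $products) {
        # Assumption: MSI-based install, so the key name is the product code.
        $productCode = $p.PSChildName
        if ($productCode -notmatch '^\{[0-9A-Fa-f-]{36}\}$') {
            Write-Warning "'$($p.DisplayName)' is not an MSI product; remove it manually"
            continue
        }
        $logPath = Join-Path $env:TEMP 'fwclient-uninstall.log'
        $msiArgs = "/x $productCode /qn /norestart /l*v `"$logPath`""
        Write-Host "Uninstalling '$($p.DisplayName)' ($productCode)"
        if (-not $DryRun) {
            $proc = Start-Process -FilePath msiexec.exe -ArgumentList $msiArgs -Wait -PassThru
            # 0 = success, 3010 = success but reboot required.
            if ($proc.ExitCode -notin 0, 3010) {
                Write-Warning "msiexec exited with $($proc.ExitCode); see $logPath"
            }
        }
    }
}
```

Run it once with `-DryRun` on a test workstation to confirm it finds the right product and the right proxy values before linking it to a GPO. Sequence matters: clients that lose their proxy setting and Firewall Client before the SSG520 is passing outbound web traffic for the internal subnet will lose browsing until that policy is in place, so cut the Netscreen policy over first and remove the ISA client configuration afterwards.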