HELP!!! ISA 2004 migrating to Netscreen firewall


I have an ISA 2004 box at the edge right now.  It handles everything including firewall duties, VPN access, and proxy duties.

I am replacing this box with a Juniper SSG520 (Netscreen OS), and we have decided NOT to keep the ISA around behind the Netscreen.

I can handle the idea/logic behind converting the firewall rules over however I am at a loss as to the others (logistically).

For instance:


Right now we use PPTP into the ISA server and RRAS (on the ISA box).  My thought was to accomplish the same idea for now with the Netscreen passing the PPTP traffic through to the ISA server until we can get the IPSEC VPN settings established on the Netscreen and get the clients set up.

1.  Is this as simple as a rule allowing PPTP through the Netscreen to the ISA Server?
2.  Should I put the ISA server in the DMZ and just allow it to continue to act as a "firewall" with the only rules/IPs being the PPTP VPN?
3.  Any better way?

internal user web browsing

Right now the client workstations have their proxy settings set to the ISA server and they also have the Firewall client installed.

1.  Is the best route to use Group Policy to remove these proxy settings?
2.  How can I do a mass uninstall of the MS Firewall client?
3.  I plan to use IAS as a RADIUS server for authentication/etc.  Anyone done this with a Netscreen?
4.  Any other suggestions?

Man, it's pretty hard to leave ISA I guess...I figured it was going to be simpler, but these questions have me second guessing things.
That's MS for you... easy to join... hard to leave. The only reason it is hard is because you feel it is easier or somehow better to use the MS solution. Welcome to the Matrix... welcome to the world without Microsoft !!!

To answer your questions, I would look to keep ISA for the VPN for now, but turn it off for everything except Firewall/VPN access. If you leave it behind the Juniper and set its default network to point to the Juniper then traffic will flow OK. However, better off moving it out of the way.
As you are looking to migrate in production you may be safer to migrate slowly then you can be sure you get it all working.

1. Migrate the firewall rules onto the Juniper, move ISA into a DMZ and turn off all the rules you have migrated. Set the upstream neighbour to the Juniper. Clients will still work and VPN inbound will continue.

2. Use GPO (if you have enough PCs to warrant it) to change the Proxy settings on your clients. This should take about 5 minutes tops!

3. Configure the VPN on the Juniper thus allowing you to turn off the ISA.

At each phase you can monitor the ISA to see that the traffic has indeed moved before shutting down services. To be honest, once you have configured the Juniper you can migrate and shut down over the course of a week (max) to ensure all your users are not pointing to the old ISA server.

Congrats, you are one step closer to being set free from the Matrix!

Hope this helps
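For phase 1 of the answer above (ISA moved into the DMZ, Netscreen passing inbound PPTP to it), here is what the ScreenOS side looks like. This is an added illustration, not configuration from the poster or from Juniper's documentation; the interface names, zone names, the public address 203.0.113.10 and the DMZ address 192.168.50.10 are assumed placeholders. The point it makes that the thread leaves implicit: PPTP needs two policies, one for TCP/1723 and one for GRE (IP protocol 47), or tunnels will negotiate and then hang.

```text
## Assumed: ethernet0/0 is Untrust, ethernet0/2 is DMZ, ethernet0/1 is Trust.
## Address object for the ISA server now sitting in the DMZ zone
set address "DMZ" "isa-server" 192.168.50.10/32

## Map the old public VPN address onto the ISA box (static 1:1 NAT)
set interface ethernet0/0 mip 203.0.113.10 host 192.168.50.10 netmask 255.255.255.255 vr trust-vr

## PPTP control channel (predefined service PPTP = TCP/1723)
set policy id 10 name "pptp-ctl-to-isa" from "Untrust" to "DMZ" "Any" "MIP(203.0.113.10)" "PPTP" permit log

## PPTP data channel (predefined service GRE = IP protocol 47) - without this
## clients authenticate and then stall, which is the classic PPTP-behind-firewall symptom
set policy id 11 name "pptp-gre-to-isa" from "Untrust" to "DMZ" "Any" "MIP(203.0.113.10)" "GRE" permit log

## Only the ISA server, only from the DMZ, may reach the internal LAN on behalf of VPN users.
## Keep this as narrow as the VPN users' real needs allow; "ANY" is the placeholder here.
set policy id 12 name "isa-vpn-to-lan" from "DMZ" to "Trust" "isa-server" "Any" "ANY" permit log

## Outbound for the ISA box itself so RRAS/IAS and updates still work
set policy id 13 name "isa-outbound" from "DMZ" to "Untrust" "isa-server" "Any" "ANY" permit log
save
```

With `log` on every policy, `get log traffic` on the Netscreen shows whether PPTP sessions are actually arriving at the MIP, which is the "monitor that the traffic has moved" check the answer recommends before each cut-over step.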
TheCleaner (Author) commented:
Thanks very much...that really helps.  We've agreed that instead of a one-night switchover we'll be putting the ISA server in the DMZ like you said.

My only follow up questions to you are:

"Set the upstream neighbor as the Netscreen"

Are you saying set this in ISA just as if there were two ISAs inline?  Not a problem on the details, I know how, just wondered if it was necessary or if I can just set the default route of the ISA server to use the Netscreen?

"Use GPO's to change the proxy settings"

I'm assuming the proxy settings just go away right?  The core layer 3 switches will have their default routes pointing to the Netscreen box, so no proxy control is really necessary as far as I know.  Are you suggesting to actually set the proxy settings or just use a GPO to remove them completely (maybe just set it to "automatically detect settings")?

Thanks again...
TheCleaner (Author) commented:

All worked well this weekend...thanks for the assistance.
TheCleaner (Author) commented:
BTW, we ended up throwing the ISA server in the DMZ zone, and just worrying about stragglers still pointing to the ISA server this week.  It forces us to make the changes to the clients asap.
Sounds good and well done. Never easy as there are always a few weird clients around!!
