Posted on 2006-06-02
Medium Priority
Last Modified: 2010-04-09
I would like to test run an ISA server running in integrated mode within a network.  Currently the network runs through a hardware firewall with 2 DC/DNS servers forwarding to ISP DNS.  Without going into too much detail, my thought was to install the ISA dual NIC (external/internal), create firewall rules and point everyone's IE to the proxy server's internal IP.  Is there a problem running both DNS together, or should I block the DNS forwards from the DC/DNS servers at the firewall and only route via the ISA?  Can they both route out at the same time or will this cause issues?
Question by:vivo123
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16818681
This really depends on your end position.

Firstly, I would point out that ISA2000 has been replaced by ISA2004, and ISA2006 is due for release quite soon. It's already available for a 6 month trial (in beta format) by download from MS.

Anyway, to answer your questions with questions of my own:

1.  Is there a problem running both DNS together or should I block the DNS forwards from the DC/DNS servers at the firewall and only route via the ISA?

Are you talking about DNS that will be used by the internet to resolve names/ip's for your domain or is this simply your internal DNS?

You mention routing. Are you expecting to route traffic out through ISA or NAT it?

2. Can they both route out at the same time or will this cause issues?
ISA will not care. It will treat the traffic as different streams as they will be coming from different source IPs. Remember that DNS is not proxy traffic; it runs as UDP port 53 for normal name resolution and TCP port 53 for zone transfers. The DNS boxes will either have to be SecureNAT clients, whereby you point their default gateways at the internal NIC of the ISA server, or standard boxes that must have an internal route that will get them to the ISA server so that DNS traffic can be sent out. Assuming you WANT to send DNS traffic out, that is.

Author Comment

ID: 16825382
Thanks I will look into the latest versions.  We have a licensed copy of ISA 2000 which has never been used.

1.  I am talking about DNS used to resolve Internet names.  Currently we use forwarders to IP DNS.  Local clients point their DNS to the internal DC/DNS servers for local resolution and forward out to the ISP for Internet resolution.

I would like to perform tests with the ISA in the production network.  Maybe like conducting only on a group of computers within the domain (possibly 5 to 10).  This is where my question comes into play.

I was going to install the ISA in integrated mode and perform a one to one NAT route on the firewall to the external interface.  

2.  At this time I wanted to route Internet traffic on the non-testing computers through the normal method of the DC/DNS forwarders and the testing clients through the ISA and out to the Internet, and again I will have a NAT route at the HW firewall. On the ISA external NIC I will place the ISP DNS IP address.  Internal routing will still occur via the DC/DNS servers, but Internet traffic will flow through the ISA by means of proxy settings in IE.

Can I test this way without experiencing resolution problems?

LVL 51

Accepted Solution

Keith Alabaster earned 500 total points
ID: 16826626

Whether you use ISA or not, your internal DNS servers can carry on providing their service exactly as they are now; you don't have to change this for ISA.
Be aware that mainstream support from Microsoft ended for ISA2000 in April 2006. Extended support continues for a further 5 years till 2011, but this will cost you...

I would strongly recommend you commence your testing with 2004 or even 2006, as the experience is far superior and the whole process (of the way ISA operates, the GUI etc.) is completely different, but naturally this has to be your call.

If you are installing ISA in integrated mode you will need to have decided how the test clients are going to connect: using the ISA firewall client, SecureNAT (where you point the PC's default gateway to be the ISA internal NIC), Web proxy (where you use IE browser proxy settings) or a combination.

Up to you in respect to the NAT. If you route through ISA then that's fine; if you NAT then the traffic gets the ISA's external NIC address; nothing special there.
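As an added example (not from the thread or from Keith), here is a Python script that builds a raw DNS A query and sends it straight to a chosen server over UDP/53, so a test client's resolution through the internal DC/DNS servers and through the ISP DNS reached via ISA can be compared side by side. The reply bytes at the bottom are constructed so the parser can be exercised offline; the server IPs and hostname are whatever you choose.

```python
import socket
import struct

TXID = 0x1234  # fixed transaction id; adequate for a one-off manual check

def build_query(name, txid=TXID):
    # Minimal RFC 1035 query: header (RD set, one question), QNAME labels, QTYPE=A, QCLASS=IN.
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lbl)]) + lbl.encode() for lbl in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, off):
    # Advance past a name; a compression pointer (top two bits set) terminates it.
    while data[off] and data[off] & 0xC0 != 0xC0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_a_records(data, txid=TXID):
    # Return the IPv4 answers; raise if the id is not ours or the server set a non-zero RCODE.
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or flags & 0x000F:
        raise ValueError("bad reply: id=%#x rcode=%d" % (rid, flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(data, off) + 4  # skip QTYPE + QCLASS
    ips = []
    for _ in range(an):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return ips

def resolve_via(server_ip, name, timeout=3.0):
    # Live check: ask one server directly over UDP/53 (an internal DC/DNS server, or the ISP DNS
    # reached via ISA). This is plain UDP, not web-proxy traffic, so IE proxy settings play no part.
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server_ip, 53))
        data, _ = sock.recvfrom(512)
    return parse_a_records(data)

# Constructed reply to build_query("www.example.test"): flags 0x8180 (QR, RD, RA), one answer whose
# name is a pointer (0xC00C) to the question; type A, class IN, TTL 3600, RDATA 192.0.2.10.
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", TXID, 0x8180, 1, 1, 0, 0)
                   + build_query("www.example.test")[12:]
                   + b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\xc0\x00\x02\x0a")
```

Run resolve_via("<internal DC/DNS IP>", "www.example.test") from a test PC and then the same call with the ISP DNS address; a timeout or a non-zero RCODE on one path tells you which hop is not passing UDP/53.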


Author Comment

ID: 16827315
Excellent.  Thanks for the response
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16827573
You're welcome :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 16832469
Anything else I can tell you vivo or do you want to close the question?
