vivo123

asked on

ISA2000

I would like to test run an ISA server running in integrated mode within a network.  Currently the network runs through a hardware firewall with 2 DC/DNS servers forwarding to ISP DNS.  Without going into too much detail, my thought was to install the ISA dual NIC (external/internal), create firewall rules and point everyone's IE to the proxy server's internal IP.  Is there a problem running both DNS together, or should I block the DNS forwards from the DC/DNS servers at the firewall and only route via the ISA?  Can they both route out at the same time or will this cause issues?
Keith Alabaster

This really depends on your end position.

Firstly, I would point out that ISA2000 has been replaced by ISA2004, and ISA2006 is due for release quite soon. It's already available for a 6 month trial (in beta format) by download from MS.

Anyway, to answer your questions with questions of my own:

1.  Is there a problem running both DNS together or should I block the DNS forwards from the DC/DNS servers at the firewall and only route via the ISA?

Are you talking about DNS that will be used by the internet to resolve names/IPs for your domain, or is this simply your internal DNS?

You mention routing. Are you expecting to route traffic out through ISA or NAT it?

2. Can they both route out at the same time or will this cause issues?
ISA will not care. It will treat the traffic as different streams as they will be coming from different source IPs. Remember that DNS is not proxy traffic; it runs as UDP port 53 for normal name resolution and TCP port 53 for zone transfers. The DNS boxes will either have to be SecureNAT clients, whereby you point their default gateways at the internal NIC of the ISA server, or standard boxes that must have an internal route that will get them to the ISA server so that DNS traffic can be sent out. Assuming you WANT to send DNS traffic out, that is.
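The answer above draws the line between proxy traffic (IE's HTTP, which the ISA web proxy setting carries) and DNS (UDP/TCP 53, which the IE proxy setting never touches). The PowerShell below is an added example, not code from the thread or from ISA, for checking a test client against that split on a current Windows box; the ISA internal address 192.168.1.2:8080, the DC/DNS address 192.168.1.10 and the external hostname are placeholders, and the cmdlets assume Windows 8 / Server 2012 or later.

```powershell
# Added example: verify one test client's "HTTP via ISA proxy, DNS via internal DC/DNS" split.
# Placeholders (assumed, not from the thread): ISA internal NIC + web proxy port, DC/DNS IP.
param(
    [string]$IsaProxy     = '192.168.1.2:8080',   # assumed ISA internal NIC and proxy port
    [string]$InternalDns  = '192.168.1.10',       # assumed DC/DNS server the clients use
    [string]$ExternalName = 'www.microsoft.com'   # any public name to resolve and fetch
)

$results = [ordered]@{}

# 1. WinINET/IE proxy: web traffic should be handed to the ISA internal IP, not sent direct.
$ie = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings'
$results.ProxyEnabled = ($ie.ProxyEnable -eq 1)
$results.ProxyIsIsa   = ($ie.ProxyServer -like "*$IsaProxy*")

# 2. DNS client: name resolution must still point at the internal DC/DNS (which forwards to the ISP).
$dnsServers = (Get-DnsClientServerAddress -AddressFamily IPv4 |
               Where-Object { $_.ServerAddresses }).ServerAddresses
$results.DnsIsInternal = ($dnsServers -contains $InternalDns)

# 3. An Internet name resolves through the internal server over plain DNS (UDP 53, no proxy involved).
try {
    $answer = Resolve-DnsName -Name $ExternalName -Server $InternalDns -Type A -DnsOnly -ErrorAction Stop
    $results.DnsResolves = (($answer | Where-Object { $_.Type -eq 'A' }).Count -gt 0)
} catch {
    $results.DnsResolves = $false
}

# 4. HTTP explicitly through the ISA proxy: this is the only traffic the IE proxy setting redirects.
try {
    $r = Invoke-WebRequest -Uri "http://$ExternalName/" -Proxy "http://$IsaProxy" `
                           -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
    $results.HttpViaProxy = ($r.StatusCode -ge 200 -and $r.StatusCode -lt 400)
} catch {
    $results.HttpViaProxy = $false
}

# All four should be $true on a correctly configured test client; a $false DnsResolves with a
# $true HttpViaProxy points at the DC/DNS forwarding path, not at the ISA proxy.
[pscustomobject]$results
```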
vivo123

ASKER

Thanks I will look into the latest versions.  We have a licensed copy of ISA 2000 which has never been used.

1.  I am talking about DNS used to resolve Internet names.  Currently we use forwarders to ISP DNS.  Local clients point their DNS to the internal DC/DNS servers for local resolution and forward out to the ISP for Internet resolution.

I would like to perform tests with the ISA in the production network.  Maybe like conducting only on a group of computers within the domain (possibly 5 to 10).  This is where my question comes into play.

I was going to install the ISA in integrated mode and perform a one to one NAT route on the firewall to the external interface.  

2.  At this time I wanted to route Internet traffic on the non-testing computers through the normal method of the DC/DNS forwarders, and the testing clients through the ISA and out to the Internet; again I will have a NAT route at the HW firewall. On the ISA external NIC I will place the ISP DNS IP address.  Internal routing will still occur via the DC/DNS servers, but Internet traffic will flow through the ISA by means of proxy settings in IE.

Can I test this way without experiencing resolution problems?

ASKER CERTIFIED SOLUTION
Keith Alabaster

vivo123

ASKER

Excellent.  Thanks for the response.

Keith Alabaster

You're welcome :)
Anything else I can tell you, vivo, or do you want to close the question?