Solved

ISA Server 2006 with WAN and 2 LANs

Posted on 2007-07-25
Last Modified: 2008-11-17
Hi,
We have purchased ISA server 2006 Std. and it is installed in a box with 3 NICs.

NIC-A is connected to the Internet
NIC-B is connected to a local network with a w2003 domain controller
NIC-C is connected to another local subnet with no domain controller

We want to force any internet user on NIC-B and NIC-C to authenticate against AD at NIC-B's DC before they are allowed any internet access.  

Also we need to restrict IM and P2P usage and finally impose weekly download quotas for the users.

Thanks a lot for some tips and comments on how to set up the ISA server in this scenario.

best regards

Geir
Question by:geir056

9 Comments
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19567247
No issue at all although you need to make a few amendments I expect.

You should have selected the three-legged template when you set the box up.
You need to change the network rules (Configuration - Networks in the GUI) so that the relationship between each of the internal NICs is a route relationship and both internal NICs to external is a NAT relationship.

Edit the properties of the two internal NICs and make sure that you set the LAT (local address table) to include all of the internal IPs accessible through that NIC, including the network ID and the broadcast. For example, if NIC C covers the 10.6.6.x network, then the LAT for that NIC should be 10.6.6.0 - 10.6.6.255. You should also add any other subnets that may also come through that NIC from elsewhere on your infrastructure. Same with NIC B.

Proxy settings for NIC C users will be the IP address of NIC B on port 8080 (default). Proxy users on NIC A will be its IP and port 8080.

Make sure you have rules in the firewall policy for both nics & local host to external for the protocols you want to allow out.
If these are all the same infrastructure, also make sure you have a rule that allows traffic in both directions between nic b & nic c.

keith


Author Comment

by:geir056
ID: 19569198
Thanks for the tips ;-)

With the three legged template do you mean the one with one WAN, one perimeter (DMZ) NIC and one LAN NIC?

How do I cancel the current template and apply the right one..?

I really need some help with the routing and firewall rules, I'd appreciate very much if you could show how this should be set up.

WAN NIS IP 192.160.80.4
LAN-A NIC IP 172.25.100.8 (the one with access to AD for auth)
LAN-B NIC IP: 172.27.100.8

No traffic is supposed to go between LAN-A and LAN-B.  This scenario covers only those two LANs' access to the internet via the WAN NIC.

Thanks again for your willingness to help

best regards

Geir
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19569625
Just rerun it. It will deal with it for you but you will need to edit as I have outlined.

Author Comment

by:geir056
ID: 19570035
Anybody having a couple of minutes to provide some routing and fw rules for this scenario?

regards

Tor
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19570088
It's nearly 11pm here, so bedtime soon. Really that is another question, but what do you want to do?
LVL 51

Accepted Solution

by:Keith Alabaster (earned 2000 total points)
ID: 19570138
Remember ISA is not a router. You need to set the routing up on the Windows server hosting ISA. ISA just controls packets through the interfaces.

Let's assume you now have a network called internal and also assuming you have renamed the perimeter interface to netB.
I'll finally assume you have performed the network rule relationship changes I have mentioned.
As above, I would expect to see access rules for:

allow http/https/ftp internal to external
allow http/https/ftp netB to external
allow internal & local host to internal & local host
allow all protocols netB & local host to netB & local host
allow dns from internal & netB to external assuming both have dns that resolve external addresses
allow smtp from internal and netB to external assuming both have smtp servers

Fun starts if you need to allow inbound smtp and you have a mail server on both subnets. You will need two external ip addresses to accomplish that as you will need two publishing rules.
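The following is an added example, not code from this thread, from Microsoft or from any ISA Server tooling. It models the accepted answer as data: the LAT range Keith asks for on each internal NIC (network ID through broadcast, using his 10.6.6.x example), the route/NAT network relationships, and his six access rules evaluated the way ISA processes its firewall policy (rules in order, first match wins, the built-in Default rule denies everything else). The addressing comes from Geir's post (192.160.80.4, 172.25.100.8, 172.27.100.8); the /24 prefix lengths, the protocol set of the "internal & local host" rule, and the sample flows are assumptions. It is useful as a desk check before touching the GUI: it confirms that Geir's requirement of no traffic between LAN-A and LAN-B is already met by the absence of a rule, since nothing in the list allows netB to internal.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Addressing from the thread: WAN NIC 192.160.80.4, LAN-A NIC 172.25.100.8 (ISA network "internal"),
# LAN-B NIC 172.27.100.8 (renamed "netB"). The /24 prefix lengths are an assumption; the thread
# gives only the NIC host addresses.
LAN_A = "172.25.100.0/24"
LAN_B = "172.27.100.0/24"
NETWORKS = {
    # Checked first, so the ISA box's own NIC addresses classify as "local host", not as a LAN.
    "local host": [ipaddress.ip_network(a) for a in ("192.160.80.4/32", "172.25.100.8/32", "172.27.100.8/32")],
    "internal": [ipaddress.ip_network(LAN_A)],
    "netB": [ipaddress.ip_network(LAN_B)],
}

# Network relationships as Keith describes them: internal NIC to internal NIC is route,
# each internal NIC to external is NAT.
RELATIONSHIPS = {
    frozenset({"internal", "netB"}): "route",
    frozenset({"internal", "external"}): "NAT",
    frozenset({"netB", "external"}): "NAT",
}


def lat_range(subnet: str) -> Tuple[str, str]:
    """Range to enter in the LAT: the whole subnet, including the network ID and the broadcast."""
    net = ipaddress.ip_network(subnet, strict=False)
    return str(net.network_address), str(net.broadcast_address)


def relationship(a: str, b: str) -> str:
    """Route or NAT between two ISA networks, as set under Configuration - Networks."""
    return RELATIONSHIPS[frozenset({a, b})]


def classify(ip: str) -> str:
    """Map an address to an ISA network; anything not in a defined network is External."""
    addr = ipaddress.ip_address(ip)
    for name, subnets in NETWORKS.items():
        if any(addr in s for s in subnets):
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    protocols: Optional[frozenset]  # None = all outbound protocols
    sources: frozenset
    destinations: frozenset


WEB = frozenset({"http", "https", "ftp"})
# Keith's rule list, in order. The "internal & local host" rule is taken as all protocols,
# like the netB rule beside it (an assumption; the post does not state its protocol set).
RULES = [
    Rule("web out from internal", "allow", WEB, frozenset({"internal"}), frozenset({"external"})),
    Rule("web out from netB", "allow", WEB, frozenset({"netB"}), frozenset({"external"})),
    Rule("internal & local host", "allow", None, frozenset({"internal", "local host"}), frozenset({"internal", "local host"})),
    Rule("netB & local host", "allow", None, frozenset({"netB", "local host"}), frozenset({"netB", "local host"})),
    Rule("dns out", "allow", frozenset({"dns"}), frozenset({"internal", "netB"}), frozenset({"external"})),
    Rule("smtp out", "allow", frozenset({"smtp"}), frozenset({"internal", "netB"}), frozenset({"external"})),
]


def evaluate(src_ip: str, dst_ip: str, protocol: str) -> Tuple[str, str]:
    """First matching rule wins; with no match the built-in Default rule denies the traffic."""
    src, dst = classify(src_ip), classify(dst_ip)
    for rule in RULES:
        if src in rule.sources and dst in rule.destinations and (rule.protocols is None or protocol in rule.protocols):
            return rule.action, rule.name
    return "deny", "Default rule"


if __name__ == "__main__":
    print("LAT for LAN-B:", lat_range(LAN_B))
    print("internal <-> netB:", relationship("internal", "netB"))
    # Constructed sample flows; 203.0.113.10 is a documentation address standing in for an Internet host.
    for flow in [("172.25.100.20", "203.0.113.10", "http"),
                 ("172.27.100.20", "203.0.113.10", "smtp"),
                 ("172.27.100.20", "172.25.100.20", "http"),   # LAN-B to LAN-A: no rule, so denied
                 ("172.25.100.20", "203.0.113.10", "smb")]:    # not a web protocol, so denied
        print(flow, "->", evaluate(*flow))
```

Rule order matters only where rules overlap; here the one overlap worth noticing is "local host", which is matched before the LANs so that traffic to the ISA box's own NIC addresses is handled by the "& local host" rules rather than treated as inter-LAN traffic.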

Author Comment

by:geir056
ID: 19587533
Keith,

I'll be on vacation for one week.  Will repost status in 9 days.

regards

Tor
LVL 51

Expert Comment

by:Keith Alabaster
ID: 19587572
No sweat.

Just remember one limitation on ISA. Although you can have multiple IP addresses on the ISA external NIC, the outbound NAT always uses the first IP address - you cannot select which it will be.

Have a good vacation.
Keith
LVL 1

Expert Comment

by:Computer101
ID: 20324365
Forced accept.

Computer101
EE Admin
