ISA Server 2006 with WAN and 2 LANs

Hi,
We have purchased ISA server 2006 Std. and it is installed in a box with 3 NICs.

NIC-A is connected to the Internet
NIC-B is connected to a local network with a w2003 domain controller
NIC-C is connected to another local subnet with no domain controller

We want to force any internet user on NIC-B and NIC-C to authenticate against AD at NIC-B's DC before they are allowed any internet access.  

Also we need to restrict IM and P2P usage and finally impose weekly download quotas for the users.

Thanks a lot for some tips and comments on how to set up the ISA server in this scenario.

best regards

Geir
geir056 asked:
Keith Alabaster (Enterprise Architect) commented:
Remember ISA is not a router. You need to set the routing up on the Windows server hosting ISA. ISA just controls packets through the interfaces.

Let's assume you now have a network called internal and also assuming you have renamed the perimeter interface to netB.
I'll finally assume you have performed the network rule relationship changes I have mentioned.
As above, I would expect to see access rules for:

allow http/https/ftp internal to external
allow http/https/ftp netB to external
allow internal & local host to internal & local host
allow all protocols netB & local host to netB & local host
allow dns from internal & netb to external assuming both have dns that resolve external addresses
allow smtp from internal and net b to external assuming both have smtp servers

Fun starts if you need to allow inbound smtp and you have a mail server on both subnets. You will need two external ip addresses to accomplish that as you will need two publishing rules.
0
 
Keith Alabaster (Enterprise Architect) commented:
No issue at all although you need to make a few amendments I expect.

You should have selected the three-legged template when you set the box up.
You need to change the network rules (Configuration - Networks from the GUI) to make the relationship between each of the internal NICs a route relationship and both internal NICs to external a NAT relationship. Edit the properties of the two internal NICs and make sure that you set the LAT (local address table) to include all of the internal IPs accessible through that NIC, including the network ID and the broadcast. For example, if NIC C covers the 10.6.6.x network then the LAT for that NIC should be 10.6.6.0 - 10.6.6.255. You should also add any other subnets that may also come through that NIC from elsewhere on your infrastructure. Same with NIC B.

Proxy settings for nic c users will be the ip address of nic b on port 8080 (default). proxy users on nic a will be its ip and port 8080.

Make sure you have rules in the firewall policy for both nics & local host to external for the protocols you want to allow out.
If these are all the same infrastructure, also make sure you have a rule that allows traffic in both directions between nic b & nic c.

keith

0
 
geir056 (Author) commented:
Thanks for the tips ;-)

With the three legged template do you mean the one with one WAN, one perimeter (DMZ) NIC and one LAN NIC?

How do I cancel the current template and apply the right one..?

I really need some help with the routing and firewall rules, I'd appreciate very much if you could show how this should be set up.

WAN NIC IP: 192.160.80.4
LAN-A NIC IP: 172.25.100.8 (the one with access to AD for auth)
LAN-B NIC IP: 172.27.100.8

No traffic is supposed to go between LAN-A and LAN-B.  This scenario covers only those two LANs' access to the internet via the WAN NIC.

Thanks again for your willingness to help

best regards

Geir
0
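To check that a rule set like the one Keith listed actually produces the behaviour Geir asked for (Internet access only for authenticated users, no traffic between LAN-A and LAN-B, clients able to reach the proxy listener on their own NIC), it helps to model ISA's ordered, first-match access rules with a default deny and run the scenario's flows through it before touching the GUI. The script below is an added example, not code from the thread or from Microsoft; it uses Geir's addresses, assumes /24 masks (the thread gives none), uses Keith's network names (internal = the LAN with the DC, netB = the other LAN, external = everything not in a LAT), and deliberately simplifies ISA's authentication handling to "a rule for authenticated users does not match an anonymous request". The `lat_range` helper also computes the network ID and broadcast that Keith says each internal NIC's LAT must span.

```python
import ipaddress
from dataclasses import dataclass

# Constructed from the thread. /24 prefixes are an assumption; the thread gives no masks.
INTERNAL_NETWORKS = {
    "internal": ipaddress.ip_network("172.25.100.0/24"),  # LAN-A, has the domain controller
    "netB": ipaddress.ip_network("172.27.100.0/24"),      # LAN-B, no domain controller
}
# ISA's own addresses ("local host" network): WAN NIC, LAN-A NIC, LAN-B NIC.
LOCAL_HOST = {ipaddress.ip_address(a) for a in ("192.160.80.4", "172.25.100.8", "172.27.100.8")}


def lat_range(nic_ip: str, prefix_len: int) -> tuple[str, str]:
    """Network ID and broadcast address for one NIC: the LAT entry Keith describes."""
    net = ipaddress.ip_network(f"{nic_ip}/{prefix_len}", strict=False)
    return str(net.network_address), str(net.broadcast_address)


def network_of(ip: ipaddress.IPv4Address) -> str:
    """Map an address to an ISA network; anything outside every LAT is 'external'."""
    if ip in LOCAL_HOST:
        return "local host"
    for name, net in INTERNAL_NETWORKS.items():
        if ip in net:
            return name
    return "external"


ANY = frozenset({"*"})                    # all protocols
WEB = frozenset({"http", "https", "ftp"})


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                # "allow" or "deny"
    protocols: frozenset
    src: frozenset             # ISA network names
    dst: frozenset
    auth_required: bool = False  # rule applies to authenticated users only


# Keith's rule list, in order. The two web rules carry Geir's AD-authentication requirement.
POLICY = [
    Rule("web internal out", "allow", WEB, frozenset({"internal"}), frozenset({"external"}), True),
    Rule("web netB out", "allow", WEB, frozenset({"netB"}), frozenset({"external"}), True),
    Rule("internal <-> local host", "allow", ANY,
         frozenset({"internal", "local host"}), frozenset({"internal", "local host"})),
    Rule("netB <-> local host", "allow", ANY,
         frozenset({"netB", "local host"}), frozenset({"netB", "local host"})),
    Rule("dns out", "allow", frozenset({"dns"}), frozenset({"internal", "netB"}), frozenset({"external"})),
    Rule("smtp out", "allow", frozenset({"smtp"}), frozenset({"internal", "netB"}), frozenset({"external"})),
]


def evaluate(src_ip: str, dst_ip: str, protocol: str, authenticated: bool = False) -> tuple[str, str]:
    """First matching rule wins; nothing matching falls through to the default deny."""
    src = network_of(ipaddress.ip_address(src_ip))
    dst = network_of(ipaddress.ip_address(dst_ip))
    for rule in POLICY:
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.protocols != ANY and protocol not in rule.protocols:
            continue
        if rule.auth_required and not authenticated:
            continue
        return rule.action, rule.name
    return "deny", "default rule"


if __name__ == "__main__":
    print("LAT for LAN-A NIC:", lat_range("172.25.100.8", 24))
    flows = [
        ("172.25.100.20", "8.8.8.8", "http", True),     # authenticated LAN-A user browsing
        ("172.25.100.20", "8.8.8.8", "http", False),    # same user before authenticating
        ("172.27.100.20", "8.8.8.8", "dns", False),     # LAN-B DNS resolution
        ("172.25.100.20", "172.27.100.20", "http", True),  # LAN-A to LAN-B: must be denied
        ("172.27.100.20", "172.27.100.8", "http", False),  # LAN-B client to its proxy listener
    ]
    for src, dst, proto, auth in flows:
        print(src, "->", dst, proto, "auth" if auth else "anon", "=>", evaluate(src, dst, proto, auth))
```

The cross-LAN flow is denied only because no rule names both internal and netB; Keith's later suggestion of a rule between NIC B and NIC C would change that, so it is left out here to match Geir's requirement. The 8.8.8.8 destination is just a constructed "somewhere on the Internet" address.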

 
Keith Alabaster (Enterprise Architect) commented:
Just rerun it. It will deal with it for you but you will need to edit as I have outlined.
0
 
geir056 (Author) commented:
Anybody having a couple of minutes to provide some routing and fw rules for this scenario?

regards

Tor
0
 
Keith Alabaster (Enterprise Architect) commented:
It's nearly 11pm here so bedtime soon. Really that is another question, but what do you want to do?
0
 
geir056 (Author) commented:
Keith,

I'll be one week of vacation.  Will repost status in 9 days.

regards

Tor
0
 
Keith Alabaster (Enterprise Architect) commented:
No sweat.

Just remember one limitation on ISA. Although you can have multiple IP addresses on the ISA external NIC, the outbound NAT always uses the first IP address - you cannot select which it will be.

Have a good vacation.
Keith
0
 
Computer101 commented:
Forced accept.

Computer101
EE Admin
0