geir056 asked:

ISA Server 2006 with WAN and 2 LANs

Hi,
We have purchased ISA server 2006 Std. and it is installed in a box with 3 NICs.

NIC-A is connected to the Internet
NIC-B is connected to a local network with a w2003 domain controller
NIC-C is connected to another local subnet with no domain controller

We want to force any internet user on NIC-B and NIC-C to authenticate against AD at NIC-B's DC before they are allowed any internet access.  

Also we need to restrict IM and P2P usage and finally impose weekly download quotas for the users.

Thanks a lot for some tips and comments on how to set up the ISA server in this scenario.

best regards

Geir
Keith Alabaster

No issue at all although you need to make a few amendments I expect.

You should have selected the three-legged template when you set the box up.
You need to change the network rules (Configuration - Networks in the GUI) to make the relationship between each of the internal NICs a route relationship and both internal NICs to external a NAT relationship. Edit the properties of the two internal NICs and make sure that you set the LAT (local address table) to include all of the internal IPs accessible through that NIC, including the ID and the broadcast. For example, if NIC C covers the 10.6.6.x network then the LAT for that NIC should be 10.6.6.0 - 10.6.6.255. You should also add any other subnets that may also come through that NIC from elsewhere on your infrastructure. Same with NIC B.

Proxy settings for NIC C users will be the IP address of NIC B on port 8080 (default). Proxy users on NIC A will be its IP and port 8080.

Make sure you have rules in the firewall policy for both NICs & local host to external for the protocols you want to allow out.
If these are all the same infrastructure, also make sure you have a rule that allows traffic in both directions between NIC B & NIC C.

keith
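
A quick check for the address-range advice above, added here as an example and not code from the thread or from ISA itself: given the subnets that really sit behind each internal NIC, it reports every address the ISA network definition leaves out (the network ID and broadcast are the usual omission, as is a second subnet routed in behind the NIC). The /24 masks and the extra 172.28.0.0/16 behind LAN-B are assumptions, since the thread gives only host addresses.

```python
import ipaddress

# Constructed example for the two internal NICs in the thread; the /24 masks
# and the extra subnet routed behind LAN-B (172.28.0.0/16) are assumptions.
SUBNETS_BEHIND_NIC = {
    "LAN-A": ["172.25.100.0/24"],
    "LAN-B": ["172.27.100.0/24", "172.28.0.0/16"],
}

# Address ranges (start, end) as entered for each ISA internal network. LAN-B is
# deliberately wrong: it skips the network ID and broadcast and omits 172.28.0.0/16.
ISA_NETWORK_RANGES = {
    "LAN-A": [("172.25.100.0", "172.25.100.255")],
    "LAN-B": [("172.27.100.1", "172.27.100.254")],
}

def ranges_to_networks(ranges):
    """Expand start-end pairs into the CIDR blocks they cover."""
    nets = []
    for start, end in ranges:
        nets.extend(ipaddress.summarize_address_range(
            ipaddress.ip_address(start), ipaddress.ip_address(end)))
    return nets

def uncovered(subnet, nets):
    """Return the parts of subnet that none of the CIDR blocks in nets covers."""
    remaining = [ipaddress.ip_network(subnet)]
    for net in nets:
        nxt = []
        for r in remaining:
            if r.subnet_of(net):
                continue                             # fully covered, drop it
            if net.subnet_of(r):
                nxt.extend(r.address_exclude(net))   # carve the covered part out
            else:
                nxt.append(r)                        # disjoint, keep as is
        remaining = nxt
    return remaining

def lat_gaps(subnets_behind_nic, isa_ranges):
    """Map each NIC to the addresses its ISA network definition leaves out;
    ISA will not treat traffic from those addresses as part of that network."""
    gaps = {}
    for nic, subnets in subnets_behind_nic.items():
        nets = ranges_to_networks(isa_ranges.get(nic, []))
        missing = [str(n) for s in subnets for n in uncovered(s, nets)]
        if missing:
            gaps[nic] = missing
    return gaps
```

Calling lat_gaps(SUBNETS_BEHIND_NIC, ISA_NETWORK_RANGES) reports 172.27.100.0/32, 172.27.100.255/32 and 172.28.0.0/16 as missing from LAN-B and nothing for LAN-A.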

geir056 (ASKER)

Thanks for the tips ;-)

With the three legged template do you mean the one with one WAN, one perimeter (DMZ) NIC and one LAN NIC?

How do I cancel the current template and apply the right one..?

I really need some help with the routing and firewall rules, I'd appreciate very much if you could show how this should be set up.

WAN NIC IP: 192.160.80.4
LAN-A NIC IP: 172.25.100.8 (the one with access to AD for auth)
LAN-B NIC IP: 172.27.100.8

No traffic is supposed to go between LAN-A and LAN-B.  This scenario covers only those two LANs' access to the internet via the WAN NIC.

Thanks again for your willingness to help

best regards

Geir

Just rerun it. It will deal with it for you but you will need to edit as I have outlined.
geir056 (ASKER)

Anybody having a couple of minutes to provide some routing and fw rules for this scenario?

regards

Tor

It's nearly 11pm here, so bedtime soon. Really, that is another question, but what do you want to do?
ASKER CERTIFIED SOLUTION
Keith Alabaster
geir056 (ASKER)

Keith,

I'll be one week of vacation.  Will repost status in 9 days.

regards

Tor

No sweat.

Just remember one limitation on ISA. Although you can have multiple IP addresses on the ISA external NIC, the outbound NAT always uses the first IP address - you cannot select which it will be.

Have a good vacation.
Keith

Forced accept.

Computer101
EE Admin