
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 734
  • Last Modified:

ISA 2004, Perimeter networks, VLANS

Environ = Server 2003 domain with an ISA 2004/Surf Control 2004 firewall/proxy server.  

All of our domain clients use the MS Firewall to authenticate and they browse the web via our proxy server/firewall for content filtering purposes.  At the risk of sounding repetitive, no user can access our network w/out the FW client or w/out authenticating and w/out going thru our proxy server.

Our ISA is configured as a three-leg perimeter and it has three NICS.

NIC 1 is our public IP
NIC 2 is our LAN on 10.0.x.x
NIC 3 is our DMZ on 192.168.x.x

The only thing in our perimeter is our IIS server and it runs our ticketing tool on 192.168.x.x

Now the pastor wants an Internet café.  

What we thought we'd do is set up a VLAN on the DMZ side of our network, drop in an AP and let the café users surf without having to authenticate and w/out having to join the domain.  The only things we want to do are control content and force all users to surf via our proxy server so it's all run thru Surf Control.

So far, we took NIC 3 from our proxy and plugged it into the VLAN in our 3 COM switch and we plugged in a PC on the VLAN as well.  Our DMZ server has its second NIC plugged into the VLAN as well.  We set our DMZ server to DHCP the 192s and our PC is pulling an IP.  Our PC on the VLAN can also ping our DMZ and our proxy server and our DNS server.  Everyone is pinging everyone else and all is well with the world on the LAN side.  However, when we try to browse the Internet, we hit a wall.

The last rule in ISA, the default rule, is blocking our PC's request to get to the Internet and the protocol it lists in the block is DHCP.  I wrote a rule that allows ALL perimeter traffic out to the external network, but that didn't do it either.

The PC on our VLAN is pulling a 192.168.x.x IP.  Its gateway is our LAN gateway, the same gateway every other PC uses to surf and its DNS is our DNS server, the same one every other PC uses, but the default rule, the last rule in ISA, blocks it.

I think that's as much as I know.  Any ideas?

1 Solution
Keith Alabaster commented:
Remember the basic rules: anything which is accessible through the internal ISA nic is classed as internal and MUST be included in the LAT (configuration - networks - internal (properties) - addresses).

The dmz interface (the 192.x.y.z) on ISA will also have a lat (configuration - networks - dmz (properties) - addresses). Any IP contactable through this interface must be included.

IP subnets can ONLY be on one interface. That being the case, no machine can be on the 192.x.y.z dmz network and have their gateway set to the ISA internal nic; the gateway must be the ISA dmz nic ip.
crp0499 (author) commented:
Ok Keith...here we go...

Our 3COM switch has two vlans.  Vlan 1 is the default vlan and it's on 10.0.0.x.  Vlan2 is on 192.168.1.x.  The vlan interface for vlan2 is  I have a server in vlan2 handling dhcp to the 192s and it has two NICS (one on the 10s and one on the 192s).

When I plug a PC into vlan2, it gets an IP on the 192s and it can ping everything on BOTH vlans.  That is, it can ping (our DNS) and (our switch) and everything seems ok.  ALL PCs on both vlans can ping every other PC on every other vlan.  That means the two vlans are talking on layer 3 as they should.


I can't ping the, which is the NIC in ISA.  I can ping the DMZ NIC in ISA ( and ISA can ping back to all PCs on either vlan, but so long as the PCs on the 192s can't ping ISA, they can't get out.

Any ideas?
Keith Alabaster commented:
<<The PC on our VLAN is pulling a 192.168.x.x IP.  Its gateway is our LAN gateway, the same gateway every other PC uses to surf and its DNS is our DNS server, the same one every other PC uses, but the default rule, the last rule in ISA, blocks it.

This is the part that is confusing me I think.
If a box has got a dhcp address pulled from the 192.168.x.y dhcp server then that scope should have set the 003 (router) entry to a 192.168.x.y address (where x.y is the ip address on the dmz interface of the ISA).

The dhcp server on the 10.x.y.z network will have its 003 (router) entry set to the 10.x.y.z where 10.x.y.z is the ip on the internal lan interface of ISA.

in the gui, configuration - networks - network rules,
there should be a route relationship between dmz and internal
and a nat relationship between internal and external
and a nat relationship between dmz and external

On the system policy rules and firewall policy rules of ISA,

In the system policy, have you added dmz to the list of networks that can ping ISA?
In the firewall policy, is there a rule that allows http/https from dmz to external?
In the configuration, networks - internal (properties) - web proxy have you enabled web proxy services?

In the client browser (on the 192.168 machines) have you set their proxy settings to 192.168.x.y 8080?
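The checks Keith lays out in his two replies above (every subnet in exactly one network's address list, the gateway having to be the ISA NIC of the host's own network, a route or NAT network rule between the two networks, and then an access rule before the default rule blocks), modelled as a small Python script. This is an added example, not code from the thread or from ISA Server itself; the networks, addresses and rule names are constructed placeholders, and it generalizes slightly by applying the same checks to any source/destination pair rather than only the café PC case.

```python
"""Model of the checks an ISA 2004 three-leg box applies before a request
falls through to the default rule.  Added example; not ISA code.  All
addresses and rule names are constructed placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Network:
    """One ISA network: its address list and ISA's own NIC address on it."""
    name: str
    addresses: tuple                  # IPv4Network objects reachable via this NIC
    isa_nic: ipaddress.IPv4Address    # ISA's address on that NIC (the hosts' gateway)


@dataclass(frozen=True)
class NetworkRule:
    """Configuration - Networks - Network Rules entry."""
    source: str
    destination: str
    relationship: str                 # "route" or "nat"


@dataclass(frozen=True)
class AccessRule:
    """Firewall policy access rule (only allow rules are modelled)."""
    name: str
    protocols: frozenset
    source: str
    destination: str


def network(name, nic, *cidrs):
    """Build a Network from plain strings."""
    return Network(name, tuple(ipaddress.ip_network(c) for c in cidrs),
                   ipaddress.ip_address(nic))


def classify(networks, ip):
    """Return the Network whose address list holds ip, or None (= External).

    A subnet may sit behind only one interface, so a hit on two networks is a
    configuration error rather than a classification."""
    ip = ipaddress.ip_address(ip)
    hits = [n for n in networks if any(ip in subnet for subnet in n.addresses)]
    if len(hits) > 1:
        raise ValueError(f"{ip} is listed on more than one network: "
                         f"{[n.name for n in hits]}")
    return hits[0] if hits else None


def relationship(network_rules, src, dst):
    """Relationship ISA applies between src and dst: route rules work in both
    directions, NAT rules only from source to destination."""
    for rule in network_rules:
        forward = (rule.source, rule.destination) == (src, dst)
        reverse = (rule.source, rule.destination) == (dst, src)
        if forward or (reverse and rule.relationship == "route"):
            return rule.relationship
    return None


def diagnose(networks, network_rules, access_rules,
             client_ip, client_gateway, dest_ip, protocol):
    """Walk one outbound request through the checks; return (allowed, findings)."""
    client_gateway = ipaddress.ip_address(client_gateway)

    src = classify(networks, client_ip)
    if src is None:
        return False, [f"{client_ip} is not in any network's address list"]

    # Hosts must route via the ISA NIC of the network their own address is in;
    # a DMZ host whose DHCP option 003 points at the Internal NIC fails here.
    if client_gateway != src.isa_nic:
        return False, [f"gateway {client_gateway} is not the ISA {src.name} NIC "
                       f"{src.isa_nic}; DHCP option 003 for the {src.name} scope "
                       f"should hand out {src.isa_nic}"]

    dst = classify(networks, dest_ip)
    dst_name = dst.name if dst else "External"   # anything unlisted is External

    rel = relationship(network_rules, src.name, dst_name)
    if rel is None:
        return False, [f"no network rule (route or NAT) between {src.name} and {dst_name}"]

    for rule in access_rules:
        if (rule.source, rule.destination) == (src.name, dst_name) and protocol in rule.protocols:
            return True, [f"allowed by access rule '{rule.name}' over a {rel} relationship"]

    return False, [f"no access rule allows {protocol} from {src.name} to {dst_name}; "
                   f"the default rule blocks it"]


# Constructed configuration mirroring the thread's layout (placeholder addresses).
NETWORKS = (
    network("Internal", "10.0.0.1", "10.0.0.0/16"),
    network("DMZ", "192.168.1.1", "192.168.1.0/24"),
)
NETWORK_RULES = (
    NetworkRule("DMZ", "Internal", "route"),
    NetworkRule("Internal", "External", "nat"),
    NetworkRule("DMZ", "External", "nat"),
)
ACCESS_RULES = (
    AccessRule("Cafe web access", frozenset({"HTTP", "HTTPS"}), "DMZ", "External"),
)

if __name__ == "__main__":
    # Cafe PC with its gateway pointed at the Internal NIC, as in the question.
    print(diagnose(NETWORKS, NETWORK_RULES, ACCESS_RULES,
                   "192.168.1.50", "10.0.0.1", "203.0.113.10", "HTTP"))
    # Same PC after DHCP option 003 is corrected to the DMZ NIC.
    print(diagnose(NETWORKS, NETWORK_RULES, ACCESS_RULES,
                   "192.168.1.50", "192.168.1.1", "203.0.113.10", "HTTP"))
```

The first run stops at the gateway check, which is the symptom in the question: the café PC is on the DMZ subnet but was handed the LAN gateway. The second run passes the network-rule and access-rule checks; change the protocol to one the café rule does not list and the verdict is the default-rule block Keith describes.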

crp0499 (author) commented:
Your last four questions may be what I'm looking for.  Yes, our 192.168.1.x machines are pulling DHCP IPs from our 192.168.1.x DMZ server.  That DMZ server can ping ISA but that may be cos it has a second NIC on the 10.0.0.x side.  The PCs that pull IPs from our DMZ server cannot ping ISA.    The 003 IP for those PCs is the vlan interface of vlan2, per 3COM.  They are supposed to look for the traffic on the vlan, and if not found, go out thru the vlan2 interface which communicates with vlan1 via layer 3.

I will look at the system policy to see if the DMZ can ping ISA (I don't think it can and it would make sense that it would not be able to).

There is the HTTP/HTTPS rule from DMZ to external.

WEB proxies are enabled.

Yes to the client machines and web proxy settings.  

I think it's the DMZ pinging ISA...will let you know.
Keith Alabaster commented:
The dmz server should NOT have an interface onto the network really as it has the potential for creating a routing loop; it should go via the ISA but as long as there is no routing advertising performed by that box then you can probably get away with it - not recommended though.

I assume there is no default gateway set on the dmz interface of the IIS server?
Open the isa gui - monitoring - logging - start query.
Open a connection in a dmz pc's browser to an external web site
What do you see in the log?

Confirm you have put separate rules in for dmz traffic to external rather than tried to put in one rule for both internal & dmz traffic to external?

The fact that it is the default rule performing the block tells us that the traffic that ISA is seeing does not meet any of the conditions set in the existing access firewall rules.
crp0499 (author) commented:
Bloody hell...there IS a system policy that allows DMZ to ping ISA.  All else you mentioned looks good.  Still have the issues that 192 PCs can't ping ISA.  Now, just as a reminder, ALL of our other 9 servers are on the 10.0.0.x address.  The 192 PCs can ping all of them.  They just can't ping ISA.
crp0499 (author) commented:
OK, you wrote a lot...I'll read and digest it tomorrow and get back to you.
Keith Alabaster commented:
Thanks :)

crp0499 (author) commented:
Anytime...just posted a fun one for you in the ISA section!
Keith Alabaster commented:
lol - thanks....
