Changing internal IP address of ISA firewall/proxy

Posted on 2007-11-21
Medium Priority
Last Modified: 2012-08-13
Just a general question this - at the moment the default gateway of our LAN is the firewall (which, like all the servers, has some static routes pointing to a Cisco router to get to remote offices).
We are upgrading the network and the default gateway will be a Cisco core and we will change the internal IP address of the ISA/proxy - otherwise nothing much else will change, we are keeping the same subnet. Can anyone think of any consequences for this, e.g. will I have to change firewall rules, anything on Exchange Server 2003 etc.?
I can handle proxy address and port via group policy - anything else I need to address, anyone?
Question by:sasdaniels
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330233
1. If you are assigning the proxy address for the browser through WPAD or group policy, this will need to change.
2. So ISA is proxy only, not firewall as well? - make sure you have removed (assuming you had used it before) the ISA firewall client.
3. If you are introducing any new subnets that would appear on ISA's horizon, make sure these are added to the local LAT table in the ISA GUI.
4. Make sure you have updated the ISA 2004 to SP3 anyway - adds some neat troubleshooting functionality.
5. If the Cisco core is the new default gateway, consider adding an ACL to the Cisco boxes to only allow HTTP/HTTPS access from the ISA IP address to avoid people bypassing the proxy - maybe add servers to the group if these need direct access also.

Just a few starter points.
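Point 5 above as an added configuration example (not from the thread or from any of its participants): an egress ACL on the core's LAN VLAN interface that lets only the ISA proxy and explicitly exempted servers originate HTTP/HTTPS, and logs everything else so bypass attempts show up. All addresses are placeholders (LAN 192.168.1.0/24, ISA internal IP 192.168.1.254, exempt server 192.168.1.10, VLAN 10) and must be replaced with the real ones.

```cisco
! Added example, not the thread's own configuration. Placeholder addresses:
!   LAN            192.168.1.0/24
!   ISA internal   192.168.1.254
!   exempt server  192.168.1.10
! Clients on the same VLAN reach the ISA proxy port at layer 2, so that traffic
! never crosses this ACL; only traffic routed off the VLAN is filtered.
ip access-list extended LAN-EGRESS
 remark -- Hosts allowed to originate web traffic directly --
 permit tcp host 192.168.1.254 any eq 80
 permit tcp host 192.168.1.254 any eq 443
 permit tcp host 192.168.1.10 any eq 80
 permit tcp host 192.168.1.10 any eq 443
 remark -- If internal web servers live on other subnets (remote offices,
 remark -- Exchange OWA), permit those destinations here, above the deny lines.
 remark -- Everyone else must go through the proxy; log so bypass is visible --
 deny   tcp 192.168.1.0 0.0.0.255 any eq 80 log
 deny   tcp 192.168.1.0 0.0.0.255 any eq 443 log
 remark -- All other traffic (DNS, Citrix, file shares, ICMP) is unaffected --
 permit ip any any
!
interface Vlan10
 description User LAN default gateway
 ip address 192.168.1.1 255.255.255.0
 ip access-group LAN-EGRESS in
!
! Verify with: show ip access-lists LAN-EGRESS  (hit counters on the deny lines
! identify clients that are not using the proxy)
```

Because the ACL is applied inbound on the LAN gateway interface, it also covers the case where a user sets "bypass proxy" in the browser: the denied connection fails at the core rather than leaking straight out.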


Expert Comment

ID: 20330585
Between the "core" and the ISA you will have a new subnet. So that is basically all that is going to change.
On ISA you do as instructed by Keith. (Change IP, administer internal network....)
One VERY important thing. Add a STATIC PERMANENT route to your internal IP segment on the ISA server. This is a must. (Use command prompt: route add x.x.x.x mask y.y.y.y routerip -p)

Other than this small thing it is pretty straightforward.

Btw, do not remove the firewall client, no need for that.
LVL 51

Accepted Solution

Keith Alabaster earned 1500 total points
ID: 20330652
No offence but that is not correct.

As ISA will be acting as a proxy only, it can only use one NIC, so the default gateway on the ISA box will have to point to the internal IP on the Cisco core anyway. The ISA network wizard will need to be re-run to select the single-NIC network template. As the Cisco core is on the same subnet as ISA, a static route is not required.

Also, if the ISA firewall client is left on the workstations then all traffic will be passed to the ISA, as this will override the local client's gateway. As ISA will be acting as proxy only, not as a firewall, you would not want ISA trying to deal with DNS requests, ICMP requests etc., as
a) this is additional administrative overhead;
b) additional network traffic between the clients to ISA and then the target servers;



Expert Comment

ID: 20331058
None taken,
The design I imagined the author of the question is undertaking is to upgrade the core switch and implement it as a layer 3 gateway for just the users. In such a design the ISA would still be the actual Internet gateway, acting as a firewall and proxy. The ISA would be positioned "behind" the router (L3 switch).

ISA would in such a scenario have two NICs...

NOT an ISA MVP, just a user since it was Proxy II :)

LVL 51

Expert Comment

by:Keith Alabaster
ID: 20331126
Understood - hopefully the asker will clarify. I had understood the comment 'on the same subnet' to mean on the same subnet as the 'internal interface' rather than on the external interface, i.e. ISA was going to be just a proxy server now and would use the core as an alternative route out. - if your understanding is the correct one then I apologise now. lol - don't you apologise - wouldn't be the first time that I've got it wrong :)



Author Comment

ID: 20339381
Hi Guys
Thanks guys for those tips. From what the Cisco guys said (I await the final design write-up) there would be a subnet between the core layer 3 switch(es) and the WAN router.
We have a Juniper front-end firewall that hosts a DMZ (a Citrix Secure Gateway sits on there to authenticate Citrix Web Access); the ISA is the back-end firewall and proxy - e.g. I have a rule on there for Outlook Mobile Access. Then we have a WAN router (a LAN extension really) and the four remote offices are on different subnets - they are all Citrix desktop so effectively sit behind ISA because the Citrix servers are on the same subnet as ISA. So I can add all these networks as you suggest.
Good point about people using HTTP/HTTPS; it is possible to bypass this at the moment (although I have locked out settings in IE via group policy that point to the proxy).
Thanks again for the tips
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20340107
:) - welcome

LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345151
Any update?
