Solved

Changing internal IP address of ISA firewall/proxy

Posted on 2007-11-21
Last Modified: 2012-08-13
Just a general question this - at the moment the default gateway of our LAN is the firewall (which, like all the servers, has some static routes pointing to a Cisco router to get to remote offices).
We are upgrading the network and the default gateway will be a Cisco core, and we will change the internal IP address of the ISA/Proxy - otherwise nothing much else will change; we are keeping the same subnet. Can anyone think of any consequences of this, e.g. will I have to change firewall rules, anything on Exchange Server 2003, etc.?
I can handle the proxy address and port via group policy - anything else I need to address, anyone?
Question by:sasdaniels
Expert Comment

by:Keith Alabaster
ID: 20330233
1. If you are assigning the proxy address for the browser through WPAD or group policy, this will need to change.
2. So ISA is proxy only, not firewall as well? - make sure you have removed (assuming you had used it before) the ISA firewall client.
3. If you are introducing any new subnets that would appear on ISA's horizon, make sure these are added to the local LAT table in the ISA GUI.
4. Make sure you have updated ISA 2004 to SP3 anyway - it adds some neat troubleshooting functionality.
5. If the Cisco core is the new default gateway, consider adding an ACL to the Cisco boxes to only allow http/https access from the ISA IP address to avoid people bypassing the proxy - maybe add servers to this group too if they need direct access.

Just a few starter points.

Keith
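A concrete form of point 5 above, added here as an illustration and not part of the thread: an extended ACL on the Cisco core that lets only the ISA box (plus any server that genuinely needs direct access) out on 80/443, keeps web traffic between internal subnets untouched, and logs everything else so proxy bypass attempts show up in syslog. All addresses, the VLAN number and the assumption that every internal/remote-office subnet sits inside 10.0.0.0/8 are placeholders chosen for the example.

```cisco
! Added example (not from the thread). Assumed/placeholder addressing:
!   10.0.0.0/24  = internal LAN, the subnet ISA and the clients share
!   10.0.0.1     = new default gateway, an SVI on the Cisco core
!   10.0.0.5     = ISA internal IP (proxy)
!   10.0.0.20    = a server that legitimately needs direct web access
!   10.0.0.0/8   = all internal space, incl. remote-office subnets
ip access-list extended LAN-EGRESS
 remark -- the proxy itself is the only general route to the Internet
 permit tcp host 10.0.0.5 any eq www
 permit tcp host 10.0.0.5 any eq 443
 remark -- servers that need direct access: add one pair per host
 permit tcp host 10.0.0.20 any eq www
 permit tcp host 10.0.0.20 any eq 443
 remark -- web traffic that stays inside the organisation is unaffected
 permit tcp 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 eq www
 permit tcp 10.0.0.0 0.0.0.255 10.0.0.0 0.255.255.255 eq 443
 remark -- anyone else going direct to the Internet: drop and log
 deny   tcp 10.0.0.0 0.0.0.255 any eq www log
 deny   tcp 10.0.0.0 0.0.0.255 any eq 443 log
 remark -- everything else (DNS, SMB, Exchange, Citrix ICA, ...) passes
 permit ip any any
!
! Apply inbound on the LAN-facing SVI, i.e. to traffic leaving the clients.
interface Vlan10
 description Internal LAN default gateway
 ip address 10.0.0.1 255.255.255.0
 ip access-group LAN-EGRESS in
```

`show access-lists LAN-EGRESS` then shows hit counts per line, so a rising count on the two deny entries is a quick way to spot machines whose proxy settings are not being applied.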

Expert Comment

by:HiddenOne
ID: 20330585
Between the "core" and the ISA you will have a new subnet. So that is basically all that is going to change.
On ISA you do as instructed by Keith. (Change IP, administer internal network....)
One VERY important thing. Add a STATIC PERMANENT route to your internal IP segment on the ISA server. This is a must. (use command prompt: route add x.x.x.x mask y.y.y.y routerip -permanent)

Other than this small thing it is pretty straightforward.

Btw, do not remove the firewall client, no need for that.

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20330652
No offence but that is not correct.

As ISA will be acting as a proxy only, it can only use one NIC, so the default gateway on the ISA box will have to point to the internal IP on the Cisco core anyway. The ISA network wizard will need to be re-run to select the single-NIC network template. As the Cisco core is on the same subnet as ISA, a static route is not required.

Also, if the ISA firewall client is left on the workstations then all traffic will be passed to the ISA, as this will override the local client's gateway. As ISA will be acting as proxy only, not as a firewall, you would not want ISA trying to deal with DNS requests, ICMP requests etc., as
a) this is additional administrative overhead;
b) additional network traffic between the clients to ISA and then the target servers.

Keith
ISA MVP


Expert Comment

by:HiddenOne
ID: 20331058
None taken.
The design I imagined the author of the question is undertaking is to upgrade the core switch and implement it as a layer 3 gateway for just the users. In such a design the ISA would still be the actual Internet gateway, acting as a firewall and proxy. The ISA would be positioned "behind" the router (L3 switch).

ISA would in such a scenario have two NICs...

Damijan
NOT an ISA MVP, just a user since it was Proxy II :)


Expert Comment

by:Keith Alabaster
ID: 20331126
Understood - hopefully the asker will clarify. I had understood the comment 'on the same subnet' to mean on the same subnet as the 'internal interface' rather than on the external interface, i.e. ISA was going to be just a proxy server now and would use the core as an alternative route out. - if your understanding is the correct one then I apologise now. lol - don't you apologise - wouldn't be the first time that I've got it wrong :)

Regards
Keith

Author Comment

by:sasdaniels
ID: 20339381
Hi Guys
Thanks for those tips. From what the Cisco guys said (I await the final design write-up) there would be a subnet between the core layer 3 switch(es) and the WAN router.
We have a Juniper front-end firewall that hosts a DMZ (a Citrix Secure Gateway sits on there to authenticate Citrix Web Access); the ISA is the back-end firewall and proxy - e.g. I have a rule on there for Outlook Mobile Access. Then we have a WAN router (a LAN extension really) and the four remote offices are on different subnets - they are all Citrix desktop so effectively sit behind ISA because the Citrix servers are on the same subnet as ISA. So I can add all these networks as you suggest.
Good point about people using http/https; it is possible to bypass this at the moment (although I have locked out settings in IE via group policy that point to the proxy).
Thanks again for the tips
Expert Comment

by:Keith Alabaster
ID: 20340107
:) - welcome

Keith
Expert Comment

by:Keith Alabaster
ID: 20345151
Any update?