Changing internal IP address of ISA firewall/proxy

Posted on 2007-11-21
Medium Priority
Last Modified: 2012-08-13
Just a general question this - at the moment the default gateway of our LAN is the firewall (which like all the servers has some static routes pointing to a cisco router to get to remote offices)
We are upgrading the network and the default gate way will be a cisco core and we will change the internal IP address of the ISA/Proxy - otherwise nothing much else will change, we are keeping the same subnet. Can anyone think of any consequences for this eg will I have to change firewall rules, anything on Exchange server 2003 etc
I can handle proxy address and port via group policy - anything else I need to address anyone ?
Question by:sasdaniels
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 5
  • 2
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330233
1. If you are assigning the proxy address for the browser through wpad or group policy, this will need to change.
2. So ISA is proxy only, not firewall as well? - make sure you have removed (assuming you had used before) the ISA firewall client.
3. If you are introducing any new subnets that would appear on ISA's horizon, make sure these are added to the local LAT table in the ISA gui.
4. make sure you have updated the ISA2004 to SP3 anyway - adds some neat troubleshooting functionality.
5. If the Cisco core is the new default gateway, consider adding an ACl to the Cisco boxes to only allow http/https access from ther ISA ip address to avoid people bypassing the proxy - maybe add servers to the group of these need direct access also.

Just a few starter points.


Expert Comment

ID: 20330585
Between the "core" and the ISA you will a have a new subnet. So that is basically all that is going to change.
On ISA you do as instructed by keith. (Change IP, administer internal netwok....)
One VERY important thing. Add a STATIC PERMANENT  route to your internal IP segment on the ISA server. This is a must. (use command promt: route add x.x.x.x mask y.y.y.y routerip -permanent)

Other thant this small thing it is preety straight forward.

Btw, do not remove the firewall client, no need for that.
LVL 51

Accepted Solution

Keith Alabaster earned 1500 total points
ID: 20330652
No offence but that is not correct.

As ISA will be acting as a proxy only, it can only use one nic so the default gateway on the ISA box will have to point to the internal ip on the Cisco core anyway. The ISA network wizard will need to be re-run to select the single-nic network template. As the Cisco core is on the same subnet as ISA then a static route is not required.

Also, if the isa firewall client is left on the workstations then all traffic will be passed to the ISA as this will overide the local clients gateway. As ISA will be acting as proxy only, not as a firewall, you would not want ISA trying to deal with dns requests, icmp requests etc as
a) this is additional administrative overhead;
b) additional network traffic between the clients to ISA and then the target servers;


Four New Appliances. Same Industry-leading Speeds.

But don't take it from us.  The Firebox M370 is Miercom tested and Miercom approved, outperforming its competitors for stateless and stateful traffic throughput scenarios.  Learn more about the M370, M470, M570 and M670 and find the right solution for your organization today!


Expert Comment

ID: 20331058
None taken,
The design I immagined the author of the question is undertaking, is to upgrade the core switch and implment it as a layer 3 gateway for just the users. In such a design the ISA would stil be the actual Internet gateway, acting as a firewall and proxy. The ISA would be positioned "behind" the router (Ly3 switch).

ISA would in such scenario have two NICs...

NOT and ISA MVP, just an user since it was Proxy II :)

LVL 51

Expert Comment

by:Keith Alabaster
ID: 20331126
Understood - hopefuilly the asker will clarify. I had understood the comment 'on the same subnet' to mean on the same subnet as the 'internal interface' rather than on the external interface ie ISA was going to be kust a proxy server now and would use the core as an alternative route out. - if your understanding is the correct one then I apologise now. lol - don't you apologise - wouldn't be the first time that I've got it wrong :)



Author Comment

ID: 20339381
Hi Guys
Thanks guys for those tips: From what the Cisco guys said (I await final design write up) there would be a subnet between core layer 3 switch(s) and the WAN router
We have a Juniper front end firewall that hosts a DMZ (a Citrix Secure Gateway sits on there to authenticate Citrix Web Access), the ISA is backend firewall and proxy - eg I have a rule on there for Outlook Mobile Access. Then we have a WAN router (a LAN extension really) and the four remote offices are on different subnets - they are all citrix desktop so effectively sit behind ISA because the citrix servers are on same subnet as ISA. So I can add all these networks as you suggest.
Good point about people using http/https it is possible to bypass this at moment (although I have locked out settings in IE via group policy that point to proxy)
Thanks again for the tips
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20340107
:) - welcome

LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345151
Any update?

Featured Post

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I have been asked to explain on many, many occasions the correct way to setup network cards and DNS settings on ISA Server 2004, 2006 and forefront Threat management gateway (FTMG) and have willing done so. I have also promised my self everytime tha…
We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
Michael from AdRem Software explains how to view the most utilized and worst performing nodes in your network, by accessing the Top Charts view in NetCrunch network monitor (https://www.adremsoft.com/). Top Charts is a view in which you can set seve…
Monitoring a network: how to monitor network services and why? Michael Kulchisky, MCSE, MCSA, MCP, VTSP, VSP, CCSP outlines the philosophy behind service monitoring and why a handshake validation is critical in network monitoring. Software utilized …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question