Solved

Changing internal IP address of ISA firewall/proxy

Posted on 2007-11-21
9
1,059 Views
Last Modified: 2012-08-13
Just a general question this - at the moment the default gateway of our LAN is the firewall (which like all the servers has some static routes pointing to a cisco router to get to remote offices)
We are upgrading the network and the default gate way will be a cisco core and we will change the internal IP address of the ISA/Proxy - otherwise nothing much else will change, we are keeping the same subnet. Can anyone think of any consequences for this eg will I have to change firewall rules, anything on Exchange server 2003 etc
I can handle proxy address and port via group policy - anything else I need to address anyone ?
0
Comment
Question by:sasdaniels
  • 5
  • 2
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20330233
1. If you are assigning the proxy address for the browser through wpad or group policy, this will need to change.
2. So ISA is proxy only, not firewall as well? - make sure you have removed (assuming you had used before) the ISA firewall client.
3. If you are introducing any new subnets that would appear on ISA's horizon, make sure these are added to the local LAT table in the ISA gui.
4. make sure you have updated the ISA2004 to SP3 anyway - adds some neat troubleshooting functionality.
5. If the Cisco core is the new default gateway, consider adding an ACl to the Cisco boxes to only allow http/https access from ther ISA ip address to avoid people bypassing the proxy - maybe add servers to the group of these need direct access also.

Just a few starter points.

Keith
0
 
LVL 1

Expert Comment

by:HiddenOne
ID: 20330585
Between the "core" and the ISA you will a have a new subnet. So that is basically all that is going to change.
On ISA you do as instructed by keith. (Change IP, administer internal netwok....)
One VERY important thing. Add a STATIC PERMANENT  route to your internal IP segment on the ISA server. This is a must. (use command promt: route add x.x.x.x mask y.y.y.y routerip -permanent)

Other thant this small thing it is preety straight forward.

Btw, do not remove the firewall client, no need for that.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 20330652
No offence but that is not correct.

As ISA will be acting as a proxy only, it can only use one nic so the default gateway on the ISA box will have to point to the internal ip on the Cisco core anyway. The ISA network wizard will need to be re-run to select the single-nic network template. As the Cisco core is on the same subnet as ISA then a static route is not required.

Also, if the isa firewall client is left on the workstations then all traffic will be passed to the ISA as this will overide the local clients gateway. As ISA will be acting as proxy only, not as a firewall, you would not want ISA trying to deal with dns requests, icmp requests etc as
a) this is additional administrative overhead;
b) additional network traffic between the clients to ISA and then the target servers;

Keith
ISA MVP

0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 1

Expert Comment

by:HiddenOne
ID: 20331058
None taken,
The design I immagined the author of the question is undertaking, is to upgrade the core switch and implment it as a layer 3 gateway for just the users. In such a design the ISA would stil be the actual Internet gateway, acting as a firewall and proxy. The ISA would be positioned "behind" the router (Ly3 switch).

ISA would in such scenario have two NICs...

Damijan
NOT and ISA MVP, just an user since it was Proxy II :)

0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20331126
Understood - hopefuilly the asker will clarify. I had understood the comment 'on the same subnet' to mean on the same subnet as the 'internal interface' rather than on the external interface ie ISA was going to be kust a proxy server now and would use the core as an alternative route out. - if your understanding is the correct one then I apologise now. lol - don't you apologise - wouldn't be the first time that I've got it wrong :)

Regards
keith

0
 

Author Comment

by:sasdaniels
ID: 20339381
Hi Guys
Thanks guys for those tips: From what the Cisco guys said (I await final design write up) there would be a subnet between core layer 3 switch(s) and the WAN router
We have a Juniper front end firewall that hosts a DMZ (a Citrix Secure Gateway sits on there to authenticate Citrix Web Access), the ISA is backend firewall and proxy - eg I have a rule on there for Outlook Mobile Access. Then we have a WAN router (a LAN extension really) and the four remote offices are on different subnets - they are all citrix desktop so effectively sit behind ISA because the citrix servers are on same subnet as ISA. So I can add all these networks as you suggest.
Good point about people using http/https it is possible to bypass this at moment (although I have locked out settings in IE via group policy that point to proxy)
Thanks again for the tips
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20340107
:) - welcome

Keith
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 20345151
Any update?
0

Featured Post

PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
How to scan rdp  ''only'' open port 3333? 5 116
Need a cheap RFID setup 10 81
Windows Server Firewall Configuration 2 43
domain controllers numbers 4 72
Resolve DNS query failed errors for Exchange
An article on effective troubleshooting
Microsoft Active Directory, the widely used IT infrastructure, is known for its high risk of credential theft. The best way to test your Active Directory’s vulnerabilities to pass-the-ticket, pass-the-hash, privilege escalation, and malware attacks …
This video shows how to quickly and easily add an email signature for all users on Exchange 2016. The resulting signature is applied on a server level by Exchange Online. The email signature template has been downloaded from: www.mail-signatures…

775 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question