Solved

Changing internal IP address of ISA firewall/proxy

Posted on 2007-11-21
9
1,037 Views
Last Modified: 2012-08-13
Just a general question this - at the moment the default gateway of our LAN is the firewall (which like all the servers has some static routes pointing to a cisco router to get to remote offices)
We are upgrading the network and the default gate way will be a cisco core and we will change the internal IP address of the ISA/Proxy - otherwise nothing much else will change, we are keeping the same subnet. Can anyone think of any consequences for this eg will I have to change firewall rules, anything on Exchange server 2003 etc
I can handle proxy address and port via group policy - anything else I need to address anyone ?
0
Comment
Question by:sasdaniels
  • 5
  • 2
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
1. If you are assigning the proxy address for the browser through wpad or group policy, this will need to change.
2. So ISA is proxy only, not firewall as well? - make sure you have removed (assuming you had used before) the ISA firewall client.
3. If you are introducing any new subnets that would appear on ISA's horizon, make sure these are added to the local LAT table in the ISA gui.
4. make sure you have updated the ISA2004 to SP3 anyway - adds some neat troubleshooting functionality.
5. If the Cisco core is the new default gateway, consider adding an ACl to the Cisco boxes to only allow http/https access from ther ISA ip address to avoid people bypassing the proxy - maybe add servers to the group of these need direct access also.

Just a few starter points.

Keith
0
 
LVL 1

Expert Comment

by:HiddenOne
Comment Utility
Between the "core" and the ISA you will a have a new subnet. So that is basically all that is going to change.
On ISA you do as instructed by keith. (Change IP, administer internal netwok....)
One VERY important thing. Add a STATIC PERMANENT  route to your internal IP segment on the ISA server. This is a must. (use command promt: route add x.x.x.x mask y.y.y.y routerip -permanent)

Other thant this small thing it is preety straight forward.

Btw, do not remove the firewall client, no need for that.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
Comment Utility
No offence but that is not correct.

As ISA will be acting as a proxy only, it can only use one nic so the default gateway on the ISA box will have to point to the internal ip on the Cisco core anyway. The ISA network wizard will need to be re-run to select the single-nic network template. As the Cisco core is on the same subnet as ISA then a static route is not required.

Also, if the isa firewall client is left on the workstations then all traffic will be passed to the ISA as this will overide the local clients gateway. As ISA will be acting as proxy only, not as a firewall, you would not want ISA trying to deal with dns requests, icmp requests etc as
a) this is additional administrative overhead;
b) additional network traffic between the clients to ISA and then the target servers;

Keith
ISA MVP

0
 
LVL 1

Expert Comment

by:HiddenOne
Comment Utility
None taken,
The design I immagined the author of the question is undertaking, is to upgrade the core switch and implment it as a layer 3 gateway for just the users. In such a design the ISA would stil be the actual Internet gateway, acting as a firewall and proxy. The ISA would be positioned "behind" the router (Ly3 switch).

ISA would in such scenario have two NICs...

Damijan
NOT and ISA MVP, just an user since it was Proxy II :)

0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Understood - hopefuilly the asker will clarify. I had understood the comment 'on the same subnet' to mean on the same subnet as the 'internal interface' rather than on the external interface ie ISA was going to be kust a proxy server now and would use the core as an alternative route out. - if your understanding is the correct one then I apologise now. lol - don't you apologise - wouldn't be the first time that I've got it wrong :)

Regards
keith

0
 

Author Comment

by:sasdaniels
Comment Utility
Hi Guys
Thanks guys for those tips: From what the Cisco guys said (I await final design write up) there would be a subnet between core layer 3 switch(s) and the WAN router
We have a Juniper front end firewall that hosts a DMZ (a Citrix Secure Gateway sits on there to authenticate Citrix Web Access), the ISA is backend firewall and proxy - eg I have a rule on there for Outlook Mobile Access. Then we have a WAN router (a LAN extension really) and the four remote offices are on different subnets - they are all citrix desktop so effectively sit behind ISA because the citrix servers are on same subnet as ISA. So I can add all these networks as you suggest.
Good point about people using http/https it is possible to bypass this at moment (although I have locked out settings in IE via group policy that point to proxy)
Thanks again for the tips
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
:) - welcome

Keith
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Any update?
0

Featured Post

How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
NFS vs, iSCSI throughput ? 20 108
DNS Host A record or CName 3 56
internet access from windows servers 4 53
DDOS against DYN 9 81
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
A common practice in small networks is making file sharing easy which works extremely well when intra-network security is not an issue. In essence, everyone, that is "Everyone", is given access to all of the shared files - often the entire C: drive …
It is a freely distributed piece of software for such tasks as photo retouching, image composition and image authoring. It works on many operating systems, in many languages.
When you create an app prototype with Adobe XD, you can insert system screens -- sharing or Control Center, for example -- with just a few clicks. This video shows you how. You can take the full course on Experts Exchange at http://bit.ly/XDcourse.

772 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

11 Experts available now in Live!

Get 1:1 Help Now