Solved

ISA Server Basic Configuration Cont??

Posted on 2008-06-10
10
273 Views
Last Modified: 2010-04-21
I followed the explanation by keith_alabaster on question ID  22454299 on the basic configuration on ISA server 2006, the server has two nic cards, one is for internet access and the other is for handling internal traffic to our programs. The server allows users access to the internet depending on the proxy configuration or denies it by proxy misconfiguration on group policies, but now we want to use ISA server to allow limited access. What kind of network template should I use when configuring ISA? As soon as I install it the server loses internet access because I only declare the internal network the nic card without gateway nor dns info. I don't know how to declare the other card that allows the internet and has all the router info. Is there a second part to that question?
0
Comment
Question by:carloslaso
  • 5
  • 5
10 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21754852
Depends on your configuration - If there is another firewall between ISA and the Internet then select the back-end firewall. If ISA is the first firewall that traffic will hit as it comes in through your router/gateway then select front-end.

The main difference is that as a front-end firewall ISA will provide the NAT function to 'hide' the internal IP addresses by default. To be honest, this is the option I always use when I do not have DMZ interfaces involved on the ISA itself.

Keith
0
 

Author Comment

by:carloslaso
ID: 21754879
So I should not declare the nic I use to handle internal traffic? Should I declare the one that has internet access as the internal and use the Front-end template?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21754921
??

The NIC that has internet access is the external, the other is the internal. When you run the template, you will be asked to give ip addresses on the internal card only - and MUST include ALL internal addresses. So do NOT add all private addresses, just enter those relevant to your internal network.

For example, if you have 192.168.10.200 as the ip address on the uinternal nic, you would enter 192.168.10.0 - 192.168.10.255. All addresses includes the Network ID and the broadcast address. ALL IP addresses NOT entered into the LAT, when it prompts, will be treated as external from your inside network.
0
Portable, direct connect server access

The ATEN CV211 connects a laptop directly to any server allowing you instant access to perform data maintenance and local operations, for quick troubleshooting, updating, service and repair.

 

Author Comment

by:carloslaso
ID: 21755797
I configures ISA using the EDGE network template and i am able to ping yahoo and google but i cannot do anything more, i noticed that the DHCP server disconnects as soon as i close that window.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21757004
The internal nic MUST have dns info - it must point to the internal dns server.
The internal nic does not have a default gateway.

The external nic MUST NOT have dns info
The external nic WILL have a default gateway of the external router.

The Internal DNS server MUST have its forwarders set to point at the external (ISP) dns servers.

What DHCP server? ISA nics (internal & external) should have static ip addresses or their respective subnets.
0
 

Author Comment

by:carloslaso
ID: 21757177
I will try some of those MUSTs and WILLs, I may have put something wrong there.

As for the DHCP server, is that needed to assign IPs to the PCs being protected or controlled by ISA Server or they also have to have Static IP Addresses?

I only have one server where I installed Windows 2003 and ISA 2006, is that allowed or should I have a different server just for ISA? If so, can it be installed on a virtual pc or a separate box (server) is required?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 21757201
OK - the dhcp server can set the internal client IP's - thats fine. I read your post as saying that the dhcp server was supplying the ISA server withis internal ip address.

ISA should not be run on a domain controller unless you are using windows SBS server. Best practice states that ISA should not be run on a virtual machine in a production environment but i have seen it done and it seems to work OK. MS will not support that installation though. Personally I always use a separate box for customers as it is best practice. In my test labs though? - always on Virtual PC (not virtual server).

0
 

Author Comment

by:carloslaso
ID: 21757215
I forgot to mention that I got Internet explorer to work on the server (not on the PCs), using the info on the last post of the following link: http://tinyurl.com/6cxgsm , but not firefox, tzo  and some other apps.  I still need to check some of the IPs that I may have put wrong in the DNS of the nics
0
 

Author Closing Comment

by:carloslaso
ID: 31465921
I'm accepting this as an answer because all of what the author posted helped me get Internet to the server, Internet access to the rest of the programs can be investigated on different questions on this forum or using the search option.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21761851
Thanks :)
0

Featured Post

Free Tool: IP Lookup

Get more info about an IP address or domain name, such as organization, abuse contacts and geolocation.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Many of us in IT utilize a combination of roaming profiles and folder redirection to ensure user information carries over from one workstation to another; in my environment, it was to enable virtualization without needing a separate desktop for each…
Are you one of those front-line IT Service Desk staff fielding calls, replying to emails, all-the-while working to resolve end-user technological nightmares? I am! That's why I have put together this brief overview of tools and techniques I use in o…
The Email Laundry PDF encryption service allows companies to send confidential encrypted  emails to anybody. The PDF document can also contain attachments that are embedded in the encrypted PDF. The password is randomly generated by The Email Laundr…

828 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question