Solved

ISA Server Basic Configuration Cont??

Posted on 2008-06-10
10
272 Views
Last Modified: 2010-04-21
I followed the explanation by keith_alabaster on question ID  22454299 on the basic configuration on ISA server 2006, the server has two nic cards, one is for internet access and the other is for handling internal traffic to our programs. The server allows users access to the internet depending on the proxy configuration or denies it by proxy misconfiguration on group policies, but now we want to use ISA server to allow limited access. What kind of network template should I use when configuring ISA? As soon as I install it the server loses internet access because I only declare the internal network the nic card without gateway nor dns info. I don't know how to declare the other card that allows the internet and has all the router info. Is there a second part to that question?
0
Comment
Question by:carloslaso
  • 5
  • 5
10 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21754852
Depends on your configuration - If there is another firewall between ISA and the Internet then select the back-end firewall. If ISA is the first firewall that traffic will hit as it comes in through your router/gateway then select front-end.

The main difference is that as a front-end firewall ISA will provide the NAT function to 'hide' the internal IP addresses by default. To be honest, this is the option I always use when I do not have DMZ interfaces involved on the ISA itself.

Keith
0
 

Author Comment

by:carloslaso
ID: 21754879
So I should not declare the nic I use to handle internal traffic? Should I declare the one that has internet access as the internal and use the Front-end template?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21754921
??

The NIC that has internet access is the external, the other is the internal. When you run the template, you will be asked to give ip addresses on the internal card only - and MUST include ALL internal addresses. So do NOT add all private addresses, just enter those relevant to your internal network.

For example, if you have 192.168.10.200 as the ip address on the uinternal nic, you would enter 192.168.10.0 - 192.168.10.255. All addresses includes the Network ID and the broadcast address. ALL IP addresses NOT entered into the LAT, when it prompts, will be treated as external from your inside network.
0
Microsoft Certification Exam 74-409

Veeam® is happy to provide the Microsoft community with a study guide prepared by MVP and MCT, Orin Thomas. This guide will take you through each of the exam objectives, helping you to prepare for and pass the examination.

 

Author Comment

by:carloslaso
ID: 21755797
I configures ISA using the EDGE network template and i am able to ping yahoo and google but i cannot do anything more, i noticed that the DHCP server disconnects as soon as i close that window.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21757004
The internal nic MUST have dns info - it must point to the internal dns server.
The internal nic does not have a default gateway.

The external nic MUST NOT have dns info
The external nic WILL have a default gateway of the external router.

The Internal DNS server MUST have its forwarders set to point at the external (ISP) dns servers.

What DHCP server? ISA nics (internal & external) should have static ip addresses or their respective subnets.
0
 

Author Comment

by:carloslaso
ID: 21757177
I will try some of those MUSTs and WILLs, I may have put something wrong there.

As for the DHCP server, is that needed to assign IPs to the PCs being protected or controlled by ISA Server or they also have to have Static IP Addresses?

I only have one server where I installed Windows 2003 and ISA 2006, is that allowed or should I have a different server just for ISA? If so, can it be installed on a virtual pc or a separate box (server) is required?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 21757201
OK - the dhcp server can set the internal client IP's - thats fine. I read your post as saying that the dhcp server was supplying the ISA server withis internal ip address.

ISA should not be run on a domain controller unless you are using windows SBS server. Best practice states that ISA should not be run on a virtual machine in a production environment but i have seen it done and it seems to work OK. MS will not support that installation though. Personally I always use a separate box for customers as it is best practice. In my test labs though? - always on Virtual PC (not virtual server).

0
 

Author Comment

by:carloslaso
ID: 21757215
I forgot to mention that I got Internet explorer to work on the server (not on the PCs), using the info on the last post of the following link: http://tinyurl.com/6cxgsm , but not firefox, tzo  and some other apps.  I still need to check some of the IPs that I may have put wrong in the DNS of the nics
0
 

Author Closing Comment

by:carloslaso
ID: 31465921
I'm accepting this as an answer because all of what the author posted helped me get Internet to the server, Internet access to the rest of the programs can be investigated on different questions on this forum or using the search option.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21761851
Thanks :)
0

Featured Post

Windows Server 2016: All you need to know

Learn about Hyper-V features that increase functionality and usability of Microsoft Windows Server 2016. Also, throughout this eBook, you’ll find some basic PowerShell examples that will help you leverage the scripts in your environments!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Enterprise networks where VoIP phones have been deployed frequently use port configurations that allow both a computer and an IP phone to be plugged into the same switch port but use different VLANs. On Cisco equipment I'm referring to the "native V…
So the following errors occurs in 2 ways that I am aware of at this stage, and you receive one of the following error messages: ERROR 1. When trying to save a rule: No Web listener is specified for the Web publishing rule Autodiscovery Publishin…
This Micro Tutorial hows how you can integrate  Mac OSX to a Windows Active Directory Domain. Apple has made it easy to allow users to bind their macs to a windows domain with relative ease. The following video show how to bind OSX Mavericks to …
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…

773 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question