Solved

ISA Server Basic Configuration Cont??

Posted on 2008-06-10
10
270 Views
Last Modified: 2010-04-21
I followed the explanation by keith_alabaster on question ID  22454299 on the basic configuration on ISA server 2006, the server has two nic cards, one is for internet access and the other is for handling internal traffic to our programs. The server allows users access to the internet depending on the proxy configuration or denies it by proxy misconfiguration on group policies, but now we want to use ISA server to allow limited access. What kind of network template should I use when configuring ISA? As soon as I install it the server loses internet access because I only declare the internal network the nic card without gateway nor dns info. I don't know how to declare the other card that allows the internet and has all the router info. Is there a second part to that question?
0
Comment
Question by:carloslaso
  • 5
  • 5
10 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21754852
Depends on your configuration - If there is another firewall between ISA and the Internet then select the back-end firewall. If ISA is the first firewall that traffic will hit as it comes in through your router/gateway then select front-end.

The main difference is that as a front-end firewall ISA will provide the NAT function to 'hide' the internal IP addresses by default. To be honest, this is the option I always use when I do not have DMZ interfaces involved on the ISA itself.

Keith
0
 

Author Comment

by:carloslaso
ID: 21754879
So I should not declare the nic I use to handle internal traffic? Should I declare the one that has internet access as the internal and use the Front-end template?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21754921
??

The NIC that has internet access is the external, the other is the internal. When you run the template, you will be asked to give ip addresses on the internal card only - and MUST include ALL internal addresses. So do NOT add all private addresses, just enter those relevant to your internal network.

For example, if you have 192.168.10.200 as the ip address on the uinternal nic, you would enter 192.168.10.0 - 192.168.10.255. All addresses includes the Network ID and the broadcast address. ALL IP addresses NOT entered into the LAT, when it prompts, will be treated as external from your inside network.
0
 

Author Comment

by:carloslaso
ID: 21755797
I configures ISA using the EDGE network template and i am able to ping yahoo and google but i cannot do anything more, i noticed that the DHCP server disconnects as soon as i close that window.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21757004
The internal nic MUST have dns info - it must point to the internal dns server.
The internal nic does not have a default gateway.

The external nic MUST NOT have dns info
The external nic WILL have a default gateway of the external router.

The Internal DNS server MUST have its forwarders set to point at the external (ISP) dns servers.

What DHCP server? ISA nics (internal & external) should have static ip addresses or their respective subnets.
0
Threat Intelligence Starter Resources

Integrating threat intelligence can be challenging, and not all companies are ready. These resources can help you build awareness and prepare for defense.

 

Author Comment

by:carloslaso
ID: 21757177
I will try some of those MUSTs and WILLs, I may have put something wrong there.

As for the DHCP server, is that needed to assign IPs to the PCs being protected or controlled by ISA Server or they also have to have Static IP Addresses?

I only have one server where I installed Windows 2003 and ISA 2006, is that allowed or should I have a different server just for ISA? If so, can it be installed on a virtual pc or a separate box (server) is required?
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 21757201
OK - the dhcp server can set the internal client IP's - thats fine. I read your post as saying that the dhcp server was supplying the ISA server withis internal ip address.

ISA should not be run on a domain controller unless you are using windows SBS server. Best practice states that ISA should not be run on a virtual machine in a production environment but i have seen it done and it seems to work OK. MS will not support that installation though. Personally I always use a separate box for customers as it is best practice. In my test labs though? - always on Virtual PC (not virtual server).

0
 

Author Comment

by:carloslaso
ID: 21757215
I forgot to mention that I got Internet explorer to work on the server (not on the PCs), using the info on the last post of the following link: http://tinyurl.com/6cxgsm , but not firefox, tzo  and some other apps.  I still need to check some of the IPs that I may have put wrong in the DNS of the nics
0
 

Author Closing Comment

by:carloslaso
ID: 31465921
I'm accepting this as an answer because all of what the author posted helped me get Internet to the server, Internet access to the rest of the programs can be investigated on different questions on this forum or using the search option.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 21761851
Thanks :)
0

Featured Post

Why You Should Analyze Threat Actor TTPs

After years of analyzing threat actor behavior, it’s become clear that at any given time there are specific tactics, techniques, and procedures (TTPs) that are particularly prevalent. By analyzing and understanding these TTPs, you can dramatically enhance your security program.

Join & Write a Comment

We recently endured a series of broadcast storms that caused our ISP to shut us down for brief periods of time. After going through a multitude of tests, we determined that the issue was related to Intel NIC drivers on some new HP desktop computers …
This is the first one of a series of articles I’ll be writing to address technical issues that are always referred to as network problems. The network boundaries have changed, therefore having an understanding of how each piece in the network  puzzl…
Access reports are powerful and flexible. Learn how to create a query and then a grouped report using the wizard. Modify the report design after the wizard is done to make it look better. There will be another video to explain how to put the final p…
This video demonstrates how to create an example email signature rule for a department in a company using CodeTwo Exchange Rules. The signature will be inserted beneath users' latest emails in conversations and will be displayed in users' Sent Items…

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now