Solved

Changing DMZ IP address on ISA Server 2004 Proxy Array

Posted on 2008-10-09
9
1,013 Views
Last Modified: 2012-05-05
Due to certain requirements, our DMZ IP addresses are being required to be changed.  I wanted to get an overview of what impact this might have on our ISA proxy array.

We have two servers in a proxy array, and both of their DMZ IP addresses will be changing.  Offhand, I don't see any specific changes that I will have to make to go along with this change, but I am no ISA expert.

Any ideas or assistance of what I should be aware of prior would be appreciated.
0
Comment
Question by:sjones925
  • 6
  • 3
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22680800
Hi there.
I am assuming here you actually mean the DMZ interface rather than the external isa nic.

Fairly straight forward. ISA is not a router - regardless of what others think so this breaks down into a few stages.

1. Changes at the nic level - the ip address (and mask if necesary) need to be changed to reflect the new details on the ISA dmz nic interface. This may require similar changes for any port forwarding rules etc you may have on your external firewall/router/inbound NAT confiurations.

IP addresses of any devices currently in the DMZ will naturally need to be redone to reflect the new range.

2. Changes in the Local Address Table (LAT) for the dmz interface. Check in the isa gui - configuration - networks - dmz (or perimeter) - properties - addresses. Change the LAT addresses to reflect the new subnet that will be associated with this interface. Remember that you need to include the network ID and broadcast address for example, on a class C subnet then you need to include the .0 and the .255 in the range.

3. Changes to the rules in the firewall and system policy. If you have created any subnet ranges, computer objects etc that used the old ip addresses then these will need to be updated.

Any publishing rules etc that accessed services in the DMZ will also need be changed to get the new IP addresses from step 1.

4. run up the ISA best practice analyser to get the heads up that you have covered this off.

Keith
0
 

Author Comment

by:sjones925
ID: 22680935
Keith,

As always, thanks for the quick reply.  In your steps for #2, under config - networks - I assume you are referring to the "Internal" network listed?

If so, on the Addresses tab, we have all the internal (non dmz) subnets listed.  I am confused where I would add or change the DMZ address range.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681127
This was the point I made at the beginning of my first post. Some people refer to the DMZ as the space betwwen ISA server and another firewall whilst others refer to the DMZ when they have a third nic on the ISA server.

Is your DMZ a third interface on ISA OR the space between ISA's external nic and your external router/firewall OR the space between ISA's internal nic and the external nic of your internal firewall?
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681134
Bottom line, I was getting you to check that the new subnet to be assigned to the dmz was not already listed in the LAT for the internal nic - else you would get conflicts by seeing spoofing errors in the logs etc.
0
 

Author Comment

by:sjones925
ID: 22681157
Sorry, I didn't quite follow your question.  I am refering to the DMZ as the space between my ISA's external NIC and the external facing firewall.  There is no 3rd NIC.  

I follow what you mean as to making sure the new DMZ addressing is not in the local LAT for internal traffic and i'll make sure that is the case.  I wasn't sure if there were any other configuration changes required.  From your responses, it appears that there isn't.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 22681205
Then that is fine.

Everyone has their own interpretation of what a dmz is. Some people see it as you see it. - the space between my ISA's external NIC and the external facing firewall

in other configurations, the dmz could be formed by using a third nic on the ISA server

yet other confiurations could be where the ISA is the external firewall.

As I didn't know your configuration, I gave you all the options. As your configuration uses ISA as the internal firewall and the dmz is on the external nic then the LAT table is irrelevant - ie the external isa nic does not have a LAT table.

In your situation then, on the external firewall, as well as changing any port forwarding rules you may need to change any static routes to the internal network as the interface (ISA external nic IP) will have changed.

Keith :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681211
No other changes I can think of for ISA - unless you are running VPN's etc as well with ISA as the endpoint lol
0
 

Author Comment

by:sjones925
ID: 22681229
Nope, no VPN's.  Our Network guys get the fun of making all required changes on the firewalls, etc.  Thanks again for the quick response.  Answers and resonses like these are what make this site worthwhile!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681246
Always here mate :)

Keith
0

Featured Post

Three Reasons Why Backup is Strategic

Backup is strategic to your business because your data is strategic to your business. Without backup, your business will fail. This white paper explains why it is vital for you to design and immediately execute a backup strategy to protect 100 percent of your data.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
This Micro Tutorial will give you a basic overview how to record your screen with Microsoft Expression Encoder. This program is still free and open for the public to download. This will be demonstrated using Microsoft Expression Encoder 4.

822 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question