Solved

Changing DMZ IP address on ISA Server 2004 Proxy Array

Posted on 2008-10-09
1,061 Views
Last Modified: 2012-05-05
Due to certain requirements, our DMZ IP addresses are being required to be changed.  I wanted to get an overview of what impact this might have on our ISA proxy array.

We have two servers in a proxy array, and both of their DMZ IP addresses will be changing.  Offhand, I don't see any specific changes that I will have to make to go along with this change, but I am no ISA expert.

Any ideas or assistance of what I should be aware of prior would be appreciated.
Question by:sjones925
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22680800
Hi there.
I am assuming here you actually mean the DMZ interface rather than the external isa nic.

Fairly straightforward. ISA is not a router - regardless of what others think - so this breaks down into a few stages.

1. Changes at the NIC level - the IP address (and mask if necessary) need to be changed to reflect the new details on the ISA DMZ NIC interface. This may require similar changes for any port forwarding rules etc. you may have on your external firewall/router/inbound NAT configurations.

IP addresses of any devices currently in the DMZ will naturally need to be redone to reflect the new range.

2. Changes in the Local Address Table (LAT) for the DMZ interface. Check in the ISA GUI - Configuration - Networks - DMZ (or Perimeter) - Properties - Addresses. Change the LAT addresses to reflect the new subnet that will be associated with this interface. Remember that you need to include the network ID and broadcast address; for example, on a class C subnet you need to include the .0 and the .255 in the range.

3. Changes to the rules in the firewall and system policy. If you have created any subnet ranges, computer objects etc. that used the old IP addresses then these will need to be updated.

Any publishing rules etc. that accessed services in the DMZ will also need to be changed to use the new IP addresses from step 1.

4. Run up the ISA Best Practices Analyzer to get the heads-up that you have covered this off.

Keith
 

Author Comment

by:sjones925
ID: 22680935
Keith,

As always, thanks for the quick reply.  In your steps for #2, under config - networks - I assume you are referring to the "Internal" network listed?

If so, on the Addresses tab, we have all the internal (non dmz) subnets listed.  I am confused where I would add or change the DMZ address range.
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681127
This was the point I made at the beginning of my first post. Some people refer to the DMZ as the space between ISA Server and another firewall, whilst others refer to the DMZ when they have a third NIC on the ISA server.

Is your DMZ a third interface on ISA, OR the space between ISA's external NIC and your external router/firewall, OR the space between ISA's internal NIC and the external NIC of your internal firewall?
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681134
Bottom line, I was getting you to check that the new subnet to be assigned to the DMZ was not already listed in the LAT for the internal NIC - else you would get conflicts, seeing spoofing errors in the logs etc.
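For the third-NIC case Keith describes, his two LAT checks (the new range must include the network ID and broadcast address, and must not already appear in the Internal network's LAT) can be scripted. This is an added example, not code from the thread; the LAT entries are constructed samples written as the start/end pairs ISA 2004 shows on a network's Addresses tab.

```python
import ipaddress

IPv4 = ipaddress.IPv4Address

# Constructed sample Internal LAT (start/end pairs as on the Addresses tab).
# Not taken from the original thread.
INTERNAL_LAT = [("10.10.0.0", "10.10.0.255"), ("192.168.50.0", "192.168.51.255")]


def check_new_dmz_range(new_subnet, proposed_dmz_lat, internal_lat):
    """Check a proposed DMZ (Perimeter) network LAT against a new subnet.

    Returns a dict with:
      missing_edges    - network ID / broadcast addresses absent from the DMZ LAT
      fully_listed     - True if one DMZ LAT entry spans the whole subnet
      internal_overlap - Internal LAT entries that collide with the new subnet
    """
    net = ipaddress.IPv4Network(new_subnet, strict=True)
    first, last = net.network_address, net.broadcast_address
    dmz = [(IPv4(s), IPv4(e)) for s, e in proposed_dmz_lat]
    internal = [(IPv4(s), IPv4(e)) for s, e in internal_lat]

    # ISA expects the network ID and broadcast (the .0 and .255 on a /24)
    # to be part of the range, not just the usable host addresses.
    missing_edges = [
        str(a) for a in (first, last)
        if not any(s <= a <= e for s, e in dmz)
    ]
    fully_listed = any(s <= first and e >= last for s, e in dmz)
    # Addresses of the new subnet already claimed by the Internal LAT are
    # the conflict Keith describes (spoofing errors in the ISA logs).
    internal_overlap = [
        f"{s}-{e}" for s, e in internal if s <= last and e >= first
    ]
    return {
        "missing_edges": missing_edges,
        "fully_listed": fully_listed,
        "internal_overlap": internal_overlap,
    }


if __name__ == "__main__":
    # Common mistake: listing only the usable hosts of the new /24.
    print(check_new_dmz_range("172.16.9.0/24", [("172.16.9.1", "172.16.9.254")], INTERNAL_LAT))
    # Range entered correctly, but it is already inside the Internal LAT.
    print(check_new_dmz_range("192.168.51.0/24", [("192.168.51.0", "192.168.51.255")], INTERNAL_LAT))
```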
 

Author Comment

by:sjones925
ID: 22681157
Sorry, I didn't quite follow your question.  I am referring to the DMZ as the space between my ISA's external NIC and the external facing firewall.  There is no 3rd NIC.

I follow what you mean as to making sure the new DMZ addressing is not in the local LAT for internal traffic, and I'll make sure that is the case.  I wasn't sure if there were any other configuration changes required.  From your responses, it appears that there aren't.
 
LVL 51

Accepted Solution

by: Keith Alabaster (earned 2000 total points)
ID: 22681205
Then that is fine.

Everyone has their own interpretation of what a DMZ is. Some people see it as you see it: the space between my ISA's external NIC and the external facing firewall.

In other configurations, the DMZ could be formed by using a third NIC on the ISA server.

Yet other configurations could be where the ISA is the external firewall.

As I didn't know your configuration, I gave you all the options. As your configuration uses ISA as the internal firewall and the DMZ is on the external NIC, then the LAT table is irrelevant - i.e. the external ISA NIC does not have a LAT table.

In your situation then, on the external firewall, as well as changing any port forwarding rules, you may need to change any static routes to the internal network, as the next-hop interface (ISA external NIC IP) will have changed.

Keith :)
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681211
No other changes I can think of for ISA - unless you are running VPNs etc. as well with ISA as the endpoint lol
 

Author Comment

by:sjones925
ID: 22681229
Nope, no VPNs.  Our network guys get the fun of making all required changes on the firewalls, etc.  Thanks again for the quick response.  Answers and responses like these are what make this site worthwhile!
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681246
Always here mate :)

Keith
