Learn how to a build a cloud-first strategyRegister Now

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1060
  • Last Modified:

Changing DMZ IP address on ISA Server 2004 Proxy Array

Due to certain requirements, our DMZ IP addresses are being required to be changed.  I wanted to get an overview of what impact this might have on our ISA proxy array.

We have two servers in a proxy array, and both of their DMZ IP addresses will be changing.  Offhand, I don't see any specific changes that I will have to make to go along with this change, but I am no ISA expert.

Any ideas or assistance of what I should be aware of prior would be appreciated.
0
sjones925
Asked:
sjones925
  • 6
  • 3
1 Solution
 
Keith AlabasterCommented:
Hi there.
I am assuming here you actually mean the DMZ interface rather than the external isa nic.

Fairly straight forward. ISA is not a router - regardless of what others think so this breaks down into a few stages.

1. Changes at the nic level - the ip address (and mask if necesary) need to be changed to reflect the new details on the ISA dmz nic interface. This may require similar changes for any port forwarding rules etc you may have on your external firewall/router/inbound NAT confiurations.

IP addresses of any devices currently in the DMZ will naturally need to be redone to reflect the new range.

2. Changes in the Local Address Table (LAT) for the dmz interface. Check in the isa gui - configuration - networks - dmz (or perimeter) - properties - addresses. Change the LAT addresses to reflect the new subnet that will be associated with this interface. Remember that you need to include the network ID and broadcast address for example, on a class C subnet then you need to include the .0 and the .255 in the range.

3. Changes to the rules in the firewall and system policy. If you have created any subnet ranges, computer objects etc that used the old ip addresses then these will need to be updated.

Any publishing rules etc that accessed services in the DMZ will also need be changed to get the new IP addresses from step 1.

4. run up the ISA best practice analyser to get the heads up that you have covered this off.

Keith
0
 
sjones925Author Commented:
Keith,

As always, thanks for the quick reply.  In your steps for #2, under config - networks - I assume you are referring to the "Internal" network listed?

If so, on the Addresses tab, we have all the internal (non dmz) subnets listed.  I am confused where I would add or change the DMZ address range.
0
 
Keith AlabasterCommented:
This was the point I made at the beginning of my first post. Some people refer to the DMZ as the space betwwen ISA server and another firewall whilst others refer to the DMZ when they have a third nic on the ISA server.

Is your DMZ a third interface on ISA OR the space between ISA's external nic and your external router/firewall OR the space between ISA's internal nic and the external nic of your internal firewall?
0
NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

 
Keith AlabasterCommented:
Bottom line, I was getting you to check that the new subnet to be assigned to the dmz was not already listed in the LAT for the internal nic - else you would get conflicts by seeing spoofing errors in the logs etc.
0
 
sjones925Author Commented:
Sorry, I didn't quite follow your question.  I am refering to the DMZ as the space between my ISA's external NIC and the external facing firewall.  There is no 3rd NIC.  

I follow what you mean as to making sure the new DMZ addressing is not in the local LAT for internal traffic and i'll make sure that is the case.  I wasn't sure if there were any other configuration changes required.  From your responses, it appears that there isn't.
0
 
Keith AlabasterCommented:
Then that is fine.

Everyone has their own interpretation of what a dmz is. Some people see it as you see it. - the space between my ISA's external NIC and the external facing firewall

in other configurations, the dmz could be formed by using a third nic on the ISA server

yet other confiurations could be where the ISA is the external firewall.

As I didn't know your configuration, I gave you all the options. As your configuration uses ISA as the internal firewall and the dmz is on the external nic then the LAT table is irrelevant - ie the external isa nic does not have a LAT table.

In your situation then, on the external firewall, as well as changing any port forwarding rules you may need to change any static routes to the internal network as the interface (ISA external nic IP) will have changed.

Keith :)
0
 
Keith AlabasterCommented:
No other changes I can think of for ISA - unless you are running VPN's etc as well with ISA as the endpoint lol
0
 
sjones925Author Commented:
Nope, no VPN's.  Our Network guys get the fun of making all required changes on the firewalls, etc.  Thanks again for the quick response.  Answers and resonses like these are what make this site worthwhile!
0
 
Keith AlabasterCommented:
Always here mate :)

Keith
0

Featured Post

Technology Partners: We Want Your Opinion!

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!

  • 6
  • 3
Tackle projects and never again get stuck behind a technical roadblock.
Join Now