Solved

Changing DMZ IP address on ISA Server 2004 Proxy Array

Posted on 2008-10-09
9
999 Views
Last Modified: 2012-05-05
Due to certain requirements, our DMZ IP addresses are being required to be changed.  I wanted to get an overview of what impact this might have on our ISA proxy array.

We have two servers in a proxy array, and both of their DMZ IP addresses will be changing.  Offhand, I don't see any specific changes that I will have to make to go along with this change, but I am no ISA expert.

Any ideas or assistance of what I should be aware of prior would be appreciated.
0
Comment
Question by:sjones925
  • 6
  • 3
9 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Hi there.
I am assuming here you actually mean the DMZ interface rather than the external isa nic.

Fairly straight forward. ISA is not a router - regardless of what others think so this breaks down into a few stages.

1. Changes at the nic level - the ip address (and mask if necesary) need to be changed to reflect the new details on the ISA dmz nic interface. This may require similar changes for any port forwarding rules etc you may have on your external firewall/router/inbound NAT confiurations.

IP addresses of any devices currently in the DMZ will naturally need to be redone to reflect the new range.

2. Changes in the Local Address Table (LAT) for the dmz interface. Check in the isa gui - configuration - networks - dmz (or perimeter) - properties - addresses. Change the LAT addresses to reflect the new subnet that will be associated with this interface. Remember that you need to include the network ID and broadcast address for example, on a class C subnet then you need to include the .0 and the .255 in the range.

3. Changes to the rules in the firewall and system policy. If you have created any subnet ranges, computer objects etc that used the old ip addresses then these will need to be updated.

Any publishing rules etc that accessed services in the DMZ will also need be changed to get the new IP addresses from step 1.

4. run up the ISA best practice analyser to get the heads up that you have covered this off.

Keith
0
 

Author Comment

by:sjones925
Comment Utility
Keith,

As always, thanks for the quick reply.  In your steps for #2, under config - networks - I assume you are referring to the "Internal" network listed?

If so, on the Addresses tab, we have all the internal (non dmz) subnets listed.  I am confused where I would add or change the DMZ address range.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
This was the point I made at the beginning of my first post. Some people refer to the DMZ as the space betwwen ISA server and another firewall whilst others refer to the DMZ when they have a third nic on the ISA server.

Is your DMZ a third interface on ISA OR the space between ISA's external nic and your external router/firewall OR the space between ISA's internal nic and the external nic of your internal firewall?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Bottom line, I was getting you to check that the new subnet to be assigned to the dmz was not already listed in the LAT for the internal nic - else you would get conflicts by seeing spoofing errors in the logs etc.
0
How your wiki can always stay up-to-date

Quip doubles as a “living” wiki and a project management tool that evolves with your organization. As you finish projects in Quip, the work remains, easily accessible to all team members, new and old.
- Increase transparency
- Onboard new hires faster
- Access from mobile/offline

 

Author Comment

by:sjones925
Comment Utility
Sorry, I didn't quite follow your question.  I am refering to the DMZ as the space between my ISA's external NIC and the external facing firewall.  There is no 3rd NIC.  

I follow what you mean as to making sure the new DMZ addressing is not in the local LAT for internal traffic and i'll make sure that is the case.  I wasn't sure if there were any other configuration changes required.  From your responses, it appears that there isn't.
0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
Comment Utility
Then that is fine.

Everyone has their own interpretation of what a dmz is. Some people see it as you see it. - the space between my ISA's external NIC and the external facing firewall

in other configurations, the dmz could be formed by using a third nic on the ISA server

yet other confiurations could be where the ISA is the external firewall.

As I didn't know your configuration, I gave you all the options. As your configuration uses ISA as the internal firewall and the dmz is on the external nic then the LAT table is irrelevant - ie the external isa nic does not have a LAT table.

In your situation then, on the external firewall, as well as changing any port forwarding rules you may need to change any static routes to the internal network as the interface (ISA external nic IP) will have changed.

Keith :)
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
No other changes I can think of for ISA - unless you are running VPN's etc as well with ISA as the endpoint lol
0
 

Author Comment

by:sjones925
Comment Utility
Nope, no VPN's.  Our Network guys get the fun of making all required changes on the firewalls, etc.  Thanks again for the quick response.  Answers and resonses like these are what make this site worthwhile!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Always here mate :)

Keith
0

Featured Post

How to improve team productivity

Quip adds documents, spreadsheets, and tasklists to your Slack experience
- Elevate ideas to Quip docs
- Share Quip docs in Slack
- Get notified of changes to your docs
- Available on iOS/Android/Desktop/Web
- Online/Offline

Join & Write a Comment

Suggested Solutions

Title # Comments Views Activity
Can changing a server time affect Active Directory. 4 52
TMG 2010 Deployment 3 72
RDWeb 3 50
Question about AD permissions 2 49
There are several problems reported according slow link speeds or poor performance in TMG 2010, UAG 2010 or ISA 2006. I want to collect here some of the common issues together to give a brief overview what can be the reason. Nevertheless, not all of…
ADCs have gained traction within the last decade, largely due to increased demand for legacy load balancing appliances to handle more advanced application delivery requirements and improve application performance.
This video discusses moving either the default database or any database to a new volume.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…

743 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

16 Experts available now in Live!

Get 1:1 Help Now