Changing DMZ IP address on ISA Server 2004 Proxy Array

Posted on 2008-10-09
Last Modified: 2012-05-05
Due to certain requirements, our DMZ IP addresses are being required to be changed.  I wanted to get an overview of what impact this might have on our ISA proxy array.

We have two servers in a proxy array, and both of their DMZ IP addresses will be changing.  Offhand, I don't see any specific changes that I will have to make to go along with this change, but I am no ISA expert.

Any ideas or assistance of what I should be aware of prior would be appreciated.
Question by:sjones925
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22680800
Hi there.
I am assuming here you actually mean the DMZ interface rather than the external isa nic.

Fairly straightforward. ISA is not a router, regardless of what others think, so this breaks down into a few stages.

1. Changes at the NIC level - the IP address (and mask if necessary) need to be changed to reflect the new details on the ISA DMZ NIC interface. This may require similar changes for any port forwarding rules etc. you may have on your external firewall/router/inbound NAT configurations.

IP addresses of any devices currently in the DMZ will naturally need to be redone to reflect the new range.

2. Changes in the Local Address Table (LAT) for the DMZ interface. Check in the ISA GUI - Configuration - Networks - DMZ (or Perimeter) - Properties - Addresses. Change the LAT addresses to reflect the new subnet that will be associated with this interface. Remember that you need to include the network ID and broadcast address; for example, on a class C subnet you need to include the .0 and the .255 in the range.

3. Changes to the rules in the firewall and system policy. If you have created any subnet ranges, computer objects etc. that used the old IP addresses then these will need to be updated.

Any publishing rules etc. that accessed services in the DMZ will also need to be changed to get the new IP addresses from step 1.

4. Run up the ISA Best Practices Analyzer to get the heads up that you have covered this off.


Author Comment

ID: 22680935

As always, thanks for the quick reply.  In your steps for #2, under config - networks - I assume you are referring to the "Internal" network listed?

If so, on the Addresses tab, we have all the internal (non dmz) subnets listed.  I am confused where I would add or change the DMZ address range.
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681127
This was the point I made at the beginning of my first post. Some people refer to the DMZ as the space between ISA Server and another firewall, whilst others refer to the DMZ when they have a third NIC on the ISA server.

Is your DMZ a third interface on ISA OR the space between ISA's external nic and your external router/firewall OR the space between ISA's internal nic and the external nic of your internal firewall?
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681134
Bottom line, I was getting you to check that the new subnet to be assigned to the DMZ was not already listed in the LAT for the internal NIC; otherwise you would get conflicts, seeing spoofing errors in the logs etc.
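The overlap check Keith describes here, together with the step 2 point that a LAT entry must span the network ID and the broadcast address, as an added example that is not part of the thread. The Internal LAT entries are constructed sample values; ISA stores LAT entries as inclusive start-end address pairs, which is what the script models.

```python
"""Check a proposed DMZ/perimeter subnet against the address ranges already
listed for ISA's Internal network (the LAT), before touching the NIC.

Added example, not from the thread. INTERNAL_LAT holds constructed sample
values standing in for what the Internal network's Addresses tab lists.
"""
import ipaddress

# Constructed sample: inclusive start-end pairs, as ISA's Addresses tab shows them.
INTERNAL_LAT = [
    ("10.10.0.0", "10.10.255.255"),
    ("192.168.50.0", "192.168.50.255"),
]


def lat_range(cidr):
    """Return the inclusive (first, last) pair for a subnet, covering the
    network ID and the broadcast address as the LAT entry must."""
    net = ipaddress.ip_network(cidr, strict=True)
    return (str(net.network_address), str(net.broadcast_address))


def ranges_overlap(a, b):
    """True if two inclusive (start, end) address ranges share any address."""
    a0, a1 = (int(ipaddress.ip_address(x)) for x in a)
    b0, b1 = (int(ipaddress.ip_address(x)) for x in b)
    return a0 <= b1 and b0 <= a1


def lat_conflicts(new_cidr, lat=INTERNAL_LAT):
    """Return the Internal LAT entries that overlap the proposed DMZ subnet.
    Any hit means ISA would see DMZ hosts as spoofed Internal addresses
    once the new addressing is in place; fix the LAT first."""
    new = lat_range(new_cidr)
    return [entry for entry in lat if ranges_overlap(new, entry)]


if __name__ == "__main__":
    for cidr in ("172.16.9.0/24", "192.168.50.128/25"):
        hits = lat_conflicts(cidr)
        if hits:
            print(cidr, "-> CONFLICT with Internal LAT entries", hits)
        else:
            print(cidr, "-> OK, DMZ range to enter: %s - %s" % lat_range(cidr))
```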

Author Comment

ID: 22681157
Sorry, I didn't quite follow your question.  I am referring to the DMZ as the space between my ISA's external NIC and the external facing firewall.  There is no 3rd NIC.

I follow what you mean as to making sure the new DMZ addressing is not in the local LAT for internal traffic, and I'll make sure that is the case.  I wasn't sure if there were any other configuration changes required.  From your responses, it appears that there aren't.
LVL 51

Accepted Solution

Keith Alabaster earned 500 total points
ID: 22681205
Then that is fine.

Everyone has their own interpretation of what a DMZ is. Some people see it as you see it - the space between my ISA's external NIC and the external facing firewall.

In other configurations, the DMZ could be formed by using a third NIC on the ISA server.

Yet other configurations could be where the ISA is the external firewall.

As I didn't know your configuration, I gave you all the options. As your configuration uses ISA as the internal firewall and the DMZ is on the external NIC, then the LAT table is irrelevant - i.e. the external ISA NIC does not have a LAT table.

In your situation then, on the external firewall, as well as changing any port forwarding rules you may need to change any static routes to the internal network as the interface (ISA external nic IP) will have changed.

Keith :)
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681211
No other changes I can think of for ISA - unless you are running VPNs etc. as well with ISA as the endpoint lol

Author Comment

ID: 22681229
Nope, no VPNs.  Our network guys get the fun of making all required changes on the firewalls, etc.  Thanks again for the quick response.  Answers and responses like these are what make this site worthwhile!
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22681246
Always here mate :)
