kirk_lesser
asked on
Using ISA 2006 and a Demand Dial interface on a single NIC
I have a system (VMware ESX with a single virtual NIC available) with Server 2003 and ISA 2006. This client is moving in a month and needs to set up an inbound proxy between the internet and inside. I can set firewall rules for HTTPS (for OWA and RPC over HTTP), SMTP, etc. and have them go to the DMZ port (on a Snapgear), where it is routed the following way:
OWA/Mobile Mail/HTTPS = .2 (ISA)
Anything else = .3 (RRAS)
So now the .2 will proxy and be a forwarder inside. Anything else is then set to go to RRAS, where a demand-dial L2TP connection is established and it is shot internally to an RRAS server there.
An ASCII diagram:

    INTERNET ----- Firewall ------ Internal (192.168.5.0)
                      |
                      |
                      |
                DMZ (192.168.4.0)
                      |
                 ISA (.4.2)
            Demand Dial (.4.3)

So traffic comes in from the internet, the firewall points it to a specific IP in the DMZ depending on port, and the DMZ host then pushes it to the mail server on the .5 subnet.
Questions:
1) I know I can set up two IP addresses on one NIC. Can I define ISA to listen on only ONE of those IP addresses for the OWA part?
2) I know I can filter the traffic on demand-dial connections. Can I have it listen on only one IP address?
3) Is this possible on one NIC? If not, do questions 1 and 2 still work in a 2 NIC / 1 subnet solution?
4) If the answer to #1-3 is no (or if it is easier), can you tell me a way to get this done with a proxy solution, etc.?
Thanks.
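One check worth running on the DMZ host before relying on the port-based split described above: with two addresses on one NIC, any service that binds to 0.0.0.0 answers on both the .4.2 and the .4.3 address, so the firewall's port-to-IP rule is the only thing separating the ISA path from the RRAS path. The script below is an added example, not code from the original post or from any of its participants. It parses `netstat -ano` style output and compares each listener's bound address against the intended split. The netstat text is constructed for the example, and the port-to-address policy (443 on .4.2 for ISA; 1701/tcp, 500/udp and 4500/udp on .4.3 for the L2TP/IPsec demand-dial link) is an assumption drawn from the question, not something the post confirms.

```python
"""Report which local address each inbound listener is bound to.

Added example for the single-NIC / two-address setup in the question.
Not part of the original post.  Sample netstat output and the policy
table are constructed assumptions for illustration.
"""
import re

# Constructed sample of `netstat -ano` output on the DMZ host (not
# captured from a real system).  UDP rows have no State column.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    192.168.4.2:443        0.0.0.0:0              LISTENING       1234
  TCP    0.0.0.0:1701           0.0.0.0:0              LISTENING       688
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       776
  TCP    192.168.4.2:443        10.0.0.9:51234         ESTABLISHED     1234
  UDP    0.0.0.0:500            *:*                                    688
  UDP    192.168.4.3:4500       *:*                                    688
"""

# Assumed intent from the question: which address should own which port.
POLICY = {
    "192.168.4.2": {("tcp", 443)},                                  # ISA web listener (OWA, RPC over HTTP)
    "192.168.4.3": {("tcp", 1701), ("udp", 500), ("udp", 4500)},    # RRAS L2TP/IPsec for the demand-dial link
}

# proto, local addr, local port, foreign addr, optional state, pid
LINE_RE = re.compile(
    r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+([A-Z_]+))?\s+(\d+)\s*$"
)

# Addresses that mean "every local address", IPv4 and IPv6 forms.
WILDCARDS = {"0.0.0.0", "[::]", "*"}


def parse_netstat(text):
    """Return [(proto, local_addr, port, pid)] for listening sockets only."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or an unrecognised row
        proto = m.group(1).lower()
        addr, port, state, pid = m.group(2), int(m.group(3)), m.group(5), int(m.group(6))
        if proto == "tcp" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT rows are not listeners
        listeners.append((proto, addr, port, pid))
    return listeners


def check_bindings(listeners, policy):
    """Compare actual bindings against the intended address-per-port split.

    Returns a dict of findings:
      ok            - port bound to exactly the intended address
      wildcard      - port bound to 0.0.0.0/[::], so it answers on BOTH addresses
      wrong_address - port bound to a specific address, but not the intended one
      missing       - nothing is listening on the expected proto/port at all
      unexpected    - listeners the policy does not account for
    """
    result = {"ok": [], "wildcard": [], "wrong_address": [], "missing": [], "unexpected": []}
    expected = {(proto, port) for ports in policy.values() for proto, port in ports}
    bound = {}
    for proto, addr, port, _pid in listeners:
        bound.setdefault((proto, port), []).append(addr)
    for host, ports in policy.items():
        for proto, port in sorted(ports):
            addrs = bound.get((proto, port), [])
            if not addrs:
                result["missing"].append((proto, port, host))
            elif any(a in WILDCARDS for a in addrs):
                result["wildcard"].append((proto, port, host))
            elif host in addrs:
                result["ok"].append((proto, port, host))
            else:
                result["wrong_address"].append((proto, port, host, addrs[0]))
    for proto, addr, port, _pid in listeners:
        if (proto, port) not in expected:
            result["unexpected"].append((proto, port, addr))
    return result


def report(result):
    """Print the findings in a form suitable for a quick eyeball check."""
    for kind in ("wildcard", "wrong_address", "missing", "unexpected", "ok"):
        for entry in result[kind]:
            print(f"{kind:14s} {entry}")


if __name__ == "__main__":
    # To run against a live Windows host, replace SAMPLE_NETSTAT with the
    # output of `netstat -ano` (assumption: same column layout as above).
    report(check_bindings(parse_netstat(SAMPLE_NETSTAT), POLICY))
```

On the constructed sample, 443/tcp and 4500/udp are bound where the policy expects, but 1701/tcp and 500/udp are bound to 0.0.0.0 and therefore also answer on the ISA address; 135/tcp is reported as a listener the policy never accounted for. Those are exactly the rows to chase down before trusting a single firewall rule to keep the two paths apart.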
ASKER
On #1) Where can I do this? I open the properties for the rule, go to Networks, select the External network, click Addresses, and tick the specific addresses checkbox, but it doesn't let me pick IP addresses. I have already set two on the NIC...
ASKER CERTIFIED SOLUTION
ASKER
I am going to repost the question as the situation has changed.
OK - will watch out for it :)
2. Don't think so - the second IP is a virtual one (an ARP, effectively), so I doubt it would differentiate that way.
3. As above.
4. Personally I have never used a demand-dial, so I cannot comment on its operation - ISA is my bag, and the only demand-dial parts have been for outbound.
Keith