Want to protect your cyber security and still get fast solutions? Ask a secure question today.Go Premium

x
?
Solved

Using ISA 2006 AND Demand Dial interface on single Nic

Posted on 2008-10-29
5
Medium Priority
?
427 Views
Last Modified: 2013-11-16
I have a system (VMWare ESX with single virtual NIC available) with Server 2003 and ISA 2006. This client is moving in a month and need to setup an inbound proxy between the internet and inside. I can set firewall rules for HTTPS (for OWA and RPC over HTTP), SMTP, etc and have them go to the DMZ port (on a Snapgear) where it is routed the following way:

OWA/Mobile Mail/HTTPS = .2 (ISA)
Anything else = .3 (RRAS)

So now the .2 will proxy and be a forwarder inside. Anything else is then set to go to RRAS where a demand dial L2TP connection is established and it is shot internally to a RRAS server there.


An ASCII diagram:

                               INTERNET ----- Firewall ------ Internal (192.168.5.0)
                                                          |
                                                          |
                                                          |
                                                      DMZ (192.168.4.0)
                                                          |

                                                       ISA (.4.2)
                                                       Demand Dial (.4.3)

So traffic comes in through internet, Firewall points it to the DMZ to a specific IP depending on port, DMZ then pushes to the mail server on the .5 subnet.


Questions:
1) I know I can setup two IP addresses on one NIC. Can I define ISA to listen to only ONE of those IP addresses for the OWA part?
2) I know I can filter the traffic on demand dial connections. Can I have it listen only on one IP address?
3) Is this possible on one NIC? If not, do questions 1 and 2 still work in a 2 NIC/1 subnet solution?
4) If not to #1-3 (or if it is easier), can you tell me a way to get this done with a proxy solution, etc?


Thanks.
0
Comment
Question by:kirk_lesser
  • 3
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836140
1. Yes. Once you have the second IP address bound on the ISA nic, when you run the publishing rule and select the external interface to listen on, you will see the addresses tab - in here you can select the specific ip to listen on.
2. Don't think so - the second IP is a virtual one ( an arp effectively) so I doubt it would differentiate that way.
3 - As above.
4. personally I have never used a demand-dial so cannot comment on its operation - ISA is my bag and the only demand-dial parts have been for outbound.

Keith
0
 

Author Comment

by:kirk_lesser
ID: 22871627
On #1) Where can I do this? I open up properties for the rule, go to networks, select the external network, click on addresses, click on the specific addresses checkbox but it doesn't let me pick IP addresses. I have set two on the NIC already...

0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1500 total points
ID: 22880182
So you can ping both addresses that are now added to the tcpip settings on the ISA external nic?
When you open the addresses tab - can you actually see both addresses listed when editing the publishing rule ? If you can then you should be able to pick the option to select to listen to one address (the default is to listen on ALL listed IP addresses) and then pick the individual address you want that listener associated with.
0
 

Author Closing Comment

by:kirk_lesser
ID: 31511432
I am going to repost the question as the situation has changed.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22888229
OK - will watch out for it :)
0

Featured Post

Who's Defending Your Organization from Threats?

Protecting against advanced threats requires an IT dream team – a well-oiled machine of people and solutions working together to defend your organization. Download our resource kit today to learn more about the tools you need to build you IT Dream Team!

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Microsoft's ISA Server has been its pre-eminent security product for about a decade and is still regarded amongst the well-informed as one of the best software firewalls and application gateways ever released, by any manufacturer. ISA Server has bee…
On July 14th 2015, Windows Server 2003 will become End of Support, leaving hundreds of thousands of servers around the world that still run this 12 year old operating system vulnerable and potentially out of compliance in many organisations around t…
This video shows how to quickly and easily deploy an email signature for all users in Office 365 and prevent it from being added to replies and forwards. (the resulting signature is applied on the server level in Exchange Online) The email signat…
When cloud platforms entered the scene, users and companies jumped on board to take advantage of the many benefits, like the ability to work and connect with company information from various locations. What many didn't foresee was the increased risk…

581 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question