?
Solved

Using ISA 2006 AND Demand Dial interface on single Nic

Posted on 2008-10-29
5
Medium Priority
?
424 Views
Last Modified: 2013-11-16
I have a system (VMWare ESX with single virtual NIC available) with Server 2003 and ISA 2006. This client is moving in a month and need to setup an inbound proxy between the internet and inside. I can set firewall rules for HTTPS (for OWA and RPC over HTTP), SMTP, etc and have them go to the DMZ port (on a Snapgear) where it is routed the following way:

OWA/Mobile Mail/HTTPS = .2 (ISA)
Anything else = .3 (RRAS)

So now the .2 will proxy and be a forwarder inside. Anything else is then set to go to RRAS where a demand dial L2TP connection is established and it is shot internally to a RRAS server there.


An ASCII diagram:

                               INTERNET ----- Firewall ------ Internal (192.168.5.0)
                                                          |
                                                          |
                                                          |
                                                      DMZ (192.168.4.0)
                                                          |

                                                       ISA (.4.2)
                                                       Demand Dial (.4.3)

So traffic comes in through internet, Firewall points it to the DMZ to a specific IP depending on port, DMZ then pushes to the mail server on the .5 subnet.


Questions:
1) I know I can setup two IP addresses on one NIC. Can I define ISA to listen to only ONE of those IP addresses for the OWA part?
2) I know I can filter the traffic on demand dial connections. Can I have it listen only on one IP address?
3) Is this possible on one NIC? If not, do questions 1 and 2 still work in a 2 NIC/1 subnet solution?
4) If not to #1-3 (or if it is easier), can you tell me a way to get this done with a proxy solution, etc?


Thanks.
0
Comment
Question by:kirk_lesser
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836140
1. Yes. Once you have the second IP address bound on the ISA nic, when you run the publishing rule and select the external interface to listen on, you will see the addresses tab - in here you can select the specific ip to listen on.
2. Don't think so - the second IP is a virtual one ( an arp effectively) so I doubt it would differentiate that way.
3 - As above.
4. personally I have never used a demand-dial so cannot comment on its operation - ISA is my bag and the only demand-dial parts have been for outbound.

Keith
0
 

Author Comment

by:kirk_lesser
ID: 22871627
On #1) Where can I do this? I open up properties for the rule, go to networks, select the external network, click on addresses, click on the specific addresses checkbox but it doesn't let me pick IP addresses. I have set two on the NIC already...

0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 1500 total points
ID: 22880182
So you can ping both addresses that are now added to the tcpip settings on the ISA external nic?
When you open the addresses tab - can you actually see both addresses listed when editing the publishing rule ? If you can then you should be able to pick the option to select to listen to one address (the default is to listen on ALL listed IP addresses) and then pick the individual address you want that listener associated with.
0
 

Author Closing Comment

by:kirk_lesser
ID: 31511432
I am going to repost the question as the situation has changed.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22888229
OK - will watch out for it :)
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

I've always wanted to allow a user to have a printer no matter where they login. The steps below will show you how to achieve just that. In this Article I'll show how to deploy printers automatically with group policy and then using security fil…
This article offers some helpful and general tips for safe browsing and online shopping. It offers simple and manageable procedures that help to ensure the safety of one's personal information and the security of any devices.
In this brief tutorial Pawel from AdRem Software explains how you can quickly find out which services are running on your network, or what are the IP addresses of servers responsible for each service. Software used is freeware NetCrunch Tools (https…
Add bar graphs to Access queries using Unicode block characters. Graphs appear on every record in the color you want. Give life to numbers. Hopes this gives you ideas on visualizing your data in new ways ~ Create a calculated field in a query: …
Suggested Courses

762 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question