Solved

Using ISA 2006 AND Demand Dial interface on single Nic

Posted on 2008-10-29
5
417 Views
Last Modified: 2013-11-16
I have a system (VMWare ESX with single virtual NIC available) with Server 2003 and ISA 2006. This client is moving in a month and need to setup an inbound proxy between the internet and inside. I can set firewall rules for HTTPS (for OWA and RPC over HTTP), SMTP, etc and have them go to the DMZ port (on a Snapgear) where it is routed the following way:

OWA/Mobile Mail/HTTPS = .2 (ISA)
Anything else = .3 (RRAS)

So now the .2 will proxy and be a forwarder inside. Anything else is then set to go to RRAS where a demand dial L2TP connection is established and it is shot internally to a RRAS server there.


An ASCII diagram:

                               INTERNET ----- Firewall ------ Internal (192.168.5.0)
                                                          |
                                                          |
                                                          |
                                                      DMZ (192.168.4.0)
                                                          |

                                                       ISA (.4.2)
                                                       Demand Dial (.4.3)

So traffic comes in through internet, Firewall points it to the DMZ to a specific IP depending on port, DMZ then pushes to the mail server on the .5 subnet.


Questions:
1) I know I can setup two IP addresses on one NIC. Can I define ISA to listen to only ONE of those IP addresses for the OWA part?
2) I know I can filter the traffic on demand dial connections. Can I have it listen only on one IP address?
3) Is this possible on one NIC? If not, do questions 1 and 2 still work in a 2 NIC/1 subnet solution?
4) If not to #1-3 (or if it is easier), can you tell me a way to get this done with a proxy solution, etc?


Thanks.
0
Comment
Question by:kirk_lesser
  • 3
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836140
1. Yes. Once you have the second IP address bound on the ISA nic, when you run the publishing rule and select the external interface to listen on, you will see the addresses tab - in here you can select the specific ip to listen on.
2. Don't think so - the second IP is a virtual one ( an arp effectively) so I doubt it would differentiate that way.
3 - As above.
4. personally I have never used a demand-dial so cannot comment on its operation - ISA is my bag and the only demand-dial parts have been for outbound.

Keith
0
 

Author Comment

by:kirk_lesser
ID: 22871627
On #1) Where can I do this? I open up properties for the rule, go to networks, select the external network, click on addresses, click on the specific addresses checkbox but it doesn't let me pick IP addresses. I have set two on the NIC already...

0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 22880182
So you can ping both addresses that are now added to the tcpip settings on the ISA external nic?
When you open the addresses tab - can you actually see both addresses listed when editing the publishing rule ? If you can then you should be able to pick the option to select to listen to one address (the default is to listen on ALL listed IP addresses) and then pick the individual address you want that listener associated with.
0
 

Author Closing Comment

by:kirk_lesser
ID: 31511432
I am going to repost the question as the situation has changed.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22888229
OK - will watch out for it :)
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Do you have a windows based Checkpoint SmartCenter for centralized Checkpoint management?  Have you ever backed up the firewall policy residing on the SmartCenter?  If you have then you know the hassles of connecting to the server, doing an upgrade_…
Restoring deleted objects in Active Directory has been a standard feature in Active Directory for many years, yet some admins may not know what is available.
Here's a very brief overview of the methods PRTG Network Monitor (https://www.paessler.com/prtg) offers for monitoring bandwidth, to help you decide which methods you´d like to investigate in more detail.  The methods are covered in more detail in o…
This tutorial demonstrates a quick way of adding group price to multiple Magento products.

747 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

14 Experts available now in Live!

Get 1:1 Help Now