Solved

Using ISA 2006 AND Demand Dial interface on single Nic

Posted on 2008-10-29
5
420 Views
Last Modified: 2013-11-16
I have a system (VMWare ESX with single virtual NIC available) with Server 2003 and ISA 2006. This client is moving in a month and need to setup an inbound proxy between the internet and inside. I can set firewall rules for HTTPS (for OWA and RPC over HTTP), SMTP, etc and have them go to the DMZ port (on a Snapgear) where it is routed the following way:

OWA/Mobile Mail/HTTPS = .2 (ISA)
Anything else = .3 (RRAS)

So now the .2 will proxy and be a forwarder inside. Anything else is then set to go to RRAS where a demand dial L2TP connection is established and it is shot internally to a RRAS server there.


An ASCII diagram:

                               INTERNET ----- Firewall ------ Internal (192.168.5.0)
                                                          |
                                                          |
                                                          |
                                                      DMZ (192.168.4.0)
                                                          |

                                                       ISA (.4.2)
                                                       Demand Dial (.4.3)

So traffic comes in through internet, Firewall points it to the DMZ to a specific IP depending on port, DMZ then pushes to the mail server on the .5 subnet.


Questions:
1) I know I can setup two IP addresses on one NIC. Can I define ISA to listen to only ONE of those IP addresses for the OWA part?
2) I know I can filter the traffic on demand dial connections. Can I have it listen only on one IP address?
3) Is this possible on one NIC? If not, do questions 1 and 2 still work in a 2 NIC/1 subnet solution?
4) If not to #1-3 (or if it is easier), can you tell me a way to get this done with a proxy solution, etc?


Thanks.
0
Comment
Question by:kirk_lesser
  • 3
  • 2
5 Comments
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22836140
1. Yes. Once you have the second IP address bound on the ISA nic, when you run the publishing rule and select the external interface to listen on, you will see the addresses tab - in here you can select the specific ip to listen on.
2. Don't think so - the second IP is a virtual one ( an arp effectively) so I doubt it would differentiate that way.
3 - As above.
4. personally I have never used a demand-dial so cannot comment on its operation - ISA is my bag and the only demand-dial parts have been for outbound.

Keith
0
 

Author Comment

by:kirk_lesser
ID: 22871627
On #1) Where can I do this? I open up properties for the rule, go to networks, select the external network, click on addresses, click on the specific addresses checkbox but it doesn't let me pick IP addresses. I have set two on the NIC already...

0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 22880182
So you can ping both addresses that are now added to the tcpip settings on the ISA external nic?
When you open the addresses tab - can you actually see both addresses listed when editing the publishing rule ? If you can then you should be able to pick the option to select to listen to one address (the default is to listen on ALL listed IP addresses) and then pick the individual address you want that listener associated with.
0
 

Author Closing Comment

by:kirk_lesser
ID: 31511432
I am going to repost the question as the situation has changed.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 22888229
OK - will watch out for it :)
0

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Common practice undertaken by most system administrators is to document the configurations and final solutions of anything performed by them for their future use and reference. So here I am going to explain how to export ISA Server 2004 Firewall pol…
Learn about cloud computing and its benefits for small business owners.
In an interesting question (https://www.experts-exchange.com/questions/29008360/) here at Experts Exchange, a member asked how to split a single image into multiple images. The primary usage for this is to place many photographs on a flatbed scanner…

765 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question