Solved

ISA Server 2004 setup

Posted on 2009-05-13
3
1,811 Views
Last Modified: 2012-05-06
Hi,

May I please trouble someone to provide some advice and guidance with my ISA Server 2004 installation?

Before I jump into it, here is a bit of history... please be patient with me as I am still learning so may not fully understand all concepts.

This is my ISA Server 2004 setup, in an ISA server back topology.

3 Network Interfaces are setup on the ISA Server:
INTERNAL:  192.168.1.1
DMZ:  192.168.2.1
EXTERNAL:  192.168.3.1

The INTERNAL Interface has the same IP subnet as my internal network -- that is the 192.168.1.x range.  The internal network has a DC which I also use for internal DNS resolution and DHCP.

The DMZ interface I am going to add the 192.168.2.x range.

The EXTERNAL interface is going to be in the 192.168.3.x range, already has firewall and NAT enabled and will serve as a gateway to the Internet.

Now I have also posted a Visio diagram of how it looks like.

So what I am trying to accomplish is to hide my internal network using ISA, have a DMZ for Exchange front-end servers, web/FTP etc., and still keep my hardware firewall active with NAT enabled on the hardware firewall.

I would like to know a few things...

1) Have I gone the right way about setting up ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
2) Is there a better solution?
3) Am I using the right network template (Back Firewall Template) or should I use something like the 3-Leg Perimeter template, or some hybrid combination of the two?
4) I am getting a bunch of errors below in the error log constantly!  I don't understand why.

If someone could provide some help and guidance it would be very much appreciated.  Thanks for your patience.

Denied Connection ISA01 14/05/2009 12:25:12 AM
Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule:  
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram
User:  
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
Denied Connection ISA01 14/05/2009 12:26:30 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal ( 192.168.1.1:138)
Destination: Local Host ( 192.168.1.255:138)
Protocol: NetBios Datagram
Question by:janjsr
3 Comments
 
LVL 6

Expert Comment

by:Hisham_Elkouha
ID: 24386970
1) Have I gone the right way about setting up ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
Yes, it is better to use a DMZ to protect your Internal Network.


2) Is there a better solution?
No.

3) Am I using the right network template (Back Firewall Template) or should I use something like the 3-Leg Perimeter template, or some hybrid combination of the two?
3-Leg is the best choice for you.


0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24388283
As always, I would disagree. If you tell the asker that there is not a better solution than the one he has selected, then it is somewhat confusing to tell him to use the three-legged template rather than the back-end firewall instead; the two are conflicting.

Your setup is absolutely fine and works perfectly OK as you have configured it. The cause of your error message is likely that you have not included ALL of the internal IP addresses in the internal LAT.

Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses. What is listed here? For example, if you have only the 192.168.1.0 subnet on the inside of ISA, then the only entries listed should be 192.168.1.0 - 192.168.1.255. Do you have others? Did you miss out the .0 and the .255?

If you have missed them, then a broadcast, such as a NetBIOS datagram that uses the .255 broadcast address, will appear as a spoof attack and be reported as such in the logs and alerts.

Keith
ISA MVP
0
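The check Keith describes can be scripted: compare the address ranges configured on ISA's Internal network against the real subnet, and flag log entries whose "Internal" addresses fall outside those ranges. This is an added example, not code from the thread; the configured ranges and the log lines are constructed to mirror the question, and ISA's own configuration would have to be read from the GUI and typed in.

```python
import ipaddress
import re

# Constructed: Internal network ranges as an admin might have typed them
# (start, end), leaving out the network (.0) and broadcast (.255) addresses.
INTERNAL_RANGES_AS_CONFIGURED = [("192.168.1.1", "192.168.1.254")]
# Constructed: the same ranges after applying the fix from the answer.
INTERNAL_RANGES_FIXED = [("192.168.1.0", "192.168.1.255")]

# Constructed log lines in the shape of the question's "Denied Connection" entries.
SAMPLE_LOG = """\
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Source: Internal ( 192.168.1.50:445)
Destination: Internal ( 192.168.1.10:445)
"""

def parse_ranges(ranges):
    """Turn (start, end) strings into IPv4Address pairs."""
    return [(ipaddress.ip_address(a), ipaddress.ip_address(b)) for a, b in ranges]

def in_ranges(ip, ranges):
    """True if ip lies inside any configured start-end range (inclusive)."""
    addr = ipaddress.ip_address(ip)
    return any(lo <= addr <= hi for lo, hi in parse_ranges(ranges))

def missing_from_subnet(subnet, ranges):
    """Addresses of the subnet (network and broadcast included) that the
    configured ranges do not cover; these are what ISA will treat as spoofed."""
    net = ipaddress.ip_network(subnet)
    return [str(ip) for ip in net if not in_ranges(str(ip), ranges)]

def flag_unexpected(log_text, ranges):
    """Return (label, ip) for log lines where an 'Internal' address is outside
    the configured ranges, i.e. the entries the spoof check will deny."""
    pattern = re.compile(r"(Source|Destination): Internal \(\s*([\d.]+):\d+\)")
    hits = []
    for line in log_text.splitlines():
        m = pattern.match(line)
        if m and not in_ranges(m.group(2), ranges):
            hits.append((m.group(1), m.group(2)))
    return hits

if __name__ == "__main__":
    print("uncovered:", missing_from_subnet("192.168.1.0/24", INTERNAL_RANGES_AS_CONFIGURED))
    print("flagged:", flag_unexpected(SAMPLE_LOG, INTERNAL_RANGES_AS_CONFIGURED))
```

With the as-configured ranges the script reports .0 and .255 as uncovered and flags the broadcast destination; with the whole-subnet ranges it reports nothing.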
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 24565586
Thanks :)
0
