Improve company productivity with a Business Account.Sign Up

x
  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 1880
  • Last Modified:

ISA Server 2004 setup

Hi,

May I please trouble someone to provide some advice and guidance with my ISA Server 2004 installation?

Before I jump into it, here is a bit of history... please be patient with me as I am still learning so may not fully understand all concepts.

This is my ISA Server 2004 setup, in an ISA server back topology.

3 Network Interfaces are setup on the ISA Server:
INTERNAL:  192.168.1.1
DMZ:  192.168.2.1
EXTERNAL:  192.168.3.1

The INTERNAL Interface has the same IP subnet as my internal network -- that is the 192.168.1.x range.  The internal network has a DC which I also use for internal DNS resolution and DHCP.

The DMZ interface I am going to add the 192.168.2.x range.

The EXTERNAL interface is going to be in the 192.168.3.x range, already has firewall and NAT enabled and will serve as a gateway to the Internet.

Now I have also posted a Visio diagram of how it looks like.

So what I am trying to accomplish is hide my internal network using ISA have  DMZ for exchange front end servers, web/ftp etc... and still keep my hardware firewall active with NAT enabled on the hardware firewall.

I would like to know a few things...

1) Have I gone the right way about setting us ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
2) Is there a better solution?
3) Am I using the right network template (Back Firewall Template) or should I use something like (3-Leg Perimeter template) or some hybrid combination of the two.  
4) I am getting a bunch of errors below in the error log constantly!  I don't understand why.

If someone could provide some help and guidance it would be very much appreciated.  Thanks for you patience.

Denied Connection ISA01 14/05/2009 12:25:12 AM
Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule:  
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
Denied Connection ISA01 14/05/2009 12:26:30 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal ( 192.168.1.1:138)
Destination: Local Host ( 192.168.1.255:138)
Protocol: NetBios Datagram
diag.jpg
0
janjsr
Asked:
janjsr
  • 2
1 Solution
 
Hisham_ElkouhaCommented:
1) Have I gone the right way about setting us ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
yes, it is better to use DMZ to protect your Internal Network


2) Is there a better solution?
NO

3) Am I using the right network template (Back Firewall Template) or should I use something like (3-Leg Perimeter template) or some hybrid combination of the two.  
3-Leg is the best chise for you.


0
 
Keith AlabasterEnterprise ArchitectCommented:
As always, I would disagree. If you tell the asker that there is not a better solution that he can have selected then it is somewhat confusing to tell him to use the three-legged template rather than the back-end firewall instead - the two are conflicting.

your setup is absolutely fine and works perfectly OK as you have configured it. the cause of your error message is likely because you have not included ALL of the internal IP addresses in the internal LAT.

open the ISA gui, select configuration - networks - internal - properties - addresses. What is listed here? For example, if you have only the 192.168.1.0 subnet on the inside of ISA then the only entries listed should be 192.168.1.0 - 192.168.1.255 - do you have others? Did you miss out the .0 and the .255?

if you have missed them then a broadcast - such as a netbios datagram that uses the .255 broadcast address will appear as a spoof attack and be reported as such in the logs and alerts.

Keith
ISA MVP
0
 
Keith AlabasterEnterprise ArchitectCommented:
Thanks :)
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Free Tool: SSL Checker

Scans your site and returns information about your SSL implementation and certificate. Helpful for debugging and validating your SSL configuration.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now