Solved

ISA Server 2004 setup

Posted on 2009-05-13
Last Modified: 2012-05-06
Hi,

May I please trouble someone to provide some advice and guidance with my ISA Server 2004 installation?

Before I jump into it, here is a bit of history... please be patient with me, as I am still learning, so I may not fully understand all the concepts.

This is my ISA Server 2004 setup, in an ISA Server back-firewall topology.

3 Network Interfaces are setup on the ISA Server:
INTERNAL:  192.168.1.1
DMZ:  192.168.2.1
EXTERNAL:  192.168.3.1

The INTERNAL Interface has the same IP subnet as my internal network -- that is the 192.168.1.x range.  The internal network has a DC which I also use for internal DNS resolution and DHCP.

To the DMZ interface I am going to add the 192.168.2.x range.

The EXTERNAL interface is going to be in the 192.168.3.x range, already has firewall and NAT enabled and will serve as a gateway to the Internet.

I have also posted a Visio diagram of what it looks like.

So what I am trying to accomplish is to hide my internal network using ISA, have a DMZ for Exchange front-end servers, web/FTP, etc., and still keep my hardware firewall active with NAT enabled on it.

I would like to know a few things...

1) Have I gone the right way about setting up ISA for what I want to accomplish, in terms of having a DMZ and properly hiding my internal network?
2) Is there a better solution?
3) Am I using the right network template (Back Firewall template), or should I use something like the 3-Leg Perimeter template, or some hybrid combination of the two?
4) I am constantly getting a bunch of errors (below) in the log! I don't understand why.

If someone could provide some help and guidance it would be very much appreciated. Thanks for your patience.

Denied Connection ISA01 14/05/2009 12:25:12 AM
Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule:  
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram
User:  
Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
Denied Connection ISA01 14/05/2009 12:26:30 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal ( 192.168.1.1:138)
Destination: Local Host ( 192.168.1.255:138)
Protocol: NetBios Datagram
diag.jpg
Question by:janjsr
Expert Comment

by:Hisham_Elkouha
ID: 24386970
1) Have I gone the right way about setting up ISA for what I want to accomplish, in terms of having a DMZ and properly hiding my internal network?
Yes, it is better to use a DMZ to protect your internal network.


2) Is there a better solution?
No.

3) Am I using the right network template (Back Firewall template), or should I use something like the 3-Leg Perimeter template, or some hybrid combination of the two?
3-Leg is the best choice for you.



Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24388283
As always, I would disagree. If you tell the asker that there is no better solution than the one he has selected, then it is somewhat confusing to tell him to use the three-legged template rather than the back-end firewall template instead; the two are conflicting.

Your setup is absolutely fine and works perfectly OK as you have configured it. The cause of your error message is likely that you have not included ALL of the internal IP addresses in the Internal network's address list (the LAT).

Open the ISA GUI and select Configuration - Networks - Internal - Properties - Addresses. What is listed there? For example, if you have only the 192.168.1.0 subnet on the inside of ISA, then the only entry listed should be 192.168.1.0 - 192.168.1.255. Do you have others? Did you miss out the .0 and the .255?

If you have missed them, then a broadcast, such as a NetBIOS datagram that uses the .255 broadcast address, will appear as a spoof attack and be reported as such in the logs and alerts.

Keith
ISA MVP
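The check Keith describes (do the Internal network's address ranges cover the .0 network address and the .255 broadcast address that the logged NetBIOS datagrams use?) can be run against the log text itself. The script below is an added example, not code from this thread or from ISA Server; it assumes the Internal network ranges are written the way the Addresses tab shows them (one "start - end" pair per line), and the log text and both range lists are constructed from the entries quoted in the question. It parses the denied-connection entries, reports which source or destination address falls outside the configured ranges, and shows that the complete 192.168.1.0 - 192.168.1.255 range clears every entry while the 192.168.1.1 - 192.168.1.254 range leaves the broadcast address uncovered.

```python
"""
Audit ISA Server 'denied connection' log entries against the address ranges
configured for the Internal network.  Added example: not code from the
original thread or from ISA Server.  The ranges and the log text below are
constructed from the log lines quoted in the question.
"""
import ipaddress
import re

# Assumption: ranges are written as the ISA GUI shows them on the Internal
# network's Addresses tab, one "start - end" pair per line.
RANGES_MISSING_BROADCAST = """
192.168.1.1 - 192.168.1.254
"""
RANGES_COMPLETE = """
192.168.1.0 - 192.168.1.255
"""

# Constructed from the two entries quoted in the question.
SAMPLE_LOG = """
Denied Connection ISA01 14/05/2009 12:25:12 AM
Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule:
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram
Denied Connection ISA01 14/05/2009 12:26:30 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal ( 192.168.1.1:138)
Destination: Local Host ( 192.168.1.255:138)
Protocol: NetBios Datagram
"""

# Matches the "( 192.168.1.1:138)" part of a Source: or Destination: line.
ADDR_RE = re.compile(r"\(\s*(\d+\.\d+\.\d+\.\d+):(\d+)\s*\)")


def parse_ranges(text):
    """Return (first, last) IPv4Address pairs; a reversed range is a config error."""
    ranges = []
    for line in text.strip().splitlines():
        first, last = (ipaddress.IPv4Address(p.strip()) for p in line.split("-"))
        if first > last:
            raise ValueError(f"reversed range: {line.strip()}")
        ranges.append((first, last))
    return ranges


def covered(address, ranges):
    """True if the address lies inside any configured range (both ends inclusive)."""
    addr = ipaddress.IPv4Address(address)
    return any(first <= addr <= last for first, last in ranges)


def parse_log(text):
    """Split ISA text-log output into one dict per 'Denied Connection' entry."""
    entries, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Denied Connection"):
            current = {"header": line}
            entries.append(current)
        elif current is None:
            continue
        elif line.startswith(("Source:", "Destination:")):
            key = line.split(":", 1)[0].lower()
            match = ADDR_RE.search(line)
            if match:
                current[key] = match.group(1)
                current[key + "_port"] = int(match.group(2))
        elif line.startswith(("Status:", "Protocol:")):
            key, value = line.split(":", 1)
            current[key.lower()] = value.strip()
    return entries


def audit(log_text, ranges_text):
    """For each entry, list the addresses that fall outside the Internal ranges.

    An empty list means both ends of the packet map to the Internal network,
    so ISA has no address-based reason to treat it as spoofed.
    """
    ranges = parse_ranges(ranges_text)
    report = []
    for entry in parse_log(log_text):
        outside = [entry[k] for k in ("source", "destination")
                   if k in entry and not covered(entry[k], ranges)]
        report.append((entry["header"], outside))
    return report


def directed_broadcast(cidr):
    """The subnet-directed broadcast address that NetBIOS datagrams are sent to."""
    return str(ipaddress.IPv4Network(cidr).broadcast_address)


if __name__ == "__main__":
    for label, ranges in (("missing .0/.255", RANGES_MISSING_BROADCAST),
                          ("complete /24", RANGES_COMPLETE)):
        print(f"--- Internal addresses: {label}")
        for header, outside in audit(SAMPLE_LOG, ranges):
            verdict = "ok" if not outside else "not Internal: " + ", ".join(outside)
            print(f"{header}: {verdict}")
```

The range list is the thing to fix, not the log: once the Internal network spans the whole 192.168.1.0/24 (including 192.168.1.0 and the broadcast 192.168.1.255 that `directed_broadcast` computes), the NetBIOS datagram from the ISA box's own internal interface no longer looks like a packet arriving on the wrong network.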

Expert Comment

by:Keith Alabaster
ID: 24565586
Thanks :)