Solved

ISA Server 2004 setup

Posted on 2009-05-13
Last Modified: 2012-05-06
Hi,

May I please trouble someone to provide some advice and guidance with my ISA Server 2004 installation?

Before I jump into it, here is a bit of history... please be patient with me as I am still learning so may not fully understand all concepts.

This is my ISA Server 2004 setup, in an ISA server back topology.

3 Network Interfaces are setup on the ISA Server:
INTERNAL:  192.168.1.1
DMZ:  192.168.2.1
EXTERNAL:  192.168.3.1

The INTERNAL Interface has the same IP subnet as my internal network -- that is the 192.168.1.x range.  The internal network has a DC which I also use for internal DNS resolution and DHCP.

The DMZ interface I am going to add the 192.168.2.x range.

The EXTERNAL interface is going to be in the 192.168.3.x range, already has firewall and NAT enabled and will serve as a gateway to the Internet.

Now I have also posted a Visio diagram of what it looks like.

So what I am trying to accomplish is to hide my internal network using ISA, have a DMZ for Exchange front-end servers, web/FTP etc... and still keep my hardware firewall active with NAT enabled on the hardware firewall.

I would like to know a few things...

1) Have I gone the right way about setting up ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
2) Is there a better solution?
3) Am I using the right network template (Back Firewall Template) or should I use something like (3-Leg Perimeter template) or some hybrid combination of the two.  
4) I am getting a bunch of errors below in the error log constantly!  I don't understand why.

If someone could provide some help and guidance it would be very much appreciated.  Thanks for your patience.

Denied Connection ISA01 14/05/2009 12:25:12 AM
Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule:  
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:

Denied Connection ISA01 14/05/2009 12:26:30 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal ( 192.168.1.1:138)
Destination: Local Host ( 192.168.1.255:138)
Protocol: NetBios Datagram
diag.jpg
Question by:janjsr

Expert Comment

by:Hisham_Elkouha
ID: 24386970
1) Have I gone the right way about setting up ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
Yes, it is better to use a DMZ to protect your Internal Network.


2) Is there a better solution?
No.

3) Am I using the right network template (Back Firewall Template) or should I use something like (3-Leg Perimeter template) or some hybrid combination of the two.  
3-Leg is the best choice for you.



Accepted Solution

by:
Keith Alabaster earned 500 total points
ID: 24388283
As always, I would disagree. If you tell the asker that there is not a better solution that he can have selected then it is somewhat confusing to tell him to use the three-legged template rather than the back-end firewall instead - the two are conflicting.

Your setup is absolutely fine and works perfectly OK as you have configured it. The cause of your error message is likely because you have not included ALL of the internal IP addresses in the internal LAT.

Open the ISA GUI, select Configuration - Networks - Internal - Properties - Addresses. What is listed here? For example, if you have only the 192.168.1.0 subnet on the inside of ISA then the only entries listed should be 192.168.1.0 - 192.168.1.255 - do you have others? Did you miss out the .0 and the .255?

If you have missed them then a broadcast - such as a NetBIOS datagram that uses the .255 broadcast address - will appear as a spoof attack and be reported as such in the logs and alerts.

Keith
ISA MVP
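
The check described in the accepted answer, as an added example that is not part of the original answer or of ISA Server: it reports which edge addresses of the interface subnet are missing from the Internal network's address ranges, and which endpoints of the logged NetBIOS datagram fall outside them. The /24 mask, the misconfigured range 192.168.1.1 - 192.168.1.254 and all function names are assumptions; the membership test is a simplified model of the behaviour the answer describes, not ISA's own logic.

```python
import ipaddress
import re

# GOOD is the range named in the answer; BAD is a constructed misconfiguration.
GOOD = [("192.168.1.0", "192.168.1.255")]
BAD = [("192.168.1.1", "192.168.1.254")]

# Source/Destination lines copied from the denied-connection entry in the question.
LOG = """Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram"""

ENDPOINT = re.compile(r"^(Source|Destination):.*\(\s*(\d+(?:\.\d+){3}):\d+\)")


def in_ranges(addr, ranges):
    """True if addr lies inside any inclusive (low, high) range."""
    a = ipaddress.ip_address(str(addr))
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi)
               for lo, hi in ranges)


def missing_edges(interface_cidr, ranges):
    """Network and broadcast addresses of the NIC's subnet that the ranges omit."""
    net = ipaddress.ip_interface(interface_cidr).network
    edges = (net.network_address, net.broadcast_address)
    return [str(e) for e in edges if not in_ranges(e, ranges)]


def endpoints_outside(log_text, ranges):
    """(field, ip) for each logged endpoint that falls outside the ranges."""
    hits = []
    for line in log_text.splitlines():
        m = ENDPOINT.match(line.strip())
        if m and not in_ranges(m.group(2), ranges):
            hits.append((m.group(1), m.group(2)))
    return hits


if __name__ == "__main__":
    for name, ranges in (("BAD", BAD), ("GOOD", GOOD)):
        print(name, "missing:", missing_edges("192.168.1.1/24", ranges),
              "outside:", endpoints_outside(LOG, ranges))
```
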

Expert Comment

by:Keith Alabaster
ID: 24565586
Thanks :)