Solved

ISA Server 2004 setup

Posted on 2009-05-13
3
1,769 Views
Last Modified: 2012-05-06
Hi,

May I please trouble someone to provide some advice and guidance with my ISA Server 2004 installation?

Before I jump into it, here is a bit of history... please be patient with me as I am still learning so may not fully understand all concepts.

This is my ISA Server 2004 setup, in an ISA server back topology.

3 Network Interfaces are setup on the ISA Server:
INTERNAL:  192.168.1.1
DMZ:  192.168.2.1
EXTERNAL:  192.168.3.1

The INTERNAL Interface has the same IP subnet as my internal network -- that is the 192.168.1.x range.  The internal network has a DC which I also use for internal DNS resolution and DHCP.

The DMZ interface I am going to add the 192.168.2.x range.

The EXTERNAL interface is going to be in the 192.168.3.x range, already has firewall and NAT enabled and will serve as a gateway to the Internet.

Now I have also posted a Visio diagram of how it looks like.

So what I am trying to accomplish is hide my internal network using ISA have  DMZ for exchange front end servers, web/ftp etc... and still keep my hardware firewall active with NAT enabled on the hardware firewall.

I would like to know a few things...

1) Have I gone the right way about setting us ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
2) Is there a better solution?
3) Am I using the right network template (Back Firewall Template) or should I use something like (3-Leg Perimeter template) or some hybrid combination of the two.  
4) I am getting a bunch of errors below in the error log constantly!  I don't understand why.

If someone could provide some help and guidance it would be very much appreciated.  Thanks for you patience.

Denied Connection ISA01 14/05/2009 12:25:12 AM
Log type: Firewall service
Status: A packet was dropped because ISA Server determined that the source IP address is spoofed.
Rule:  
Source: Internal ( 192.168.1.1:138)
Destination: Internal ( 192.168.1.255:138)
Protocol: NetBios Datagram
User:  
 Additional information
Number of bytes sent: 0 Number of bytes received: 0
Processing time: 0ms Original Client IP: 192.168.1.1
Client agent:
Denied Connection ISA01 14/05/2009 12:26:30 AM
Log type: Firewall service
Status: The policy rules do not allow the user request.
Rule: Default rule
Source: Internal ( 192.168.1.1:138)
Destination: Local Host ( 192.168.1.255:138)
Protocol: NetBios Datagram
diag.jpg
0
Comment
Question by:janjsr
  • 2
3 Comments
 
LVL 6

Expert Comment

by:Hisham_Elkouha
Comment Utility
1) Have I gone the right way about setting us ISA for what I want to accomplish in terms of having a DMZ and properly hiding my Internal Network?
yes, it is better to use DMZ to protect your Internal Network


2) Is there a better solution?
NO

3) Am I using the right network template (Back Firewall Template) or should I use something like (3-Leg Perimeter template) or some hybrid combination of the two.  
3-Leg is the best chise for you.


0
 
LVL 51

Accepted Solution

by:
Keith Alabaster earned 500 total points
Comment Utility
As always, I would disagree. If you tell the asker that there is not a better solution that he can have selected then it is somewhat confusing to tell him to use the three-legged template rather than the back-end firewall instead - the two are conflicting.

your setup is absolutely fine and works perfectly OK as you have configured it. the cause of your error message is likely because you have not included ALL of the internal IP addresses in the internal LAT.

open the ISA gui, select configuration - networks - internal - properties - addresses. What is listed here? For example, if you have only the 192.168.1.0 subnet on the inside of ISA then the only entries listed should be 192.168.1.0 - 192.168.1.255 - do you have others? Did you miss out the .0 and the .255?

if you have missed them then a broadcast - such as a netbios datagram that uses the .255 broadcast address will appear as a spoof attack and be reported as such in the logs and alerts.

Keith
ISA MVP
0
 
LVL 51

Expert Comment

by:Keith Alabaster
Comment Utility
Thanks :)
0

Featured Post

6 Surprising Benefits of Threat Intelligence

All sorts of threat intelligence is available on the web. Intelligence you can learn from, and use to anticipate and prepare for future attacks.

Join & Write a Comment

This is an article about Leadership and accepting and adapting to new challenges. It focuses mostly on upgrading to Windows 10.
Possible fixes for Windows 7 and Windows Server 2008 updating problem. Solutions mentioned are from Microsoft themselves. I started a case with them from our Microsoft Silver Partner option to open a case and get direct support from Microsoft. If s…
Windows 8 comes with a dramatically different user interface known as Metro. Notably missing from the new interface is a Start button and Start Menu. Many users do not like it, much preferring the interface of earlier versions — Windows 7, Windows X…
With the advent of Windows 10, Microsoft is pushing a Get Windows 10 icon into the notification area (system tray) of qualifying computers. There are many reasons for wanting to remove this icon. This two-part Experts Exchange video Micro Tutorial s…

771 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

10 Experts available now in Live!

Get 1:1 Help Now