Solved

Does anyone have any easy to follow guides on a domain install of ISA 2006 in a Win 2003 environment?

Posted on 2009-07-08
315 Views
Last Modified: 2012-08-14
Question by:gpersand
10 Comments

Expert Comment

by:pwindell
ID: 24804650
I know of no guide beyond any Deployment Guides you might find on MS's site, and I don't even know what they contain.  The problem is that there are three and a half dozen ways to deploy an ISA.  There are some good things on www.isaserver.org too. But the problem with any of that is that you have to already know what your goal is and must know what you are looking for.
It doesn't matter if it is a Domain with NT4.0, 2000, 2003, or 2008.  It changes nothing,...a Domain is a Domain.  Assuming you aren't going to waste your money on a single-NIC ISA,...then...
You configure a machine with the proper NIC arrangement,...make it a Domain Member,...install ISA.  There isn't that much to it.
The External NIC is the only one that can have a Default Gateway,...but the DNS setting must be blank.  In the Bindings, unbind everything except TCP/IP.
The Internal NIC has a DNS setting and it must be the Internal AD/DNS and nothing else.  It must never have a Default Gateway.   The Internal NIC must be first in the Adapter binding order,...which has nothing to do with the kind of binding order mentioned concerning the External NIC.  This binding order is in the Advanced Settings in "Network Places",...the bindings for the External NIC are in the Properties of the NIC.
The first Access Rule you create should be a DNS Rule that allows the AD/DNS to make anonymous outbound DNS queries to the Forwarders listed in the Config of the DNS Server.   Whatever rules you create after that are up to you.
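The adapter checklist in the comment above (external NIC is the only one with a default gateway and has no DNS servers; internal NIC points only at the internal AD/DNS, has no gateway, and sits first in the TCP/IP binding order) is easy to get wrong by hand. The following PowerShell script is an added example, not code from the thread or from Microsoft: it audits the prospective ISA host against that checklist using WMI and the Tcpip\Linkage\Bind registry value, and additionally warns when an internal address falls outside RFC 1918 private space, a point the thread takes up later. The `$InternalDnsServers` default and the expectation that Tcpip\Linkage\Bind lists adapters in binding-order priority are assumptions; the script targets PowerShell 2.0 or later, which is what a Windows Server 2003 host would have.

```powershell
# Added example (not from the thread): pre-install audit of the ISA host's adapters.
#   External NIC: the only adapter with a default gateway, and no DNS servers set.
#   Internal NIC: DNS = internal AD/DNS only, no gateway, first in the binding order.
# Assumption: $InternalDnsServers holds your AD/DNS addresses; the defaults are placeholders.
param(
    [string[]]$InternalDnsServers = @('192.168.10.5', '192.168.10.6')   # assumption
)

function ConvertTo-UInt32Address([string]$Ip) {
    # IPv4 dotted quad -> unsigned 32-bit integer in network byte order
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($bytes)            # BitConverter reads little-endian on x86/x64
    [BitConverter]::ToUInt32($bytes, 0)
}

function Test-InSubnet([string]$Ip, [string]$Network, [int]$Prefix) {
    # True when the top $Prefix bits of $Ip equal those of $Network.
    # The mask is built arithmetically because PowerShell 2.0 has no -shl operator.
    $mask = [uint32](4294967295 - [Math]::Pow(2, 32 - $Prefix) + 1)
    ((ConvertTo-UInt32Address $Ip) -band $mask) -eq ((ConvertTo-UInt32Address $Network) -band $mask)
}

function Test-Rfc1918Address([string]$Ip) {
    (Test-InSubnet $Ip '10.0.0.0' 8) -or
    (Test-InSubnet $Ip '172.16.0.0' 12) -or
    (Test-InSubnet $Ip '192.168.0.0' 16)
}

function Get-IsaAdapterFindings([string[]]$InternalDns) {
    $findings = @()
    $adapters    = @(Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE')
    $withGateway = @($adapters | Where-Object { $_.DefaultIPGateway -and $_.DefaultIPGateway.Count -gt 0 })

    if ($adapters.Count -lt 2) {
        $findings += "Only $($adapters.Count) IP-enabled adapter(s); a back-to-back ISA needs two."
    }
    if ($withGateway.Count -ne 1) {
        $findings += "Exactly one adapter (the external NIC) should carry a default gateway; found $($withGateway.Count)."
    }

    # Adapter binding order for TCP/IP: the first \Device\{GUID} entry is the top of the order
    # (assumption about the Bind value's ordering; SettingID on the WMI object is the same GUID).
    $bind = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind
    $firstBound = if ($bind) { $bind[0] -replace '^\\Device\\', '' } else { $null }

    foreach ($a in $adapters) {
        $name = $a.Description
        $isExternal = [bool]($a.DefaultIPGateway -and $a.DefaultIPGateway.Count -gt 0)
        if ($isExternal) {
            if ($a.DNSServerSearchOrder) {
                $findings += "$name (external): DNS servers must be blank, found $($a.DNSServerSearchOrder -join ', ')."
            }
            if ($firstBound -eq $a.SettingID) {
                $findings += "$name (external): is first in the adapter binding order; the internal NIC must be first."
            }
        } else {
            if (-not $a.DNSServerSearchOrder) {
                $findings += "$name (internal): no DNS servers set; it must point at the internal AD/DNS."
            } else {
                $foreign = @($a.DNSServerSearchOrder | Where-Object { $InternalDns -notcontains $_ })
                if ($foreign.Count -gt 0) {
                    $findings += "$name (internal): DNS servers other than internal AD/DNS: $($foreign -join ', ')."
                }
            }
            foreach ($ip in @($a.IPAddress | Where-Object { $_ -notmatch ':' })) {   # IPv4 only
                if (-not (Test-Rfc1918Address $ip)) {
                    $findings += "$name (internal): $ip is outside RFC 1918 private space."
                }
            }
        }
    }
    $findings
}

$result = @(Get-IsaAdapterFindings $InternalDnsServers)
if ($result.Count -eq 0) { 'Adapter configuration matches the checklist.' } else { $result }
```

Run it on the box before installing ISA; each line of output is one deviation from the checklist. The RFC 1918 check is a warning rather than a hard failure, since a LAN already on public space (as in this thread) can still be fronted by ISA, but it is the kind of thing you want on record before the firewall goes in.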

Author Comment

by:gpersand
ID: 24818229
Thanks for the info. I have a few more questions regarding the setup. I am new to ISA and primarily need it to secure an OWA setup on my LAN.
Below is a diagram of what I want to achieve:

                    Internet
                        |
                        |
                PIX External NIC
                        |-----------PIX DMZ NIC ----------- web server
                        |
                PIX Internal NIC
                        |
                        |
                ISA External NIC
                        |
                ISA Internal NIC
                        |
        ------------------------ internal LAN ------------------------
                 |                                      |
              Servers                             Workstations

My network is set up as the above but excluding the ISA.

1. My internal LAN uses the 134.127.0.0 address range. I assume the INTERNAL NIC of the ISA will have an address from this range. Please correct me if I am wrong.

2. From what address range should the EXTERNAL ISA NIC come from?

3. When I first install the ISA will it lock down all communication through the PIX? If so I will plan to do the job after working hours.

Expert Comment

by:pwindell
ID: 24818395
1. My lord man!  You're running Public IP#s on your LAN??  I don't know if I even want to get involved in this.  I'm morally against assisted suicide.
1.a.  It gets even worse if you arbitrarily chose those addresses and do not actually own them,...which means someone else owns them,...which means you would be in an Address Conflict with any Public Internet Location that uses those same addresses.   RFC Private Address Ranges were invented for a reason.
2. You have to make up a new IP Segment just for this "middle" segment.  This will become your Back-to-Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.
3. ISA denies everything by default.  You then have to specify everything you want it to allow after that.  The only exception is the ISA's System Policies that it creates automatically for authentication purposes and domain interaction with the DC.  Hence,...why the machine needs to be a Domain Member before the ISA software is installed.  The installation detects the machine is a domain member and creates the proper policies during the installation.  A lot of Admin hair-pulling happens because they don't make the machine a domain member before installing the ISA.

Expert Comment

by:pwindell
ID: 24818519
Anyway,...I think you have a reasonable idea how to insert ISA into the LAN.  I didn't give these three links earlier but they should be of some help with getting the Access Rules correct.  The first one describes how they work,...the second one describes how to troubleshoot them when they don't work as expected,...the third one is just general documentation from MS's site.
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx

Author Comment

by:gpersand
ID: 24821378
1. My lord man!  You're running Public IP#s on your LAN??  I don't know if I even want to get involved in this.  I'm morally against assisted suicide.

This address range was already used by my firm before I started here so nothing I can do about it now. I believe it belongs to a French university so we shouldn't be connecting to any of those addresses from my stockbroking firm anyhow.

2. You have to make up a new IP Segment just for this "middle" segment.  This will become your Back-to-Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.

Can you expand on this please.
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of e.g. 10.19.0.0 for the back-to-back DMZ or can I use the 10.18.0.0 range which already exists?



Expert Comment

by:pwindell
ID: 24822893
The #1.   It is never too late to fix things.  All you have to do is first have permission to proceed with it of course,..but then just start adding a subnet or two onto the LAN with RFC Private Addresses,..then over time move equipment into the new subnets.  When the old subnets are finally empty, retire them.
The #2    I just mean you have two DMZs after this.  It is just excess complexity.  In my system the ISA would have just simply replaced the PIX or I would have put it "side-by-side" with the PIX so they would be independent.  Then use each for different jobs.  But that is just me.

Author Comment

by:gpersand
ID: 24822962
I cannot change the IP range as my director does not want that unfortunately.
The eventual goal is to get rid of the DMZ zone (with the webserver) in the PIX and move it to an ISA DMZ but that's way in the future.

Really all we want the ISA for is to secure OWA and OMA. That's it for now.
Can the ISA do this without interfering with the current network setup?

Expert Comment

by:pwindell
ID: 24823150
Really all we want the ISA for is to secure OWA and OMA. That's it for now.
Can the ISA do this without interfering with the current network setup?
It will make OWA and OMA available in about any configuration, so yes.
But note that I did not say "secure OWA and OMA" because that is a matter of perspective. It implies that OMA and OWA are not secure to start with and that ISA does some kind of "magic" to make insecure products secure.  It does not.  OWA and OMA are no more or no less secure with ISA than without,...but ISA does prevent the rest of the Exchange box from being available, which can be considered a security step, and it can pre-authenticate the users before they get to OWA, which can be considered another security step,..and is in fact more than the PIX or ASA could ever hope to do.

Author Comment

by:gpersand
ID: 24823204
That's great news. I will be using the ISA for more things in the future but for now that's all I need.

Back to one of my older questions:

My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of e.g. 10.19.0.0 for the back-to-back DMZ or can I use the 10.18.0.0 range which already exists?

Accepted Solution

by: pwindell (earned 500 total points)
ID: 24823376
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of e.g. 10.19.0.0 for the back-to-back DMZ or can I use the 10.18.0.0 range which already exists?
No, it has to be a new distinct IP segment that is not used anywhere else.  It is just normal networking principles.
I noticed that your examples all end with *.*.0.0.  You do know that ethernet IP segments (aka Broadcast Domains) should not go over 250-300 hosts?  Ethernet efficiency begins to degrade after that point.  Keeping your segments to nothing larger than *.*.*.0 is the perfect size.  Just estimate that for every 200 hosts you will want another IP segment. That gives a 54 host buffer for each in that estimate.