Gavin Tech
Does anyone have any easy to follow guides on a domain install of ISA 2006 in a Win 2003 environment?
ASKER
Thanks for the info. I have a few more questions regarding the setup. I am new to ISA and primarily need it to secure an OWA setup on my LAN.
Below is a diagram of what I want to achieve:
Internet
|
|
PIX external Nic
|-----------PIX Dmz Nic --------------
| |
PIX Internal Nic web server
|
|
ISA External Nic
|
ISA Internal nic
|
-------------------------- internal LAN --------------------------
| |
Servers Work Stations
My network is set up as above but excluding the ISA.
1. My internal LAN uses the 134.127.0.0 address range. I assume the INTERNAL NIC of the ISA will have an address from this range. Please correct me if I am wrong.
2. From what address range should the EXTERNAL ISA NIC come from?
3. When I first install the ISA, will it lock down all communication through the PIX? If so, I will plan to do the job after working hours.
1. My lord man! You're running Public IP# on your LAN?? I don't know if I even want to get involved in this. I'm morally against assisted suicide.
1.a. It gets even worse if you arbitrarily chose those addresses and do not actually own them,...which means someone else owns them,...which means you would be in an Address Conflict with any Public Internet Location that uses those same addresses. RFC Private Address Ranges were invented for a reason.
2. You have to make up a new IP Segment just for this "middle" segment. This will become your Back-to-Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.
3. ISA denies everything by default. You then have to specify everything you want it to allow after that. The only exception is the ISA's System Policies that it creates automatically for authentication purposes and domain interaction with the DC. Hence,...why the machine needs to be a Domain Member before the ISA software is installed. The installation detects the machine is a domain member and creates the proper policies during the installation. A lot of Admin hair-pulling happens because they don't make the machine a domain member before installing the ISA.
Anyway,...I think you have a reasonable idea how to insert ISA into the LAN. I didn't give these three links earlier but they should be of some help with getting the Access Rules correct. The first one describes how they work,...the second one describes how to troubleshoot them when they don't work as expected,...the third one is just general documentation from MS's site.
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
ASKER
1. My lord man! You're running Public IP# on your LAN?? I don't know if I even want to get involved in this. I'm morally against assisted suicide.
This address range was already used by my firm before I started here so nothing I can do about it now. I believe it belongs to a French university so we shouldn't be connecting to any of those addresses from my stockbroking firm anyhow.
2. You have to make up a new IP Segment just for this "middle" segment. This will become your Back-to Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.
Can you expand on this please.
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?
The #1. It is never too late to fix things. All you have to do is first have permission to proceed with it of course,...but then just start adding a subnet or two onto the LAN with RFC Private Addresses,...then over time move equipment into the new subnets. When the old subnets are finally empty, retire them.
The #2. I just mean you have two DMZs after this. It is just excess complexity. In my system the ISA would have just simply replaced the PIX or I would have put it "side-by-side" with the PIX so they would be independent. Then use each for different jobs. But that is just me.
ASKER
I cannot change the IP range as my director does not want that unfortunately.
The eventual goal is to get rid of the DMZ zone (with the webserver) in the PIX and move it to an ISA DMZ but that's way in the future.
Really all we want the ISA for is to secure OWA and OMA. That's it for now.
Can the ISA do this without interfering with the current network setup?
It will make OWA and OMA available in about any configuration, so yes.
But note that I did not say "secure OWA and OMA" because that is a matter of perspective. It implies that OMA and OWA are not secure to start with and that ISA does some kind of "magic" to make insecure products secure. It does not. OWA and OMA are no more or no less secure with ISA than without,...but ISA does prevent the rest of the Exchange box from being available, which can be considered a security step, and it can pre-authenticate the users before they get to OWA, which can be considered another security step,...and is in fact more than the PIX or ASA could ever hope to do.
ASKER
That's great news. I will be using the ISA for more things in the future but for now that's all I need.
Back to one of my older questions:
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?
ASKER CERTIFIED SOLUTION
It doesn't matter if it is a Domain with NT4.0, 2000, 2003, or 2008. It changes nothing,..a Domain is a Domain. Assuming you aren't going to waste your money on a single nic ISA,...then...
You configure a machine with the proper Nic arrangement,...make it a Domain Member,...install ISA. There isn't that much to it.
The External Nic is the only one that can have a Default Gateway,...but the DNS setting must be blank. In the Bindings, unbind everything except TCP/IP.
The Internal Nic has a DNS setting and it must be the Internal AD/DNS and nothing else. It must never have a Default Gateway. The Internal nic must be first in the Adapter binding order,...which has nothing to do with the kind of binding order mentioned concerning the External Nic. This binding order is in the Advanced Settings in "Network Places",...the bindings for the External nic are in the Properties of the Nic.
The first Access Rule you create should be a DNS Rule that allows the AD/DNS to make anonymous outbound DNS queries to the Forwarders listed in the Config of the DNS Server. Whatever rules you create after that are up to you.
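As an added example (not from the thread or from any ISA tooling), a small Python check that applies the NIC rules in the answer above to a constructed Windows 2003 `ipconfig /all` dump. The adapter names and addresses are assumptions, as is the assumption that the dump lists adapters in binding order.

```python
import re
# Constructed sample in the Windows 2003 `ipconfig /all` layout; names/addresses assumed, dump assumed in binding order.
SAMPLE_IPCONFIG = """Ethernet adapter Internal:
        IP Address. . . . . . . . . . . . : 134.127.1.10
        Default Gateway . . . . . . . . . :
        DNS Servers . . . . . . . . . . . : 134.127.1.5

Ethernet adapter External:
        IP Address. . . . . . . . . . . . : 10.19.0.2
        Default Gateway . . . . . . . . . : 10.19.0.1
        DNS Servers . . . . . . . . . . . : 10.19.0.1
"""

def parse_ipconfig(text):
    """Return {adapter: {field: [values]}}, adapters kept in listed order."""
    adapters, current, field = {}, None, None
    for raw in text.splitlines():
        head = re.match(r"^\S.*adapter (.+):$", raw)
        if head:
            current, field = head.group(1).strip(), None
            adapters[current] = {}
            continue
        if current is None or not raw.strip():
            continue
        kv = re.match(r"^\s+([A-Za-z][A-Za-z -]*?)[ .]*:\s*(.*)$", raw)
        if kv:
            field = kv.group(1).strip()
            vals = adapters[current].setdefault(field, [])
            if kv.group(2).strip():
                vals.append(kv.group(2).strip())
        elif field:  # indented continuation line, e.g. a second DNS server
            adapters[current][field].append(raw.strip())
    return adapters

def check_isa_nics(adapters, internal, external, ad_dns):
    """Apply the answer's NIC rules; an empty list means the box passes."""
    findings = []
    if next(iter(adapters)) != internal:
        findings.append(f"{internal} must be first in the adapter binding order")
    ext, inn = adapters[external], adapters[internal]
    if not ext.get("Default Gateway"):
        findings.append(f"{external} is the only NIC allowed a Default Gateway")
    if ext.get("DNS Servers"):
        findings.append(f"{external} DNS Servers must be blank")
    if inn.get("Default Gateway"):
        findings.append(f"{internal} must never have a Default Gateway")
    if sorted(inn.get("DNS Servers", [])) != sorted(ad_dns):
        findings.append(f"{internal} DNS must be only the internal AD/DNS {ad_dns}")
    return findings
```

Run against the sample, the check flags the one deliberate mistake (a DNS server on the External NIC); clearing it yields an empty findings list.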