We help IT Professionals succeed at work.

Check out our new AWS podcast with Certified Expert, Phil Phillips! Listen to "How to Execute a Seamless AWS Migration" on EE or on your favorite podcast platform. Listen Now

x

Does anyone have any easy to follow guides on a domain install of ISA 2006 in a Win 2003 environment?

Medium Priority
344 Views
Last Modified: 2012-08-14
Does anyone have any easy to follow guides on a domain install of ISA 2006 in a Win 2003 environment?
Comment
Watch Question

Most Valuable Expert 2011

Commented:
I know of no guide beyond any Deployment Guides you might find on MS's site, and I don't even know what they contain.  The problem is that there are three and half dozen ways to deploy an ISA.  There are some good things on www.isaserver.org too. But the problem with any of that is that you have to already know what your goal is and must know what you are looking for.
It doesn't matter if it is a Domain with NT4.0, 2000, 2003, or 2008.  It changes nothing,..a Domain is a Domain.  Assuming you aren't going to waste your money on a single nic ISA,...then...
You configure a machine with the proper Nic arrangment,...make it a Domain Member,...install ISA.  There isn't that much to it.
The External Nic is the only one that can have a Default Gateway,...but the DNS setting must be blank.  In the BInding unbind everything except TCP/IP.
The Internal Nic has a DNS setting and it must be the Internal AD/DNS and nothing else.  It must never have a Default Gateway.   The Internal nic must be first in the Adapter binding order,...which has nothing to do with the kind of binding order mention concerning the External Nic.  This binding order is in the Advanced Settings in "Network Places",...the bindings for the External nic is in the Properties of the Nic.
The first Access Rule you create should be a DNS Rule that allows the AD/DNS to make anonymous outbound DNS queries to the Forwarders listed in the Config of the DNS Server.   Whatever rules you create after that are up to you.

Author

Commented:
Thanks for the info. I have a few more questions regarding the setup. I am new to ISA and primarily need it to secure an OWA setup on my LAN.
Below is a diagram of what I want to achieve:

                                                    Internet
                                                          |
                                                          |
                                             PIX external Nic
                                                          |-----------PIX Dmz Nic --------------
                                                          |                                                 |                                          
                                             PIX Internal Nic                            web server                              
                                                          |
                                                          |
                                             ISA External Nic
                                                          |
                                             ISA Internal nic
                                                          |
                          ---------------------------------------  internal LAN --------------------------------------
                                      |                                                                 |
                                 Servers                                                 Work Stations

My network is setup as the above but excuding the ISA.

1.My internal LAN uses the 134.127.0.0 address range. I assume the INTERNAL NIC of the ISA will have an address from this range. Please correct me if I am wrong.

2.From what address range should the EXTERNAL ISA NIC come from?

3.When I first install the ISA will it lock down all communication through the PIX? If so will plan to do the job after working hours.
Most Valuable Expert 2011

Commented:
1. My lord man!  You're running Public IP# on your LAN??  I don't know if I even want to get involved in this.  I'm morally against assisted suicide.
1.a.  It gets even worse if you arbitrarily chose those addresses and do not actually own them,...which means someone else owns them,...which means you would be in an Addrerss Conflict with any Public Internet Location that uses those same addresses.   RFC Private Address Ranges were invented for a reason.
2. You have to make up a new IP Segment just for this "middle" segment.  This will become your Back-to Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.
3. ISA denies everything be default.  You then have to specify everything you want it to allow after that.  The only exception is the ISA's System Policies that is creates automatically for authentication purposes and domain interaction with the DC.  Hence,...why the machine needs to be a Domain Member before the ISA software is installed.  The installation detects the machine is a domain member and creates the proper policies during the installation.  A lot of Admin hair-pulling happens because they don't make the machine a domain member before installing the ISA.
Most Valuable Expert 2011

Commented:
Anyway,...I think you have a reasonable idea how to insert ISA into the LAN.  I didn't give these three links eariler but they should be of some help with getting the Access Rules correct.  The first one describe how they work,...the second one described how to troubleshoot them when they don't work as expected,...the third one is just general documentation from MS's site.
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
 

Author

Commented:
1. My lord man!  You're running Public IP# on your LAN??  I don't know if I even want to get involved in this.  I'm morally against assisted suicide.

This address range was already used by my firm before I started here so nothing I can do about it now. I believe it belongs to a French university so we shouldnt be connecting to any of those addresses from my stockbroking firm anyhow.

2. You have to make up a new IP Segment just for this "middle" segment.  This will become your Back-to Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.

Can you expand on this please.
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?


Most Valuable Expert 2011

Commented:
The #1.   It is never too late to fix things.  All you have to do is first have permission to proceed with it or course,..but then just start adding a subnet or two onto the LAN with RFC Private Addresses,..then over time move equipment into the new subnets.  When the old subnets are finally empty retire them
The #2    I just mean you have two DMZs after this.  It is just excess complexity.  In my system the ISA would have just simply replced the PIX or I would have put it "side-by-side" with the PIX so they would be independent.  Then use each for different jobs.  But that is just me.

Author

Commented:
I cannot change the IP range as my director does not want that unfortunately.
The eventual goal is to get rid of the DMZ zone (with the webserver) in the PIX and move it to an ISA DMZ but thats way in the future.

Really all we want the ISA for is to secure OWA and OMA. Thats it for now.
Can the ISA do this without interfering with the currrent network setup?
Most Valuable Expert 2011

Commented:
Really all we want the ISA for is to secure OWA and OMA. Thats it for now.
Can the ISA do this without interfering with the currrent network setup?
It will make OWA and OMA avialble in about any configuration, so yes.  
But note that I did not say "secure OWA and OMA" because that is a matter of perspective. It implies that OMA and OWA are not secure to start with and that ISA does some kind of "magic" to make insecure products secure.  It does not.  OWA and OMA are no more or no less secure with ISA than without,...but ISA does prevent the rest of the Exchange box from being available, which can be considered a security step, and it can pre-authenticate the users before they get to OWA, which can be considered another security step,..and is in fact more than the PIX or ASA could ever hope to do..  

Author

Commented:
Thats great news. I will be using the ISA for more things in the future but for now thats all I need.

Back to one of my older questions:

My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?
Most Valuable Expert 2011
Commented:
Unlock this solution with a free trial preview.
(No credit card required)
Get Preview
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a free trial preview!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.