Does anyone have any easy to follow guides on a domain install of ISA 2006 in a Win 2003 environment?

Does anyone have any easy to follow guides on a domain install of ISA 2006 in a Win 2003 environment?
gpersandAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

pwindellCommented:
I know of no guide beyond any Deployment Guides you might find on MS's site, and I don't even know what they contain.  The problem is that there are three and half dozen ways to deploy an ISA.  There are some good things on www.isaserver.org too. But the problem with any of that is that you have to already know what your goal is and must know what you are looking for.
It doesn't matter if it is a Domain with NT4.0, 2000, 2003, or 2008.  It changes nothing,..a Domain is a Domain.  Assuming you aren't going to waste your money on a single nic ISA,...then...
You configure a machine with the proper Nic arrangment,...make it a Domain Member,...install ISA.  There isn't that much to it.
The External Nic is the only one that can have a Default Gateway,...but the DNS setting must be blank.  In the BInding unbind everything except TCP/IP.
The Internal Nic has a DNS setting and it must be the Internal AD/DNS and nothing else.  It must never have a Default Gateway.   The Internal nic must be first in the Adapter binding order,...which has nothing to do with the kind of binding order mention concerning the External Nic.  This binding order is in the Advanced Settings in "Network Places",...the bindings for the External nic is in the Properties of the Nic.
The first Access Rule you create should be a DNS Rule that allows the AD/DNS to make anonymous outbound DNS queries to the Forwarders listed in the Config of the DNS Server.   Whatever rules you create after that are up to you.
0
gpersandAuthor Commented:
Thanks for the info. I have a few more questions regarding the setup. I am new to ISA and primarily need it to secure an OWA setup on my LAN.
Below is a diagram of what I want to achieve:

                                                    Internet
                                                          |
                                                          |
                                             PIX external Nic
                                                          |-----------PIX Dmz Nic --------------
                                                          |                                                 |                                          
                                             PIX Internal Nic                            web server                              
                                                          |
                                                          |
                                             ISA External Nic
                                                          |
                                             ISA Internal nic
                                                          |
                          ---------------------------------------  internal LAN --------------------------------------
                                      |                                                                 |
                                 Servers                                                 Work Stations

My network is setup as the above but excuding the ISA.

1.My internal LAN uses the 134.127.0.0 address range. I assume the INTERNAL NIC of the ISA will have an address from this range. Please correct me if I am wrong.

2.From what address range should the EXTERNAL ISA NIC come from?

3.When I first install the ISA will it lock down all communication through the PIX? If so will plan to do the job after working hours.
0
pwindellCommented:
1. My lord man!  You're running Public IP# on your LAN??  I don't know if I even want to get involved in this.  I'm morally against assisted suicide.
1.a.  It gets even worse if you arbitrarily chose those addresses and do not actually own them,...which means someone else owns them,...which means you would be in an Addrerss Conflict with any Public Internet Location that uses those same addresses.   RFC Private Address Ranges were invented for a reason.
2. You have to make up a new IP Segment just for this "middle" segment.  This will become your Back-to Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.
3. ISA denies everything be default.  You then have to specify everything you want it to allow after that.  The only exception is the ISA's System Policies that is creates automatically for authentication purposes and domain interaction with the DC.  Hence,...why the machine needs to be a Domain Member before the ISA software is installed.  The installation detects the machine is a domain member and creates the proper policies during the installation.  A lot of Admin hair-pulling happens because they don't make the machine a domain member before installing the ISA.
0
Big Business Goals? Which KPIs Will Help You

The most successful MSPs rely on metrics – known as key performance indicators (KPIs) – for making informed decisions that help their businesses thrive, rather than just survive. This eBook provides an overview of the most important KPIs used by top MSPs.

pwindellCommented:
Anyway,...I think you have a reasonable idea how to insert ISA into the LAN.  I didn't give these three links eariler but they should be of some help with getting the Access Rules correct.  The first one describe how they work,...the second one described how to troubleshoot them when they don't work as expected,...the third one is just general documentation from MS's site.
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html
Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
ISA2006
http://technet.microsoft.com/en-us/library/bb898433(TechNet.10).aspx
 
0
gpersandAuthor Commented:
1. My lord man!  You're running Public IP# on your LAN??  I don't know if I even want to get involved in this.  I'm morally against assisted suicide.

This address range was already used by my firm before I started here so nothing I can do about it now. I believe it belongs to a French university so we shouldnt be connecting to any of those addresses from my stockbroking firm anyhow.

2. You have to make up a new IP Segment just for this "middle" segment.  This will become your Back-to Back DMZ,...which kinda makes the Tri-Homed DMZ hanging off the side of the PIX a pointless thing.

Can you expand on this please.
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?


0
pwindellCommented:
The #1.   It is never too late to fix things.  All you have to do is first have permission to proceed with it or course,..but then just start adding a subnet or two onto the LAN with RFC Private Addresses,..then over time move equipment into the new subnets.  When the old subnets are finally empty retire them
The #2    I just mean you have two DMZs after this.  It is just excess complexity.  In my system the ISA would have just simply replced the PIX or I would have put it "side-by-side" with the PIX so they would be independent.  Then use each for different jobs.  But that is just me.
0
gpersandAuthor Commented:
I cannot change the IP range as my director does not want that unfortunately.
The eventual goal is to get rid of the DMZ zone (with the webserver) in the PIX and move it to an ISA DMZ but thats way in the future.

Really all we want the ISA for is to secure OWA and OMA. Thats it for now.
Can the ISA do this without interfering with the currrent network setup?
0
pwindellCommented:
Really all we want the ISA for is to secure OWA and OMA. Thats it for now.
Can the ISA do this without interfering with the currrent network setup?
It will make OWA and OMA avialble in about any configuration, so yes.  
But note that I did not say "secure OWA and OMA" because that is a matter of perspective. It implies that OMA and OWA are not secure to start with and that ISA does some kind of "magic" to make insecure products secure.  It does not.  OWA and OMA are no more or no less secure with ISA than without,...but ISA does prevent the rest of the Exchange box from being available, which can be considered a security step, and it can pre-authenticate the users before they get to OWA, which can be considered another security step,..and is in fact more than the PIX or ASA could ever hope to do..  
0
gpersandAuthor Commented:
Thats great news. I will be using the ISA for more things in the future but for now thats all I need.

Back to one of my older questions:

My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?
0
pwindellCommented:
My DMZ holding the webserver currently uses the 10.18.0.0 address range. Shall I create a range of eg 10.19.0.0 for the back to back DMZ or can I use the 10.18.0.0 range which already exists?
No it has to be a new distinct IP segment that is not used anywhere else.  It is just normal networking principles.
I noticed that your examples all end with *.*.0.0.  You do know that ethernet IP segments (aka Broadcast Domains) should not go over 250-300 hosts?  Ethernet efficiency begins to degrade after that point.  Keeping your segments to nothing larger than *.*.*.0 is the perfect size.  Just estmate that for every 200 hosts you will want another IP segment. That gives a 54 host buffer for each in that estrimate.
0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Microsoft Forefront ISA Server

From novice to tech pro — start learning today.