Transparent Firewall/Content Filter for ISA 2006?


I've watched the CBTs on this topic, and am a little familiar with the baseline concepts in dealing with ISA Server.  Unfortunately, I'm not seeing information for my particular scenario - which leads me to believe that it's not possible.

What I'd like to do, is the following (very crude example):

ISP <-- Router <--      PLACE ISA SERVER HERE     <-- Internal L3 Switch  <--  Multiple Subnets

In this scenario, I already have all my address space defined, and I'm not wanting to be bothered with changing any of it...  But I'd like to drop the ISA server in the network where I said - as a transparent bridge.

If it can, then of course provide a firewall, WebCache, ContentFiltering, etc.  As I wouldn't be doing any NAT in this topology scenario, I'm almost certain that I couldn't do any of the items I mentioned.

But if anybody else has any information, please don't hesitate to share.

As always - thanks for helping.
In my mind, there is no way to make ISA or TMG transparent (meaning, with no IP).

What you can do is add more internal NICs, one for each subnet. Internal routing is only possible to a limited extent behind NAT (and I think you are using private addresses internally).


Amit Bhatnagar (Technology Consultant - Security) commented:
Yep, Martin is correct, and yes, Martin, there is no doubt about it. :)

It is NOT possible to run ISA/TMG in a passthrough / filter-only / transparent mode. What you can do, though, is run TMG/ISA 2006 in single-NIC proxy mode. This way you will not be required to change any IP address or network, but can still forward some of the traffic to ISA for filtering. Please note, though, that this is limited to rules which are web based, not to any server publishing rules.

Also, TMG can do virus\malware check now so using it as a proxy will be more beneficial.
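The single-NIC proxy mode described above only works if clients are told to send web traffic to the ISA host, which in practice means a WPAD/PAC file pushed by DHCP, DNS or Group Policy. The PAC file below is an added example, not from the original thread or from Microsoft's ISA documentation; the proxy name isa01.corp.example, port 8080, the DNS suffix corp.example and the subnets 10.0.0.0/8 and 192.168.0.0/16 are assumptions. It sends everything external to ISA and keeps internal destinations direct, so no re-addressing is needed. The isPlainHostName/dnsDomainIs/isInNet shims are there only so the file can be checked outside a browser; a real PAC engine supplies those functions and the shims are skipped.

```javascript
// WPAD/PAC file for ISA/TMG in single-NIC web proxy mode (added example, not
// from the original thread). Assumed, hypothetical values: the ISA host is
// isa01.corp.example listening on 8080, the internal DNS suffix is
// corp.example, and the internal subnets are 10.0.0.0/8 and 192.168.0.0/16.
// Clients keep their existing addressing; only HTTP/HTTPS is steered to ISA.

// Parse a dotted quad into a 32-bit int; null if it is not an IPv4 literal.
function dottedQuadToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = (n << 8) | octet;
  }
  return n;
}

// PAC engines provide isPlainHostName/dnsDomainIs/isInNet. The shims below are
// only assigned when those built-ins are absent (e.g. when testing under Node);
// in a browser the built-ins already exist and these blocks are skipped.
if (typeof isPlainHostName !== "function") {
  var isPlainHostName = function (host) { return host.indexOf(".") === -1; };
}
if (typeof dnsDomainIs !== "function") {
  var dnsDomainIs = function (host, domain) {
    return host.length >= domain.length &&
      host.substring(host.length - domain.length) === domain;
  };
}
if (typeof isInNet !== "function") {
  // Real engines resolve names via DNS first; the shim only handles IP literals.
  var isInNet = function (host, pattern, mask) {
    var h = dottedQuadToInt(host), p = dottedQuadToInt(pattern), k = dottedQuadToInt(mask);
    if (h === null || p === null || k === null) return false;
    return (h & k) === (p & k);
  };
}

var ISA_PROXY = "PROXY isa01.corp.example:8080"; // assumed name and port

function FindProxyForURL(url, host) {
  host = host.toLowerCase();
  // Traffic that must never go via the proxy: loopback, unqualified intranet
  // names, the internal DNS suffix and the internal subnets.
  if (host === "localhost" || isInNet(host, "127.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isPlainHostName(host)) return "DIRECT";
  if (dnsDomainIs(host, ".corp.example")) return "DIRECT";
  if (isInNet(host, "10.0.0.0", "255.0.0.0")) return "DIRECT";
  if (isInNet(host, "192.168.0.0", "255.255.0.0")) return "DIRECT";
  // Everything else goes through ISA. Deliberately no "; DIRECT" fallback:
  // with a fallback, a proxy outage would silently bypass the content filter.
  // Pair this with a router ACL that only lets the ISA host out on 80/443.
  return ISA_PROXY;
}
```

Publish the file as http://wpad.corp.example/wpad.dat (or via DHCP option 252 / a Group Policy proxy setting) and remember that, as the answer says, only web traffic is steered this way; anything that is not HTTP/HTTPS, and any published server, is unaffected, so the router's egress ACL is what actually stops clients from going around the proxy.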
usslindstrom (Author) commented:
Very much thank you for the information.  It is more than appreciated.

So, for all of those features, the web proxy / firewall gateway is the best solution.

I would still like to drop the ISA in the same position; however, I then lose my VPN setup inside the router.  (Currently I have a Cisco device providing point-to-point and remote access VPN.)  If the ISA is placed in the same spot as the diagram I hashed out in the first post, the router basically just becomes a pointless waste of electricity.

I know the ISA supports VPN, however it just seems craptastic to me to have a windows box provide these services.  (The odds of having a router crash versus a server are like a gazillion to one).

What's your guys' take on the VPN side of ISA?  
Amit Bhatnagar (Technology Consultant - Security) commented:
ISP <-- Router <--      PLACE ISA SERVER HERE     <-- Internal L3 Switch  <--  Multiple Subnets

Well, I would still suggest TMG/ISA in a 'SINGLE NIC' configuration. If the Cisco is handling site-to-site, then I am assuming it is IPsec, and ending it on an ISA would mean NAT'ing IPsec, which is possible now as per the new RFC but not recommended. So let's simply rule out the above example unless you are willing either to run TMG/ISA in single-NIC mode or to terminate the connection on ISA/TMG rather than the Cisco, which is not so bright an idea. :)
usslindstrom (Author) commented:
So, in saying all these examples, what is usually the best option for deploying an ISA server?

Should I bring the ISA back into some of the internal subnets?  In this scenario, I would imagine I would make an ACL at the router that only allowed the ISA out to the net over HTTP, etc., and blocked everybody else.

Or, drop the ISA on the outside interface of the router, and likewise only allow the ISA back into my internal network (published servers) - blocking everybody else.

Sorry if I'm slow in picking up this, Just trying to get the most out of the situation.  :)
Amit Bhatnagar (Technology Consultant - Security) commented:
Double NAT is not recommended unless you have a good reason. In most cases ISA is used as a backend firewall, if at all; otherwise as a proxy. I have never really seen it as the frontend firewall in front of a Cisco.
usslindstrom (Author) commented:
Understood.  Thank you very much for the assistance guys.  I really appreciate it.