usslindstrom
asked on
Transparent Firewall/Content Filter for ISA 2006?
Experts,
I've watched the CBTs on this topic, and am a little familiar with the baseline concepts in dealing with ISA Server. Unfortunately, I'm not seeing information for my particular scenario - which leads me to believe that it's not possible.
What I'd like to do, is the following (very crude example):
ISP <-- Router <-- PLACE ISA SERVER HERE <-- Internal L3 Switch <-- Multiple Subnets
In this scenario, I already have all my address space defined, and I'm not wanting to be bothered with changing any of it... But I'd like to drop the ISA server in the network where I said - as a transparent bridge.
If it can, then of course provide a firewall, WebCache, ContentFiltering, etc. As I wouldn't be doing any NAT in this topology scenario, I'm almost certain that I couldn't do any of the items I mentioned.
But if anybody else has any information, please don't hesitate to share.
As always - thanks for helping.
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
So, in saying all these examples, what is usually the best option for deploying an ISA server?
Should I bring the ISA back into some of the internal subnets? In this scenario, I would imagine I would make an ACL at the router that only allowed the ISA out to the net over HTTP, etc., and blocked everybody else.
Or, drop the ISA on the outside interface of the router, and likewise only allow the ISA back into my internal network (published servers) - blocking everybody else.
Sorry if I'm slow in picking this up, just trying to get the most out of the situation. :)
ASKER
Understood. Thank you very much for the assistance guys. I really appreciate it.
Thanks
-Amit.
ASKER
So, for all of those features, the web proxy / firewall gateway is the best solution.
I would still like to drop the ISA in the same position, however, I then lose my VPN setup inside the router. (Currently I have a Cisco device providing point-to-point and remote access VPN). If the ISA is placed in the same spot as the diagram I hashed out in the first post, the router basically just becomes a pointless waste of electricity.
I know the ISA supports VPN, however it just seems craptastic to me to have a Windows box provide these services. (The odds of having a router crash versus a server are like a gazillion to one).
What's your guys' take on the VPN side of ISA?