Solved

How To Configure ISA 2006 With External NIC routing To Juniper Firewall - NO INTERNAL ISA INTERFACE

Posted on 2010-11-18
Last Modified: 2013-11-29
My client has a Juniper firewall with one leg on the private/internal network, one leg on the public and one leg on the DMZ. So think of it as being "T-shaped" logically.

My problem is that the client does not have a secondary firewall, so to speak, so they refuse to get an executive exception to allow the ISA2K6 server to have a leg into the private network from the DMZ. It freaks them out, no matter how much I tell them (and show them) that it's secure if done correctly. Anyway, I cannot have an internal and external interface on the ISA2K6 server, which is acting as a reverse proxy for the OCS2K7 environment; specifically it communicates with the OCS CWA server that sits on the internal/private network.

The ISA2K6 reverse proxy server is a virtual machine, on which I've created two NICs, both with IPs sitting on the DMZ. I'm trying to get ISA2K6 to allow me to specify both NICs (NIC-A is supposed to be the internally facing one, but can't face internally, so it's an external IP sitting on the DMZ). NIC-B is normal: external, and NATs to the public IP that corresponds to the reverse proxy URL published to anonymous Internet Live Meeting/IM/Address Book users.

My difficulty is in telling ISA that there are no internally facing interfaces and that NIC-A has to route its traffic to and from the OCS2K7 CWA server (on the internal network) through the firewall address (the DMZ gateway) so that internal resolution will occur. In theory this should work: two external interfaces; tell ISA that NIC-A must route between its own IP, which is in the DMZ, and the firewall (its gateway IP), and I can just let the Juniper firewall figure out the best way to route those packets from NIC-A (on the DMZ) to the CWA server (on the private network), all without having a specified internal interface as ISA2K6 neatly expects.

Any ideas on how I can pull this off?? Because I am going to be asked to do the same thing to the OCS2K7 Edge Server sitting in the DMZ also. HELP!!
Question by:Monterio
4 Comments
LVL 1

Accepted Solution

by:
Monterio earned 0 total points
ID: 34168338
Here's what I'm looking at now... (attached image: OCS-Instate.png)
0
 
LVL 29

Expert Comment

by:pwindell
ID: 34181948
There is no such thing as a single-NIC ISA with only an external interface. The interface on an ISA is always an internal interface; it can only be used as a web-caching proxy and nothing else. ISA/TMG was invented and designed to be a full high-end enterprise firewall product. A single-NIC ISA/TMG is pretty much a waste of money and a waste of time (IMO).
0
 
LVL 12

Expert Comment

by:Jeff_Schertz
ID: 34217667
The best approach for your client is to have them define a second perimeter network subnet using a 4th interface on the Juniper if possible. This way you can put two interfaces on both the Edge and ISA servers, as each interface needs to be in a separate IP subnetwork.

If this is not possible (inflexible customer or no remaining interfaces on the Juniper) then you can still use a single interface on the ISA server. A single interface on the Edge server, though, is more difficult to pull off: http://blogs.pointbridge.com/Blogs/schertz_jeff/Lists/Posts/ViewPost.aspx?ID=33
0
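As an added illustration (this is not code from the thread, from ISA, or from Juniper), the script below checks the two conditions the thread turns on: that each NIC on the ISA host sits in a distinct IP subnet, and that traffic for the internal CWA server leaves the DMZ-side NIC via the firewall's gateway address rather than being treated as on-link. All addresses are constructed from the RFC 5737 documentation ranges, and the internal network (10.0.0.0/8) and the CWA server address are assumptions, not the client's real values. It compares the layout the question describes (both NICs on one DMZ subnet) with the second-perimeter-subnet layout suggested in the answer above.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str               # address plus prefix, e.g. "192.0.2.10/24"


@dataclass(frozen=True)
class Route:
    destination: str        # network in CIDR form; "0.0.0.0/0" is the default route
    gateway: Optional[str]  # None means the destination is on-link
    interface: str          # name of the Interface the route leaves through


def overlapping_interfaces(interfaces: List[Interface]) -> List[Tuple[str, str]]:
    """Return every pair of interfaces whose subnets overlap.

    ISA expects each NIC to be in its own IP subnet (the point made in the
    thread); two NICs on the same DMZ subnet are reported here.
    """
    nets = [(i.name, ipaddress.ip_interface(i.cidr).network) for i in interfaces]
    clashes = []
    for idx, (name_a, net_a) in enumerate(nets):
        for name_b, net_b in nets[idx + 1:]:
            if net_a.overlaps(net_b):
                clashes.append((name_a, name_b))
    return clashes


def resolve_next_hop(routes: List[Route], destination: str) -> Optional[Tuple[Optional[str], str]]:
    """Longest-prefix match over a route table.

    Returns (gateway, interface) for the most specific matching route, or None
    when nothing matches (e.g. no default route present).
    """
    dst = ipaddress.ip_address(destination)
    best: Optional[Tuple[int, Route]] = None
    for route in routes:
        net = ipaddress.ip_network(route.destination, strict=False)
        if dst in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, route)
    if best is None:
        return None
    return (best[1].gateway, best[1].interface)


# Constructed sample data (RFC 5737 ranges; not the client's real addressing).
# Layout A: what the question describes - both NICs on the single DMZ subnet,
# both pointing at the same firewall address for their next hop.
AS_DESCRIBED = [Interface("NIC-A", "192.0.2.10/24"), Interface("NIC-B", "192.0.2.11/24")]
ROUTES_AS_DESCRIBED = [
    Route("0.0.0.0/0", "192.0.2.1", "NIC-B"),     # default route out the public-facing NIC
    Route("10.0.0.0/8", "192.0.2.1", "NIC-A"),    # assumed internal range via the DMZ gateway
    Route("192.0.2.0/24", None, "NIC-B"),         # the shared DMZ subnet is on-link
]

# Layout B: the second perimeter subnet suggested in the thread, so NIC-A
# lives in its own subnet with its own firewall-side gateway.
SECOND_PERIMETER = [Interface("NIC-A", "198.51.100.10/24"), Interface("NIC-B", "192.0.2.11/24")]
ROUTES_SECOND_PERIMETER = [
    Route("0.0.0.0/0", "192.0.2.1", "NIC-B"),       # default route out the public-facing NIC
    Route("10.0.0.0/8", "198.51.100.1", "NIC-A"),   # assumed internal range via the firewall's second perimeter leg
    Route("198.51.100.0/24", None, "NIC-A"),        # on-link
    Route("192.0.2.0/24", None, "NIC-B"),           # on-link
]

CWA_SERVER = "10.1.2.3"   # assumed address of the internal CWA server


def check_layout(interfaces: List[Interface], routes: List[Route], cwa_address: str = CWA_SERVER) -> dict:
    """Summarise both conditions: subnet clashes, and where CWA-bound traffic goes."""
    return {
        "subnet_clashes": overlapping_interfaces(interfaces),
        "cwa_next_hop": resolve_next_hop(routes, cwa_address),
    }


if __name__ == "__main__":
    print("as described:    ", check_layout(AS_DESCRIBED, ROUTES_AS_DESCRIBED))
    print("second perimeter:", check_layout(SECOND_PERIMETER, ROUTES_SECOND_PERIMETER))
```

Run as-is, the first layout reports the NIC-A/NIC-B subnet clash the answer warns about, while CWA-bound traffic in both layouts resolves to a firewall gateway on NIC-A rather than an on-link route, which is the routing behaviour the question is after. The clash is the part that needs the extra Juniper interface; the route lookup alone cannot fix it.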
 
LVL 1

Author Closing Comment

by:Monterio
ID: 34224674
There was no solution proposed that helped me. Only one person replied and it was an opinion, no technical information that could help me with my problem. So I'm accepting my answer and bowing out, since it's been two days and no one else has responded.
0