How To Configure ISA 2006 With External NIC routing To Juniper Firewall - NO INTERNAL ISA INTERFACE
Posted on 2010-11-18
My client has a Juniper firewall with one leg on the private/internal network, one leg on the public and one leg on the DMZ. So think of it being a "T-shape" logically.
My problem is that the client does not have a secondary firewall, so to speak, so they refuse to get an executive exception to allow the ISA2K6 server to have a leg into
the private network from the DMZ. It freaks them out, no matter how much I tell them (and show them) that it's secure if done correctly. Anyway, I cannot have an internal
and external interface on the ISA2K6 server, which is acting as a reverse proxy for the OCS2K7 environment; specifically it communicates with the OCS CWA server that sits
on the internal/private network.
The ISA2K6 reverse proxy server is a virtual machine, on which I've created two NICs, both with IPs sitting on the DMZ. I'm trying to get ISA2K6 to allow me to specify both
NICs (NIC-A is supposed to be the internally facing one, but it can't face internally, so its external IP is sitting on the DMZ). NIC-B is normal: external, and it NATs to the public IP
that corresponds to the reverse proxy URL published to anonymous Internet Live Meeting/IM/Address Book users.
My difficulty is in telling ISA that there are no internally-facing interfaces and that NIC-A has to route its traffic to and from the OCS2K7 CWA server (on the internal
network) through the firewall address (the DMZ gateway) so that internal resolution will occur. In theory this should work: two external interfaces, tell ISA that NIC-A must
route between its own IP (which is in the DMZ) and the firewall (its gateway IP), and I can just let the Juniper firewall figure out the best way to route those packets from NIC-A
(on the DMZ) to the CWA server (on the private network), all without having a specified internal interface as ISA2K6 neatly expects.
Any ideas on how I can pull this off?? Because I am going to be asked to do the same thing to the OCS2K7 Edge Server sitting in the DMZ also. HELP!!