• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 579
  • Last Modified:

ISA Server 2006 configuration


One of my clients is a software house - they design and develop software.

There current infrastructure using ISA 2006 Server, divided into two zones - internet and internal. This has worked very well until recently.

The problem is that the development team has been performing testing that affects the production network in  a negative way. There run several Virtual Machine's (VM) and one of the VM is a a rogue DHCP server.

I would like to create a zone on ISA server just for R & D and call it the "Dev" zone.  I would like Dev to have the same rules as internal zone.

I would also like to have almost full communication between the "Dev" and Internal zones (with a few exceptions on specific protocals) and I will use firewall rules to adjsut communication between the zones.

The ISA server has enough network ports, so creating the Dev zone should not be an issue.

I treid creating the Dev zone with its own distinxt ipo range, and encountered a few problems.

After creating the new DEV zone, firewall policies (not rules) prevent it from communicating with the internal zone although surfing the internet works; If I include the Dev ip range into the internal zone,  communicating with the internal zone works but not internet.

Does anyone know how I can resolve these issues?

Thanks in advance.

1 Solution
Bruno PACIIT ConsultantCommented:

There's a point you have to know about ISA is that communications between distinct networks is impossible through ISA until you create a network rule between these networks. Creating the network rule you'll have to indicate if you want to do NAT or routing between the networks.

Of course a network rule is not sufficient but it is mandatory.

After have created the network rule that links the networks by a routing rule you'll have to create access rules to allow protocols to pass through ISA.

Added to that, if you want your new network to be able to access internet you'll also have to create another network rule that links this new network with external network by a NAT rule.

Have a good day.
How have you configured this zone? Is it a perimeter network or just another Internal network?

Also, what is the relationship between the internal network and the DEV zone? If you want it to work like you want it to it has to be "Route" and not NAT.
mbudmanAuthor Commented:
Thank you for your assistance.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

We Need Your Input!

WatchGuard is currently running a beta program for our new macOS Host Sensor for our Threat Detection and Response service. We're looking for more macOS users to help provide insight and feedback to help us make the product even better. Please sign up for our beta program today!

Tackle projects and never again get stuck behind a technical roadblock.
Join Now