ISA 2006 INSTALLED ON WIN 2003 SP2 - QUERY

Hi, I've been reading this URL: http://technet.microsoft.com/en-us/library/bb838661.aspx - it shows an example with 3 NICs.

Qns1. I wanted to know if I can install SP2 on my Win 2003 standalone server and then install ISA 2006?

Qns2. What IP addresses should I use for 2 NICs instead of 3 NICs?

It was advised that installing ISA 2006 as a standalone server was preferable, unless another firewall was also being used!
mikey250 asked:

Keith Alabaster (Enterprise Architect) commented:
1. Yes - Windows should be fully patched before installing the ISA server platform. Once the base ISA is operational you can upgrade it to SP2 as well.
2. Whatever IP addresses you want. By default, ISA expects 1, 2, 3 or 4 NICs - up to your config. If just 2, then a public IP address externally and a private IP internally. If you have an external firewall that is providing NAT capability then you can also use private IP addresses on the ISA external interface as well; you just need to change the network relationship within the ISA GUI from NAT to route for internal to external.

Lastly, absolute rubbish. ISA and the new TMG server that replaced ISA Server should ALWAYS be domain connected, wherever possible. There are certain exceptions - for example using ISA as a proxy-only server within a DMZ environment. You will find this explained in every 'official' install guide, manual or training course. ANYONE who advises differently is misinformed.

Keith_alabaster
0

jakethecatuk commented:
Q1. Minimum requirements are 2003 SP1 or 2003 R2 (http://technet.microsoft.com/en-us/library/cc304520.aspx)
Q2. The third NIC would be used if you wanted to have a DMZ. If you don't want that zone, you can use two NICs - one for the external address, one for the internal address.

0
mikey250 (Author) commented:
Qns1. OK, I have installed SP2 first and was going to then install ISA 2006 - is this OK?
0

mikey250 (Author) commented:
Hi

Qns1. I thought ISA 2006 could NOT be part of a 'DC', as I have left it as a standalone server, but a 'static IP address' has been added pointing to the master DC DNS/DHCP server?
0
mikey250 (Author) commented:
Qns1. I'm aware of the comments raised by the expert that best practice is to install ISA 2006 on a standalone rather than as a member server - so I'm assuming, from my reading, that this is because adding it as a member server means more ports accessible to a hacker, so more admin is needed. Hence it is preferably installed as a standalone server?
0
Keith Alabaster (Enterprise Architect) commented:
Other way around - installing on a domain makes it more secure, the reason being that you do NOT need to open so many ports that can pass THROUGH the ISA server to the internal network. By joining the domain, traffic arrives at the ISA and is STOPPED. ISA will then decide whether to pass traffic inwards based on a number of criteria. When used standalone you specifically have to open x number of additional ports, and it is these that can become compromised.

You've asked for best-practice guidance.
I have been a Microsoft Most Valued Professional (MVP) for these products for many years, I am a Microsoft Certified Trainer (MCT) for both ISA Server and the newer Forefront TMG. I am one of the three Moderators for both Microsoft ISA and TMG on TechNet and MSDN. I am the Page Editor here on Experts-Exchange for the topics and lastly I have some 300+ installations behind my belt. I can give you the advice, up to you if you want to take it.

Interesting choice of URL link you have given. Firstly, if you look at the bottom of the 'Accepted' answer highlighted in green, you will see my name :)
Second, this is a completely different question and is related to using a Domain Controller to host the ISA Server (not supported), not related to whether the server is domain joined or not.

Keith
0
Keith Alabaster (Enterprise Architect) commented:
.... You did not mention the box being a DC in your initial post.... we are over-typing each other, methinks.
If the box is a domain controller, an ISA installation is not supported. There are two exceptions to this rule:

1. If the DC is running SBS 2003 Premium, ISA 2004 is available for use and can co-exist on the same server. It was designed to work that way.
2. If you are using TMG (rather than ISA), TMG can be installed on a 2008 read-only DC.

You will need a 2003 non-DC, domain joined server for the ISA 2006.
Keith
0
mikey250 (Author) commented:
Hi keith, OK, I did not spot this about the 'url' I sent and accept your advice. I will follow any advice that ensures I can install ISA 2006. I've never installed it before and wish to learn practically, and then I can start to take on board other reading!!!!!!!!!!!!:)

As I have already installed SP2 on my Win 2003 standalone, I will now join it as a member server to be part of the domain and then install ISA 2006 and let you know, if you're available!!!!!!!!!!!!:)

Qns1. One more thing: are there any Windows components I should install in advance, prior to starting the install of ISA 2006?
0
mikey250 (Author) commented:
Hi jake, my apologies, yes my master DC/SP2/DNS/DHCP install is up and running, and separately I currently have a Win 2003 standalone on which I am going to now install ISA 2006.

You suggest 'TMG instead of ISA' - well, as I have no experience I wished to learn ISA 2006 first of all and will then evolve over to 'TMG'..!! Trying to do things basic, one step at a time.

I'm only doing this to gain practical understanding so I can cope with experts' endless experience, as I have never ever installed any MS firewall product before, and being told by those that use it (and presumably down to cost/availability) that ISA 2006 is secure, at least this way I can round off my experiences and can then progress to 'TMG' for example!!
0
mikey250 (Author) commented:
Qns1. One more thing: currently I have no users installed on the host PC yet, or accounts created on the DC, but intend to between now and tomorrow, so not sure if I should do this first of all prior to installing ISA 2006.!!?
0
Keith Alabaster (Enterprise Architect) commented:
Jake - removed my post and the comment. Agree there was a mixture of views by the community for a while. :)

Mike - It doesn't matter which way. When you set the ISA up and start to create rules, you will have the option to add entries from the AD. If you can, you should create AD groups and assign these to rules rather than assigning individual user names. Then you can add users to these groups as and when you need to.

If you decide that you DO want to use just user names then obviously you will need to have created the user entity before you can associate it with a rule.

Keith
0
mikey250 (Author) commented:
Hi keith, I can add a 'group name' and then create my first user once I have finished installing my host PC with XP, for e.g.

I may just stick with 1 user to assign first of all and once I know I will then add a new group and add the single user in this group!!

Ok will do!

Qns1. Are there any components I should install on my potential ISA 2006 server first of all?
0
mikey250 (Author) commented:
Thanks jake!!
0
mikey250 (Author) commented:
Hi keith, I forgot to mention that this is currently a test network.

Qns1. I have a 'residential netgear/vmdg280' router/box which uses 'dhcp' to allocate internal users' IP addresses. I have 'disabled' this and have 'INSTEAD' my Win 2003 DC/SP2/DNS/DHCP server & potential ISA 2006/SP2 server attached to my default-settings 'cisco switch'. The 'netgear' box is also plugged into the 'cisco switch', which provides the internet connection to my ISP.

I'm using the same 'single subnet'.

I will have a go with 'nat' later but wanted to use 'dhcp' anyway!!
0
Keith Alabaster (Enterprise Architect) commented:
Jake - comments removed as requested (needs Admin permissions) :)

Mike, just to be clear.
You CANNOT use the same subnet on both sides of the ISA - they need to be different. i.e. ISA cannot act as a 'man-in-the-middle' for a subnet. For example, if you have the 192.168.0.0/24 internally, then the external interface of the ISA (and the internal IP of the Netgear) would need to be on a totally separate subnet such as 192.168.100.0/24.

0
mikey250 (Author) commented:
Oh yes, you are right!!!!!!!!:( OK!!

0
mikey250 (Author) commented:
I understand what you mean, but am trying to think of how to do this, in view of my ISP IP addresses already in place!! As my netgear box is configured with: DG: 92.237.52.1 etc. and has a built-in DHCP allocating 192.168.0.x/24, which I have switched to my Win 2003 DC/DNS/DHCP server!!!

I'm assuming I'm going to have to use: 92.237.52.1

so my internal Win 2003 DC/DNS/DHCP can stay as: 192.168.0.x/24
but my external will have to be set to default gateway: 92.237.51.1

Is this ok ?
0
Keith Alabaster (Enterprise Architect) commented:
The external on the Netgear has a default gateway of 92.237.52.1, so the external IP address on the Netgear must be something like .2 or .3 or whatever - that is fine.
The internal IP address on the Netgear is configurable - it has to be, else it would be useless as it would only work in one situation, which would be nonsensical.

Set the INTERNAL IP address of the Netgear to 192.168.100.1, the mask to 255.255.255.0 and leave the default gateway for the Netgear INTERNAL nic blank.
You will turn off the DHCP for the internal subnet on the Netgear - yes.
You will need to add a static route on the Netgear informing it that to get to the 192.168.0.0/24 network, it should forward packets to 192.168.100.2

The external IP address of the ISA will be 192.168.100.2, the mask will be 255.255.255.0 and the default gateway will be 192.168.100.1
You will leave the DNS entry on the ISA external nic BLANK.

Make sure that the ISA internal nic is listed ABOVE the ISA external nic in the binding order.

The internal IP address of the ISA will be 192.168.0.x/24 where x is a spare IP address on that subnet. There will be NO default gateway on the ISA internal nic.

The rest you can get from my articles rather than me typing it all out again here.

0
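A small consistency check of the two-subnet layout Keith lays out above, added here as an example and not part of the original thread. The Netgear and ISA external values are taken from his post, the ISA internal address 192.168.0.9 from Mike's earlier post, and the "same subnet on both sides" case that Keith rules out uses constructed addresses.

```python
import ipaddress

def check_isa_plan(plan):
    """Check a two-NIC ISA addressing plan against the rules given in the thread.

    plan keys (all values constructed for this example): isa_internal, isa_external,
    router_internal ('addr/prefix'); isa_internal_gw, router_internal_gw (None expected);
    isa_external_gw (address); router_route ((destination network, next hop)).
    Returns a list of problems; an empty list means the plan is consistent.
    """
    problems = []
    isa_int = ipaddress.ip_interface(plan["isa_internal"])
    isa_ext = ipaddress.ip_interface(plan["isa_external"])
    rtr_int = ipaddress.ip_interface(plan["router_internal"])
    ext_gw = ipaddress.ip_address(plan["isa_external_gw"])

    # Rule 1: the ISA cannot sit inside a single subnet; both sides must differ.
    if isa_int.network.overlaps(isa_ext.network):
        problems.append("internal and external subnets overlap: %s and %s"
                        % (isa_int.network, isa_ext.network))
    # Rule 2: one default gateway only, on the external NIC, and it must be the
    # router's internal address on the external subnet.
    if plan["isa_internal_gw"] is not None:
        problems.append("ISA internal NIC must not have a default gateway")
    if ext_gw not in isa_ext.network or ext_gw != rtr_int.ip:
        problems.append("ISA external gateway %s is not the router's internal IP on %s"
                        % (ext_gw, isa_ext.network))
    # Rule 3: the router's internal NIC carries no default gateway of its own.
    if plan["router_internal_gw"] is not None:
        problems.append("router internal NIC must not have a default gateway")
    # Rule 4: the router needs a static route sending the LAN to the ISA external IP.
    dest, next_hop = plan["router_route"]
    if (ipaddress.ip_network(dest) != isa_int.network
            or ipaddress.ip_address(next_hop) != isa_ext.ip):
        problems.append("router static route must send %s to %s"
                        % (isa_int.network, isa_ext.ip))
    return problems

# The layout Keith describes (ISA internal 192.168.0.9 as in Mike's post).
KEITH_PLAN = {
    "isa_internal": "192.168.0.9/24", "isa_internal_gw": None,
    "isa_external": "192.168.100.2/24", "isa_external_gw": "192.168.100.1",
    "router_internal": "192.168.100.1/24", "router_internal_gw": None,
    "router_route": ("192.168.0.0/24", "192.168.100.2"),
}
# Mike's original idea: one 192.168.0.0/24 subnet on both sides (constructed values).
SAME_SUBNET_PLAN = dict(KEITH_PLAN, isa_external="192.168.0.50/24",
                        isa_external_gw="192.168.0.1",
                        router_internal="192.168.0.1/24",
                        router_route=("192.168.0.0/24", "192.168.0.50"))
```

Running `check_isa_plan` on the two plans returns no problems for Keith's layout and a single "subnets overlap" problem for the single-subnet one.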
mikey250 (Author) commented:
Hi
Qns1. I've attached my 'screenshot' below and read through your comments, but 'enabled' it just to show you the IP address of my ISP; when I disable it these details will disappear, as they will be added to my built-in Master DC, i.e. some of it as below?

- DG IP: 92.237.52.1/22
- WAN IP: 92.237.54.14 - I'm assuming this is the internal IP which is already set as per the screenshot attached..!
- DHCP built-in to the Netgear box I have disabled - as currently using my master Win 2003 DC server
- DHCP - I've also already added manually in the DNS:
194.168.4.100
194.168.8.100
- Static route - I've disabled my built-in Netgear/DHCP 192.168.0.x/24 address, as I'm using my Win 2003 DC/SP2/DNS/DHCP server with the same range. So not sure where I add a static route, that is if I still do in this case...!????
- ISA server - has static address: 192.168.0.9/24
- Master DC - has static address 192.168.0.10/24
- Binding order - OK
- Internal IP - same range as Master DC, i.e. 192.168.0.50/24 for e.g. - OK

netgear-gui.docx
0
mikey250 (Author) commented:
I've read through your 'urls'.

I've done the following:

Master DC: 1 NIC
192.168.0.10
255.255.255.0
no dg

ISA 2006 firewall - 2 NICs
Internal NIC 1 - 192.168.0.9
255.255.255.0
no dg

External NIC 2 - 92.237.56.62 - my ISP changed it for the first time last night
255.255.252.0
dg: 92.237.52.1

My Netgear box, directly connected to the Internet, has DHCP 'DISABLED' as addresses are allocated via the 'Master DC' above.

All internal addresses are pingable.!!!
My ISP address: 92.237.52.1 or 92.237.54.62 - not pingable, so I assume it's because ISA 2006 is not configured yet OR needs a static route..!! Not sure yet.

Any help would be appreciated!!!!!!!!!!!!!
0
mikey250 (Author) commented:
Forgot to mention that on my ISA 2006 I've also set the 'binding order' to 'Internal first & External 2nd'..!!

Only 1 default gateway added, on External NIC 2 of the ISA server.!
0
mikey250 (Author) commented:
Forgot to mention all servers have the internal DNS server IP added on:

Master DC
ISA 2006 server
0
mikey250 (Author) commented:
Step 1 - I have copied the 'ISA.exe' file to my potential ISA server.
Step 2 - I then added this potential ISA server to the domain as a member server.
Step 3 - I then logged onto the domain and tried to locate my ISA.exe file, but it was not there.
Qns1. Step 4 - I then logged off the domain and onto the local server and have started to install ISA 2006 here... Is this correct?
0
mikey250 (Author) commented:
Qns1. Can anyone assist with my issue below?

I've attempted to install my 'ISA 2006.exe' and the server has prompted an IP address conflict...
I've double-checked all IP addresses allocated on both servers and all OK.

It must be something to do with my ISA IP addresses added..!!

ISA 2006 server:
Internal NIC 1: 192.168.0.9
255.255.255.0
DNS: 192.168.0.10 - pointing to my master DC

External NIC 2: 92.237.54.62
255.255.252.0
DNS primary: 194.168.4.100
DNS secondary: 194.168.8.100

Binding set to NIC 1 then NIC 2
0
mikey250 (Author) commented:
Hi, IT APPEARS I HAVE CONFIGURED ISA 2006 CORRECTLY:

Qns1. I followed these instructions at this 'url' - http://www.youtube.com/watch?v=BRCeqaGW_eA - to install and configure ISA 2006, and it appears that my Win 7 laptop will now 'NOT' give me internet access, so I'm assuming I have configured ISA 2006 correctly.

As I do not know how to allow a single user or 'group', I've had to unplug the ISA cables and reset my Netgear router back to default settings just so I can get back on the internet to ask this question..?

0
mikey250 (Author) commented:
Hi,

Qns1. Just out of curiosity, you mentioned in 37279476 that if ISA was not on the domain then too many ports would be exposed. Could the 'SCW' be used to secure this?
0
mikey250 (Author) commented:
Qns1. Just out of curiosity, as per your comments below, I assume these ISP IP addresses are set within the firmware, as I've looked through the 'netgear gui' and cannot see these entries?

"The external on the Netgear has a default gateway of 92.237.52.1 so the external IP address on the Netgear must be something like .2 or .3 or whatever - that is fine.  The internal IP address on the Netgear is configurable - it has to be else it would be useless as it would only work in one situation which would be nonsensical."
0
mikey250 (Author) commented:
Correction to my last statement - yes, my Netgear internal address 'CAN' be changed, which uses 'dhcp', but I've disabled it anyhow. But the Netgear external I assume is located within the 'firmware' or something, as it's not in the 'GUI' as far as I can see!!
0
mikey250 (Author) commented:
My host PCs have access to the internet via ISA 2006. Now I can look to be more specific later on. Sound advice!!
0
Keith Alabaster (Enterprise Architect) commented:
Glad to hear it. Nice one :)
0