Welcome to ISAserver.org
2nd ISA setup
2nd ISA setup - 23.Jan.2008 11:12:49 AM
kateh
Posts: 16
Joined: 21.Nov.2007
Status: offline
Dear All,

Please can you help? I would like to set up a back-to-back configuration as follows:

External - ISA1 - DMZ (containing Web Server) - DMZ (containing App Server) - ISA2 - Internal inc DB Server

I currently have ISA1 - DMZ (webserver) in place but need to add in ISA2 and App Server. How do I connect the two? Are there any issues I should be aware of? Any help would be appreciated.

Many thanks
Kate
RE: 2nd ISA setup - 25.Jan.2008 2:43:47 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
If the inner ISA (2) is not in place yet then you don't have a DMZ and it is impossible for the Web Server and the App Server to already be in place. So I really don't know what you mean by that.

To create a Back-to-Back DMZ the two Firewalls (ISA) need to be the first thing put in place. You have to create a new private subnet that will be in between the two firewalls. You need a hub or switch between them on this new subnet and you would connect the Web Server and the App Server to it. Once done the Web Server and the App Server will be "cut off" from the LAN and will no longer be able to communicate with the LAN without the LAN initiating the communication and having Access Rules on the inner ISA (2) to allow it.

From the LAN's perspective,...and ISA2's perspective the DMZ is the Internet. But from the outer ISA (1) the DMZ is the LAN and the outer ISA will have no concept that the real LAN even exists. What happens after that with Access Rules or Publishing Rules is up to you and your skills at being able to properly deal with the characteristics of a Back-to-Back DMZ.
_____________________________
Phillip Windell www.wandtv.com
RE: 2nd ISA setup - 31.Jan.2008 7:21:59 AM
kateh
Posts: 16
Joined: 21.Nov.2007
Status: offline
Hi Philip,

Thank you for coming back to me. As you can see, I'm extremely new to ISA. I've had experience in setting up publishing and access rules etc. on our existing server but adding an additional server is completely new. Apologies.

We have 2 firewalls at present. One existing with a 3-legged template, the other is completely new and hasn't even been touched yet (too scared :o))... The existing server has 3 NICs (internal, external, DMZ). We have internet traffic coming in, our web server on what we term the DMZ NIC and our internal network.

What we want to do is add in an application server along with the 2nd ISA. Looking around, it appears that the recommendation is a back-to-back configuration. I'm happy with this but struggle with the connection between the two. I understand that I connect the web and apps server to a hub or switch and that this hub is connected to both of the ISAs' DMZ NICs. Is this correct? The front end ISA is connected externally and to the DMZ and the back end ISA is connected internally and to the DMZ. Is this correct?

I'm suffering with information overload at present and really need something very simple that I can get my head around. Apologies!!

Regards
Kate
RE: 2nd ISA setup - 31.Jan.2008 10:54:21 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
"What we want to do is add in an application server along with the 2nd ISA. Looking around, it appears that the recommendation is a back-to-back configuration."

Ok

"I understand that I connect the web and apps server to a hub or switch and that this hub is connected to both of the ISA's dmz nic. Is this correct?"

Yes

"The front end isa is connected externally and to the dmz and the back end isa is connected internally and to the dmz. Is this correct?"

Yes

Just remember: To the inner ISA the DMZ is the Internet (even though it really isn't). To the outer ISA the DMZ is the internal LAN (even though it really isn't).
_____________________________
Phillip Windell www.wandtv.com
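The topology confirmed in the reply above (Internet - ISA1 - DMZ switch with web and app servers - ISA2 - LAN), modelled as an added example. This is not code from the thread or from ISA Server; it is a small Python simulation of two default-deny firewalls that each know only the network on their own internal NIC, so that ISA2 treats the DMZ as "External" and ISA1 never learns the real LAN exists. The addresses, host roles and the two sample rules (a web publishing rule on ISA1, a LAN-to-DMZ access rule on ISA2) are constructed assumptions chosen to show why a DMZ host cannot initiate a connection into the LAN until someone adds a rule on the inner ISA.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed sample addressing (RFC 5737 test ranges plus a private LAN range).
INTERNET_CLIENT = "198.51.100.7"
DMZ_NET = ip_network("192.0.2.0/24")     # the new subnet between the two ISAs
LAN_NET = ip_network("10.10.0.0/16")
WEB_SERVER, APP_SERVER, DB_SERVER = "192.0.2.10", "192.0.2.20", "10.10.5.5"


@dataclass
class Rule:
    src: str                   # network name as this firewall sees it
    dst: str
    dst_port: Optional[int]    # None = any port
    action: str                # "allow" or "deny"


@dataclass
class Firewall:
    name: str
    internal: object           # the only network this ISA knows by address
    rules: List[Rule]

    def classify(self, ip: str) -> str:
        # Anything not on the internal NIC is "External": ISA2 sees the DMZ as the
        # Internet, ISA1 sees the DMZ as its LAN and has no concept of the real LAN.
        return "Internal" if ip_address(ip) in self.internal else "External"

    def permits(self, src_ip: str, dst_ip: str, dst_port: int) -> bool:
        src, dst = self.classify(src_ip), self.classify(dst_ip)
        for r in self.rules:   # first match wins, like an ordered firewall policy
            if r.src == src and r.dst == dst and r.dst_port in (None, dst_port):
                return r.action == "allow"
        return False           # default deny when nothing matches


ISA1 = Firewall("ISA1 (outer)", DMZ_NET, [
    Rule("External", "Internal", 80, "allow"),   # assumed web publishing rule
])
ISA2 = Firewall("ISA2 (inner)", LAN_NET, [
    Rule("Internal", "External", 80, "allow"),   # assumed LAN -> DMZ access rule
    # Deliberately no External -> Internal rule: DMZ hosts cannot initiate into the LAN.
])


def zone(ip: str) -> str:
    """Real-world zone of an address, which no single ISA fully knows."""
    addr = ip_address(ip)
    if addr in DMZ_NET:
        return "DMZ"
    if addr in LAN_NET:
        return "LAN"
    return "Internet"


ORDER = ["Internet", "DMZ", "LAN"]             # physical chain of the topology
BOUNDARY = {("Internet", "DMZ"): ISA1, ("DMZ", "LAN"): ISA2}


def firewalls_crossed(src_ip: str, dst_ip: str) -> List[Firewall]:
    """Firewalls an initiating packet passes, in the order it meets them."""
    i, j = ORDER.index(zone(src_ip)), ORDER.index(zone(dst_ip))
    lo, hi = sorted((i, j))
    hops = [BOUNDARY[(ORDER[k], ORDER[k + 1])] for k in range(lo, hi)]
    return hops if i <= j else list(reversed(hops))


def connection_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True only if every firewall on the path permits the initiating packet.
    Reply packets of an allowed connection are assumed to ride the state table."""
    return all(fw.permits(src_ip, dst_ip, dst_port)
               for fw in firewalls_crossed(src_ip, dst_ip))


if __name__ == "__main__":
    samples = [
        ("Internet -> web server :80", INTERNET_CLIENT, WEB_SERVER, 80),
        ("LAN admin -> web server :80", "10.10.1.5", WEB_SERVER, 80),
        ("App server -> DB server :1433", APP_SERVER, DB_SERVER, 1433),
        ("Internet -> DB server :1433", INTERNET_CLIENT, DB_SERVER, 1433),
    ]
    for label, s, d, p in samples:
        path = " -> ".join(fw.name for fw in firewalls_crossed(s, d)) or "(none)"
        print(f"{label:32} via {path:28} allowed={connection_allowed(s, d, p)}")
```

The third sample flow is the one that matters for Kate's design: the app server sits on the DMZ subnet and, because ISA2 classifies it as "External", its attempt to reach the DB server in the LAN is dropped by the inner ISA's default deny. Letting the app tier talk to the DB would require an explicit rule on ISA2, and that single rule is the thing to review and log most carefully, since it is the only door from the DMZ into the LAN.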
RE: 2nd ISA setup - 31.Jan.2008 11:44:11 AM
kateh
Posts: 16
Joined: 21.Nov.2007
Status: offline
Hi Philip,

Thank you for all your help. The back-to-back DMZ configuration appears a little bit of a waste of 2 firewalls when ideally we would like a 3-tier setup between our web server, app server and internal network using the 2 firewalls. Is there any way we can minimise disruption to what we have at present?

Thanks
Kate
RE: 2nd ISA setup - 31.Jan.2008 6:12:47 PM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
"The back to back dmz configuration appears a little bit of a waste of 2 firewalls when ideally we ......."

It's just me,... but I think DMZs are a waste of time to begin with,...I don't use one,...don't care to use one,...and probably will never use one.

"Is there any way we minimise disruption to what we have at present?"

Leave things the way they are and don't waste money on a second Firewall. Personally, I would not even have the "third-nic DMZ",...but again,...that's just me.
_____________________________
Phillip Windell www.wandtv.com
RE: 2nd ISA setup - 1.Feb.2008 5:03:51 AM
kateh
Posts: 16
Joined: 21.Nov.2007
Status: offline
Hi Philip,

Thank you for coming back to me. We have the 2 servers and would like to have a three-tier environment, ideally using 2 three-legged ISA environments. Is this possible? How would you do it?

Kind regards
Kate
RE: 2nd ISA setup - 1.Feb.2008 10:30:12 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
"We have the 2 servers and would like to have a three tier environment,"

"Three tier environment" is just a buzz-word to me. I don't even know what that means specifically.

"ideally using 2 three legged isa environments. Is this possible?"

Yes, it is possible to create a Back-to-Back DMZ and then hang an additional "third-leg" DMZ off of each ISA. To me it is pointless, and overcomplicating things needlessly for no good reason.

"How would you do it?"

Like I said. I would never do it. I could easily go my entire career and never create a DMZ. I don't "believe" in DMZs and I believe I can have an equally secure setup without ever creating one,...and it will be more dependable and a whole lot easier to maintain.
_____________________________
Phillip Windell www.wandtv.com
RE: 2nd ISA setup - 1.Feb.2008 10:33:17 AM
pwindell
Posts: 802
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
There is a Forum on this site devoted to DMZs with your version of ISA. You might want to ask the guys in that Forum. They would be folks who actually like DMZs and have more direct experience with using them.
_____________________________
Phillip Windell www.wandtv.com