Discussion about article on part 5 of the network services firewall article
Discussion about article on part 5 of the network servi... - 17.Nov.2005 3:50:12 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing part 5 of the article series on using the ISA firewall as a network services firewall to protect network services segments at http://isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part5.html

Thanks!
Tom

< Message edited by tshinder -- 17.Nov.2005 3:53:51 PM >


_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on part 5 of the network s... - 12.Dec.2005 3:59:03 AM   
podexperfectussum

 

Posts: 7
Joined: 12.Dec.2005
Status: offline
The article was a great help for setting up autoconfigure. I'd done it once before but unfortunately, my memory isn't so good.

The one thing that I am curious about is if I can use autoconfigure to specify a different proxy other than the ISA cache.

I have an ad filtering proxy installed on a second server that I've manually configured my clients to connect to. It listens on port 8118 and forwards to 8080 on the ISA server where ISA's caching proxy listens. ISA then retrieves the content from the Internet. What I'd like to do is leverage autoconfigure to configure clients to connect to the ad filtering proxy rather than specifying the proxy server manually on each.

Basically, I'd rather just let DHCP, DNS, and ISA configure my clients' web browsers rather than walk up to each machine and do it manually, but I can't find any evidence that anyone's ever done this, which means either there's a better way or it's not possible, and I can't find anything that tells me either way.

It'd be nice to eventually move the ad filter to the same machine as ISA, but I want to get this going first (because then it makes it very easy to reconfigure at any point in the future).

(in reply to tshinder)
Post #: 2
RE: Discussion about article on part 5 of the network s... - 12.Dec.2005 6:14:18 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Pod,

You can enter the alternate URL in the Web browser configuration if you like. The ISA firewall will then deliver that entry when the Firewall client config refreshes.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to podexperfectussum)
Post #: 3
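The setup Pod describes (browsers sent to an ad-filtering proxy on port 8118, which chains to the ISA Web proxy on 8080) is exactly what a WPAD autoconfiguration script expresses. The following is an added example, not code from the article or the ISA product: a PAC script that sends internal names and the internal address range direct, and everything else to the ad filter with the ISA listener as fallback. The hostnames `adfilter.example.internal` and `isa.example.internal` and the 192.168.0.0/16 internal range are assumptions; the three helpers at the top are minimal stand-ins for functions a browser's PAC engine provides itself, included only so the file runs stand-alone under Node.

```javascript
// Added example: WPAD/PAC script pointing browsers at a separate ad-filtering
// proxy (8118) that chains to the ISA Web proxy (8080), with ISA as fallback.
// Assumed names/ranges (not from the original post):
//   adfilter.example.internal:8118  hypothetical ad-filtering proxy
//   isa.example.internal:8080       hypothetical ISA Web proxy listener
//   192.168.0.0/16                  assumed internal address range

// Shims for helpers a browser's PAC engine normally provides (isPlainHostName,
// dnsDomainIs, isInNet). They exist here only so the script runs under Node.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  return host.length >= domain.length &&
    host.substring(host.length - domain.length) === domain;
}

// Shim: compares dotted-quad literals only; the browser version also resolves
// hostnames, which is deliberately not done here (no network access needed).
function isInNet(ipStr, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipStr)) return false;
  const toInt = (s) =>
    s.split(".").reduce((acc, o) => ((acc << 8) + (parseInt(o, 10) & 255)), 0) >>> 0;
  return (toInt(ipStr) & toInt(mask)) === (toInt(pattern) & toInt(mask));
}

// The function every PAC engine calls for each request.
function FindProxyForURL(url, host) {
  // Local names and the internal range go direct: nothing for the ad filter
  // to do and no reason to route intranet traffic through a proxy.
  if (isPlainHostName(host) ||
      dnsDomainIs(host, ".example.internal") ||
      isInNet(host, "192.168.0.0", "255.255.0.0")) {
    return "DIRECT";
  }
  // Everything else: ad-filtering proxy first; if it is unreachable the
  // browser falls back to the ISA Web proxy listener.
  return "PROXY adfilter.example.internal:8118; PROXY isa.example.internal:8080";
}

// Stand-alone demonstration of the three decisions the script makes.
console.log(FindProxyForURL("http://intranet/", "intranet"));
console.log(FindProxyForURL("http://192.168.5.20/", "192.168.5.20"));
console.log(FindProxyForURL("http://www.example.com/", "www.example.com"));
```

Whatever URL the autoconfiguration points at, the script is effectively a routing policy for every browser on the segment: anyone who can modify it can redirect all client web traffic, so it belongs on a host where only administrators can write it, and the WPAD name in DNS should resolve to that host alone.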
RE: Discussion about article on part 5 of the network s... - 5.May2006 11:40:16 PM   
kjman

 

Posts: 63
Joined: 2.Jun.2005
From: So cal
Status: offline
Hi Tom
On page 4 of the article you mentioned that a static route needs to be configured on the Edge firewall for the network services segment. I'm confused with this part, only because the network services firewall's external IP address is in the same range as the Edge ISA firewall's IP address that's assigned to the internal NIC, so if this is true then couldn't the Edge ISA firewall just do an ARP to hit the services ISA firewall?

Thanks

(in reply to tshinder)
Post #: 4
RE: Discussion about article on part 5 of the network s... - 6.May2006 10:10:32 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi KJ,

You need the routing table entry to provide the ISA firewall the gateway address from the network services segment's network ID.

ARP doesn't provide routing information, just IP address.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kjman)
Post #: 5
RE: Discussion about article on part 5 of the network s... - 18.Jul.2006 7:05:37 PM   
thecoffeeguy

 

Posts: 165
Joined: 28.Aug.2005
Status: offline
Question on the last portion, on rolling out the FWC through GP.

I'm a little confused.

I understand I can create a new OU, which I did and named as you suggested.

I am really confused on steps 4 and 5. What exactly am I moving into the new OU? Am I actually moving the computers that are currently located in the default 'Computers OU' within AD?

This is my stumbling block.

Appreciate the help.

(in reply to tshinder)
Post #: 6
RE: Discussion about article on part 5 of the network s... - 18.Jul.2006 8:48:59 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi CG,

Yes.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to thecoffeeguy)
Post #: 7
RE: Discussion about article on part 5 of the network s... - 26.Jul.2006 11:38:38 PM   
st3v3

 

Posts: 1
Joined: 26.Jul.2006
Status: offline
Hi Tom

I'm a newcomer to the ISA Server world. I have read and implemented your article series on using the ISA firewall as a network services firewall to protect network services segments. It was a great article and I've done all of the implementation except Part 3 of your article (because at this moment I don't have a plan to create any OWA, SMTP, or POP3 server, so that's why I skipped it). I also skipped part of Part 4 (only the section "Creating Publishing Rules on the edge ISA Firewall to allow Inbound Connections to the Exchange Server Mail services"). In Part 5, I implemented only the sections "Create Configure DNS Entries in the Domain DNS, including WPAD Entries" and "Configure the Firewall Client settings on the edge ISA Firewall".

After the implementation, I have one problem anyway, and it is about the Internet inbound connectivity. Even the edge firewall could not get connected to the Internet. Before moving to this back-to-back firewall design, I was using the edge firewall design and the Internet connectivity worked fine.

Here is my network diagram:

           (Internet)
               ||
               ||
       (Front-End ISA) ----> External NIC:63.199.199.20, GW:63.199.199.10
               ||                Internal NIC:172.16.5.20,DNS:192.168.3.3,192.168.3.4
               ||
         (L2-Switch)
               ||
               ||
        (Back-End ISA) ----> External NIC:172.16.5.30, GW:172.16.5.20
               ||               Internal NIC:192.168.5.20,DNS:192.168.3.3,192.168.3.4
               ||VLAN 4
               ||
         (L3-Switch) ----> All VLANs are routable
               ||            IP Route 0.0.0.0 0.0.0.0 192.168.5.20
               /\            IP Route 172.16.5.0 255.255.255.0 192.168.5.20
             /    \        
           /        \
       (VLAN 2)  (VLAN 3)
           /      \
          /        \
         /          \
(192.168.3.3)    (192.168.3.4)   
Primary DC        Secondary DC
DNS,DHCP Server   DNS Server

Info:
-The Front-End and the Back-End are members of the domain behind the back-end ISA
-Front-End ISA is configured with a persistent route to reach the network 192.168.x.x behind the back-end ISA.
-Back-End ISA is configured with a persistent route to reach the other networks in the different VLANs.
-An access rule is defined in the front-end ISA to allow the perimeter to access the Internet.

All the servers can ping each other, even from the Front-End ISA to the Primary DC in VLAN 2 and vice versa.
But when I try to connect the front-end ISA to the Internet, the front-end ISA could not reach any Internet connection or open any web pages. But when I tried to connect the Internet directly to the back-end ISA (and of course modified some settings on the external interface, etc.), the Internet works and all the clients in VLAN 2 and 3 could browse the Internet.
So actually, what is wrong with my back-to-back configuration? If anyone could help me with this, I'd really appreciate it. Thank you.

Steve

(in reply to tshinder)
Post #: 8
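Tom's answer to KJ (post #5) and Steve's diagram (post #8) both turn on the same point: a routing table entry tells the edge firewall which gateway to hand a packet to for a network ID that is not on-link, while ARP only resolves addresses on a directly connected subnet. The following is an added example, not code from the article or from either poster: a longest-prefix-match lookup over a routing table modelled on the front-end ISA in Steve's diagram, plus a check that every gateway in the table is itself on a connected network. The addresses are the diagram's; the /24 masks on the edge firewall's interfaces and the /16 prefix for the "192.168.x.x" persistent route are assumptions, and the interface names are placeholders.

```javascript
// Added example: routing lookup for the front-end (edge) ISA in the diagram.
// Addresses from the diagram; masks (/24 interfaces, /16 persistent route) and
// the interface names "External"/"Internal" are assumptions.

function ipToInt(ip) {
  const parts = ip.split(".");
  if (parts.length !== 4) throw new Error("bad IPv4 address: " + ip);
  return parts.reduce((acc, o) => {
    const n = Number(o);
    if (!Number.isInteger(n) || n < 0 || n > 255) throw new Error("bad octet in " + ip);
    return ((acc << 8) | n) >>> 0;
  }, 0);
}

function maskFromPrefix(prefix) {
  return prefix === 0 ? 0 : (0xffffffff << (32 - prefix)) >>> 0;
}

// True when ipInt falls inside route r's network/prefix.
function inNet(ipInt, r) {
  const mask = maskFromPrefix(r.prefix);
  return ((ipInt & mask) >>> 0) === ((ipToInt(r.network) & mask) >>> 0);
}

// Longest-prefix match: the most specific route wins, default route last.
function lookup(table, dest) {
  const d = ipToInt(dest);
  let best = null;
  for (const r of table) {
    if (inNet(d, r) && (best === null || r.prefix > best.prefix)) best = r;
  }
  return best;
}

// Where the firewall sends a packet for dest:
//   "on-link via <iface>"      ARP resolves the destination itself
//   "via <gateway> on <iface>" ARP resolves the gateway, not the destination
function nextHop(table, dest) {
  const r = lookup(table, dest);
  if (r === null) return "unreachable";
  return r.gateway === "on-link"
    ? `on-link via ${r.iface}`
    : `via ${r.gateway} on ${r.iface}`;
}

// Consistency check: every gateway must sit on a directly connected network,
// otherwise the firewall has no way to ARP for it and the route is useless.
function gatewaysReachable(table) {
  const connected = table.filter((r) => r.gateway === "on-link");
  return table
    .filter((r) => r.gateway !== "on-link")
    .every((r) => connected.some((c) => inNet(ipToInt(r.gateway), c)));
}

// Front-end ISA from the diagram: two connected networks and a default route
// to the upstream gateway.
const connectedRoutes = [
  { network: "63.199.199.0", prefix: 24, gateway: "on-link",       iface: "External" },
  { network: "172.16.5.0",   prefix: 24, gateway: "on-link",       iface: "Internal" },
  { network: "0.0.0.0",      prefix: 0,  gateway: "63.199.199.10", iface: "External" },
];
// The persistent route Steve describes: 192.168.x.x via the back-end ISA's
// external address (prefix length assumed).
const persistentRoute = { network: "192.168.0.0", prefix: 16, gateway: "172.16.5.30", iface: "Internal" };

const withoutRoute = connectedRoutes;
const withRoute = connectedRoutes.concat([persistentRoute]);

// Without the route the DC at 192.168.3.3 matches only the default route and
// is sent toward the Internet; with it, the packet goes to 172.16.5.30, which
// is on-link, so ARP can resolve that gateway (this is KJ's question).
console.log("DC without route:  ", nextHop(withoutRoute, "192.168.3.3"));
console.log("DC with route:     ", nextHop(withRoute, "192.168.3.3"));
console.log("back-end ISA:      ", nextHop(withRoute, "172.16.5.30"));
console.log("gateways reachable:", gatewaysReachable(withRoute));
```

The same lookup applied to the back-end ISA (connected networks 172.16.5.0/24 and 192.168.5.0/24, default via 172.16.5.20, plus its persistent routes for the other VLANs) is a quick way to confirm that each firewall in a back-to-back design has a matching route for every network ID on the far side before looking for the fault in access rules.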
