Welcome to ISAserver.org
Discussion about article on teaching the boss about the ISA Firewall
Discussion about article on teaching the boss about the... - 27.Jan.2008 12:42:10 PM
tshinder
Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article series on how to teach the boss about the ISA Firewall. Thanks! Tom
_____________________________
Thomas W Shinder, M.D. Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8 MVP -- ISA Firewalls
RE: Discussion about article on teaching the boss about... - 8.Feb.2008 5:42:07 AM
harme020
Posts: 38
Joined: 5.Jul.2004
From: Netherlands
Status: offline
This article is right on time for me ;-) I've worked with ISA in the past. Now I've changed jobs and am in the process of getting ISA server in here. I want to make it a back end firewall with a third party (Juniper) in front. The ISA will be used for VPN clients termination and to build a few site 2 site connections. Is this combination possible? I somehow always thought that this isn't possible. Peter
RE: Discussion about article on teaching the boss about... - 9.Feb.2008 1:14:05 PM
tshinder
Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Peter, Sure, it's possible. I do it all the time. I often have NAT devices in front of the ISA Firewall and terminate VPN connections behind the NAT devices at the ISA Firewall. HTH, Tom
RE: Discussion about article on teaching the boss about... - 8.Mar.2008 7:56:33 AM
Eptalofos75
Posts: 14
Joined: 3.Nov.2006
Status: offline
Hi Thomas, Your article is really great! I use the ISA 2004 as a back-end firewall behind the Netscreen. The Netscreen has 3 interfaces: Trust (192.x.x.x), Untrust (Internet) and DMZ (172.x.x.x). The ISA has 2 NICs, one connected to the internal LAN and one external connected to DMZ. I have a policy on the Netscreen that allows everything from Untrust to DMZ; I have only the ISA in my DMZ. The clients can use the ISA or the Netscreen for Internet access. I have to say here that I have used the network template of Edge firewall on the ISA.

It works fine but I have 1 question: I have published a Mailserver to provide OWA access over the internet. I have created a VIP on the Untrust interface of the Netscreen to port SSL requests to the 172.x.x.x IP address of the ISA NIC connected to DMZ. This doesn't work; the external clients receive a DNS error.

To give more details: When the clients type www.companyname.com/webmail then they get redirected to https://publicipaddress/owa. The Netscreen knows, because of the VIP, that it has to port it to 172.x.x.x, which is the address of the NIC ISA uses for internet access. ISA should know, because I have published the Mail server, that SSL requests with /owa will be redirected to the Exchangeserver/owa folder? Do you think that ISA denies the request because it comes from publicaddress/owa instead of www.companyname.com? Thank you very much!
RE: Discussion about article on teaching the boss about... - 9.Mar.2008 1:39:51 PM
tshinder
Posts: 46637
Joined: 10.Jan.2001
From: Texas
Status: offline
If the request is going to an IP address instead of a FQDN, that could cause a connection problem. Is the Web Publishing Rule forwarding to a FQDN? Thanks! Tom
RE: Discussion about article on teaching the boss about... - 10.Mar.2008 4:13:57 AM
Eptalofos75
Posts: 14
Joined: 3.Nov.2006
Status: offline
Yes, the Web Publishing forwards to webmail.companyname.com, this is the public FQDN. I have modified the hosts file so that the ISA can resolve the public FQDN using the internal IP address of the Exchange server. Do you mean that ISA blocks the request because it comes as IP address, 194.x.x.x, instead of the FQDN? Does ISA accept only requests for the server it published? The ISA must secure the network of course! Could this be what causes the problem?

To give more info, the Netscreen firewall maps all incoming SSL traffic to the IP address of the ISA NIC used to access the internet. I don't have to create an extra rule on the ISA to allow SSL traffic from the internal host to Local (ISA itself) host, do I? The ISA sees this SSL traffic as coming from the external network, right? Thanks for your help!