Welcome to ISAserver.org


ISA 2004 - New

ISA 2004 - New - 13.Jun.2005 3:03:00 PM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
Can ISA 2004 be installed on a member server, or does it have to be Active Directory?
Post #: 1
RE: ISA 2004 - New - 13.Jun.2005 3:08:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi WildPacket,

ISA should be installed on a member server only, *not* on a DC, unless you are using SBS 2003 SP1.

HTH,
Stefaan

(in reply to WildPacket)
Post #: 2
RE: ISA 2004 - New - 13.Jun.2005 6:18:00 PM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
Spouseele:

I was thinking to have it on the member server on which my Exchange Server is running.

It has 2 NICs in it, one for Intranet and the other for Internet.

Is it fine to have it on the same as Exchange Server?

(in reply to WildPacket)
Post #: 3
RE: ISA 2004 - New - 14.Jun.2005 9:04:00 AM   
leonhughes

 

Posts: 149
Joined: 19.Mar.2001
From: UK
Status: offline
No! [Smile] ISA server should run on a server all by itself! You wouldn't run Exchange on a Checkpoint server would you?

Leon.

(in reply to WildPacket)
Post #: 4
RE: ISA 2004 - New - 14.Jun.2005 10:03:00 AM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
My manager is pushing me to install it on the Exchange Server and I am strictly against this.

Cannot convince him. We do have a separate server where we could install ISA but he says he does not want to waste a machine.

[Mad]

[ June 14, 2005, 11:46 AM: Message edited by: WildPacket ]

(in reply to WildPacket)
Post #: 5
RE: ISA 2004 - New - 14.Jun.2005 2:40:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi WildPacket,

ISA 2004 is just like any other firewall in that respect. So as Leon said, ask him if he could/would install Exchange on a Checkpoint, Netscreen, PIX, etc...

HTH,
Stefaan

(in reply to WildPacket)
Post #: 6
RE: ISA 2004 - New - 15.Jun.2005 12:50:00 AM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
Ok .. let's say I get him to have the ISA installed on a separate box.

Here is a picture of the setup I plan...

Server A - Windows 2003 Server AD on the Intranet
Server B - Member Server (Exchange 2003) with 2 NICS, one for Intranet other for Internet.

Now where does ISA go in here?

I want all traffic coming in and going out including Mail/OWA/SSL/Outlook/WWW etc through the ISA.

Please advise.

[ June 15, 2005, 12:55 AM: Message edited by: WildPacket ]

(in reply to WildPacket)
Post #: 7
RE: ISA 2004 - New - 15.Jun.2005 3:23:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi WildPacket,

ISA *must* be on its own box! If not, it is a non-supported config by Microsoft, unless you live in the SBS world. So, you have two options:

1. Set up a third box for ISA only and remove that second adapter from the Exchange box. [Razz]

2. Move the Exchange onto the Windows 2003 Server AD on the Intranet and do a clean install (OS + ISA) of the ISA server on this one.

HTH,
Stefaan

(in reply to WildPacket)
Post #: 8
RE: ISA 2004 - New - 15.Jun.2005 4:10:00 PM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
spouseele

Ok .. So ISA Server will be on its own box I agree.

I want to have Exchange Server on member server not on the Windows AD Server.

I remove the WAN card from Exchange Server agree.

Now do I have to have 2 NICs in the ISA server one for Intranet and other for Inet?

(in reply to WildPacket)
Post #: 9
RE: ISA 2004 - New - 15.Jun.2005 4:25:00 PM   
spouseele

 

Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi WildPacket,

Yes! ISA should have two NICs and be a member server of the internal domain. Check out http://www.isaserver.org/tutorials/2004rightstart.html for a good starting point.

HTH,
Stefaan

(in reply to WildPacket)
Post #: 10
RE: ISA 2004 - New - 15.Jun.2005 7:07:00 PM   
Sunny.C

 

Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
A good way to get an OK from your boss is, "Ok, I will do what you would like but I am not responsible for what may happen". That always works with me [Wink] hehe

(in reply to WildPacket)
Post #: 11
RE: ISA 2004 - New - 16.Jun.2005 1:19:00 AM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
Stefaan,

I put 2 NICs on my ISA and assigned a dedicated WAN IP.

I guess now I have to point my MX Record in the DNS to the ISA Server's WAN NIC - right?

Please advise.. getting confused.

[ June 16, 2005, 01:28 AM: Message edited by: WildPacket ]

(in reply to WildPacket)
Post #: 12
RE: ISA 2004 - New - 16.Jun.2005 4:46:00 AM   
tomdane

 

Posts: 12
Joined: 16.Jun.2005
From: Denmark
Status: offline
ISA should be alone for a few reasons:

Security: ISA should be the edge, and have as small a footprint as possible. The more roles and services, the more entry points for an intruder.
Performance: Exchange is hard enough on a server performance-wise, you do not need to add more roles.
Startup/shutdown: You need to be able to shut down your firewall without crippling the organisation. Being without internet access for a limited time can be justified, but try to take people's e-mail away from them for more than 2 minutes.

It sounds like your manager has very little appreciation for your work.

(in reply to WildPacket)
Post #: 13
RE: ISA 2004 - New - 16.Jun.2005 8:03:00 AM   
Sunny.C

 

Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Yes, you have to point your MX record to your external ISA NIC.

(in reply to WildPacket)
Post #: 14
RE: ISA 2004 - New - 16.Jun.2005 3:13:00 PM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
After telling him all, he has decided not to go with ISA because he thinks it's a waste of a computer.

[Mad]

[ June 16, 2005, 03:13 PM: Message edited by: WildPacket ]

(in reply to WildPacket)
Post #: 15
RE: ISA 2004 - New - 16.Jun.2005 7:21:00 PM   
Sunny.C

 

Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Sorry to hear that. What has he decided to go with?

(in reply to WildPacket)
Post #: 16
RE: ISA 2004 - New - 16.Jun.2005 8:00:00 PM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
Sunny.c:

D-LINK [Mad]

Within the next 3-5 years we might need site-to-site VPN connectivity to/from other branches and I keep telling him about this but he does not listen.

[ June 16, 2005, 10:56 PM: Message edited by: WildPacket ]

(in reply to WildPacket)
Post #: 17
RE: ISA 2004 - New - 17.Jun.2005 9:52:00 AM   
Sunny.C

 

Posts: 800
Joined: 5.Apr.2005
From: sydney
Status: offline
Which D-Link router? Just keep it up to date and do your best with what you have. Try and get a WatchGuard firewall if you can [Smile]

(in reply to WildPacket)
Post #: 18
RE: ISA 2004 - New - 21.Jun.2005 8:04:00 AM   
amireh

 

Posts: 19
Joined: 10.Sep.2004
From: Iran
Status: offline
Dear WildPacket,
I think you can easily present ISA to your manager. It is the most cost effective firewall in the world. Can I ask you the number of users that you have in your network? If your network is not an enterprise or medium size network you can use other solutions.

Regards
Amireh

(in reply to WildPacket)
Post #: 19
RE: ISA 2004 - New - 21.Jun.2005 10:27:00 PM   
WildPacket

 

Posts: 72
Joined: 24.Mar.2004
From: Canada
Status: offline
Amireh,

No. of users is 120.

****************************

Sunny.C - he is thinking D-Link DFL 1100.

[ June 23, 2005, 08:34 PM: Message edited by: WildPacket ]

(in reply to WildPacket)
Post #: 20
