Well, after typing for ten minutes I closed IE by mistake, so let me start over.
Thank you for responding first and foremost. I understand most of the concepts, though the detail is somewhat of a mystery. To answer the question about what to handle first, that is tricky and I think I need to backtrack first to address a couple things regarding our network config before I proceed to ISA.
The most important is our current DNS configuration, and while I figure this maybe isn't the place to address that, perhaps you still can assist. I suspect that our current DNS is not configured properly or is over-configured, if that makes sense. We have DNS running on the ISA 2000 server, and we have DNS installed on all 3 domain controllers, though it is only configured on 2 of them. All three forward to Qwest's DNS servers. All three appear to be configured to use root hint servers. And all three have what I guess are the requisite forward and reverse lookup zones. In addition, I do not see any DNS errors in the event logs. BUT what I do see happen is:
1) When I run simple tests on the monitoring tab all three DNS servers pass. When I run recursive tests, the two internal servers fail.
2) While root hint servers are listed on the root hints tab, I cannot get any of them to resolve on the two internal servers when I click the edit button and then click to resolve the name.
Internal resolution works however, and I am pointing to one of the internal DNS servers right now. Is what I described above an issue to be concerned about?
EDIT: I don't know that it matters, but our internal and external domain names are different. For example, internal might be Shmoe.com and external is JoeSchmoe.com.
To the ISA question, I don't really know where to start. I did manage to get 2004 media, since it is downloadable from the MVLS site, so I will likely upgrade to 2004 first - or should I not waste my time?
The next step is whether to pull the web server behind or put it in a DMZ. And that is really the question to answer before I worry about the configuration too much, no?
Based on my needs listed above, what makes more sense? Let me add that I am not 100% sure I need to fret about protecting the web server, I really want to plug the hole it is currently making in our network AND still be able to access it from my desk. By that I mean I need to be able to move files and folders over to it and not have to monkey around too much to do that. With it behind the ISA that is easy breezy, but with it out in the DMZ, how simple is that process? The worry is that as confusing as this all is to me, think of how confused my coworkers will be if they have to jump through hoops to move files out onto the web server for our clients to access from their respective private web folders.
The next consideration is - with the web server out in the DMZ it is completely out in the public space, correct? With it behind ISA it is in our private space, but we have to set up rules to allow traffic from the outside to access it. Which is safer for my network and secondarily for the web server? Or which makes more sense from a practical standpoint?
As long as I can: easily allow FTP access for uploading and downloading using authentication of some sort, allow our clients to access their private sites with authentication, and make sure Webtrends will properly record hits and where they are coming from, then I will be pretty happy.
Do I need to focus a bit, or is there enough there to start? Basically, to DMZ or pull behind ISA?
I have more questions than this one post can handle, like why the guy who originally set up our web server and the ISA server has about 5 IPs configured on each of the network cards, but we can address that later.
< Message edited by manning -- 12.Oct.2006 4:16:15 PM >
I only do this because I have to.
ISA 2006 standard on Server 2k3 R2