Welcome to ISAserver.org

Multiple ISA 2006 SP1 in single domain

Multiple ISA 2006 SP1 in single domain - 8.Aug.2008 4:56:55 AM   
Liby

 

Posts: 3
Joined: 3.Nov.2007
Status: offline
Hi All,
I am in a situation where I need to install 2 ISA 2006 SP1 Standard servers in a single domain.

I need the first ISA server to host the Exchange 2007 OWA, RPC, POP3, IMAP etc.  This server will also host an AD site-to-site VPN across geographical locations.
The site supernets are 192.168.0.0/20 and 192.168.16.0/20.

I need the second server to provide internet access to all our domain users.
Is this a supported solution? If so, how can I accomplish this configuration?

192.168.0.1-192.168.0.254 will be exclusively used for servers.
The gateway on above 254 IP in site will be server 1. 
The gateway for all others will be server 2. 


One of my major concerns is how this will affect the site-to-site VPN.

Is this a supported solution? If so, how can I accomplish this configuration?
Regards
liby
Post #: 1
RE: Multiple ISA 2006 SP1 in single domain - 8.Aug.2008 7:37:25 AM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I can't say it's an "officially supported" configuration, but it's quite similar to the configuration we use here.

We use ISA-EE in 2-server arrays. One array is our proxy firewall and handles all outbound user traffic - http/https/ftp only. It's got a fair size cache. Our network is highly segmented and widely distributed, so the ISA is not anyone's default gateway. It is accessed only as a proxy as we don't allow any other protocols outbound from the clients. Internet traffic from both HQ buildings and our nearly 300 branch locations is proxied through this array.

Our second array is used to publish applications such as OWA, and some back-end B2B applications. The same B2B servers use this ISA array for all outbound traffic via HTTP Proxy. Only servers are permitted to connect to this firewall array, and it's referred to as our "application gateway".

Aside from both arrays sharing the "Enterprise Internal" network definition and the two CSS servers, the two arrays are totally independent. I'd treat your two servers the same way, as even though they are both firewalls / proxies, they perform totally different and unique functions with regard to your network. Of course, you'll need a router on the internet connection with multiple IPs in your Internet subnet, and both ISA's external interfaces will need to be in that subnet, using the router as the default gateway. Your public DNS will point to your application ISA for inbound traffic, and there's no reason to identify the proxy ISA external address in DNS at all.

Mind you, a single ISA could handle this capability, but some organizations and compliance standards do require isolation between user and commerce networks. The primary reason we have an application gateway is to simplify our PCI compliance requirement.

Glenn

(in reply to Liby)
Post #: 2
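
In the design described in the post above, clients reach the outbound ISA only as a proxy, never as a default gateway; a proxy auto-config (PAC) script is one way to point browsers at it. The script below is an added example, not from any poster or from ISA itself: the proxy host name, port and DNS suffix are hypothetical, and the two site supernets are the ones quoted in the first post.

```javascript
// Added example: PAC file for a dedicated outbound proxy ISA.
// Hypothetical values: proxy host name, port 8080, internal DNS suffix.
// ES3-style on purpose: older PAC engines lack newer syntax.
var PROXY = "PROXY proxy-isa.corp.example:8080";
var INTERNAL_SUFFIX = ".corp.example";
// Site supernets from the thread. Traffic to either must bypass the proxy so
// it follows normal routing, including the site-to-site VPN.
var SITE_NETS = [["192.168.0.0", 20], ["192.168.16.0", 20]];

// Dotted-quad string -> unsigned 32-bit number, or null if not an IPv4 literal.
function ipToInt(s) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(s);
  if (!m) return null;
  var n = 0;
  for (var i = 1; i <= 4; i++) {
    var octet = parseInt(m[i], 10);
    if (octet > 255) return null;
    n = n * 256 + octet;
  }
  return n;
}

// True when ip (a number) lies inside base/bits.
function inCidr(ip, base, bits) {
  var size = Math.pow(2, 32 - bits);
  return Math.floor(ip / size) === Math.floor(ipToInt(base) / size);
}

function isInternal(host) {
  host = host.toLowerCase();
  if (host.indexOf(".") === -1) return true; // single-label intranet name
  var at = host.length - INTERNAL_SUFFIX.length;
  if (at >= 0 && host.indexOf(INTERNAL_SUFFIX, at) === at) return true;
  var ip = ipToInt(host);
  if (ip === null) return false;
  for (var i = 0; i < SITE_NETS.length; i++) {
    if (inCidr(ip, SITE_NETS[i][0], SITE_NETS[i][1])) return true;
  }
  return false;
}

// Entry point the browser calls for each request. There is no "; DIRECT"
// fallback after the proxy: clients have no direct outbound path, so a
// proxy outage must fail closed instead of bypassing the firewall.
function FindProxyForURL(url, host) {
  return isInternal(host) ? "DIRECT" : PROXY;
}
```

The suffix test matches on the leading dot, so a look-alike public name such as `evilcorp.example` is still sent to the proxy.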
RE: Multiple ISA 2006 SP1 in single domain - 8.Aug.2008 8:08:24 AM   
Jason Jones

 

Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
The parallel split ISA services model is actually a very good design IMHO, and one of my favourites

Not only does it provide good security isolation, it also helps with availability as loss of a single server (for SE) or an array (for EE) minimises impact to all services.

I personally like the inbound/outbound approach with dedicated servers/arrays for outbound or inbound traffic. 

There is no reason I could see why MS would not see this as a fully supported environment...

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to gbarnas)
Post #: 3
RE: Multiple ISA 2006 SP1 in single domain - 8.Aug.2008 9:09:12 AM   
paulo.oliveira

 

Posts: 820
Joined: 3.Jan.2008
From: Amazonas, Brazil
Status: offline
Hi Jason,

Sorry, but I need to ask: what's IMHO?

Regards,
Paulo Oliveira.

(in reply to Jason Jones)
Post #: 4
RE: Multiple ISA 2006 SP1 in single domain - 8.Aug.2008 9:18:42 AM   
Jason Jones

 

Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
IMHO = In My Humble Opinion

A world of TLAs (that's Three Letter Acronyms)


(in reply to paulo.oliveira)
Post #: 5
RE: Multiple ISA 2006 SP1 in single domain - 8.Aug.2008 2:06:41 PM   
gbarnas

 

Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
Isn't "IMHO" technically an "FLA"? (Four Letter Acronym)  :D

Funny, but true story about TLAs..
It's 1982, working for IBM, and I'm reading a new service manual for the 4300 mainframe processor. It says "be sure to remove the AMD before replacing the planar card...". "AMD"?   Nobody knows... flip to the glossary... AMD: Air Movement Device.
WHAT? Isn't that a fancy name for a fan? F-A-N??? We've replaced a 3-letter word with three words and shortened it to a TLA. Pathetic!

Next to the last entry at http://www.acronymfinder.com/AMD.html 

Glenn

(in reply to Jason Jones)
Post #: 6
RE: Multiple ISA 2006 SP1 in single domain - 13.Aug.2008 8:21:57 AM   
Jason Jones

 

Posts: 2140
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ooops! It appears I couldn't even count that day!

Looks like you got my drift...


(in reply to gbarnas)
Post #: 7