gbarnas
Posts: 155
Joined: 27.Apr.2005
From: New Jersey
I've helped a few local associates get jump started with ISA, and created a document to "jump-start" the initial setup so they could get experimental quickly. You can find it at http://www.innotechcg.com/tech/howto/main.asp?BODY=ISA%20Server%20Installation%20Basics.htm

Keep in mind that this document is only to get a small environment operational, and the rules defined allow fairly generic access. You'll most likely want to fine tune them as you gain experience. ISAServer.ORG has a wealth of how-to's as well (as you know, since you're here!), from simple to the complex.

As for DDNS, I've been very happy with ChangeIP for my lab. Domain registration includes DDNS service with secure updates, mail relay, and URL redirection. I purchased the commercial version of DirectUpdate (www.directupdate.net) - it runs as a service and monitors/registers the DDNS records. Highly recommended. I'd also strongly recommend that whatever product you use to register your DDNS records, you obtain one that runs as a service.

Your ISA Firewall should connect between the cable modem and your internal network. If you plan to secure the wireless using some form of WPA encryption, simply plug the internal interface into one of the LAN ports on the router, and ignore the WAN port.

On the other hand, you can add a NIC to the ISA firewall and use a crossover cable to connect to the WAN port, creating a perimeter network for wireless users. This can allow you to run an open wireless hotspot, with one rule to grant outbound access. Wireless access to the LAN would be through VPN. That's a more complex configuration, with the need for additional subnets, routes, and rules, but I find it's well worth the learning experience at some point in your lab.

To put the above into perspective, the ISA Firewall is also a router, as is the wireless device. In a basic configuration, you will use the wireless router simply as a Wireless Access Point, with access only from the "LAN" side. The ISA should be the default gateway for all internal devices. In the WiFi hotspot config, the wireless device is used as a router, to route traffic between the wireless (and wireless LAN ports) and the ISA. For now, I'd suggest you keep it simple and ignore the WAN port.

Here's a very simple configuration. "W" is the WAN port, "L" are the LAN ports.

    W  WRT54G  LLLL
               | |______internal network devices
               |
              ISA
               |
          Cable Modem

ISA uses the external interface as its gateway. All internal devices use the ISA Internal interface as their gateway.

That should be enough to get you moving in the right direction.

One final comment - RESIST the temptation to create an "Allow All Outbound" rule. It's very bad practice. During the initial development of your lab, it's OK to define such a rule temporarily to confirm that A) you have proper outbound routing, and B) you don't have a rule configured properly to allow access when the "allow all" rule is disabled. Once you get your lab operational and feel comfortable with rulesets, REMOVE the allow all rule so it doesn't get enabled unintentionally.

Glenn
< Message edited by gbarnas -- 5.Aug.2008 8:51:38 AM >