Welcome to ISAserver.org


Planning ISA when External is Internal

Planning ISA when External is Internal - 26.Aug.2008 3:17:48 PM   
hasdou

 

Posts: 4
Joined: 26.Aug.2008
Status: offline
Hi everyone,

I would like to plan an ISA in my network that is separating my trusted LAN (after the ISA there is a FW) and a DMZ LAN (not Internet, only a couple of servers for temporary workers).
In this case, I cannot configure the Internal (in ISA) as internal but as the DMZ LAN (no default gateway, the ISA is the DG). In this case also, my trusted network is the External (in ISA).

How do I configure my ISA in this original topology?

Thank you for helping,
Post #: 1
RE: Planning ISA when External is Internal - 26.Aug.2008 4:06:05 PM   
keiichi25

 

Posts: 10
Joined: 15.Jul.2008
Status: offline
So to clarify, what you want to have is the following:

Firewall
    ||
  ISA=DMZ
    ||
LAN

Correct?

(in reply to hasdou)
Post #: 2
RE: Planning ISA when External is Internal - 26.Aug.2008 4:39:09 PM   
hasdou

 

Posts: 4
Joined: 26.Aug.2008
Status: offline
Not exactly:


DMZ servers (without DG - private IPs)
  ||
ISA
  ||
FW
  ||
LAN (trusted area)

(in reply to keiichi25)
Post #: 3
RE: Planning ISA when External is Internal - 26.Aug.2008 6:51:15 PM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Place your ISA Server external interface facing the FW (towards your trusted LAN) and place the Internal interface towards your DMZ servers. Your ISA Server "Internal" network will then be the DMZ subnet used to host your temp worker servers.

With this topology, you will protect the DMZ servers from your LAN (and vice versa) and you can provide access to the protected servers using web and server publishing as necessary. If you create a route relationship between Internal and External, you could then also use access rules for control if web/server publishing doesn't meet your needs.

I have used this setup when customers want to protect servers from the LAN *and* the Internet but have an existing firewall at the edge that needs to remain for primary perimeter network duties...

Cheers

JJ

_____________________________

Jason Jones (MVP)

Silversands Limited http://www.silversands.co.uk
My Blog: http://blog.msfirewall.org.uk/

Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to hasdou)
Post #: 4
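The following is an added example, not part of the original thread or of ISA Server itself: a simplified Python model of the point made in Post #4, that the network rule between Internal and External decides whether LAN-to-DMZ traffic can use access rules or only publishing rules. The addresses and the rule sets `EDGE_DEFAULT` (assumed Edge Firewall template default, NAT from Internal to External) and `ROUTED` are constructed assumptions.

```python
import ipaddress

# Constructed addressing for the thread's topology (not from the original posts).
# "Internal" in ISA is the DMZ subnet holding the temp-worker servers.
NETWORKS = {"Internal": [ipaddress.ip_network("192.168.50.0/24")]}

# Assumed default of the Edge Firewall template: Internal -> External via NAT.
EDGE_DEFAULT = [("Internal", "External", "NAT")]
# The alternative suggested in Post #4: a route relationship.
ROUTED = [("Internal", "External", "Route")]


def network_of(addr):
    """Map an address to an ISA network; anything undefined falls into External."""
    ip = ipaddress.ip_address(addr)
    for name, ranges in NETWORKS.items():
        if any(ip in r for r in ranges):
            return name
    return "External"


def usable_rule_types(src, dst, network_rules):
    """Rule types that can carry a connection initiated from src to dst.

    network_rules is a list of (source_network, destination_network, relation)
    where relation is "NAT" or "Route". Simplified model, not ISA's own engine.
    """
    s, d = network_of(src), network_of(dst)
    for rule_src, rule_dst, relation in network_rules:
        if relation == "Route" and {s, d} == {rule_src, rule_dst}:
            # Route relationships are bidirectional.
            return {"access rule", "publishing rule"}
        if relation == "NAT" and (s, d) == (rule_src, rule_dst):
            # Same direction as the NAT: ordinary access rules apply.
            return {"access rule"}
        if relation == "NAT" and (s, d) == (rule_dst, rule_src):
            # Against the NAT direction: the server must be published.
            return {"publishing rule"}
    return set()  # no network rule between the two networks: nothing passes


if __name__ == "__main__":
    lan_host, dmz_server = "10.0.0.25", "192.168.50.10"  # constructed samples
    print("NAT   LAN->DMZ:", usable_rule_types(lan_host, dmz_server, EDGE_DEFAULT))
    print("Route LAN->DMZ:", usable_rule_types(lan_host, dmz_server, ROUTED))
```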
RE: Planning ISA when External is Internal - 26.Aug.2008 11:09:12 PM   
hasdou

 

Posts: 4
Joined: 26.Aug.2008
Status: offline
I configured the FW as you said ... when the FW service is up the packets are "denied" in the FW (when I stop the ISA service, everything is OK).
I created a first rule that allows everything to everything ... without success.

1) Is there any "System Policy" I have to change in that configuration?
2) Is there any article that explains how to configure ISA in this type of topology?
3) Is there a network template better than "Edge Firewall" in that configuration? (maybe "Front Firewall"?)

Thank you for helping.

< Message edited by hasdou -- 27.Aug.2008 12:37:35 AM >

(in reply to Jason Jones)
Post #: 5
RE: Planning ISA when External is Internal - 27.Aug.2008 3:52:23 AM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
What are you actually trying to do with ISA? Can you provide more detail on the firewall policy you have created?

The edge firewall template should be fine - are you using the default network rules from this template?

By default, system policy will define a lot of elements using the "Internal" network object, however in your setup Internal is the protected network and unlikely to contain the normal infrastructure servers. Hence you will need to work your way through the system policies and modify them to reflect your trusted LAN infrastructure like DNS servers, AD etc. and remove the references to Internal as these will likely be irrelevant for your topology.

This series of articles might provide some good background...

http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

Cheers

JJ



(in reply to hasdou)
Post #: 6
RE: Planning ISA when External is Internal - 27.Aug.2008 4:01:31 AM   
hasdou

 

Posts: 4
Joined: 26.Aug.2008
Status: offline
I found the solution to my problem: I just had to configure a new network in ISA (before I used "external" as the network for my trusted area).

Thank you all for the help.

(in reply to Jason Jones)
Post #: 7
RE: Planning ISA when External is Internal - 27.Aug.2008 4:04:02 AM   
Jason Jones

 

Posts: 2119
Joined: 30.Jul.2002
From: United Kingdom
Status: online
Cool

(in reply to hasdou)
Post #: 8
