I'm trying to setup a small network (50 clients max) to use ISA-Server:

Right now the clients are all connected to the ISP/Internet via a Router.
The Router has the IP Address 212.84.212.65 (Subnet 255.255.255.192) and has a permanent Internetconection. All Clients are on 212.84.212.66 to 212.84.212.126 (Subnet 255.255.255.192).

What IP-Adress, default gateway and subnet-mask should I assign to
a) the internal interface?
b) the external interface?

I would like some computers to have "transparent" access to the Internet. Is it possible to use the official Internet IP-Adresses for all client-computers and servers internal with the ISA Server and assign "all In- and Out-Rights" to some machines?

Any help is appreciated =)

Tobias

You can give your network clients transparent access by configuring their default gateways so that they route internet requests to the internal interface of the ISA Server. If the clients are on the same network ID as the internal interface of the ISA Server, you can configure their default gateway as the internal interface of the ISA Server. Otherwise, you'll have to configure it as the IP address of a router that will route to the ISA Server's internal IP address.

SecureNAT clients do not require any software installation. You miss out on user/group based access controls, and some protocols that require secondary connections, but otherwise, the vast majority of users will never no the difference.

HTH,

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

>>On the external interface of the ISA Server, set up the default gateway as your router's IP address.

ok. Should I use any special IP-Adress for this interface (Router is 212.84.212.65 which will be default gateway. We have IP's from .66 to .126 for server and clients. I think I must use one of these).

>>For the ISA Server's internal IP address, assign it an IP address in a private network ID and give it host ID 1.

- How Do I assign a host ID 1?

- Then I will have to change the IP's of the clients to private ID's too (i.e. 192.168.0.x). Right? My hope was that I can use the official internet adresses we were assigned for the clients, because we do have a Web- and Mailserver too. We do have enough IP adresses, I was just hoping to get more controll over the traffic in and out.

Regards,
Tobias

You could use the public IP addresses on the internal network, as long as they are on the LAT. However, for security reasons, you're better off using the private IP addresses. Although packet filtering will protect you, you get even more security by using non-routable addresses on your internal network.

A host ID of 1 just refers to using the first IP address in your block. For example, if you use the private network ID 192.168.0.0, host ID 1 would have the IP address 192.168.0.1.

You can still create a DMZ network and place your publicly available mail and web servers on the DMZ segment. In that way, your internal network is protected from Internet access, and the public network can still access your mail and web servers. You can use the public address block you have now, but you'll have to subnet the block, because the DMZ can't have the same network ID as the interface connected to the internet for routing reasons.

HTH,

Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/

thank you very much for your answers. I'm back to the Testserver now :-)

Regards,
Tobias