Welcome to ISAserver.org
Forums |
Register |
Login |
My Profile |
Inbox |
RSS 
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Staged Migration to ISA?
|
Users viewing this topic:
none
|
Logged in as: Guest
|
Login  | |
|
Staged Migration to ISA? - 15.Sep.2004 3:51:00 PM
|
|
|
bedpan
Posts: 34
Joined: 15.Sep.2004
From: canada
Status: offline
|
Hey Folks,
New user.. New question... Hopefully not to general, or complicated ;-)
We are currently using a single Hardware based Firewall to protect our network and route our DSL connection. We are looking at setting up ISA either as a second firewall (creating a DMZ), or as a replacement for the hardware firewall.
We have an assortment of websites and servers running through the firewall right now and everything is working well.
What I am trying to come up with is a staged plan that I can cut in ISA without doing a mass migration. Ideally I would like to setup ISA and start cutting over a single website/server at a time, followed by VPN, users, and then proxy services, firewall clients etc.
Just looking for some input on what others have done, or might suggest. We do have a few extra external IP's available that we can use for the migration.
I suspect I am just going to have to book a weekend at the office and make this happen but I would really prefer a staged cut over to help prevent all the problems Monday morning that will come up.
Anyways, your thoughts and suggestions are greatly apprecaited!
Mike
|
|
|
|
|
RE: Staged Migration to ISA? - 17.Sep.2004 4:50:00 AM
|
|
|
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Mike,
What I do is bind the addresses that were on the external interface of the packet filter that the ISA firewall is replacing. Then I create the Web and Server Publishing Rules. Once the config is complete, I unplug the packet filter and replace it with the ISA firewall.
HTH,
Tom
|
|
|
|
|
RE: Staged Migration to ISA? - 20.Sep.2004 2:58:00 PM
|
|
|
bedpan
Posts: 34
Joined: 15.Sep.2004
From: canada
Status: offline
|
I guess the advantage of this type of migration is that if there is any problems its a quick swap back to the original box..
What about if I am trying to maintain the existing firewall and use if for the external facing firewall of a DMZ? Any quick thoughts on this?
I guess more importantly, what are your thoughts on this type of config? Mang. here wants to maintain the existing firewall. I know ISA is capable of a single box DMZ.. Do you think this is sufficient? Or is maintaining the old firewall a good idea?
Oye..
Thanks kindly!
Mike
|
|
|
|
|
RE: Staged Migration to ISA? - 21.Sep.2004 4:44:00 PM
|
|
|
tshinder
Posts: 47659
Joined: 10.Jan.2001
From: Texas
Status: offline
|
Hi Mike,
No problem keeping the packet filter box in front of the ISA firewall. While the packet filters aren't exactly what I'd call industrial strength security, every little bit helps. So go ahead and make the boss happy and put it in front of the ISA firewall. That keeps the strongest protection closest to the core business assets.
HTH,
Tom
|
|
|
|
 New Messages |
 No New Messages |
 Hot Topic w/ New Messages |
 Hot Topic w/o New Messages |
 Locked w/ New Messages |
 Locked w/o New Messages |
|
 Post New Thread
Reply to Message
Post New Poll
Submit Vote
Delete My Own Post
Delete My Own Thread
Rate Posts |
|
Printable Version
