Three-Homed setup ?

Forum: ISA Server 2000 General >> Installation
Three-Homed setup ? - 20.Mar.2001 1:18:00 PM   
Paul

Posts: 51
Joined: 25.Jan.2001
From: London, UK
I will shortly be attempting to set up ISA Standard Edition using a three-homed network setup.

Question:

I know card 1 goes to the LAN, card 2 goes to the perimeter and card 3 goes to the Internet, but what will the IP address settings of card 2 be?

If this is a stupid question, please forgive me, I'm new to this.

------------------
Paul Crisp
Snr Network Support

Post #: 1
RE: Three-Homed setup ? - 20.Mar.2001 8:08:00 PM   
jtabian

Posts: 14
Joined: 20.Mar.2001
From: Downers Grove, IL
DMZs generally work best if you just make up another private network to assign to it and NAT it like anything else. Use another subnet of your range that you aren't already using.

If you want a REAL headache, try splitting your registered IP range in half. Move the subnet bit over one and use half the range on the outside of the firewall and the other half on the inside. This kind of setup actually had its uses in the past to get past problems with IPSEC and NAT and so on. I haven't fully tried all possible combos of VPNs and ISA, so it's possible this could be useful here as well. Be sure to get a slightly larger range of IPs though....

------------------
Jeff Tabian
Senior Network Analyst - MCSE+I, MCT, MCDBA, CNE, CCNA, CCA
Sentinel Technologies


(in reply to Paul)
Post #: 2
RE: Three-Homed setup ? - 21.Mar.2001 10:01:00 AM   
tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Paul,

Jeff has the main concepts covered, so I'll just add a couple of things and reinforce what he had to say.

When you configure a DMZ on a trihomed ISA Server, you need to use public IP addresses, and you need to keep that segment's IP addresses off the LAT. You will also need to configure packet filters for inbound and outbound traffic for the DMZ, since you can't use Protocol Rules to control access to the DMZ.

You'll also need to make sure that the machines on the DMZ are on a different network ID than the external interface, since ISA needs to route packets from one adapter to the other.

Don't set a default gateway on either the internal network interface or the DMZ interface connected to the ISA Server. Only the external interface should have a gateway configured.

HTH,
Tom

quote:
Originally posted by Paul:
I will shortly be attempting to set up ISA Standard Edition using a three-homed network setup.

Question:

I know card 1 goes to the LAN, card 2 goes to the perimeter and card 3 goes to the Internet, but what will the IP address settings of card 2 be?

If this is a stupid question, please forgive me, I'm new to this.


------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Paul)
Post #: 3
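The two answers above give a checklist for the trihomed address plan: Jeff's trick of moving the subnet bit over one to split a registered range into an outside half and a DMZ half, and Tom's rules (each adapter on its own network ID, DMZ and external segments kept off the LAT, a default gateway only on the external adapter, public addresses on the DMZ). The following script is an added example, not code from the thread or from ISA Server; it encodes those rules as a checker over a hypothetical plan. The 203.0.113.0/28 block is a constructed stand-in (an RFC 5737 documentation range) for a registered block, and the names Adapter, TrihomedPlan, split_public_range and check_plan are the example's own.

```python
"""Address-plan checker for a trihomed ISA Server 2000 DMZ (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# RFC 1918 ranges: a trihomed ISA 2000 DMZ must NOT use these, because ISA
# routes (rather than NATs) between the external and DMZ adapters.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def split_public_range(cidr: str) -> Tuple[ipaddress.IPv4Network, ipaddress.IPv4Network]:
    """Jeff's trick: move the subnet bit over one so the registered range becomes
    two halves, one for the outside of the firewall and one for the DMZ."""
    net = ipaddress.ip_network(cidr, strict=True)
    outside, dmz = net.subnets(prefixlen_diff=1)
    return outside, dmz


@dataclass
class Adapter:
    name: str
    address: str                   # CIDR on the adapter, e.g. "203.0.113.2/29"
    gateway: Optional[str] = None  # default gateway, or None


@dataclass
class TrihomedPlan:
    internal: Adapter
    dmz: Adapter
    external: Adapter
    lat: List[str]                 # Local Address Table entries as CIDR strings


def check_plan(plan: TrihomedPlan) -> List[str]:
    """Return the rule violations found in the plan (an empty list means OK)."""
    problems: List[str] = []
    adapters = {"internal": plan.internal, "dmz": plan.dmz, "external": plan.external}
    nets = {n: ipaddress.ip_interface(a.address).network for n, a in adapters.items()}
    lat = [ipaddress.ip_network(e) for e in plan.lat]

    def covered_by_lat(net: ipaddress.IPv4Network) -> bool:
        return any(net.overlaps(entry) for entry in lat)

    # Rule 1: every adapter sits on its own network ID, since ISA routes between them.
    for a, b in (("internal", "dmz"), ("dmz", "external"), ("internal", "external")):
        if nets[a].overlaps(nets[b]):
            problems.append(f"{a} ({nets[a]}) and {b} ({nets[b]}) share a network ID")

    # Rule 2: only the external adapter carries a default gateway, and it must be on-link.
    if plan.external.gateway is None:
        problems.append("external adapter has no default gateway")
    else:
        gw = ipaddress.ip_address(plan.external.gateway)
        if gw not in nets["external"]:
            problems.append(f"external gateway {gw} is not on {nets['external']}")
    for name in ("internal", "dmz"):
        if adapters[name].gateway is not None:
            problems.append(f"{name} adapter must not have a default gateway")

    # Rule 3: the LAT holds the internal network; the DMZ and external segments
    # stay off it so ISA treats them as external and applies packet filters.
    if not covered_by_lat(nets["internal"]):
        problems.append(f"internal network {nets['internal']} is missing from the LAT")
    for name in ("dmz", "external"):
        if covered_by_lat(nets[name]):
            problems.append(f"{name} network {nets[name]} must not appear in the LAT")

    # Rule 4: the DMZ uses public (non-RFC 1918) addresses.
    if any(nets["dmz"].overlaps(p) for p in RFC1918):
        problems.append(f"DMZ network {nets['dmz']} is RFC 1918; a trihomed DMZ needs public addresses")

    return problems


def example_plan() -> TrihomedPlan:
    """Constructed plan: 203.0.113.0/28 (documentation range standing in for a
    registered block) split into 203.0.113.0/29 outside and 203.0.113.8/29 DMZ."""
    outside, dmz = split_public_range("203.0.113.0/28")
    return TrihomedPlan(
        internal=Adapter("internal", "192.168.1.1/24"),
        dmz=Adapter("dmz", f"{dmz[1]}/{dmz.prefixlen}"),
        external=Adapter("external", f"{outside[2]}/{outside.prefixlen}", gateway=str(outside[1])),
        lat=["192.168.1.0/24"],
    )


if __name__ == "__main__":
    print("problems:", check_plan(example_plan()) or "none")
    # The mistake Tom warns about: putting the DMZ segment into the LAT.
    bad = example_plan()
    bad.lat.append("203.0.113.8/29")
    print("with DMZ in LAT:", check_plan(bad))
```

The checker reports overlapping network IDs, a stray default gateway on the internal or DMZ adapter, LAT entries covering the DMZ or external segment, and RFC 1918 space on the DMZ; run it against your own addresses before touching the ISA Server.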
RE: Three-Homed setup ? - 21.Mar.2001 10:36:00 AM   
Paul

Posts: 51
Joined: 25.Jan.2001
From: London, UK
Cheers fellas.

I'll let you know how I get on.


(in reply to Paul)
Post #: 4
RE: Three-Homed setup ? - 21.Mar.2001 8:17:00 PM   
jtabian

Posts: 14
Joined: 20.Mar.2001
From: Downers Grove, IL
Is there no way to use NAT to a DMZ with ISA Server? This may be a large issue for some companies. I haven't tried it as of yet, mainly because I haven't figured out how it might be configured. I was also wondering if 2000 supported IPSEC behind client-side NAT. Both Checkpoint and Cisco PIX have workarounds for that issue and support NAT to a DMZ.

------------------
Jeff Tabian
Senior Network Analyst - MCSE+I, MCT, MCDBA, CNE, CCNA, CCA
Sentinel Technologies


(in reply to Paul)
Post #: 5
RE: Three-Homed setup ? - 23.Mar.2001 5:09:00 AM   
tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi Jeff,

You could use a back-to-back configuration with ISA Server on the front and back end, and make the network between them your DMZ. In that way, you can use NAT. You could also put another network interface on the ISA Server that uses a private IP address, and then just connect your published servers to that network. That way you restrict the public traffic to that segment and no Internet traffic passes through your internal network.

From all that I have read and heard, it's not possible to support IPSec behind the Win2k/ISA NAT. Now, I have heard about these other guys somehow being able to tunnel the IPSec packets inside a UDP segment, but what I do not know is whether there is something on their firewall (such as an application filter) that helps make this work. I'll be interested to find out if MS has anything in the works that will support this type of configuration.

As it stands now, you can create a gateway-to-gateway L2TP/IPSec solution, though.

HTH,
Tom

------------------
Tom Shinder
http://www.isaserver.org/shinder/


(in reply to Paul)
Post #: 6
RE: Three-Homed setup ? - 28.Mar.2001 6:26:00 AM   
jgraham

Posts: 10
Joined: 27.Mar.2001
"You could use a back-to-back configuration with ISA Server on the front and back end, and make the network between them your DMZ. In that way, you can use NAT."

Can you elaborate on this and describe what you mean by a back-to-back on both ends?


"You could also put another network
interface on the ISA Server that uses a private IP address, and then just connect your published servers to that network. That way you restrict the public traffic to that segment and no Internet traffic passes through your internal network"

Isn't this the tri-homed approach he originally described?

Thanks...


(in reply to Paul)
Post #: 7
RE: Three-Homed setup ? - 28.Mar.2001 6:38:00 AM   
jgraham

Posts: 10
Joined: 27.Mar.2001
.

[This message has been edited by jgraham (edited 28 March 2001).]


(in reply to Paul)
Post #: 8
RE: Three-Homed setup ? - 28.Mar.2001 8:51:00 AM   
tshinder

Posts: 47659
Joined: 10.Jan.2001
From: Texas
Hi JGraham,

Thanks for asking. Let me elaborate, because it's a little more complex than what might be inferred from what I said earlier.

You can configure a back-to-back ISA Server configuration and have the network between the ISA Servers be your DMZ segment. There are two ways to configure the DMZ:

1. Use public IP addresses and configure it as a traditional DMZ so that you must use packet filters to control traffic into and out of the DMZ, or

2. Use public or private IP addresses on the DMZ segment between the two ISA Servers and have the ISA Server translate the requests into and out of the DMZ segment.

The problem is that ISA Server requires that you have an entry in the LAT in order for it to install. If there is no LAT entry, it will not install.

Now, if you include your public IP addresses in the DMZ segment, but include those machines in the LAT, then ISA Server will translate those addresses. In this way, it acts like an internal network that is using private IP addresses and the ISA Server does not directly route requests. You can publish servers in this environment using regular server and web publishing rules.

However, if you want the DMZ to act like a normal DMZ, you can get around the LAT problem by installing the MS Loopback adapter and use a dummy private IP address on it, and then put that IP address in the LAT.

HTH,
Tom

quote:
Originally posted by jgraham:
"You could use a back-to-back configuration with ISA Server on the front and back end, and make the network between them your DMZ. In that way, you can use NAT."

Can you elaborate on this and describe what you mean by a back-to-back on both ends?


"You could also put another network
interface on the ISA Server that uses a private IP address, and then just connect your published servers to that network. That way you restrict the public traffic to that segment and no Internet traffic passes through your internal network"

Isn't this the tri-homed approach he originally described?

Thanks...



(in reply to Paul)
Post #: 9