Two ISA Servers: One Inbound, one Outbound
Two ISA Servers: One Inbound, one Outbound - 30.Apr.2007 2:13:05 PM
Philgn (Posts: 8 | Joined: 31.Oct.2002 | From: Dubuque, Iowa)

I am going to upgrade to ISA Server 2006 from 2004. Currently we use another firewall product at the perimeter with ISA behind it. I am thinking about changing this configuration when I upgrade by adding another ISA server so that one is used for inbound traffic and the other for outbound, with both behind the perimeter firewall. Rather than buying the more expensive Enterprise license I would like to use two Standard Edition ISA servers. My reason for wanting to segregate traffic is that we publish three web servers, two FTP servers, our mail server (both SMTP traffic and for access over RPC and OWA), and two Citrix servers (for use by two small remote offices). On the outbound side we have several users accessing a CRM web site as well as normal web traffic. Altogether we have around 325 users behind the ISA server. I'd like to know if this scenario sounds reasonable or if anyone sees where I could run into trouble with this setup. Thanks in advance for your comments.

Phil

RE: Two ISA Servers: One Inbound, one Outbound - 30.Apr.2007 2:20:37 PM
elmajdal (Posts: 5103 | Joined: 16.Sep.2004 | From: Lebanese in Kuwait)

Will each ISA Server be connected to a different router? Do you have 2 DSL connections, or will they both share the same internet connection (1 router, with both ISA Servers behind it)?

_____________________________
Tarek Majdalani, MS Forefront Edge Security MVP. Website: http://www.elmajdal.net/ISAServer | New Section: http://www.elmajdal.net/Win2k8

RE: Two ISA Servers: One Inbound, one Outbound - 30.Apr.2007 2:25:42 PM
Philgn (Posts: 8 | Joined: 31.Oct.2002 | From: Dubuque, Iowa)

Our current setup is T1 --> Router --> Edge Firewall --> ISA Server 2004 --> Internal Network

Phil

RE: Two ISA Servers: One Inbound, one Outbound - 30.Apr.2007 2:27:01 PM
Philgn (Posts: 8 | Joined: 31.Oct.2002 | From: Dubuque, Iowa)

To clarify, I would keep the same setup but add in another ISA Server behind the perimeter firewall.

Phil

RE: Two ISA Servers: One Inbound, one Outbound - 30.Apr.2007 2:47:30 PM
elmajdal (Posts: 5103 | Joined: 16.Sep.2004 | From: Lebanese in Kuwait)

I see no point in using 2 ISA servers if you are going to use 1 router and 1 edge firewall in front of both ISA Servers! If you separated each ISA with a dedicated router I would understand that you are reserving the bandwidth for each ISA, but if you're going to share the same router and the same Edge Firewall, then what made you think ISA won't handle the traffic that the Edge Firewall is handling?

_____________________________
Tarek Majdalani, MS Forefront Edge Security MVP. Website: http://www.elmajdal.net/ISAServer | New Section: http://www.elmajdal.net/Win2k8

RE: Two ISA Servers: One Inbound, one Outbound - 30.Apr.2007 3:05:47 PM
Philgn (Posts: 8 | Joined: 31.Oct.2002 | From: Dubuque, Iowa)

One reason I thought about doing this was for easier manageability of inbound and outbound rules, not just performance. But we also use Surf Control, which adds to the load on the ISA Server (it uses an MSDE database).

Phil

RE: Two ISA Servers: One Inbound, one Outbound - 25.May2007 6:42:07 PM
Jason Jones (Posts: 2247 | Joined: 30.Jul.2002 | From: United Kingdom)

Hi Phil,

Separating inbound and outbound services is generally a good idea in my opinion and can provide several benefits like:
- Performance - by separating load between two systems you will ultimately allow each to perform better.
- Availability - in the event that one server fails, it will only affect one service, e.g. if your outbound proxy fails, people will still be able to get to your published applications.
- Maintenance - if you need to work on the servers, you will only affect one service at a time.
- Management - rather than a single rule set with both inbound and outbound rules, different servers allow the respective rule sets to be much simpler and hence there is less likelihood of rule error (in theory!)

Whether this approach is valid for 325 users, I would perhaps question. It is likely a better scenario for an Enterprise deployment with several thousand users. However, if you have the need, and the cash, go for it!

If you look at the Windows Server System Reference Architecture (WSSRA) on the Microsoft website you will see an example of using multiple ISA servers in parallel to separate different services like VPN, proxy etc. The doc is for ISA 2000, but the general perimeter theory is still valid.

In terms of problems, you will need to consider which server will be your default gateway. You can alleviate the need for a DG for many clients by using Web Proxy and Firewall clients, but it still needs consideration for SecureNAT clients like servers.

I have used a similar topology a couple of times, but with two pairs of EE arrays. One array was for edge firewall, VPN and publishing, the other array was for outbound proxy. Each ISA server was in parallel to each other, but the edge firewalls also had additional interfaces for perimeter networks. Based upon the customer's paranoia they also placed a pair of Cisco ASA in front of all the ISA servers, as the primary network border firewalls.

Cheers
JJ

< Message edited by Jason Jones -- 25.May2007 6:48:35 PM >
_____________________________
Jason Jones (MVP), Silversands Limited, http://www.silversands.co.uk | My Blog: http://blog.msfirewall.org.uk/ | Get our NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
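The two operational points Jason raises, keeping each server's rule set single-purpose and getting the default gateway right for SecureNAT clients, are the kind of thing that silently breaks after a change. The following is an added example, not code from the thread or from any ISA product: a small Python model of the split topology that flags publishing rules defined on the outbound server (and vice versa) and SecureNAT hosts whose default gateway would send internet-bound traffic to the inbound-only ISA. The server names, internal addresses, rules and clients are constructed for illustration; the client-type behaviour it models (Web Proxy and Firewall clients address their configured ISA directly, SecureNAT clients follow the default gateway) is the distinction Jason's post relies on.

```python
"""Added example (not from the thread): a small model of the split
inbound/outbound ISA topology, used to check that each server's rule set
stays single-purpose and that SecureNAT clients route via the outbound ISA.

All names and addresses below are constructed for illustration.
"""
from dataclasses import dataclass

# Assumed roles and internal addresses for the two Standard Edition servers.
INBOUND_ISA = "isa-inbound"      # publishing rules only (web, FTP, SMTP/OWA, Citrix)
OUTBOUND_ISA = "isa-outbound"    # outbound access rules only (web proxy, CRM site)
INTERNAL_IP = {INBOUND_ISA: "10.0.0.1", OUTBOUND_ISA: "10.0.0.2"}


@dataclass(frozen=True)
class Rule:
    server: str   # which ISA the rule is defined on
    name: str
    kind: str     # "publish" (server/web publishing) or "access" (outbound access)


@dataclass(frozen=True)
class Client:
    name: str
    client_type: str      # "webproxy", "firewall" or "securenat"
    default_gateway: str  # internal IP the host routes non-local traffic to


def misplaced_rules(rules):
    """Rules that break the one-purpose-per-server split: publishing rules
    belong on the inbound ISA, outbound access rules on the outbound ISA."""
    expected = {"publish": INBOUND_ISA, "access": OUTBOUND_ISA}
    return [r for r in rules if expected.get(r.kind) != r.server]


def outbound_path(client):
    """Which ISA a client's internet-bound traffic reaches.

    Web Proxy and Firewall clients are configured with their ISA explicitly,
    so the default gateway is irrelevant to them (assumed here to point at the
    outbound ISA). SecureNAT clients have no client software and simply follow
    their default gateway, which may be the wrong server or no ISA at all.
    """
    if client.client_type in ("webproxy", "firewall"):
        return OUTBOUND_ISA
    for server, ip in INTERNAL_IP.items():
        if client.default_gateway == ip:
            return server
    return None   # gateway is neither ISA: traffic never reaches a proxy


def securenat_gateway_issues(clients):
    """SecureNAT hosts (typically servers) whose outbound traffic would hit the
    inbound-only ISA, or no ISA at all, and so find no access rule to match."""
    return [c.name for c in clients
            if c.client_type == "securenat" and outbound_path(c) != OUTBOUND_ISA]


# Constructed sample data: one misplaced rule and one mis-gatewayed server.
SAMPLE_RULES = [
    Rule(INBOUND_ISA, "Publish OWA", "publish"),
    Rule(INBOUND_ISA, "Publish FTP", "publish"),
    Rule(OUTBOUND_ISA, "Allow web access", "access"),
    Rule(INBOUND_ISA, "Allow CRM site", "access"),   # wrong server
]
SAMPLE_CLIENTS = [
    Client("workstation-01", "webproxy", "10.0.0.1"),   # gateway irrelevant
    Client("workstation-02", "firewall", "10.0.0.1"),
    Client("db-server", "securenat", "10.0.0.2"),       # correct
    Client("app-server", "securenat", "10.0.0.1"),      # points at inbound ISA
]

if __name__ == "__main__":
    for r in misplaced_rules(SAMPLE_RULES):
        print(f"rule '{r.name}' ({r.kind}) is defined on {r.server}")
    for name in securenat_gateway_issues(SAMPLE_CLIENTS):
        print(f"SecureNAT client {name} does not route via {OUTBOUND_ISA}")
```

Run as a script it reports the one access rule that landed on the inbound server and the one SecureNAT server whose gateway points at it. In a real deployment the rule and client lists would be exported from the two consoles and the server inventory rather than typed in, but the two checks are the same ones worth repeating after every rule or routing change.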