Welcome to ISAserver.org


Upgrade from Tri-Homed to Back-2-Back Configuration

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Upgrade from Tri-Homed to Back-2-Back Configuration
Upgrade from Tri-Homed to Back-2-Back Configuration - 24.May2006 4:31:57 PM   
waynewhittle

 

Posts: 96
Joined: 21.Apr.2004
From: Cardiff
Hi,

We've got to the point where we need to upgrade our current ISA 2004 configuration. What we want is similar to the Back2Back setup as detailed by Tom in his excellent Back2Back ISA four-part series, but this is slightly different in that we must facilitate x2 of our own public-facing DNS servers for access to publicly available web resources. The scenario we thought best was as follows (simplified version):

EXTERNAL-----FE ISA-----DMZ (x2 DNS Servers - split brain for access to web servers below)
                |
                |-------HUB---FE Exchange                      (Perimeter Network)
                |        |----x2 Web Servers (Public Facing)
                |
             BE ISA
                |
                |
             BE Exchange
             Domain Controllers and other servers

So, the FE ISA is Tri-Homed and shares the internal segment with the external segment of the BE ISA - both segments are plugged into a hub, which also has x2 public-facing web servers and our FE Exchange. All the network relationships are routed with the exception of the External to Internal (on the perimeter network) on the FE ISA, which is NAT.

With this setup I have a few questions which I'm hoping someone can shed some light on:

1. We use PPTP VPNs to facilitate Site2Site connections to x2 other sites. With the new configuration above I understand I have to publish the external interface of the BE ISA to facilitate VPN clients onto our internal network. What about Site2Site connections from the BE ISA? I am assuming that all I would have to do is allow PPTP through the FE ISA and set up the connection from the BE ISA. Also, what about Site2Site connections to the BE ISA? Would this already be possible through the publishing rule that allows client VPN connections? The only reason I ask this is because for Site2Site VPNs to work you have to name the VPN interfaces and accounts the same.

2. FE Exchange Setup - this used to be on our internal network in a tri-homed setup and was published for secure OWA access. I now want to move this into the perimeter network (still a member of our domain). OWA will be published securely on the FE ISA. What I'm a little unsure about is what ports to open for AD communication and access to BE Exchanges.

3. Web servers - Is there any advantage leaving these as standalone rather than members of the domain ?

4. For the Web servers and the FE Exchange in the Perimeter network, which is also our inbound Smart Host, I will have to configure their G/W as the external interface of the BE ISA rather than the internal interface of the FE ISA for domain communication between the perimeter network and our internal network. However, these servers will also need to be able to receive Microsoft Updates and thus need to be able to G/W to the internal interface of the FE ISA. How do I achieve this? Could I just configure the G/W as the internal interface of the FE ISA and put a static route on all the perimeter hosts that allows intra-domain communication between the perimeter network and internal networks? Will this affect FE Exchange communications? Will I also have to put in static routes to the other BE Exchange in the remote site that is linked by the Site2Site VPN - in which case the static route would be to the BE ISA in order to facilitate OWA (HTTP) and mail handling (SMTP)?



Changing from a Tri-Homed setup to one like this does pose just a few questions. These are just for starters!

Best regards

Wayne

< Message edited by waynewhittle -- 26.May2006 2:29:37 PM >
Post #: 1
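The split-gateway arrangement floated in question 4 (default gateway on the FE ISA's perimeter leg for Internet traffic such as Microsoft Update, persistent static routes via the BE ISA's external leg for the internal network and for the remote site behind the Site2Site VPN) can be modelled before touching any server. The script below is an added example for this thread, not code from the original post or from the ISA product; every address in it is a hypothetical placeholder, and the route selection is ordinary longest-prefix matching, which is what a Windows host's IP stack does with the routes the `route add -p` lines would install.

```python
"""Model of the perimeter-host routing described in question 4.

Added example, not from the original post. All addresses are
hypothetical (RFC 1918 and RFC 5737 ranges) and stand in for the real
FE ISA / BE ISA perimeter-leg addresses and subnets.
"""
import ipaddress

# Hypothetical addressing (assumption, not from the post).
PERIMETER_NET = ipaddress.ip_network("192.168.100.0/24")
FE_ISA_INTERNAL = ipaddress.ip_address("192.168.100.1")    # FE ISA, perimeter-facing leg
BE_ISA_EXTERNAL = ipaddress.ip_address("192.168.100.2")    # BE ISA, perimeter-facing leg
INTERNAL_NETS = [ipaddress.ip_network("10.10.0.0/16")]      # DCs, BE Exchange
REMOTE_SITE_NETS = [ipaddress.ip_network("10.20.0.0/16")]   # other site, reached over the Site2Site VPN on BE ISA


def build_routes():
    """Routing table for a perimeter host: default route via the FE ISA,
    internal and remote-site networks via the BE ISA."""
    routes = [(ipaddress.ip_network("0.0.0.0/0"), FE_ISA_INTERNAL)]
    for net in INTERNAL_NETS + REMOTE_SITE_NETS:
        routes.append((net, BE_ISA_EXTERNAL))
    return routes


def next_hop(dst, routes=None):
    """Pick the gateway for dst by longest-prefix match, as the host's
    IP stack does. Perimeter addresses are on-link, so no gateway (None)."""
    dst = ipaddress.ip_address(dst)
    if dst in PERIMETER_NET:
        return None
    table = routes if routes is not None else build_routes()
    best = max((r for r in table if dst in r[0]), key=lambda r: r[0].prefixlen)
    return best[1]


def windows_route_commands(routes=None):
    """Persistent `route add -p` lines for a Windows Server 2003 host.
    The default gateway is set on the NIC, so the 0.0.0.0/0 entry is skipped."""
    table = routes if routes is not None else build_routes()
    cmds = []
    for net, gw in table:
        if net.prefixlen == 0:
            continue
        cmds.append(f"route add -p {net.network_address} mask {net.netmask} {gw}")
    return cmds


if __name__ == "__main__":
    # Constructed sample destinations: a public address (update traffic),
    # an internal DC, a host at the remote site, and a perimeter neighbour.
    for sample in ("203.0.113.10", "10.10.1.5", "10.20.3.4", "192.168.100.50"):
        print(f"{sample:16} -> {next_hop(sample)}")
    print("\n".join(windows_route_commands()))
```

Run it as-is to see which leg each destination would leave on, then substitute the real subnets. One caveat worth keeping in mind: the static routes only decide the next hop, they enforce nothing. A perimeter host that is compromised keeps exactly the same routing table, so the access rules on the BE ISA between the perimeter network and the internal network, not the routes, are what bounds what the web servers and FE Exchange can reach inside.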
