Welcome to ISAserver.org


Where to place NICs in ISA server residing in DMZ

Where to place NICs in ISA server residing in DMZ - 18.Feb.2004 9:01:00 PM
Kopman

 

Posts: 5
Joined: 2.Dec.2003
From: Canada
Status: offline
Hi

I'm looking at adding an ISA server into our DMZ zone so that I can publish OWA. Currently we are using a Cisco Firewall.

Our internal ISA server has both NICs inside the firewall, though one is configured as being an external NIC for the purposes of ISA configuration. We then have the config on the PIX allowing the web traffic from ISA to pass through the firewall.

If I add a new ISA server into the DMZ, should I follow the same logic and include both NICs physically in the DMZ, but configure one in ISA as an external and the other internal, or should I place one NIC inside the firewall and one in the DMZ?

Thanks
Peter
Post #: 1
RE: Where to place NICs in ISA server residing in DMZ - 20.Feb.2004 6:52:00 AM
bdh113s

 

Posts: 9
Joined: 18.Feb.2004
Status: offline
Peter,

I have learned that leveraging hardware firewalls while also leveraging the use of ISA as a firewall/proxy is very difficult in most networks. Several things you should keep in mind:

1. The NICs need to be on different subnets in order to function properly.
2. The external NIC should not be able to reach your internal network.
3. The internal NIC should not be able to reach the external network (Internet).

The best method I have seen for setting this up is the following. (Forgive the horrible diagram and remember this is a logical flow diagram)

Internet
|
PIX Firewall
|
DMZ
|
ISA
|
Secondary DMZ or Secondary Private Network
|
PIX Firewall
|
Private Network

This is assuming your network is being run under a Tri-Homed configuration with your current PIX firewall. You can set up a secondary DMZ through subnetting or you can set up a different subnet on your private network to accomplish the same outcome. The only difference is that if you create a secondary DMZ you will be wasting part of your IP pool you purchased for the internet on NICs that will never be published externally.

If this is confusing let me know, I can write something a bit more detailed or perhaps a picture at work tomorrow.

(in reply to Kopman)
Post #: 2
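
The three NIC rules from the reply above can be checked against an addressing plan before anything is cabled. The following is an added example, not code from either poster: `check_plan` and `net` are hypothetical names, the addresses are constructed documentation and private ranges, and the flow list is a simplified stand-in for what the perimeter firewall permits.

```python
import ipaddress

def net(cidr):
    """Parse a CIDR string, tolerating host bits (e.g. '192.0.2.10/28')."""
    return ipaddress.ip_network(cidr, strict=False)

def check_plan(external_if, internal_if, private_net, site_nets, allowed_flows):
    """Return violations of the three dual-homed NIC rules as strings.

    external_if / internal_if: the ISA NIC addresses with prefix length.
    private_net: the private network that must stay unreachable from the external NIC.
    site_nets: every subnet the site owns (DMZ, secondary DMZ, private).
    allowed_flows: (source_cidr, destination_cidr) pairs the firewall permits.
    """
    ext = ipaddress.ip_interface(external_if)
    inn = ipaddress.ip_interface(internal_if)
    private = net(private_net)
    site = [net(n) for n in site_nets]
    problems = []
    # Rule 1: the two NICs must be on different, non-overlapping subnets.
    if ext.network.overlaps(inn.network):
        problems.append(f"rule 1: {ext.network} and {inn.network} overlap")
    for src, dst in allowed_flows:
        src_net, dst_net = net(src), net(dst)
        # Rule 2: no permitted flow from the external NIC may touch the private
        # network. A destination of 0.0.0.0/0 overlaps it and is flagged too.
        if ext.ip in src_net and dst_net.overlaps(private):
            problems.append(f"rule 2: {src} -> {dst} reaches the private network")
        # Rule 3: flows from the internal NIC must stay inside site-owned subnets.
        if inn.ip in src_net and not any(dst_net.subnet_of(s) for s in site):
            problems.append(f"rule 3: {src} -> {dst} leaves the site")
    return problems

# Constructed sample plan: DMZ, secondary subnet, private network.
SITE = ["192.0.2.0/28", "172.16.50.0/24", "10.0.0.0/16"]
GOOD_FLOWS = [
    ("192.0.2.10/32", "198.51.100.0/24"),   # external NIC to an outside range
    ("172.16.50.10/32", "10.0.1.20/32"),    # internal NIC to one published server
]

if __name__ == "__main__":
    for line in check_plan("192.0.2.10/28", "172.16.50.10/24",
                           "10.0.0.0/16", SITE, GOOD_FLOWS) or ["plan is clean"]:
        print(line)
```
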
