Welcome to ISAserver.org
Which network template to use?
Which network template to use? - 13.Feb.2008 12:20:21 PM
mascalia
Posts: 36
Joined: 13.Feb.2008
Status: offline
Different spin on a common question...

We have a single-leg perimeter DMZ off our Internet firewall (i.e. only one NIC off the firewall into the DMZ). In the DMZ, we have two ISA 2006 EE servers on Win2K3/SP2, configured as workgroup members. Each ISA server has three NICs, and the config store is on a separate domain member server on the interior network. Even though there are three NICs, we're only allowed to route traffic through <one> NIC, since these servers will be exclusively used for web application publishing (at least for now - I've learned the hard way that nothing is ever certain :) ). Of the other two NICs, one connects to our isolated server backup network, and the other has a crossover cable connecting the two servers for use in an NLB (array) configuration.

Here's the question: What network template should be used to configure the array?

My first guess would be to use the single-NIC option, since all inbound and outbound traffic will go through the one "public" NIC. But is that possible (or right), considering that I also have a crossover NIC dedicated for intra-array communications? Would that template even work if there are three active NICs in the box?

Conversely, if I go with any of the other templates, ISA will go into full firewall mode, and start trying to move traffic from one network (interface) to another, based on network rules. However, there will be no rules for traffic on the other two networks other than to allow backup services to connect from the backup network, and to allow intra-array traffic between the array members. All the "real" traffic will still be going into - and out of - the same NIC.

Going with an Edge or Three-leg/perimeter template worries me because only one NIC will handle all of the important work. In such configurations, does ISA work well (or at all) if the interface/path from an external network to an internal network uses the same NIC? I would think that, like a router or other firewalls, there is an implied assumption that "internal" and "external" networks have different interfaces (NICs). That doesn't mean it won't work (our own Internet DMZ is such a configuration), but will it work well? Will there be any limitations or other problems?

Sorry for the long post, but this is a vexing architecture question that I have to answer ASAP so we can start on our Enterprise installation. Thanks in advance to everyone.

Mike
RE: Which network template to use? - 13.Feb.2008 2:41:25 PM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I don't believe you can reverse proxy in a single leg configuration. This config assumes that the connected interface is (only) in the trusted network.

Glenn