Goals:
- Replace a single SonicWall Pro 200 firewall that has a flaky NIC.
- Increase security using the app filtering.
- Ease VPN connection setup tied into my AD.
- Add redundancy (most important), and do this with the least complication I can.
My original plan: Replace the sonicwall with a pair of ISA 2004 boxes, either hardware load balanced, or using EE when it is released.
The current setup: A Radware LinkProof load-balancing IP blocks. This device exposes a private IP class as a transient network, which in turn becomes the public IPs on the SonicWall.
The SonicWall uses NAT for both a LAN and a DMZ network, with the DMZ being a private set of IP addresses.
The issues I see: As I read the tutorials and docs, it seems that ISA is expecting a public set of IPs on the DMZ.
So, that would require either changing the IPs on all my machines and internal DNS servers (we host a lot of mail servers, so it is a bit more complicated than it may seem), which has a lot of room for manual entry errors that may not show up easily,
or
using a back-to-back ISA setup. But for redundancy this will require a total of 4 boxes. The expense isn't as much an issue as the added complexity of this setup.
My questions:
Do the issues I state here seem to be true? Am I missing something in the docs?
If the second option will work, does a back-to-back setup offer enough benefit (perhaps adding a honeypot between) to justify the expense and complexity?
I'm open to all comments, but my main goal is to add redundancy and security.
Thanks for any info you can provide.
[ January 06, 2005, 04:50 PM: Message edited by: Steve Z ]