From: Toronto, ON
I am trying to implement ISA 2004 in a domain. The domain itself has not been set up. I was thinking of setting up the ISA Server as a DNS and possibly the DHCP server as well (this would be in a multihomed network).
On the internal network there is a DC and BDC as well as an Exchange Server.
1. Is it better to set up the DC first with DNS and DHCP on the internal network and then the ISA Server? a) If I do this then how will DNS work on the ISA Server? b) How will I have to set up the internet connection for the DC? (I am using an ADSL connection that will be connected to the External interface on the ISA Server.)
2. I was thinking that it would be better to set up the ISA server first with DNS and DHCP and then the others. a) If I were to do this then when I set up AD on the DC how will that work? b) Should I put the ISA server on the domain as well?
3. How do I set up an ADSL connection on the ISA Server and then have the internet through the internal interface to the rest of the network?
I am a newbie and I am trying to set up ISA; I would really appreciate it if anyone could help me out.
1. Is it better to set up the DC first with DNS and DHCP on the internal network and then the ISA Server? TOM: Better to set up the domain first.
a) If I do this then how will DNS work on the ISA Server? TOM: Configure the DC as a DNS server on the internal network that can perform both internal and Internet host name resolution.
b) How will I have to set up the internet connection for the DC? (I am using an ADSL connection that will be connected to the External interface on the ISA Server.) TOM: Configure the DC as a SecureNAT client.
2. I was thinking that it would be better to set up the ISA server first with DNS and DHCP and then the others. TOM: No, set up the DC first, then join the ISA firewall to the domain.
a) If I were to do this then when I set up AD on the DC how will that work? b) Should I put the ISA server on the domain as well? TOM: Yes, create the domain first, then join the ISA firewall to the domain.
3. How do I set up an ADSL connection on the ISA Server and then have the internet through the internal interface to the rest of the network? TOM: Get the book!
Put a second NIC in your ISA server and connect your ADSL modem/router to that. It depends on the type of connection you have with your ISP (bridged, PPPoE, etc.) as to how you configure things.
If it is PPPoE then you will either need the modem to authenticate (be careful of running NAT on both the router and ISA however as this can impact VPN connectivity) or the ISA server will need to authenticate.
If the router has a private IP address (if it runs NAT, for example) then you will need to ensure that the subnet this IP is in is not included in the Internal (or any other) network in ISA. That way it will reside in External and ISA will work fine.
If it is a bridged connection then your second NIC will have the IP assigned by your ISP and will be in the External network by default.
You will now be able to set up rules between the Internal, Local Host, External networks, etc.
If you must use a USB ADSL modem then this will be a dial-up device and you will need to set up dialling from ISA. Under Configuration, General open up Dial-up Preferences and configure the External connection.
From: Toronto, ON
It is a PPPoE connection and I will be connecting the ADSL modem directly to the External card on the ISA Server.
I was just wondering too, when I am setting up the DC, would it be right to make the ISA server the default gateway from the beginning itself? Also, if I am not mistaken, I should install ISA on the server (gateway) after adding it to the domain (DC), right?
Also, if I were to make the system connect directly to the ADSL modem I would have problems later on (currently the DC has 2 NICs; previously it was acting as the router with an external and internal NIC). I am talking about the initial setup of the DC. When setting up the machine it needs an internet connection to query the Root DNS servers, or the ISP DNS servers, right?
If anything I am saying does not make sense, I will be glad to send you a Visio diagram of my network.
You should not need an Internet connection when setting up your AD (you mentioned you had a BDC but I am assuming this was a typo? If not, what versions of Windows are you setting up?).
I would actually say that until you have your server set up and patched, etc., you would want to have limited connectivity with the outside world. If you are setting up a satellite office and joining an existing forest or domain then you may need to set up ISA first, but I would need more information to give any reasonable advice.
From: Toronto, ON
I am starting up an entirely new domain. Once I have the DC (Windows Server 2003 Standard Edition) set up and running I will then add the ISA server (Windows Server 2003 Standard Edition), get the internet running and then implement the Secondary DC (Windows Server 2003 Standard Edition - once I know everything is working properly).
I just wanted to make sure about the IP scheme, if you don't mind.
For the DC: IP: 192.168.16.2 Subnet Mask: 255.255.255.0 Default Gateway: 192.168.16.1 DNS1:192.168.1.2 DNS2:192.168.1.x
For the DNS setup I would forward the DNS to the ISP's servers right?
Internal adapter of the ISA server: IP: 192.168.16.1 Subnet Mask: 255.255.255.0 Default Gateway: ? (If I am not mistaken this should be blank) DNS1:192.168.1.2 DNS2:192.168.1.x
Would this be right?
There is only one location right now. Everything will be done from here and then later on I will implement a VPN solution as well.
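Since the IP scheme above is where ISA deployments usually go wrong, here is a small checker I wrote for this thread (it is not from the forum, from the book or from Microsoft). The addresses in it are made up for the demonstration; the rules are the ones given earlier in the thread: every internal host's default gateway and DNS servers must sit on its own subnet, the ISA internal adapter carries no default gateway (only the external side does), and any private address held by the ADSL modem/router must fall outside every range defined as ISA's Internal network so that ISA treats it as External.

```python
"""Sanity-check a small ISA 2004 addressing plan.

Added example for this thread, not code from the forum or from Microsoft.
All addresses below are constructed for illustration.
"""
from ipaddress import ip_address, ip_interface, ip_network


def check_host(name, ip, netmask, gateway, dns_servers, is_isa_internal=False):
    """Return a list of problems for one host on the internal network."""
    problems = []
    iface = ip_interface(f"{ip}/{netmask}")  # accepts a dotted netmask or a prefix length
    subnet = iface.network
    if is_isa_internal:
        # ISA's internal adapter must not carry a default gateway; only the external one does.
        if gateway is not None:
            problems.append(f"{name}: ISA internal adapter should have no default gateway")
    elif gateway is None:
        problems.append(f"{name}: no default gateway set")
    elif ip_address(gateway) not in subnet:
        problems.append(f"{name}: gateway {gateway} is not on subnet {subnet}")
    for dns in dns_servers:
        if ip_address(dns) not in subnet:
            problems.append(f"{name}: DNS server {dns} is not on subnet {subnet}")
    return problems


def check_router_outside_internal(router_ip, internal_ranges):
    """Flag a modem/router private IP that ISA would classify as Internal instead of External."""
    problems = []
    for rng in internal_ranges:
        if ip_address(router_ip) in ip_network(rng):
            problems.append(f"router {router_ip} falls inside ISA Internal range {rng}")
    return problems


def validate_plan(plan):
    """Run every check over a plan dict; an empty list means the plan is consistent."""
    problems = []
    for host in plan["hosts"]:
        problems += check_host(**host)
    if plan.get("router_private_ip"):
        problems += check_router_outside_internal(plan["router_private_ip"],
                                                  plan["isa_internal_ranges"])
    return problems


# Constructed plan that follows the advice in the thread.
GOOD_PLAN = {
    "isa_internal_ranges": ["192.168.16.0/24"],
    "router_private_ip": "192.168.1.1",  # NAT-ing PPPoE modem/router, outside Internal
    "hosts": [
        {"name": "DC1", "ip": "192.168.16.2", "netmask": "255.255.255.0",
         "gateway": "192.168.16.1", "dns_servers": ["192.168.16.2"]},
        {"name": "ISA-internal", "ip": "192.168.16.1", "netmask": "255.255.255.0",
         "gateway": None, "dns_servers": ["192.168.16.2"], "is_isa_internal": True},
    ],
}

# Constructed plan containing the three mistakes the checks are meant to catch.
BAD_PLAN = {
    "isa_internal_ranges": ["192.168.0.0/16"],  # too wide: swallows the router's subnet
    "router_private_ip": "192.168.1.1",
    "hosts": [
        {"name": "DC1", "ip": "192.168.16.2", "netmask": "255.255.255.0",
         "gateway": "192.168.16.1", "dns_servers": ["192.168.1.2"]},  # DNS off the DC's subnet
        {"name": "ISA-internal", "ip": "192.168.16.1", "netmask": "255.255.255.0",
         "gateway": "192.168.16.254", "dns_servers": ["192.168.16.2"],  # gateway wrongly set
         "is_isa_internal": True},
    ],
}

if __name__ == "__main__":
    for label, plan in (("good", GOOD_PLAN), ("bad", BAD_PLAN)):
        print(label, validate_plan(plan) or "OK")
```

Run it as-is and the good plan reports OK while the bad one lists all three faults. Swap in your own addresses and Internal ranges before you create the ISA network rules; it is much cheaper to catch a router subnet sitting inside Internal here than after the firewall is in place.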
I have to say it very much sounds like you need someone who knows what they are doing to help you set things up.
Windows 2003 does not have PDCs or BDCs; all domain controllers are peers, but you can assign various roles to them, etc. A lot to go into that is not really right for this forum.
AD needs DNS to work, so you will set that up at the same time as setting up your first server or when you promote it. When you have your Internet connection working you can then set DNS forwarding for all external requests to your ISP's DNS server.
Once again, I think you should get someone in to help that has the experience and will make sure that things are setup correctly.
From: Toronto, ON
If I sounded like I don't know what I am doing, I do apologise. I do have a pretty good idea of how things work. It's just that I would like to get a few aspects of the entire installation addressed.
I should have used the right terms. I am aware that there are no PDCs and BDCs in Win2K3. What I meant was that I will have a primary DC and a secondary DC. I guess that sounds a lot better.
I know I am asking a lot of questions. I just want to be on the safe side and get a better idea of different possibilities.
It's just that setting up ISA is not as simple as I thought it might be. There is a lot to think about. I will check the ISA and Win2K3 documentation for help on both of them. Hopefully whatever I am thinking will be addressed in them. Thank you for all your help.
I was not meaning to be unhelpful, just that it sounded like you needed more help than could be provided here. You seemed to misunderstand some basic fundamentals of Windows 2003 and ISA configuration, and that can only be addressed by reading, getting help from someone, practice, more reading, more practice, etc.
Good luck with things. ISA 2004 is a very decent firewall and proxy server. You should never just set it up and hope for the best, you should always do a good security audit and profile and set your policies accordingly. Then you map those policies into ISA and Windows configurations. The problem when this software gets easier to install and get running is people (me included) tend to shortcut things they shouldn't.