I own both of Tom's ISA 2000 books (just ordered the newer one) and was wondering if it would be easier to just install ISA 2004 as my Internet-side firewall instead of 2000. I heard it's a lot easier to set up a DMZ in 2004. Any comments? Thanks
No problem with trihomed, back to back, or even back to back trihomed ISA firewalls. I've done it all those ways. It all depends on how you want to segment and secure your network. And the really cool thing is you get stateful filtering and stateful application layer inspection for ALL networks!
Thanks for your reply Tom. In reading your ISA Server and Beyond book, it seems as though the back to back would be a lot easier to configure. My questions are: (Forgive me if these questions are low level)
1. What is the purpose/advantage of having a trihomed ISA server as opposed to the back-to-back design?
2. Do you have to use 3 (or 2) separate network cards for these solutions (as opposed to just adding the IP addresses to 1 NIC)? I am thinking yes due to all of the other settings, but want to make sure.
3. Is there an advantage to using a public IP address DMZ vs. a private address range?
4. Is there a write-up anywhere as to the ideal physical connectivity of this solution? (e.g. Should the DMZ be isolated on its own switch?)
5. I know you said 2004 is easier to implement a trihomed solution, but is 2004 easier to implement a back-to-back solution? Or should I stick with 2000? I haven't purchased either yet for the 2nd firewall.
Thanks
Proposed Connectivity: Internet-->ISA-->DMZ WEB SERVER-->ISA-->Citrix Server
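To make the difference between the two designs discussed in this thread concrete, here is a small topology model (added as an illustration; it is not ISA Server configuration, not code from Tom or the original poster, and the firewall names and the `("DMZ", "Internal")` rule permitting the web tier to talk to the Citrix server are assumptions). It treats each firewall as a policy enforcement point joining segments, and walks chains of permitted connections, which is what an attacker who has compromised a DMZ host would have to do to pivot further inward. For the back-to-back layout proposed above (Internet --> ISA --> DMZ --> ISA --> Citrix), a pivot from the Internet to the internal segment has to get through two independently configured firewalls; in the trihomed layout it only ever crosses one, so a single misconfigured policy exposes both segments.

```python
"""Topology model: back-to-back vs. trihomed ISA firewall designs.

Added example for illustration only. Segment names follow the proposed
connectivity in the thread; firewall names and the rule set are assumed.
"""
from collections import deque

# Assumed rule sets. A rule (src, dst) means that firewall permits new
# connections initiated from segment src toward segment dst.
BACK_TO_BACK = {
    "ISA-front": {"segments": {"Internet", "DMZ"},
                  "rules": {("Internet", "DMZ")}},
    "ISA-back":  {"segments": {"DMZ", "Internal"},
                  "rules": {("DMZ", "Internal")}},   # assumed: web tier -> Citrix
}

TRIHOMED = {
    "ISA": {"segments": {"Internet", "DMZ", "Internal"},
            "rules": {("Internet", "DMZ"), ("DMZ", "Internal")}},
}


def hop_chains(topology, src, dst):
    """Enumerate chains of permitted hops from src to dst.

    Each hop is a new connection some firewall permits; chaining hops models
    an attacker pivoting through a host in the intermediate segment. Returns
    a list of chains, each a list of firewall names (one entry per hop).
    """
    chains = []
    queue = deque([(src, [src], [])])
    while queue:
        seg, visited, crossed = queue.popleft()
        if seg == dst:
            chains.append(crossed)
            continue
        for fw, spec in topology.items():
            if seg not in spec["segments"]:
                continue
            for rule_src, rule_dst in spec["rules"]:
                if rule_src == seg and rule_dst not in visited:
                    queue.append((rule_dst, visited + [rule_dst], crossed + [fw]))
    return chains


def independent_policy_points(topology, src, dst):
    """Fewest distinct firewalls a pivoting attacker must get a permitted
    connection through to reach dst from src, or None if unreachable."""
    chains = hop_chains(topology, src, dst)
    if not chains:
        return None
    return min(len(set(chain)) for chain in chains)


def directly_permitted(topology, src, dst):
    """True if any firewall has a rule allowing src -> dst in a single hop."""
    return any((src, dst) in spec["rules"] for spec in topology.values())


if __name__ == "__main__":
    for name, topo in (("back-to-back", BACK_TO_BACK), ("trihomed", TRIHOMED)):
        print(f"{name}: Internet -> Internal directly permitted? "
              f"{directly_permitted(topo, 'Internet', 'Internal')}; "
              f"independent firewalls on a pivot path: "
              f"{independent_policy_points(topo, 'Internet', 'Internal')}")
```

Neither layout permits Internet to Internal in a single hop, so both pass the obvious check; the model shows where they differ, which is how many separately administered policies stand between a compromised DMZ web server and the Citrix host. The same function can be run against any rule set you are considering before committing to hardware and NICs.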