ISA 2000 or 2004 for DMZ (Full Version)



Compton -> ISA 2000 or 2004 for DMZ (31.Aug.2004 6:00:00 PM)


I'm trying to install a DMZ with a web server in between two ISA servers (one is already up and running as our current firewall).
My previous post:;f=3;t=004338

I own both of Tom's ISA 2000 books (just ordered the newer one) and was wondering if it would be easier to just install ISA 2004 as my Internet-side firewall instead of 2000. I heard it's a lot easier to set up a DMZ in 2004. Any comments? Thanks

tshinder -> RE: ISA 2000 or 2004 for DMZ (1.Sep.2004 8:25:00 AM)

Hi Compton,

Yes, it's a lot easier to create a trihomed DMZ segment with the new ISA firewall. I'd definitely go with it if you have the chance.


Compton -> RE: ISA 2000 or 2004 for DMZ (6.Sep.2004 6:51:00 PM)

Would I have to use a trihomed server? Or could I do a back-to-back DMZ?

tshinder -> RE: ISA 2000 or 2004 for DMZ (7.Sep.2004 2:38:00 AM)

Hi Compton,

No problem with trihomed, back-to-back, or even back-to-back trihomed ISA firewalls. I've done it all those ways. It all depends on how you want to segment and secure your network. And the really cool thing is you get stateful filtering and stateful application-layer inspection for ALL networks!


Compton -> RE: ISA 2000 or 2004 for DMZ (7.Sep.2004 5:43:00 PM)

Thanks for your reply, Tom. In reading your ISA Server and Beyond book, it seems as though the back-to-back would be a lot easier to configure. My questions are (forgive me if these questions are low level):

1. What is the purpose/advantage of having a trihomed ISA server as opposed to the back-to-back?
2. Do you have to use 3 (or 2) separate network cards for these solutions (as opposed to just adding the IP addresses to 1 NIC)? I am thinking yes due to all of the other settings, but want to make sure.
3. Is there an advantage to using a public IP address DMZ vs. a private address range?
4. Is there a write-up anywhere as to the ideal physical connectivity of this solution? (E.g. should the DMZ be isolated on its own switch?)
5. I know you said 2004 is easier to implement a trihomed solution, but is 2004 easier to implement a back-to-back solution, or should I stick with 2000? I haven't purchased either yet for the 2nd firewall. Thanks

Proposed Connectivity:
Internet-->ISA-->DMZ WEB SERVER-->ISA-->Citrix Server

Thanks a lot for any help.

[ September 07, 2004, 05:51 PM: Message edited by: Compton ]

tshinder -> RE: ISA 2000 or 2004 for DMZ (8.Sep.2004 3:00:00 PM)

Hi Compton,

Thanks for getting the book! [Big Grin]

I think the back-to-back config is always more secure, and in most cases easier. So, if you have the option to configure a back-to-back config, I'd go with that.

