• RSS
  • Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

Need Configuration advice

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 General ] >> Installation >> Need Configuration advice Page: [1]
Login
Message << Older Topic   Newer Topic >>
Need Configuration advice - 28.Sep.2006 7:45:41 PM   
sandtiger

 

Posts: 15
Joined: 28.Sep.2006
Status: offline
I currently have an ISA 2004 firewall(single-nic) installed on my network the is being used as a web-proxy for my  OWA.  The ISA firewall is sitting behind my PIX 515, and is a member of the domain.  I am using the PIX in conjunction with a TACACS server to authenticate requests to the Internet.  I have a static IP address that is assigned by my ISP and my PIX is currently configured as my gateway for Internal devices. 

I would like to route all internal users and possibly servers through the ISA firewall and have the ISA firewall do the authentication of Internet requests, using Microsoft Authentication.  I have several websites that are published through the PIX that are connected to via static external IP addresses.  I am using the PIX to NAT the addresses.


So on to the questions.

1. Since I already have the ISA Firewall programmed in Single-Nic mode what issues am I likely to see by trying to change to multi-homed mode(probably 2 nics, 1 Internal, 1 External)?
2. Management wants me to test this with just a handful of people first, is that possible if I change to multi-homed mode.
3. I am wanting to create 3 groups in Active Directory a RestrictedInternet, GeneralInternet and UnRestrictedInternet then use whitelist control of websites rather than blacklists; does this make sense?
4. My current web servers host webpages and secure ftp servers I want the change to be transparent to external users, is this possible and if so how?
5. Would I be better off just keeping my ISA firewall single-nic and using it as a web-proxy.  I have the flexibility to go either direction as long as it works and doesn't impact performance.
6. Did I miss anything else that I should be concerned with.

I appreciate any assistance that you can provide.  If you believe I am to far gone to do this myself I am in Ohio and open to working with a consultant.
Post #: 1
RE: Need Configuration advice - 28.Sep.2006 8:19:11 PM   
tonygauderman

 

Posts: 107
Joined: 6.Feb.2006
Status: offline
Your options for a migration depend a little bit on your internal layer 3 network design as well as the hardware configuration of your PIX..

If you have 3 NIC PIX, you can put the outside interface of the ISA server on the DMZ, and leave the inside interface of the PIX in production.  You would just have to add the NIC, reconfigure ISA to operate in multi-home mode, and change your default gateway on your ISA Server.  Then, when you are happy with the configuration, you can deactivate the inside interface of the PIX.

If you have a 2 NIC PIX, you will most likely need to move the ISA to be inline with your PIX.  This means that all internet traffic will be going through the ISA Server and the PIX.  Obviously, this method is a little more painful in the short run if you have configuration issues.  In the long run, this is where you need to be, but the 3 NIC PIX configuration allows you to get to this point without impacting existing users.

If you have a single layer 3 network, you are limited to changing the default gateway of machines that you want to test with so all internet traffic routes out through the ISA server.

In either case, you will need to put deny statements for the IP's of the test machines at the top of the access-list on the PIX that is forcing HTTP(S) traffic to be authenticated against ACS and then remove that authentication configuration entirely once you have moved to routing all traffic through ISA.

I know I have talked a lot without really saying much here, but if you provide a more detailed network description, I could provide a more conclusive answer!  In general, you can leave the PIX in place, but you definitely want to get out of the uni-homed mode into a scenario where your ISA server is inline behind your PIX so that all of your inbound and outbound traffic goes through the ISA Server.

HTH
Tony

(in reply to sandtiger)
Post #: 2
RE: Need Configuration advice - 28.Sep.2006 8:42:17 PM   
sandtiger

 

Posts: 15
Joined: 28.Sep.2006
Status: offline
Tony,

First off I would like to thank you for the response. 

My PIX has 6 interfaces, 4 are in use.  My ISA server already has a second nic in it, but is currently disabled.  If I moved my ISA Server to one of the Open interfaces on the PIX how would this affect my OWA traffic?

I am not sure what you mean by a single layer 3 network, sorry my brain just isn't functioning.  I have a single VLAN with my primary site using a 10.x.x.x with 3 satellite sites using 192.168.x.x


(in reply to tonygauderman)
Post #: 3
RE: Need Configuration advice - 28.Sep.2006 9:35:57 PM   
sandtiger

 

Posts: 15
Joined: 28.Sep.2006
Status: offline
I am also confused as to what happens to my gateway.  Currently the internal interface of the PIX is 10.1.x.x  I remember reading the external interface on the ISA server can't be the same IP range as my other NIC.  If you current internal NIC is 10.1.x.x and I make my external nic 10.2.x.x doesn't the internal interface on the Pix need to be 10.2.x.x?  If so does that mean I would need to change the gateway on all of my systems?

    External Interface (ISP granted IP)
         Pix
   Internal Interface (10.1.x.x default gateway)

   External NIC ISA (?)
        ISA Server
   Internal NIC ISA (10.1.x.x)


Also, my web servers are all assigned valid IP addresses that are NATed in the PIX ie...  static (inside,outside) X.X.X.X 10.1.X.1 netmask 255.255.255.255 0 0

Now the way my ISA server is publish through the PIX is static (inside,outside) tcp x.x.x.x www 10.1.x.2 www netmask 255.255.255.255 0 0 and static (inside,outside) tcp x.x.x.x https 10.1.x.2 https netmask 255.255.255.255 0 0

So when I have everything routing through the ISA server do I need to get rid of all of the old valid IP addresses because as best as I can tell the PIX won't let a many to one relationship be created.

Such as:

static (inside,outside) X.X.X.1 10.1.X.1 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.2 10.1.X.1 netmask 255.255.255.255 0 0
static (inside,outside) X.X.X.3 10.1.X.1 netmask 255.255.255.255 0 0

(in reply to sandtiger)
Post #: 4
RE: Need Configuration advice - 29.Sep.2006 2:59:03 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
http://www.isaserver.org/tutorials/2004isapixdmz.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to sandtiger)
Post #: 5
RE: Need Configuration advice - 2.Oct.2006 8:59:30 PM   
sandtiger

 

Posts: 15
Joined: 28.Sep.2006
Status: offline
I have setup an ISA server with 2 NICs.  I have given the Internal NIC an Internal IP address and made up a new range for my External NIC.  I have directly connected the external NIC to the PIX.  The PIX's interface has a matching IP address to the external NIC

IE...

PIX
External Interface  10.2.x.1

External Interface 10..2.x.2
ISA
Internal Interface
10.1.x.x

I have set the network template to back end firewall.  I then set one of my computers gateway to 10.1.x.x and can no longer reach the Internet.

I am seeing connection initiated, connection closed and failed connection attempt.

I have an access list applied to my outside interface on my PIX.  I read in the article that Mr. Shinder sent that the said to allow all inbound and outbound traffic to the PIX DMZ interface.  I have found the outbound command but do not see an inbound command. I would appreciate some help with this.

I am assuming connection is being blocked by the PIX at this point, is that a correct assumption?

My intent is to test the system all the way through in DMZ configuration and then change to back to from mode for production.

(in reply to tshinder)
Post #: 6

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA Server 2004 General ] >> Installation >> Need Configuration advice Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts