I currently have an ISA 2004 firewall (single-NIC) installed on my network that is being used as a web proxy for my OWA. The ISA firewall is sitting behind my PIX 515, and is a member of the domain. I am using the PIX in conjunction with a TACACS server to authenticate requests to the Internet. I have a static IP address that is assigned by my ISP and my PIX is currently configured as my gateway for internal devices.
I would like to route all internal users and possibly servers through the ISA firewall and have the ISA firewall do the authentication of Internet requests, using Microsoft Authentication. I have several websites that are published through the PIX that are connected to via static external IP addresses. I am using the PIX to NAT the addresses.
So on to the questions.
1. Since I already have the ISA firewall programmed in single-NIC mode, what issues am I likely to see by trying to change to multi-homed mode (probably 2 NICs, 1 internal, 1 external)?
2. Management wants me to test this with just a handful of people first; is that possible if I change to multi-homed mode?
3. I am wanting to create 3 groups in Active Directory, RestrictedInternet, GeneralInternet and UnRestrictedInternet, then use whitelist control of websites rather than blacklists; does this make sense?
4. My current web servers host webpages and secure FTP servers. I want the change to be transparent to external users; is this possible and if so, how?
5. Would I be better off just keeping my ISA firewall single-NIC and using it as a web proxy? I have the flexibility to go either direction as long as it works and doesn't impact performance.
6. Did I miss anything else that I should be concerned with?
I appreciate any assistance that you can provide. If you believe I am too far gone to do this myself, I am in Ohio and open to working with a consultant.
Your options for a migration depend a little bit on your internal layer 3 network design as well as the hardware configuration of your PIX.
If you have 3 NIC PIX, you can put the outside interface of the ISA server on the DMZ, and leave the inside interface of the PIX in production. You would just have to add the NIC, reconfigure ISA to operate in multi-home mode, and change your default gateway on your ISA Server. Then, when you are happy with the configuration, you can deactivate the inside interface of the PIX.
If you have a 2 NIC PIX, you will most likely need to move the ISA to be inline with your PIX. This means that all internet traffic will be going through the ISA Server and the PIX. Obviously, this method is a little more painful in the short run if you have configuration issues. In the long run, this is where you need to be, but the 3 NIC PIX configuration allows you to get to this point without impacting existing users.
If you have a single layer 3 network, you are limited to changing the default gateway of machines that you want to test with so all internet traffic routes out through the ISA server.
In either case, you will need to put deny statements for the IPs of the test machines at the top of the access-list on the PIX that is forcing HTTP(S) traffic to be authenticated against ACS, and then remove that authentication configuration entirely once you have moved to routing all traffic through ISA.
I know I have talked a lot without really saying much here, but if you provide a more detailed network description, I could provide a more conclusive answer! In general, you can leave the PIX in place, but you definitely want to get out of the uni-homed mode into a scenario where your ISA server is inline behind your PIX so that all of your inbound and outbound traffic goes through the ISA Server.
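The exemption the reply above describes (deny entries for the test machines at the top of the PIX access-list that drives TACACS/ACS authentication, then removal of that authentication once everything routes through ISA), written out as an added PIX 6.x configuration fragment. This is not the poster's or the responder's configuration: the access-list name AUTH_HTTP, the server tag ACS, the test-host address 10.1.1.50, the ACS server address 10.1.1.10 and the shared key are all constructed placeholders, and the interface name "inside" is assumed.

```cisco
! Added example (assumed names and addresses, not the poster's config).
! On the PIX, a deny line in the access-list referenced by
! "aaa authentication match" exempts that traffic from authentication,
! so the test machines must be denied BEFORE the general permit lines.
access-list AUTH_HTTP deny tcp host 10.1.1.50 any eq www
access-list AUTH_HTTP deny tcp host 10.1.1.50 any eq https
! Everyone else still authenticates against ACS for HTTP and HTTPS.
access-list AUTH_HTTP permit tcp any any eq www
access-list AUTH_HTTP permit tcp any any eq https
!
! TACACS+ server group (placeholder address and key).
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.10 PLACEHOLDER_KEY timeout 5
!
! Bind the list to inbound traffic on the inside interface.
aaa authentication match AUTH_HTTP inside ACS
!
! Once all clients use the ISA server as their gateway and ISA performs
! the Windows authentication, remove the PIX-side authentication entirely:
! no aaa authentication match AUTH_HTTP inside ACS
```

Order matters because the PIX evaluates the list top-down and stops at the first match; a test host whose deny line sits below the permit lines would still be prompted by ACS. Write the running config to flash after the change so the exemption survives a reload.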
First off I would like to thank you for the response.
My PIX has 6 interfaces, 4 are in use. My ISA server already has a second NIC in it, but it is currently disabled. If I moved my ISA server to one of the open interfaces on the PIX, how would this affect my OWA traffic?
I am not sure what you mean by a single layer 3 network, sorry, my brain just isn't functioning. I have a single VLAN with my primary site using 10.x.x.x and 3 satellite sites using 192.168.x.x.
I am also confused as to what happens to my gateway. Currently the internal interface of the PIX is 10.1.x.x. I remember reading that the external interface on the ISA server can't be in the same IP range as my other NIC. If my current internal NIC is 10.1.x.x and I make my external NIC 10.2.x.x, doesn't the internal interface on the PIX need to be 10.2.x.x? If so, does that mean I would need to change the gateway on all of my systems?
External NIC ISA (?) -- ISA Server -- Internal NIC ISA (10.1.x.x)
Also, my web servers are all assigned valid IP addresses that are NATed in the PIX, i.e. static (inside,outside) X.X.X.X 10.1.X.1 netmask 255.255.255.255 0 0
Now the way my ISA server is published through the PIX is static (inside,outside) tcp x.x.x.x www 10.1.x.2 www netmask 255.255.255.255 0 0 and static (inside,outside) tcp x.x.x.x https 10.1.x.2 https netmask 255.255.255.255 0 0
So when I have everything routing through the ISA server, do I need to get rid of all of the old valid IP addresses, because as best as I can tell the PIX won't let a many-to-one relationship be created?
I have set up an ISA server with 2 NICs. I have given the internal NIC an internal IP address and made up a new range for my external NIC. I have directly connected the external NIC to the PIX. The PIX's interface has a matching IP address to the external NIC.
PIX External Interface 10.2.x.1
ISA External Interface 10.2.x.2
ISA Internal Interface 10.1.x.x
I have set the network template to back end firewall. I then set one of my computers' gateway to 10.1.x.x and can no longer reach the Internet.
I am seeing "connection initiated", "connection closed" and "failed connection attempt".
I have an access list applied to my outside interface on my PIX. I read in the article that Mr. Shinder sent that said to allow all inbound and outbound traffic to the PIX DMZ interface. I have found the outbound command but do not see an inbound command. I would appreciate some help with this.
I am assuming the connection is being blocked by the PIX at this point; is that a correct assumption?
My intent is to test the system all the way through in DMZ configuration and then change to back to from mode for production.