ISA setup together with HW firewall

All Forums >> [ISA 2006 General] >> Installation and Planning


alphasec -> ISA setup together with HW firewall (6.Oct.2006 2:48:45 PM)


I'm currently in a position where I have to implement an ISA server in an existing LAN.
The LAN uses at the moment a D-Link DFL-800 firewall with 2 WAN ports, 1 DMZ port and 7 LAN ports. It is not an option to discard this box.
We need to implement an ISA firewall for secure publishing of OWA and various websites.
The way I see it, I have 2 options.

1) Use ISA with a single NIC, located in the DMZ, where I use it to publish the OWA sites and the various websites. This is all good, but with limitations.

2) Use ISA with 2 NICs. One NIC in the DMZ, and 1 NIC on the LAN. I guess this setup will be the same as a "back to back" configuration. All hosts on the LAN will have the ISA server's internal IP address as their default gateway, and the ISA server then routes all traffic through the D-Link firewall.
VPN clients will connect to the D-Link firewall, and use the D-Link as their default gateway.

Does option 2 look like a doable alternative, or will this only give me more headaches down the road?

tshinder -> RE: ISA setup together with HW firewall (6.Oct.2006 5:45:35 PM)

Hi Alpha,


Never implement the ISA Firewall in single NIC, unless there are political reasons for doing so.

Just create a back to back Firewall config. The low sec firewall in front, and the high sec ISA Firewall in the back. That is a very simple config.


alphasec -> RE: ISA setup together with HW firewall (7.Oct.2006 5:08:41 AM)

Hi Tom

Thanks for your reply. So, how would I go about this to make this as secure as possible?

What I'm now thinking is something along the following lines:

1) Put the DFL-800 firewall directly on the net. Use this as the front firewall, and as VPN server for the VPN clients.
2) Hook the ISA's external firewall interface to the DFL's DMZ interface. Establish all publishing rules for OWA, clients and such on the ISA, and hook the ISA's internal interface to one of the DFL's LAN ports. Forward all relevant ports from the DFL to the ISA's external interface.
3) Block all traffic to the internet from the LAN through the DFL. Instead use the internal interface of the ISA server as default gateway for all internal clients, so I can use ISA's great filtering and proxy features.
4) Establish only rules for the VPN clients through the DFL. They use the DFL as their default gateway to the internet and never know about the ISA, since they connect directly to the DFL.

Is this the best solution for my problem?

I've actually considered this solution:
But since we only have one IP address in our public block, this wouldn't work.

Hope you can provide me with some feedback, Tom. I've read most of your work and respect your opinions.
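The back-to-back layout sketched in steps 1 to 4 above, as an added policy model that is not from the original thread or from either vendor: the DFL-800 in front with the single public address and the VPN termination, ISA behind it with its external NIC on the DFL's DMZ port and its internal NIC on the LAN. Every address, rule table and hop order below is an assumption chosen for the example (RFC 1918 and RFC 5737 documentation ranges), and the two policies are deliberately minimal: the DFL forwards only 443 to ISA's external NIC and denies LAN-to-internet, ISA publishes OWA and proxies the LAN. The `evaluate` function traces a flow through the firewalls it actually crosses, which is what you want to check before pointing real clients at the new default gateway: that OWA is reachable only via both boxes, that a LAN host cannot go out except through ISA, and that VPN clients never touch ISA.

```python
"""Policy model of a back-to-back layout: D-Link DFL-800 in front (public IP,
VPN termination), ISA behind it with its external NIC in the DFL's DMZ and
its internal NIC on the LAN. Addresses and rules are example assumptions."""
from dataclasses import dataclass, replace
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
DMZ = ip_network("192.168.100.0/24")       # DFL DMZ port; holds ISA's external NIC
LAN = ip_network("192.168.1.0/24")         # internal clients, default gateway = ISA_INT
VPN_POOL = ip_network("192.168.200.0/24")  # addresses the DFL hands to VPN clients
DFL_PUBLIC = "203.0.113.10"                # the one public address (assumed)
ISA_EXT = "192.168.100.2"                  # ISA external NIC, on the DFL DMZ port
ISA_INT = "192.168.1.1"                    # ISA internal NIC, LAN default gateway
OWA = "192.168.1.20"                       # Exchange front end published by ISA (assumed)


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow", "deny" or "forward"
    src: IPv4Network
    dst: IPv4Network
    ports: Optional[frozenset] = None  # None = any destination port
    forward_to: Optional[str] = None   # new destination for "forward" (port forward / publishing)


def host(addr: str) -> IPv4Network:
    return ip_network(addr + "/32")


# Front firewall (step 1-4): only 443 to the public IP is forwarded, and it
# goes to ISA's external NIC. LAN-to-internet is blocked here (step 3) so the
# LAN cannot bypass ISA; VPN clients, which terminate on the DFL, go out directly.
DFL_POLICY = [
    Rule("forward", ANY, host(DFL_PUBLIC), frozenset({443}), forward_to=ISA_EXT),
    Rule("allow", VPN_POOL, ANY),
    Rule("deny", LAN, ANY),
    Rule("allow", DMZ, ANY),   # ISA's own outbound (proxied LAN traffic leaves from ISA_EXT)
]

# Back firewall (step 2-3): OWA publishing rule, web proxy for LAN clients only.
ISA_POLICY = [
    Rule("forward", ANY, host(ISA_EXT), frozenset({443}), forward_to=OWA),
    Rule("allow", LAN, ANY, frozenset({80, 443})),
]

POLICIES = {"DFL": DFL_POLICY, "ISA": ISA_POLICY}


def first_match(policy: List[Rule], flow: Flow) -> Optional[Rule]:
    """First-match semantics; no match means the implicit default deny."""
    s, d = ip_address(flow.src), ip_address(flow.dst)
    for rule in policy:
        if s in rule.src and d in rule.dst and (rule.ports is None or flow.dport in rule.ports):
            return rule
    return None


def evaluate(flow: Flow, lan_gateway: str = "ISA") -> Tuple[str, List[Tuple[str, str, Flow]]]:
    """Trace a flow through the firewalls it crosses.

    lan_gateway="DFL" models a LAN host that points its default gateway at the
    DFL instead of ISA (the bypass step 3 is meant to stop). Returns the final
    verdict and a list of (firewall, action, flow as it leaves that firewall)."""
    src = ip_address(flow.src)
    queue = ["ISA", "DFL"] if (src in LAN and lan_gateway == "ISA") else ["DFL"]
    trace: List[Tuple[str, str, Flow]] = []
    while queue:
        fw = queue.pop(0)
        rule = first_match(POLICIES[fw], flow)
        action = rule.action if rule else "deny"
        if action == "deny":
            trace.append((fw, "deny", flow))
            return "deny", trace
        if action == "forward":
            flow = replace(flow, dst=rule.forward_to)
            if ip_address(flow.dst) in DMZ:   # forwarded to ISA's external NIC: ISA inspects next
                queue.append("ISA")
        elif fw == "ISA" and ip_address(flow.src) in LAN:
            flow = replace(flow, src=ISA_EXT)  # proxied/NATed LAN traffic leaves from ISA_EXT
        trace.append((fw, action, flow))
    return "allow", trace


if __name__ == "__main__":
    for f, gw in [(Flow("198.51.100.7", DFL_PUBLIC, 443), "ISA"),   # OWA from the internet
                  (Flow("198.51.100.7", DFL_PUBLIC, 25), "ISA"),    # unpublished port
                  (Flow("192.168.1.50", "198.51.100.9", 443), "ISA"),  # LAN client via ISA
                  (Flow("192.168.1.50", "198.51.100.9", 443), "DFL"),  # LAN client bypassing ISA
                  (Flow("192.168.200.7", "198.51.100.9", 80), "ISA")]:  # VPN client
        verdict, steps = evaluate(f, gw)
        print(verdict, [(fw, act, fl.src, fl.dst) for fw, act, fl in steps])
```

The trace makes the division of labour explicit: the OWA request is rewritten twice (DFL public address to ISA_EXT, then ISA_EXT to the Exchange host), LAN clients reach the internet only after ISA has allowed them and are then seen by the DFL as ISA's DMZ address, and a LAN host that points its gateway at the DFL hits the deny rule there. Extend the two rule tables with the real DFL and ISA policies before relying on the result.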

