I'm currently in a position where I have to implement an ISA server in an existing LAN. The LAN at the moment uses a D-Link DFL-800 firewall with 2 WAN ports, 1 DMZ port and 7 LAN ports. It is not an option to discard this box. We need to implement an ISA firewall for secure publishing of OWA and various websites. The way I see it, I have 2 options.
1) Use ISA with a single NIC, located in the DMZ, where I use it to publish the OWA sites and the various websites. This is all good, but with limitations.
2) Use ISA with 2 NICs. One NIC in the DMZ, and 1 NIC on the LAN. I guess this setup will be the same as a "back to back" configuration. All hosts on the LAN will have the ISA server's internal IP address as their default gateway, and the ISA server then routes all traffic through the D-Link firewall. VPN clients will connect to the D-Link firewall and use the D-Link as their default gateway.
Does option 2 look like a doable alternative, or will this only give me more headaches down the road?
Thanks for your reply. So, how would I go about this to make this as secure as possible?
What I'm now thinking is something along the following lines:
1) Put the DFL-800 firewall directly on the net. Use this as the front firewall, and as VPN server for the VPN clients.
2) Hook the ISA's external firewall interface to the DFL's DMZ interface. Establish all publishing rules for OWA, clients and such on the ISA, and hook the ISA's internal interface to one of the DFL's LAN ports. Forward all relevant ports from the DFL to the ISA's external interface.
3) Block all traffic to the internet from the LAN through the DFL. Instead, use the internal interface of the ISA server as the default gateway for all internal clients, so I can use the ISA's great filtering and proxy features.
4) Establish only rules for the VPN clients through the DFL. They use the DFL as their default gateway to the internet and never know about the ISA, since they connect directly to the DFL.