• Twitter
  • FaceBook

Welcome to ISAserver.org

Forums | Register | Login | My Profile | Inbox | RSS RSS icon | My Subscription | My Forums | Address Book | Member List | Search | FAQ | Ticket List | Log Out

ISA setup toghether with HW firewall

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA 2006 General] >> Installation and Planning >> ISA setup toghether with HW firewall Page: [1]
Message << Older Topic   Newer Topic >>
ISA setup toghether with HW firewall - 6.Oct.2006 2:48:45 PM   


Posts: 2
Joined: 6.Oct.2006
Status: offline

I'm currently in a possition where I have to implement an ISA server in an  existing LAN.
The LAN uses at the moment a D-Link DFL-800 firewall with 2  WAN ports, 1 DMZ port and 7 LAN ports. It is not an option to discard this  box.
We need to implement a ISA firewall for secure publishing of OWA and  variouse websites.
The way I see it, I have 2 options.

1) Use ISA with a singel NIC, located in the DMZ where I use it to publish the OWA sites, and the variouse websites. This is all good, but with  limitations.

2) Use ISA with 2 NICs. One NIC in the DMZ, and 1 NIC on the LAN. I guess  this setup will be the same as a "back to back" configuration. All hosts on the LAN will have the ISA server's internal IP adresse as their  default gateway, and the ISA server then routes all traffic through the  D-Link firewall.
VPN clients will connect to the D-Link firewall, and use the D-Link as their  default gateway.

Does option 2 look like a doable alternative, or will this only give me more
headaches down the road?


Regards A.
Post #: 1
RE: ISA setup toghether with HW firewall - 6.Oct.2006 5:45:35 PM   


Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Alpha,


Never implement the ISA Firewall in single NIC, unless there are political reasons for doing so.

Just create a back to back Firewall config. The low sec firewall in front, the and high sec ISA Firewall in the back. That is a very simple config.



Thomas W Shinder, M.D.

(in reply to alphasec)
Post #: 2
RE: ISA setup toghether with HW firewall - 7.Oct.2006 5:08:41 AM   


Posts: 2
Joined: 6.Oct.2006
Status: offline
Hi Tom

Thanks for your reply. So, how would I go about this to make this as secure as possible?

What I'm now thinking is something along the following lines:

1) Put the DFL-800 firewall directly to the net. Use this as front firewall, and VPN server for the VPN clients.
2)Hook the ISA's external firewall interface on the DFL's DMZ interface. Establish all publishing rules for OWA, clients and such on the ISA, and hook the ISA's internal interface on one of the DFL's LAN ports. Forward all relevant ports from the DFL to the ISA's external interface.
3) Block all trafikk to the internett from the LAN and through the DFL. Instead use the internal interface of the ISA server as default gateway for all internal clients. So I can use the ISA great filtering and proxy features.
4) Establish only rules for the VPN clients through the DFL. They use the DFL as their default gateway to the internet and never now about the ISA, since they connect directly to the DFL.

Is this the best solution for my problem?

I've actually considered this solution: http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html
But since we only have on IP adresses in out public block this wouldn't work.

Hope you can provide me with some feedback, Tom. I've read most of your work and respect your opinions.



Regards A.

(in reply to tshinder)
Post #: 3

Page:   [1] << Older Topic    Newer Topic >>
All Forums >> [ISA 2006 General] >> Installation and Planning >> ISA setup toghether with HW firewall Page: [1]
Jump to:

New Messages No New Messages
Hot Topic w/ New Messages Hot Topic w/o New Messages
Locked w/ New Messages Locked w/o New Messages
 Post New Thread
 Reply to Message
 Post New Poll
 Submit Vote
 Delete My Own Post
 Delete My Own Thread
 Rate Posts