First off, my setup is kinda confusing to explain. It's a cross between a tri-homed setup and a back-to-back setup. We have a Sonicwall router in the front and an ISA server on the back, and we have a separate (private) DMZ connected on the OPT port of the Sonicwall router. So it looks something like this:
Sonicwall--DMZ (10.1.1.x) | ISA (192.168.2.x)
Now my question is this. What would be easier to setup?
1. Setting up the VPN on Sonicwall--from there, access either the DMZ or internal network (which would require it to pass through ISA, (and how would I do that?)).
2. Moving the DMZ onto a 3rd NIC on ISA, and just let ISA handle all VPN connections for both internal and DMZ (also, how do I do that?)
As it stands right now, it's set up as option 1, but I'm having connectivity issues (I can't RDP into the internal network)--which makes me also ask--can the RDP target be one of the internal servers, or does it have to be ISA that it RDPs into?
1. Setting up the VPN on Sonicwall--from there, access either the DMZ or internal network (which would require it to pass through ISA, (and how would I do that?)). TOM: Terminating the VPN at the ISA Firewall would be more secure, and would not require using the horked Sonicwall VPN client. Access to the DMZ could be done from a client on the internal network, or you could port forward at the Sonicwall.
2. Moving the DMZ onto a 3rd NIC on ISA, and just let ISA handle all VPN connections for both internal and DMZ (also, how do I do that?) TOM: This would be the superior solution, because the ISA Firewall's access controls and logging for VPN connections are much better than Sonicwall's. HTH, Tom
I have to agree with Tom. Replace that pesky Sonicwall with an ISA server instead. You get so much for free in the ISA firewall..
Just a quick tip though. My experience is that many people with a hardware firewall use the inside of their FW as their default gateway, but still have a router on the inside to other remote site networks. Don't make this mistake with the ISA. The stateful inspection will go haywire (as it should) when traffic comes from the remote site through the router directly to your machine on the network. When that machine answers, it sends the packet to ISA, but since the ISA server never heard the original message, it will drop the packet.
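The asymmetric-routing drop described in the tip above, as an added example that is not part of the original thread: a toy stateful-inspection table that only allows a reply when it has seen the request. The host addresses (172.16.5.10 for the remote site, 192.168.2.20 for the LAN host) are constructed for illustration.

```python
# Added example, not from the thread: a minimal connection tracker that shows
# why a stateful firewall drops replies for flows it never saw the start of.
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    syn: bool = False  # True for the first packet of a new flow


class StatefulFirewall:
    """Allow a packet only if it opens a new flow (SYN) or matches a flow
    already recorded in the state table, in either direction."""

    def __init__(self):
        self.flows = set()  # (src, dst) of flows seen from the initiating side
        self.log = []

    def inspect(self, pkt):
        if pkt.syn:
            self.flows.add((pkt.src, pkt.dst))
            self.log.append(f"ALLOW new flow {pkt.src}->{pkt.dst}")
            return True
        if (pkt.src, pkt.dst) in self.flows or (pkt.dst, pkt.src) in self.flows:
            self.log.append(f"ALLOW established {pkt.src}->{pkt.dst}")
            return True
        self.log.append(f"DROP no state {pkt.src}->{pkt.dst}")
        return False


REQUEST = Packet("172.16.5.10", "192.168.2.20", syn=True)  # remote site -> LAN host
REPLY = Packet("192.168.2.20", "172.16.5.10")              # LAN host -> remote site


def asymmetric_path():
    """Request enters via the internal router and bypasses the firewall;
    the LAN host's reply goes to the firewall (its default gateway) instead."""
    fw = StatefulFirewall()
    # REQUEST is deliberately never passed to fw.inspect(): the firewall has no state.
    return fw.inspect(REPLY), fw.log


def symmetric_path():
    """Same exchange with the firewall on both legs, e.g. after adding a route
    to the remote site on the firewall so request and reply traverse it."""
    fw = StatefulFirewall()
    return fw.inspect(REQUEST) and fw.inspect(REPLY), fw.log
```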
As of right now, the DMZ is on the Sonicwall though. We need to get a new mobo for the ISA server; it only has 2 PCI slots (which are used for int & ext), and although it has a 3rd onboard NIC, this NIC will be used for a secondary LAN that we must set up. So for right now, the DMZ is stuck on the hardware firewall.
But you are absolutely right about the packet inspection, because ISA sees most requests as coming from the hardware firewall's gateway IP, and not the original source.
One area where this was obvious was with users that have BlackBerrys; it was being caught by the Sonicwall's intrusion prevention module. But we've sorted that out by allowing low-level risks only (med & high are still enabled).
Our main purpose for having the Sonicwall in front is really for its AV scanning and content filtering. At least until we get a new mobo for ISA...then we can move the Sonicwall out altogether. woohoo!