I am having trouble finding a good plan for our network! We want to deploy an ISA Server 2006 for caching, content filtering and monitoring the traffic in this network:
Internet --->Router1---> Firewall--->Router2--->Campos1(LAN) Intranet ^--->Router3--->Campos2(LAN)
The default gateway for all clients is Router2. We also have a VPN intranet, and the firewall only allows a specific IP range to pass! It means that I have only one subnet to configure my ISA (255.255.254.0). I know that it's possible to break it into separate networks, but for some reasons we can't make any change to our IP addressing! We also have FTP, HTTP, Terminal Service... servers which must be accessible from the intranet! So please help me with this and tell me how I can configure my ISA to achieve the services I explained.
Place the ISA Firewall either behind the current firewall or in parallel. The parallel configuration is probably more secure, because you can fully take advantage of the ISA Firewall's security model and capabilities.
Hi again Dr. Shinder, and thank you so much for your kind help :)
Your document was so helpful. I'm trying to install my ISA 2006 in a back-to-back scenario, which I thought is the best scenario for our network, but I need a little more help with that ;) Let me explain in more detail: we have a Check Point firewall as the gateway, and its internal interface IP is (10.206.28.1/255.255.254.0). I configured the ISA external interface with the IP address (10.206.28.2/255.255.254.0), and the internal interface IP is (10.206.28.3/255.255.254.0). Now the internet connection for LAN clients is OK, but our intranet is inaccessible! I can't use NAT in my configuration because of intranet NetMeeting users and other applications which will fail to work if the NAT process is applied. The only IP range that the firewall allows to be transferred is (10.206.28.0-10.206.31.255). When I deploy ISA based on this scenario, it gives me an alert about the configuration! I know that it's because both interfaces are in the same network ID, but I can't change my IP addressing! I need my ISA to work as a router and not use NAT... and also my FTP server is still inaccessible from the intranet even when I published it! :(
Please help me with this :( I'm new to ISA Server :(
You can create an ISA Firewall Network for the Network ID representing the DMZ between the ISA Firewall and the Check Point device, and create a Network Rule set to Route between the ISA Firewall's default Internal Network and that DMZ Network. That should solve some of the VoIP issues.
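An added example, not part of either poster's messages: a Python check that takes only the addresses, mask and permitted range quoted in this thread and reports when two adapters on one multihomed host resolve to the same network ID, the condition the poster attributes the configuration alert to. The function names are hypothetical, and the last helper simply lists which network IDs of that mask the permitted range contains.

```python
import ipaddress
from itertools import combinations

# Values quoted in the thread above.
ALLOWED_RANGE = ("10.206.28.0", "10.206.31.255")  # range the Check Point lets through
MASK = "255.255.254.0"
ISA_ADAPTERS = {"external": "10.206.28.2", "internal": "10.206.28.3"}

def allowed_blocks(first, last):
    """Collapse an inclusive first-last address range into CIDR blocks."""
    nets = ipaddress.summarize_address_range(
        ipaddress.ip_address(first), ipaddress.ip_address(last))
    return [str(n) for n in nets]

def shared_network_ids(adapters, mask):
    """Return (adapter_a, adapter_b, network_id) for adapters of one host that overlap."""
    nets = {name: ipaddress.ip_interface(f"{ip}/{mask}").network
            for name, ip in adapters.items()}
    return [(a, b, str(nets[a])) for a, b in combinations(nets, 2)
            if nets[a].overlaps(nets[b])]

def outside_allowed(adapters, mask, first, last):
    """Return adapter names whose network is not contained in the permitted range."""
    blocks = [ipaddress.ip_network(b) for b in allowed_blocks(first, last)]
    return [name for name, ip in adapters.items()
            if not any(ipaddress.ip_interface(f"{ip}/{mask}").network.subnet_of(b)
                       for b in blocks)]

def network_ids_in_range(first, last, mask):
    """List every network ID of the given mask that fits inside the permitted range."""
    prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    ids = []
    for block in allowed_blocks(first, last):
        net = ipaddress.ip_network(block)
        if net.prefixlen <= prefix:
            ids.extend(str(s) for s in net.subnets(new_prefix=prefix))
    return ids

if __name__ == "__main__":
    print("permitted range as CIDR:", allowed_blocks(*ALLOWED_RANGE))
    print("adapters sharing a network ID:", shared_network_ids(ISA_ADAPTERS, MASK))
    print("adapters outside permitted range:",
          outside_allowed(ISA_ADAPTERS, MASK, *ALLOWED_RANGE))
    print("network IDs of this mask in range:",
          network_ids_in_range(*ALLOWED_RANGE, MASK))
```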