Existing Internet connectivity from our site is for email and web access for internal users only. Therefore, all current incoming Internet traffic (except for email) is in response to an outgoing request. We are using a BlueCoat SG in proxy mode (set in the IE configuration) for all outgoing traffic and website filtering. Our existing Internet firewall is a packet-filter device.
Within the next 6 months we'll have to begin hosting from our location, which means creation of a DMZ and the addition of a second firewall. I'd like to implement an ISA2006 server between the current firewall and the SG. I need to keep the SG in place. Can ISA work without a Proxy client connecting to it (such as the SG)? I realize ISA would do most of what the SG is currently doing, but I don't have the option to remove it. The new structure would look like this:
Internet <--> Existing FW <--> DMZ & Web Svrs <--> ISA <--> SG Proxy out <--> SG
One more question: We also have an extensively VLAN'ed backbone (> 25 VLANs), so this will add complicating factors to ISA because of all the routes I'd have to create on ISA. Is this correct?
I agree. Actually, my brief drawing was oversimplified. We're proxying all user Internet traffic via the BC, but it's not actually "in-line". However, upon further review, I'm thinking of placing the ISA2006 firewall on the perimeter and moving the existing packet filter to the interior. We'll be able to use ISA Web publishing and the other features of ISA to their fullest, while keeping the DMZ isolated from the backbone with the older packet-filter FW. Does this sound reasonable?
The only issue I can see is VPN termination on ISA and getting it through the 2nd FW to the backbone.
That sounds like a good plan. You don't need to worry about terminating the VPN connections at the ISA Firewall. Just make sure you define the default internal network correctly and that you have routing table entries on the ISA Firewall to point to the correct gateways for each internal network ID the VPN clients will need to connect to.
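To make the routing advice above concrete for a backbone with 25+ VLANs, here is an added example (not from this thread or from ISA itself) that checks every VLAN subnet against the ISA Internal network definition, flags overlapping subnets, and generates the persistent Windows routes pointing at the interior packet-filter firewall. All addresses, VLAN names and the Internal range are constructed placeholders; ISA's actual network definition is entered in the ISA console, this only models it.

```python
import ipaddress

# Constructed sample data (placeholders, not from the thread).
# ISA "Internal" network definition as entered in the ISA console.
ISA_INTERNAL_RANGES = ["10.0.0.0/8"]
# ISA-facing interface of the interior packet-filter FW (next hop for all VLANs).
INTERIOR_FW_GATEWAY = "10.0.0.254"
# VLAN subnets living behind the interior FW.
VLAN_SUBNETS = {
    "Users-VLAN10": "10.10.0.0/16",
    "Servers-VLAN20": "10.20.0.0/16",
    "Mgmt-VLAN30": "10.30.0.0/24",
    "Lab": "192.168.50.0/24",      # deliberately outside the Internal definition
}


def check_internal_coverage(internal_ranges, subnets):
    """Return VLAN names whose subnet is NOT inside ISA's Internal definition.

    Packets from such a subnet arriving on ISA's internal NIC are treated as
    coming from an undefined network (ISA logs them as spoofed and drops them),
    so the definition must be widened before any route will help."""
    ranges = [ipaddress.ip_network(r) for r in internal_ranges]
    return sorted(name for name, s in subnets.items()
                  if not any(ipaddress.ip_network(s).subnet_of(r) for r in ranges))


def find_overlaps(subnets):
    """Return pairs of VLAN names whose subnets overlap (usually a typo in the list)."""
    items = [(n, ipaddress.ip_network(s)) for n, s in subnets.items()]
    return [(a, b) for i, (a, na) in enumerate(items)
            for b, nb in items[i + 1:] if na.overlaps(nb)]


def build_persistent_routes(subnets, gateway, metric=1, summarize=False):
    """Emit one 'route -p add' command per subnet (or per summary block).

    summarize=True collapses contiguous VLAN subnets into a single route; that
    is safe here because every VLAN uses the same next hop (the interior FW)."""
    gw = ipaddress.ip_address(gateway)          # raises on a malformed gateway
    nets = [ipaddress.ip_network(s) for s in subnets.values()]
    if summarize:
        nets = list(ipaddress.collapse_addresses(nets))
    return [f"route -p add {n.network_address} mask {n.netmask} {gw} metric {metric}"
            for n in sorted(nets)]


if __name__ == "__main__":
    print("Outside Internal definition:", check_internal_coverage(ISA_INTERNAL_RANGES, VLAN_SUBNETS))
    print("Overlapping subnets:", find_overlaps(VLAN_SUBNETS))
    for cmd in build_persistent_routes(VLAN_SUBNETS, INTERIOR_FW_GATEWAY):
        print(cmd)
```

Run it on the ISA box's route list before going live; anything reported by the first two checks should be fixed in the ISA network definition or the VLAN inventory, not worked around with extra routes.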