Welcome to ISAserver.org

Blue Coat SG Front-ending ISA2006

Blue Coat SG Front-ending ISA2006 - 17.Aug.2007 3:21:49 PM
cingram

 

Posts: 2
Joined: 20.Mar.2002
From: Salina
Status: offline
Existing Internet connectivity from our site is for email and web access for internal users, only. Therefore, all current incoming Internet traffic (except for email) is in response to an outgoing request. We are using a BlueCoat SG in proxy mode (set in IE configuration) for all outgoing traffic and website filtering.   Our existing Internet firewall is a packet filter device.

Within the next 6 months we'll have to begin hosting from our location which means creation of a DMZ and the addition of a second firewall. I'd like to implement an ISA2006 server between the current firewall and the SG.  I need to keep the SG in place.  Can ISA work without a Proxy client connecting to it (such as the SG)?  I realize ISA would do most of what the SG is currently doing, but I don't have an option to remove it.  The new structure would look like this:

 
Internet <--> Existing FW <--> DMZ & Web Svrs <--> ISA <--> SG Proxy out <--> SG

One more question: We also have an extensively VLAN'ed backbone (> 25 VLANs) so this will add additional complicating factors to ISA because of all the routes I'd have to create on ISA.  Is this correct?

Thanks.
Post #: 1
RE: Blue Coat SG Front-ending ISA2006 - 20.Aug.2007 8:42:06 AM
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The ISA Firewall supports VLANs as long as your NIC driver on the ISA Firewall is VLANable.

I wouldn't put the BC box inline with the ISA Firewall. Since the BC box is not a firewall, you're best to use the BC box in a unihomed config somewhere behind the ISA Firewall.

You can use a back to back config with the ISA Firewall located behind the packet filter.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cingram)
Post #: 2
RE: Blue Coat SG Front-ending ISA2006 - 20.Aug.2007 11:56:52 AM
cingram

 

Posts: 2
Joined: 20.Mar.2002
From: Salina
Status: offline
I agree. Actually, my brief drawing was oversimplistic. We're proxying all user Internet traffic via the BC but it's not actually "in-line". However, upon further review, I'm thinking of placing the ISA2006 firewall on the perimeter and moving the existing packet filter to the interior. We'll be able to use ISA Web publishing and the other features of ISA to their fullest, while keeping the DMZ isolated from the backbone with the older, packet filter, FW. Does this sound reasonable?

The only issue I can see is VPN termination on ISA and getting it through the 2nd FW to the backbone.

Thank you.

(in reply to cingram)
Post #: 3
RE: Blue Coat SG Front-ending ISA2006 - 21.Aug.2007 11:43:01 AM
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
That sounds like a good plan. You don't need to worry about terminating the VPN connections at the ISA Firewall. Just make sure you define the default internal network correctly and that you have routing table entries on the ISA Firewall to point to the correct gateways for each internal network ID the VPN clients will need to connect to.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to cingram)
Post #: 4
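
The routing advice in post 4, as an added example that is not part of the original thread: a pre-deployment check that every VLAN subnet behind the interior firewall has a static route on the ISA Firewall and also falls inside the address ranges entered for the default Internal network. All subnets, gateways and ranges are constructed sample values, and reading "define the default internal network correctly" as "every routed subnet is inside its ranges" is an assumption of this example.

```python
import ipaddress

# Constructed sample data: VLAN subnets behind the interior packet filter and
# the next-hop gateway the ISA Firewall would use for each (all hypothetical).
VLAN_ROUTES = {
    "10.10.1.0/24": "10.0.0.2",
    "10.10.2.0/24": "10.0.0.2",
    "10.20.0.0/22": "10.0.0.3",
    "172.16.5.0/24": "10.0.0.3",
}
# Constructed address ranges entered for the default Internal network.
INTERNAL_RANGES = [("10.0.0.0", "10.10.255.255"), ("10.20.0.0", "10.20.3.255")]
# Constructed subnet of the ISA interface that faces the interior.
ISA_INTERNAL_SUBNET = "10.0.0.0/24"


def covered(subnet, ranges):
    """True if every address of subnet falls inside one configured range."""
    net = ipaddress.ip_network(subnet)
    return any(
        ipaddress.ip_address(lo) <= net.network_address
        and net.broadcast_address <= ipaddress.ip_address(hi)
        for lo, hi in ranges
    )


def audit(routes, ranges, local_subnet):
    """Return (route_commands, problems) for the planned configuration."""
    local = ipaddress.ip_network(local_subnet)
    commands, problems = [], []
    for subnet, gateway in sorted(routes.items()):
        net = ipaddress.ip_network(subnet)
        if not covered(subnet, ranges):
            problems.append(f"{subnet}: not inside the Internal network definition")
        if ipaddress.ip_address(gateway) not in local:
            problems.append(f"{subnet}: gateway {gateway} is not on-link ({local})")
        # Windows persistent static route: route -p add <dest> mask <mask> <gw>
        commands.append(f"route -p add {net.network_address} mask {net.netmask} {gateway}")
    return commands, problems


if __name__ == "__main__":
    cmds, issues = audit(VLAN_ROUTES, INTERNAL_RANGES, ISA_INTERNAL_SUBNET)
    print("\n".join(cmds))
    print("\n".join(issues) or "no problems found")
```

With the sample data the audit flags 172.16.5.0/24, which has a route but sits outside the Internal network ranges, the kind of mismatch that is easy to miss with more than 25 VLANs.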
