I have 3 buildings. My main building has a 2003 domain. I want to connect in two more buildings using ISA 2006 Server. How do I set up the two ISA servers that will be at buildings 2 and 3? If I build them in those buildings they will need to be in a workgroup, since the domain in building 1 is not reachable. Once the buildings are connected I'm going to put a domain controller in buildings 2 and 3. Right now there are no servers in either building.
Would I be better off connecting the buildings with a Cisco router or ASA firewall? What is the downside to having ISA servers in buildings 2 and 3 that are not Active Directory integrated?
Hi Scott, after all, what's the exact problem you are facing? If I remember correctly you already asked about this design. Where are you stuck? What have you tried so far? Who says that buildings 2 and 3 will remain in workgroup mode?
I'm OK in building one. In building two I'm not sure what to do with the server: workgroup or domain member. I really have no way to make it a domain member until we are connected... Do I connect them and then make the ISA server a domain member? Do I leave the ISA server in a workgroup? Does it matter that it is in a workgroup, since no one will be using it for VPN or OWA? It's just there to connect the buildings and allow the users to browse the Internet.
I have never done this before. I typically connect the buildings with 2800 series routers. This takes 5 minutes. I then put an ISA server behind the router for extra protection. I looked at the article explaining how to connect ISA servers using IPsec and it looked very complicated! Do ISA servers work well in this scenario?
Scott, well, if you can transport the ISA servers from buildings two and three into building 1 you can do the job there. If not, you can add them to the domain after you connect. So connect first. Make sure you allow the protocols needed from Local Host to the domain controller in building 1 and that you give ISA the correct DNS server IP address. Or you can install an additional domain controller (with DNS server) in building 2 and then use this one for joining ISA. If they are browsing the Internet then you might want to log the usernames; if so, it is good to make ISA a domain member. Maybe add some restrictions based on user names (no messenger for X but OK for Y). If you do not need any user filtering then you do not need to make ISA a domain member. If ISA is a domain member you can play more easily with certificates, for example from your enterprise CA for ISA. And so on. Check this article to see where your needs fit: http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Why is that so complicated? You can use a long, complicated pre-shared key (known only by you and maybe another network admin) until you join ISA and get a certificate from your Ent CA, or even better you can use an offline machine one for the start phase. Actually you can use a user one for IPsec IKE authentication (don't forget to add the CA certificate to the Trusted Root store). Just use the site-to-site VPN wizard and you are done. Yes, ISA servers work fine. That full mesh topology is not available (I was never able to get it working), only the partial one. I think I have read something about this too in Tom's blog. The hub and spoke one works (I've done this too). Remember to uncheck "Register this connection's addresses in DNS" on every ISA in RRAS. Since this is the first time, just give it a go and see what's happening.
Hi Scott, since you will have a DC in buildings two and three, I suppose that on these DCs you will have an Active Directory integrated DNS. If so, the only thing to do is to configure these DNS servers to use the ISP DNS servers as forwarders. On ISA's internal interface put the IP address of your local DNS server. You will have good performance like so. ISA resolves names on behalf of web proxy clients, for example. Do not install any DNS services on ISA. Are you having any problems with the ISP DNS servers? You can build your own DNS forwarders (caching-only DNS servers) on an ISA DMZ network. I suppose you can install such a DNS server on ISA, but personally I do not like the idea of installing any additional services on ISA. ISA is a firewall and must do what a firewall does.

Why would you need to buy a certificate? Actually, having your own CA gives you more flexibility and in my opinion more security, since you can customise the certificate to fit your needs (long keys...). Since you do not publish a web server which will be accessible by, say, public people, you do not need a commercial certificate (you do not worry about the CA being untrusted, thus being MITM-ed). It is very good to have your own PKI. I do not advertise the use of pre-shared keys. If you read my previous posts you will find some reasons. If you use them, make sure they remain secret and they are complicated (not guessable). Regards!
Yes I will set the DNS servers up as you say. That has worked well for me in the past.
My ISP DNS servers are fine.
I have never seen the need to publish my own CA. You can buy a certificate cheaply or use a 32-character pre-shared key that no one will know except me. If you use symbols, numbers, upper case and lower case characters they are virtually impossible to crack.
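Added example (not from any poster in this thread): a small Python script that generates a 32-character pre-shared key from all four character classes mentioned above using the OS CSPRNG, and puts a number on the "virtually impossible to crack" claim by computing the keyspace in bits and the worst-case time to exhaust it at an assumed guess rate. The guess rate is a constructed figure, not something the thread states. It only measures brute-force resistance of the key itself; as the other reply points out, the practical weakness of a PSK is keeping it secret and not reusing it, which no keyspace arithmetic can fix.

```python
import math
import secrets
import string

# The four character classes the post recommends mixing; every generated key
# must contain at least one character from each.
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)  # 94 printable ASCII characters


def classes_present(psk: str) -> int:
    """Count how many of the four character classes appear in the key."""
    return sum(any(ch in cls for ch in psk) for cls in CLASSES)


def generate_psk(length: int = 32) -> str:
    """Return a uniformly random key of `length` symbols from ALPHABET.

    Uses secrets (OS CSPRNG), never the random module. Re-draws until all
    four classes are present, which for 32 characters happens almost always
    on the first try, so uniformity over the accepted keys is preserved.
    """
    if length < len(CLASSES):
        raise ValueError("length must be at least the number of character classes")
    while True:
        psk = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if classes_present(psk) == len(CLASSES):
            return psk


def keyspace_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy in bits of a uniformly random key: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case years to try every key at the given (constructed) guess rate."""
    seconds_per_year = 365.25 * 24 * 3600
    return 2 ** bits / guesses_per_second / seconds_per_year


if __name__ == "__main__":
    key = generate_psk()
    bits = keyspace_bits(len(key))
    print(f"PSK (keep this secret, configure it on both ISA servers): {key}")
    print(f"keyspace: about {bits:.0f} bits")
    # 1e12 guesses/s is an assumed attacker rate for illustration only.
    print(f"years to exhaust at 1e12 guesses/s: {years_to_exhaust(bits, 1e12):.3e}")
```

Running it prints a fresh key each time; the keyspace figure for 32 characters over 94 symbols is a little under 210 bits, which is why brute force is not the realistic risk for such a key. Treat the output like any other credential: generate it on an administrative workstation, enter it on both ISA servers, and replace it with certificate authentication once the site is joined to the domain, as the earlier reply suggests.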
I have always wanted to set up a terminal server environment. That, I guess, would be where I would need a CA?