I would like to setup a back-to-back configuration as follows:
External - ISA1 - DMZ (containing Web Server) - DMZ (containing App Server) - ISA2 - Internal inc DB Server
I currently have ISA1 - DMZ (webserver) in place but need to add in ISA2 and App Server. How do I connect the two? Are there any issues I should be aware of?
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
If the inner ISA (2) is not in place yet then you don't have a DMZ and it is impossible for the Web Server and the App Server to already be in place. So I really don't know what you mean by that.
To create a Back to back DMZ the two Firewalls (ISA) need to be the first thing put in place. You have to create a new private subnet that will be in between the two firewalls. You need a hub or switch between them on this new subnet and you would connect the Web Server and the App Server to it.
Once done the Web Server and the App Server will be "cut off" from the LAN and will no longer be able to communicate with the LAN without the LAN initiating the communication and having Access Rules on the inner ISA (2) to allow it. From the LAN's perspective,...and ISA2's perspective the DMZ is the Internet. But from the outer ISA (1) the DMZ is the LAN and the outer ISA will have no concept that the real LAN even exists.
What happens after that with Access Rules or Publishing Rules is up to you and your skills at being able to properly deal with the characteristics of a Back-to-Back DMZ.
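As an added illustration (not part of the original post or any ISA configuration), a small Python model of the topology described above: each ISA only knows the two zones it is plugged into and denies by default, so a connection succeeds only if every firewall on its path has an explicit allow entry. Addresses, host names, ports and rules are all constructed sample values.

```python
"""Model of the back-to-back DMZ: External - ISA1 - DMZ - ISA2 - LAN.
Added example with constructed values; not an ISA export."""
from ipaddress import ip_address, ip_network

# Constructed addressing: one subnet per zone, one host per role.
ZONES = {
    "External": ip_network("203.0.113.0/24"),
    "DMZ":      ip_network("192.168.100.0/24"),  # switch shared by ISA1 and ISA2
    "LAN":      ip_network("10.0.0.0/24"),
}
HOSTS = {
    "internet_client": "203.0.113.10",
    "web":             "192.168.100.10",
    "app":             "192.168.100.20",
    "db":              "10.0.0.50",
    "lan_client":      "10.0.0.100",
}

# Each ISA sees only the two zones it is cabled to.  To ISA1 the DMZ is its
# "internal" side; to ISA2 the DMZ is its "external" side.  Allow entries are
# (src_host, dst_host, port); anything not listed is denied.
FIREWALLS = {
    "ISA1": {"zones": {"External", "DMZ"}, "allow": {("internet_client", "web", 443)}},
    "ISA2": {"zones": {"DMZ", "LAN"},      "allow": {("lan_client", "app", 8080)}},
}

def zone_of(host):
    addr = ip_address(HOSTS[host])
    return next(z for z, net in ZONES.items() if addr in net)

def path(src, dst):
    """Firewalls a new connection from src to dst must traverse.
    Same zone: none (same switch).  External<->LAN: both, via the DMZ subnet."""
    zs, zd = zone_of(src), zone_of(dst)
    if zs == zd:
        return []
    direct = [fw for fw, cfg in FIREWALLS.items() if cfg["zones"] >= {zs, zd}]
    return direct or ["ISA1", "ISA2"]

def allowed(src, dst, port):
    """True only if every firewall on the path explicitly allows the flow."""
    return all((src, dst, port) in FIREWALLS[fw]["allow"] for fw in path(src, dst))
```

Note that `allowed("web", "app", 8080)` is true with no rule anywhere, because both servers hang off the same switch and no ISA sits between them; the DB on the LAN stays unreachable from the App Server until ISA2 gets a rule for it.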
Thank you for coming back to me. As you can see, I'm extremely new to ISA. I've had experience in setting up publishing and access rules etc. on our existing server but adding an additional server is completely new. Apologies.
We have 2 firewalls at present. One existing with a 3 legged template, the other is completely new and hasn't even been touched yet (too scared :o))...
The existing server has 3 NICs (internal, external, DMZ). We have internet traffic coming in, our web server on what we term the DMZ NIC and our internal network.
What we want to do is add in an application server along with the 2nd ISA. Looking around, it appears that the recommendation is a back-to-back configuration.
I'm happy with this but struggle with the connection between the two.
I understand that I connect the web and apps server to a hub or switch and that this hub is connected to both of the ISAs' DMZ NICs. Is this correct?
The front end ISA is connected externally and to the DMZ and the back end ISA is connected internally and to the DMZ. Is this correct?
I'm suffering with information overload at present and really need something very simple that I can get my head around. Apologies!!
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
What we want to do is add in an application server along with the 2nd ISA. Looking around, it appears that the recommendation is a back-to-back configuration.
Ok
I understand that I connect the web and apps server to a hub or switch and that this hub is connected to both of the ISAs' DMZ NICs. Is this correct?
Yes
The front end ISA is connected externally and to the DMZ and the back end ISA is connected internally and to the DMZ. Is this correct?
Yes
Just remember: To the inner ISA the DMZ is the Internet (even though it really isn't). To the outer ISA the DMZ is the internal LAN (even though it really isn't).
The back-to-back DMZ configuration appears a little bit of a waste of 2 firewalls when ideally we would like a 3 tier setup between our web server, app server and internal network using the 2 firewalls.
Is there any way we can minimise disruption to what we have at present?
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
The back-to-back DMZ configuration appears a little bit of a waste of 2 firewalls when ideally we .......
It's just me,... but I think DMZs are a waste of time to begin with,...I don't use one,...don't care to use one,...and probably will never use one.
Is there any way we can minimise disruption to what we have at present?
Leave things the way they are and don't waste money on a second Firewall. Personally, I would not even have the "third-NIC DMZ",...but again,...that's just me.
We have the 2 servers and would like to have a three tier environment, ideally using 2 three-legged ISA environments. Is this possible? How would you do it?
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
We have the 2 servers and would like to have a three tier environment,
"Three tier environment" is just a buzz-word to me. I don't even know what that means specifically.
ideally using 2 three-legged ISA environments. Is this possible?
Yes, it is possible to create a Back-to-Back DMZ and then hang an additional "third-leg" DMZ off of each ISA. To me it is pointless, and overcomplicating things needlessly for no good reason.
How would you do it?
Like I said. I would never do it. I could easily go my entire career and never create a DMZ. I don't "believe" in DMZs and I believe I can have an equally secure setup without ever creating one,...and it will be more dependable and a whole lot easier to maintain.
Posts: 2228
Joined: 12.Apr.2004
From: Taylorville, IL
There is a Forum on this site devoted to DMZs with your version of ISA. You might want to ask the guys in that Forum. They would be folks who actually like DMZs and have more direct experience with using them.