Welcome to ISAserver.org

Deployment Scenario

Users viewing this topic: none

Logged in as: Guest

Printable Version

All Forums >> [ISA Server 2004 Misc.] >> Tom's ISA Firewall Blog Discussion >> Deployment Scenario

Page: [1]

Message

<< Older Topic Newer Topic >>

Deployment Scenario - 25.Jan.2008 10:51:17 AM

kateh

Posts: 16
Joined: 21.Nov.2007
Status: offline

Hi Tom,

I wonder if you could help.

I have 1 ISA setup with a 3 legged template. I now want to add an additional ISA server but have the web server and the application server on different DMZ's.

Is there a way to have the web server on ISA1 dmz and the App server on ISA2 dmz but connect the two together?

Many thanks
Kate

Post #: 1

Featured Links*

RE: Deployment Scenario - 26.Jan.2008 1:53:41 PM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Kate,

Are you wanting to add a second ISA Firewall to the array, or just a second ISA SE firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kateh)

Post #: 2

RE: Deployment Scenario - 30.Jan.2008 6:31:38 AM

kateh

Posts: 16
Joined: 21.Nov.2007
Status: offline

Hi Tom,

I want to add another ISA SE Firewall.

We currently have a 3 legged template setup using 3 nic's - internal, external and Perimeter (DMZ).

The web server is on the DMZ.

I want to use the existing 3 legged setup I have at the minute with external clients coming in to our web server on the dmz. Without changing this, using a 2nd ISA SE firewall I would like to create an additional layer of security between the web server and an application server then into our internal network.

Ideally, I require a three tier environment disrupting as little as possible of our current setup.

Can I continue with our existing setup, keeping the web server on the original dmz, add the additional ISA SE Firewall (with 3 nic's) and create it's own dmz for the application server? then connect the two using publishing rules?

Is this possible or will I need to use the back-to-back dmz scenario and have both app and web server on same dmz?

Also, one of my ISA servers is 2004 and one is 2006. Is this advisable?

I'm really new to ISA so I hope this makes sense

Many Thanks
Kate

< Message edited by kateh -- 30.Jan.2008 11:03:45 AM >

(in reply to tshinder)

Post #: 3

RE: Deployment Scenario - 31.Jan.2008 10:23:33 AM

tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline

Hi Kate,

I see what you're getting at. The second ISA Firewall would be behind the DMZ, with an interface in the DMZ and an interface on the Internal Network. However, this really isn't required, since your current ISA Firewall is separating the DMZ from the Internal Network.

However, if your application server is not on the Internal Network, that's a different story. Please confirm.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to kateh)

Post #: 4

RE: Deployment Scenario - 31.Jan.2008 10:35:58 AM

kateh

Posts: 16
Joined: 21.Nov.2007
Status: offline

Hi Tom,

Yes, this is it exactly. The current ISA Firewall is seperating the DMZ from the Internal Network with the web server on the DMZ being accessed from external clients.

Unfortunately, my application server isn't on any of our networks yet. I don't want it to go on the Internal Network but want to add it on to a dmz of it's own using the 2nd ISA Firewall but trying to slot it in with the current setup.

I'm also not sure whether my current ISA 2004 will play happily with the new ISA 2006 if I have it in a back-to-back dmz.

Thankyou for all your help.

Kind regards
Kate

(in reply to tshinder)

Post #: 5