This article is right on time for me ;-) I've worked with ISA in the past. Now i've changed jobs and am in the process of getting ISA server in here.
I want to make it a back end firewall with a third party (juniper) in front. The ISA will be used for VPN clients termination and to build a few site 2 site connections. Is this combination possible? I somehow always thought that this isn't possible..
< Message edited by harme020 -- 8.Feb.2008 5:49:06 AM >
Your article is really great! I use the ISA 2004 as a back-end firewall behind the Netscreen, the Netscreen has 3 interfaces, Trust (192.x.x.x), Untrust (Internet) and DMZ (172.x.x.x). The ISA has 2 NIC, one connected to the internal LAN and one external connected to DMZ. I have a policy on the Netscreen thats allows everything from Untrust to DMZ, i have only the ISA in my DMZ. The clients can use the ISA or the Netscreen for Internet access. I have to say here that i have used the network template of Edge firewall on the ISA. It works fine but i have 1 question:
I have published a Mailserver to provide OWA access over the internet, i have created a VIP on the Untrust interface of the Netscreen to port SSL requests to the 172.x.x.x ip adrress of the ISA Nic connected to DMZ. This doesn`t work, the external clients receive a DNS error. To give more details: When the clients type www.companyname.com/webmail then they get redirected to https://publicipaddress/owa The Netscreen knows, because of the VIP, that it has to port it to 172.x.x.x which is the address of the NIC ISA uses for internet access. ISA should know, because i have published the Mail server, that SSL requests with /owa will be redirected to the Exchangeserver/owa folder? Do you think that ISA denies the request because it comes from publicaddress/owa instead of www.companyname.com? Thank you very much!
Yes, the Web Publishing forwards to webmail.companyname.com, this is the public fqdn, i have modified the hosts file so that the ISA can resolve the public fqdn using the internal IP address of the Exchange server. Do you mean that ISA blocks the request because it comes as ip address, 194.x.x.x instead of the fqdn? Does ISA accept only requests for the server he published? The ISA must secure the network of course! Could this be what causes the problem? To give more info, the Netscreen firewall maps all incoming SSL traffic to the IP address of the ISA NIC used to access the internet. I don`t have to create a extra rule on the isa to allow SSL traffic from the internal host to Local (ISA itself) host, do i? The ISA sees this SSL traffic as coming from the external network, right? Thanks for your help!