Welcome to ISAserver.org

Discussion about article on teaching the boss about the ISA Firewall

Discussion about article on teaching the boss about the... - 27.Jan.2008 12:42:10 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article series on how to teach the boss about the ISA Firewall.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on teaching the boss about... - 8.Feb.2008 5:42:07 AM   
harme020

 

Posts: 39
Joined: 5.Jul.2004
From: Netherlands
Status: offline
This article is right on time for me ;-)
I've worked with ISA in the past. Now I've changed jobs and am in the process of getting ISA Server in here.

I want to make it a back end firewall with a third party (juniper) in front.
The ISA will be used for VPN client termination and to build a few site-to-site connections. Is this combination possible?
I somehow always thought that this isn't possible.

Peter

< Message edited by harme020 -- 8.Feb.2008 5:49:06 AM >

(in reply to tshinder)
Post #: 2
RE: Discussion about article on teaching the boss about... - 9.Feb.2008 1:14:05 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Peter,

Sure, it's possible. I do it all the time. I often have NAT devices in front of the ISA Firewall and terminate VPN connections behind the NAT devices at the ISA Firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to harme020)
Post #: 3
RE: Discussion about article on teaching the boss about... - 8.Mar.2008 7:56:33 AM   
Eptalofos75

 

Posts: 14
Joined: 3.Nov.2006
Status: offline
Hi Thomas,

Your article is really great! I use the ISA 2004 as a back-end firewall behind the Netscreen. The Netscreen has 3 interfaces: Trust (192.x.x.x), Untrust (Internet) and DMZ (172.x.x.x). The ISA has 2 NICs, one connected to the internal LAN and one external connected to the DMZ. I have a policy on the Netscreen that allows everything from Untrust to DMZ; I have only the ISA in my DMZ. The clients can use the ISA or the Netscreen for Internet access. I have to say here that I have used the Edge firewall network template on the ISA. It works fine, but I have 1 question:

I have published a Mailserver to provide OWA access over the internet. I have created a VIP on the Untrust interface of the Netscreen to port SSL requests to the 172.x.x.x IP address of the ISA NIC connected to the DMZ. This doesn't work; the external clients receive a DNS error. To give more details: when the clients type www.companyname.com/webmail they get redirected to https://publicipaddress/owa. The Netscreen knows, because of the VIP, that it has to port it to 172.x.x.x, which is the address of the NIC ISA uses for internet access. ISA should know, because I have published the Mail server, that SSL requests with /owa will be redirected to the Exchangeserver/owa folder? Do you think that ISA denies the request because it comes from publicaddress/owa instead of www.companyname.com?
Thank you very much!

(in reply to tshinder)
Post #: 4
RE: Discussion about article on teaching the boss about... - 9.Mar.2008 1:39:51 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
If the request is going to an IP address instead of a FQDN, that could cause a connection problem. Is the Web Publishing Rule forwarding to a FQDN?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Eptalofos75)
Post #: 5
RE: Discussion about article on teaching the boss about... - 10.Mar.2008 4:13:57 AM   
Eptalofos75

 

Posts: 14
Joined: 3.Nov.2006
Status: offline
Yes, the Web Publishing forwards to webmail.companyname.com, which is the public FQDN. I have modified the hosts file so that the ISA can resolve the public FQDN using the internal IP address of the Exchange server.
Do you mean that ISA blocks the request because it comes as an IP address, 194.x.x.x, instead of the FQDN? Does ISA accept only requests for the server it published? The ISA must secure the network of course! Could this be what causes the problem?
To give more info, the Netscreen firewall maps all incoming SSL traffic to the IP address of the ISA NIC used to access the internet. I don't have to create an extra rule on the ISA to allow SSL traffic from the internal host to Local Host (ISA itself), do I? The ISA sees this SSL traffic as coming from the external network, right?
Thanks for your help!

(in reply to tshinder)
Post #: 6
RE: Discussion about article on teaching the boss about... - 15.Mar.2008 11:29:40 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
The incoming request should be to https://name.name.com, not https://10.10.10.10

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Eptalofos75)
Post #: 7
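The diagnosis in this thread (a Web Publishing Rule matches the public name in the request, so a redirect to https://publicip/owa never matches the rule published for webmail.companyname.com) can be modelled as a small rule evaluator. This is an added example, not ISA's code or anything from the posters; the rule, the hosts entry and the 192.0.2.x / 203.0.113.x addresses are constructed.

```python
"""Model of how a reverse-proxy web publishing rule (ISA-style) matches an
inbound request against its public names. Hypothetical, not ISA's own logic."""
from ipaddress import ip_address
from urllib.parse import urlsplit

# Constructed publishing rule, mirroring the thread: listens for the public
# FQDN only, publishes /owa, forwards to the same FQDN (split DNS).
OWA_RULE = {
    "public_names": {"webmail.companyname.com"},
    "forward_to": "webmail.companyname.com",
    "paths": ("/owa",),
}

# Constructed hosts-file entry on the firewall: the public name resolves
# internally to the Exchange server, as the poster described.
HOSTS = {"webmail.companyname.com": "192.0.2.10"}


def host_is_ip(host: str) -> bool:
    """True when the Host header carries a literal IP instead of a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def evaluate(url: str, rule: dict = OWA_RULE) -> tuple[str, str]:
    """Return ('forward', internal_target) or ('deny', reason) for a request URL."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if parts.scheme != "https":
        return ("deny", "rule listens for SSL requests only")
    if host_is_ip(host):
        # The case from the thread: a redirect to https://<public ip>/owa
        # carries the IP in the Host header, so no public name matches.
        return ("deny", f"request addressed to IP {host}, not a published public name")
    if host not in rule["public_names"]:
        return ("deny", f"host {host} is not a public name of the rule")
    if not any(parts.path.startswith(p) for p in rule["paths"]):
        return ("deny", f"path {parts.path} is not published")
    internal_ip = HOSTS[rule["forward_to"]]  # resolved via the hosts file
    return ("forward", f"https://{internal_ip}{parts.path}")


if __name__ == "__main__":
    for u in ("https://203.0.113.5/owa", "https://webmail.companyname.com/owa"):
        print(u, "->", evaluate(u))
```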