OCS edge & ISA DMZ

ufgeorge -> OCS edge & ISA DMZ (15.Jun.2008 12:09:13 PM)

Hi,

I've read the article (http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html). But I have some questions I can't understand.

The Edge OCS A/V needs a routable IP address. In this article, there are two ISP links. One (ISP1) connects to external and the other (ISP2) connects to the DMZ.

Communicator clients (or PING) on the internet resolve the IP of the edge OCS FQDN and get an IP in the DMZ. The network packet will be sent directly to the DMZ IP from the ISP2 link. But the reply packet will try to go back through ISP1 because there is no default gateway on the DMZ NIC.

I am confused about this kind of configuration. Since ISA is a stateful firewall, will ISA reject the reply packet?

From the picture I cannot tell how to connect the cable from the ISP. Can anyone explain?

Correct me if I am wrong. TKS.

George




Jason Jones -> RE: OCS edge & ISA DMZ (16.Jun.2008 5:38:28 AM)

Why do you think there are two ISP links?

There is just one link and two public IP address ranges. One public range is used by the ISA external interface and the other is routed to the DMZ and the external interface of the OCS edge server.

Ignore the private addresses in the diagram; this is done as an example only and all external addresses would need to be valid public addresses in the real world...

Cheers

JJ




ufgeorge -> RE: OCS edge & ISA DMZ (26.Jun.2008 11:44:29 AM)

It is because you use 2 different IP ranges...

I think it is hard if you use one ISP link and get 2 different IP ranges.

I suggest you use one IP range and subnet this range; it is more like the real world.

One more thing to discuss. Before reading this article, I connected the real IP on the external NIC, and the DMZ IP connected to the inside OCS server through ISA. Is it possible to combine both your idea and mine, using one NIC bound to 2 IPs and both through ISA... Do you understand what I am talking about?




Jason Jones -> RE: OCS edge & ISA DMZ (26.Jun.2008 12:45:21 PM)

It's not my article, but the key thing to understand is that IP ranges are examples and public IP addresses are needed on BOTH the ISA external interface and the OCS edge external interface. 



