Replacing Internet connection controlled by ISA






rayleask -> Replacing Internet connection controlled by ISA (19.Jun.2008 10:03:47 AM)

Hi, bit of advice needed.  We run ISA 2004 in a DMZ which is used both as a proxy for our users and as a Security gateway controlling which of our AD users are allowed to surf the Internet.

Our current Internet link comes in as ADSL through a modem onto the DMZ.  We now have a replacement direct link which comes in as ethernet.  The new link comes in as an IP address, say 123.123.123.123 so I can't plug straight into the DMZ without some intermediate box.  I did think I could plug it into a secondary card on the ISA.  That seemed to work fine but only the internal network is defined on the ISA. A Pen test revealed that Windows ports were open, I guess because the connection is considered an Internal one?

The link is only used for outgoing surfing.  Can anyone suggest what approach I should be taking?  Other security boxes sit on the DMZ so I can't change the subnet number of the DMZ.

Thanks, Ray




Rotorblade -> RE: Replacing Internet connection controlled by ISA (19.Jun.2008 10:41:08 AM)

[quote]
Our current Internet link comes in as ADSL through a modem onto the DMZ.  We now have a replacement direct link which comes in as ethernet.
[/quote]

Hi Ray,

I’m a little confused when you say you’re now running “Ethernet” when actually you should already be connected using “Ethernet” from your ADSL service modem. There should be no difference because you still need an IP for things to work.

How many NICs are you utilizing with your ISA setup?

Typically with a DMZ, you can configure ISA for a “3-leg” perimeter configuration which would require 3 NICs installed on the ISA server and a network switch for the DMZ network.

A front to back firewall configuration can also be used, but you will also need a network switch for your DMZ (perimeter) network.

HTH
RB




rayleask -> RE: Replacing Internet connection controlled by ISA (19.Jun.2008 11:06:47 AM)

Hi David, thanks for your email. Apologies for using the term ethernet, I was a bit unsure about using it myself.  Our old link comes in as ADSL.  We have an all in one modem/switch/router which connects it to the DMZ.  The ADSL side has the provided IP Address, our side of that box uses the DMZ subnet address.  The new link comes in as IP directly with another provided IP address so I have no way of directly connecting it to the DMZ.

We currently only use one NIC in the ISA which is defined as Internal which connects it to the DMZ.  We have another one unused.  The reason for this is historical.  The ISA used to be our primary Firewall/Security Appliance with no DMZ in the organisation.  One NIC faced internally, the others the Internet and two  external organisations.  We installed a Cisco Firewall to give us reliable VPNs.  We moved the ISA to the DMZ on the outside of the new Firewall.  This was on the recommendation of the Cisco Installing company.  The ISA controls who is allowed out to surf.  This seems to work fine apart from getting my head around how the whole lot works.

We now have a much faster link to the Internet but I have no straightforward way it seems to connect the new link to either the DMZ or the ISA.

Thanks, Ray




rayleask -> RE: Replacing Internet connection controlled by ISA (19.Jun.2008 11:20:38 AM)

Hi, thought I had better add that we might not have a traditional DMZ.  This is how our topology looks -

                         Incoming Internet
                                     |                 
ISA Server  ----------DMZ---------Another security box
                                     |
                           Cisco Firewall
                                     |
                          Internal Network

Thanks, Ray




Rotorblade -> RE: Replacing Internet connection controlled by ISA (19.Jun.2008 3:49:37 PM)

Ray,
Wow!

To start, with ISA running in “hork mode” (single NIC) you are only limited to Web protocols and no firewall services which you are probably aware of. Secondly, placing ISA in the DMZ (in my opinion) as you kindly diagramed is probably not a wise thing to do. How are you allowing AD lookup access to the internal domain? Your Cisco firewall, acting as the edge firewall would have to have rules configured to allow and being in the DMZ would most likely open you up to compromise! With your current configuration, ISA should be placed behind the Cisco security device not in front!



Thoughts Anyone?

RB




Jason Jones -> RE: Replacing Internet connection controlled by ISA (19.Jun.2008 6:57:00 PM)

Would agree with David that ISA should be closest to your internal network. However, this is quite a big change to your perimeter network topology and would likely need a big bang migration in reality.

Another option is to put ASA and ISA in parallel and let each do their own thing.

I am a bit confused though, are you planning on keeping both Internet connections?




rayleask -> RE: Replacing Internet connection controlled by ISA (20.Jun.2008 5:42:07 AM)

Hi, thanks for your two replies.  There's certainly food for thought here, least of all "Hork mode" which I haven't come across before.  My current thought is to use a bridge between the DMZ and the new Internet link.  This though makes what I realise now is at best a complex setup even more complex and hence unsatisfactory.

"limited to Web protocols and no firewall services".  No I was not aware of this, no Firewall services, this sounds serious as the box faces the Internet.  What I was aware of though is that AD traffic must be passing into the DMZ and is therefore a risk.  Not as bad as it seems though as we have the modem/router/switch stopping all inbound traffic coming into the DMZ anyway.

"ISA should be placed behind the Cisco security device not in front", yes this seems obvious.  I don't know why this was done this way.

The new faster link will replace the slower.  We have a third on which email, VPNs and support companies come in, these will eventually be migrated over to this one faster link.  Yes, overall it will be a large task.

Thanks for your input, Ray



