pwindell -> RE: Structure Improvements ISA (16.Jul.2008 12:04:58 PM)
quote:
Hey guys, I would like some advice before I make the following changes. Currently I'm running ISA Server 2006 with a single network adapter. I would like to change the structure to be a little more secure, and make use of the second Ethernet card in the ISA Server. A basic diagram of the current setup is here: http://www.pixieserver.com/public/viewset/27

The diagram would be better if you showed what you plan to do and not what is currently there. ISA would be the Firewall. Either replace the existing Firewall with the ISA, or run the ISA side-by-side with the existing Firewall, or create a back-to-back DMZ.

quote:
The ISA Server is publishing OWA with FBA and running a proxy server for the internal workstations.

OWA's certificate needs to be specific (not a wildcard cert). Other SSL sites can use a wildcard cert. Don't ask me why it is that way when using OWA; someone from MS explained it to me, it never really made sense to me, I never really understood it, so I had to take their word for it.

quote:
Proxy Server for internal Workstations

That is what ISA normally does.

quote:
Publish OWA with FBA (using a sub-domain, e.g. email.domainname.com)

No problem, except that isn't a sub-domain.
"email" = host name, the name of the (A) record or CNAME record.
"domainname.com" = domain, the name of the DNS zone.

quote:
Publish FTP Server (port 21)

No problem.

quote:
Publish Web Based Training Server (using sub-domain training.domainname.com)

No problem, except that isn't a sub-domain.
"training" = host name, the name of the (A) record or CNAME record.
"domainname.com" = domain, the name of the DNS zone.

quote:
Publish Terminal Server (Windows Server 03) (accessible via default port 3389)

No problem, but VPN may be better; then run the RDP over the VPN. The ISA's Access Rules will control what the VPN user can actually get to and what protocols they can run.

quote:
The problem is I only have one public IP address on the fibre link. Is this asking too much?

It can all be done with a single IP#.
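The reply above says the whole list (OWA, a second HTTPS site, FTP on 21, RDP on 3389) fits behind one public IP. The script below is an added planning check, not code from the thread or from ISA Server: it takes a constructed table of the services the original poster listed and reports which ones would actually collide on the single IP. The rule it applies is the one that makes the single-IP answer work: two services can share a public TCP port only if both are HTTP/HTTPS and have different public host names, because the Web listener can route on the Host header; everything else (FTP, RDP) needs a port of its own. The rule names, port numbers and host names are sample values, and `split_fqdn` just illustrates the host-name-versus-zone point made twice above. It checks port collisions only; it does not check that the certificate bound to the 443 listener covers every name published through it.

```python
"""Single-public-IP publishing plan check (added example, not from the thread)."""
from collections import defaultdict

# Constructed sample plan, built from the services listed in the original post.
# Field meanings: proto 'https'/'http' = Web publishing (Host-header routed),
# 'tcp' = plain server publishing of one port to one internal host.
PLAN = [
    {"name": "OWA",      "proto": "https", "port": 443,  "host": "email.domainname.com"},
    {"name": "Training", "proto": "https", "port": 443,  "host": "training.domainname.com"},
    {"name": "FTP",      "proto": "tcp",   "port": 21,   "host": None},
    {"name": "RDP",      "proto": "tcp",   "port": 3389, "host": None},
]

# Protocols whose requests carry a public name the listener can route on.
HOST_HEADER_PROTOS = {"http", "https"}


def split_fqdn(fqdn):
    """'email.domainname.com' -> ('email', 'domainname.com'):
    the left-most label is the host (A/CNAME record name), the rest is the zone."""
    host, _, zone = fqdn.partition(".")
    return host, zone


def find_collisions(plan):
    """Return [(port, [rule names])] for every public port that cannot be shared.

    A port is shareable only when every rule on it is HTTP/HTTPS and each rule
    has its own distinct public host name. Plain TCP publishing (FTP, RDP)
    owns its port outright.
    """
    by_port = defaultdict(list)
    for rule in plan:
        by_port[rule["port"]].append(rule)

    collisions = []
    for port, rules in sorted(by_port.items()):
        if len(rules) < 2:
            continue
        all_web = all(r["proto"] in HOST_HEADER_PROTOS for r in rules)
        hosts = [r["host"] for r in rules]
        distinct_hosts = None not in hosts and len(set(hosts)) == len(hosts)
        if all_web and distinct_hosts:
            continue  # routed by public name; they can share the port
        collisions.append((port, [r["name"] for r in rules]))
    return collisions


def fits_single_ip(plan):
    """True when no two rules fight over the same public port."""
    return not find_collisions(plan)


if __name__ == "__main__":
    for rule in PLAN:
        if rule["host"]:
            host, zone = split_fqdn(rule["host"])
            print(f"{rule['name']}: host={host!r} zone={zone!r}")
    problems = find_collisions(PLAN)
    print("fits one public IP" if not problems else f"collisions: {problems}")
```

Adding a second plain-TCP service on an already used port, or a second HTTPS site reusing email.domainname.com, is exactly what makes `find_collisions` report a problem; the constructed plan as listed passes.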