
Welcome to ISAserver.org


how to install in this layout.

how to install in this layout. - 3.Mar.2009 9:21:00 PM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline
Hi All,
Please help me decide what solution I should install in this case:
SecureNAT or Web Proxy? And how do I install ISA with SecureNAT?
 
Post #: 1
RE: how to install in this layout. - 3.Mar.2009 9:55:06 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
If possible, configuring the ISA firewall as an explicit forward proxy is always desirable, both from a security and performance perspective.  You get improved security because with web proxy clients you can enforce strong user and group based access controls on Internet communication.  Also, when configured as an explicit forward proxy, you get the advantage of TCP connection reuse, which results in reduced resource utilization (memory and processor) on the ISA firewall as well.

Keep in mind that SecureNAT and Web Proxy clients are not mutually exclusive.  You may have some traffic (perhaps from non web-based applications) that will route through your ISA firewall (but remember you can't enforce user/group permissions on SecureNAT communication), and some traffic that will use the proxy (e.g. Internet Explorer).

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to madmonkey)
Post #: 2
RE: how to install in this layout. - 3.Mar.2009 10:32:27 PM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline
As I understand it, if I use SecureNAT I can't get user/group-based access from the domain controller. But if I use Web Proxy it will take time to configure each client manually. Does ISA 2006 support configuring each client to detect ISA automatically? If it does, how can I set this up?

(in reply to richardhicks)
Post #: 3
RE: how to install in this layout. - 4.Mar.2009 11:29:56 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
That's correct.  You cannot enforce user and group based restrictions on access for SecureNAT clients.  Rules for SecureNAT clients should always apply to 'all users'.  With regard to configuring your web proxy clients, there are numerous ways to do that.  You can use DNS, DHCP, group policy, or just old-fashioned manual configuration.  If you have a lot of clients, automatic configuration is much easier, of course.  Refer to this document for detailed information about automatic client configuration.

http://technet.microsoft.com/en-us/library/bb794779.aspx

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to madmonkey)
Post #: 4
RE: how to install in this layout. - 4.Mar.2009 9:57:29 PM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline
Thanks, richardhicks. It's very useful. BTW, I would like to know whether I should use DHCP or DNS only, or whether I have to use both of them. If I use only DHCP, is that OK?

(in reply to richardhicks)
Post #: 5
RE: how to install in this layout. - 4.Mar.2009 11:22:17 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
You can use either one, or both...doesn't matter.  Your clients will look to DHCP first (provided they are using DHCP, of course!) and if that fails they'll look to DNS.  If you have only one internet connection, DNS is quick and simple.  If you have multiple locations, each with different internet connections, you can use DHCP to specify different ISA firewalls or arrays per location.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to madmonkey)
Post #: 6
RE: how to install in this layout. - 10.Mar.2009 11:52:13 PM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline
Based on the layout, can I set the internal NIC with IP 192.168.1.1 and the external NIC with 192.168.1.2? It's the same subnet. Any ideas for this concern?
Thanks, 

(in reply to richardhicks)
Post #: 7
RE: how to install in this layout. - 11.Mar.2009 12:02:44 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
No...that won't work.  You can't have IP addresses from the same subnet on different network interfaces.  You can subnet the 192.168.1.0 network smaller than /24 if you like, but they definitely can't belong to the same subnet.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to madmonkey)
Post #: 8
RE: how to install in this layout. - 11.Mar.2009 12:42:05 AM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline

On this layout, how should I deploy ISA Server so that it doesn't require a lot of changes on the Cisco ASA firewall (this appliance is used for site-to-site VPN connections and routing)? ISA's role is to be a Web proxy and caching server that uses users and groups from the domain controller.

< Message edited by madmonkey -- 11.Mar.2009 12:43:54 AM >

(in reply to richardhicks)
Post #: 9
RE: how to install in this layout. - 11.Mar.2009 11:08:04 AM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
There are many different ways you could do this.  One way would be to assign 192.168.4.0 to the internal interface of the ISA firewall, then use a different private range (172.16.1.0/24) for the network between the ISA firewall and your ASA.  When you configure the internal network interface on your ISA firewall, don't use a default gateway but instead create persistent static routes to each of your internal networks.  The default gateway should be configured on the ISA firewall's external interfaces and should point to the internal interface of the ASA.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to madmonkey)
Post #: 10
RE: how to install in this layout. - 11.Mar.2009 9:32:53 PM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline
Is it possible to assign the internal interface of the ISA firewall an IP on 192.168.1.0 (VLAN1), or do I have to use 192.168.4.0?

(in reply to richardhicks)
Post #: 11
RE: how to install in this layout. - 11.Mar.2009 9:35:40 PM   
richardhicks

 

Posts: 477
Joined: 20.Jan.2009
From: Southern California
Status: offline
Since the drawing depicts that the ISA firewall is on the other side of a layer 3 switch I chose a new network.  The internal interface could easily be placed on the 192.168.1.0 network, however.  Make sure to include the other 192.168.x.x networks in the Internal network definition in ISA though.

_____________________________

Richard Hicks - Forefront MVP
http://tmgblog.richardhicks.com/
http://directaccess.richardhicks.com/

(in reply to madmonkey)
Post #: 12
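
As an added example (not code from any poster or from ISA Server itself), this Python check validates an interface plan against the constraints given in posts 8, 10 and 12: no shared subnet across interfaces, a default gateway only on the external interface, a persistent static route for every internal network, and all of those networks listed in the Internal network definition. The ISA interface addresses, the layer 3 switch address 192.168.4.254, the ASA address 172.16.1.1 and the 192.168.2.0/24 and 192.168.3.0/24 networks are assumptions; the thread does not give them.

```python
import ipaddress as ip

# Constructed plan following the thread's suggested addressing. The host
# addresses, 192.168.4.254 (layer 3 switch) and 172.16.1.1 (ASA) are assumed.
PLAN = {"internal": {"addr": "192.168.4.1/24", "gateway": None},
        "external": {"addr": "172.16.1.2/24", "gateway": "172.16.1.1"}}
INTERNAL_NETS = ["192.168.1.0/24", "192.168.2.0/24", "192.168.3.0/24"]
ROUTES = {net: "192.168.4.254" for net in INTERNAL_NETS}

def check_plan(plan, internal_nets, routes):
    """Return a list of problems; an empty list means the plan is consistent."""
    problems = []
    ifaces = {n: ip.ip_interface(c["addr"]) for n, c in plan.items()}
    names = sorted(ifaces)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if ifaces[a].network.overlaps(ifaces[b].network):
                problems.append(f"{a} and {b} are in the same subnet")
    if plan["internal"]["gateway"]:
        problems.append("internal interface must not have a default gateway")
    gw = plan["external"]["gateway"]
    if not gw or ip.ip_address(gw) not in ifaces["external"].network:
        problems.append("external interface needs an on-link default gateway")
    inside = ifaces["internal"].network
    for net in map(ip.ip_network, internal_nets):
        if net.subnet_of(inside):
            continue  # directly connected, no static route needed
        hop = routes.get(str(net))
        if hop is None:
            problems.append(f"no static route for {net}")
        elif ip.ip_address(hop) not in inside:
            problems.append(f"next hop {hop} for {net} is not on the internal subnet")
    return problems

def route_commands(routes):
    """Windows 'route -p add' lines (persistent static routes), one per network."""
    return [f"route -p add {n.network_address} mask {n.netmask} {hop}"
            for n, hop in ((ip.ip_network(k), v) for k, v in sorted(routes.items()))]

def internal_definition(plan, internal_nets):
    """Address ranges to list in the ISA Internal network definition."""
    nets = {ip.ip_interface(plan["internal"]["addr"]).network}
    nets.update(ip.ip_network(n) for n in internal_nets)
    return [(str(n[0]), str(n[-1])) for n in sorted(nets)]
```
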
RE: how to install in this layout. - 11.Mar.2009 9:49:00 PM   
madmonkey

 

Posts: 14
Joined: 3.Mar.2009
Status: offline
quote:

ORIGINAL: richardhicks

Make sure to include the other 192.168.x.x networks in the Internal network definition in ISA though.

Could you please explain more about this? How can I do that?

(in reply to richardhicks)
Post #: 13
RE: how to install in this layout. - 12.Mar.2009 3:25:50 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
quote:

ORIGINAL: madmonkey

quote:

ORIGINAL: richardhicks

Make sure to include the other 192.168.x.x networks in the Internal network definition in ISA though.

Could you please explain more about this? How can I do that?


Hi,

Check Tom's article for more information: Network Behind A Network (2004) - v1.1

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to madmonkey)
Post #: 14
