I need to create and configure a DMZ segment on my ISA2K4 Firewall machine and place 1 existing web server and 1 new web server in this DMZ for security reasons.
My ISA server currently has 2 NICs, an inside and an outside, so I think I have to install a 3rd NIC for the DMZ. Once installed, what IP, subnet and GW will I assign to this NIC?
The ISA box is currently configured as an edge firewall that is a domain member and has 4 static IPs bound to the external NIC:
- one for our Exchange email and VPN connections (SSL cert on the Exchange server for webmail)
- one for the web site (SSL cert on this web server)
- one for our SharePoint server (not currently used; will be used for the new web server)
- one for an application server
The ISA server is not running DNS server services.
The external NIC (which is connected to our modem/router) is configured as follows: IP: 10.1.1.y, Sub: 255.255.255.xxx, GW: 10.1.1.x
The internal NIC is configured as follows: IP: 192.168.x.x, Sub: 255.255.255.0, GW: None
If possible I would like to segment only the 2 web servers in the DMZ and leave our Exchange server and SharePoint server as is. What I need to know is which rules I need to create and what needs to be configured to make this config work the way I intend.
If anyone is able to help I would greatly appreciate it.
Thank you Paulo, I really appreciate your prompt response. Based on your response I have a few follow-up questions:
First, do I have to change the config of the ISA server from Edge to Perimeter? If so, is there a way to do this that limits downtime for my users and web apps? I'll of course back up the current config before proceeding.
Second, I've looked for an article on this site on creating the publishing and access rules needed in a DMZ and have not found any; are you aware of any?
Phillip, thanks for adding your comments to this post. Can you tell me if the above description by Paulo creates a DMZ? I need to segment the 2 servers mentioned so they are separate from the rest of the network for PCI compliance reasons, and I need to configure a DMZ.