Good article, but I have yet to find an answer to being able to allow internal access to the FBA. Looping back through the ISA server isn't very practical. I would rather let my Exchange FE handle the FBA for both internal and external instead of looping back through the firewall. Is this considered a bad implementation, and how much security do I lose?
You lose a bit of security for your remote access connections, but you avoid looping back through the ISA firewall for internal clients. If you have a very busy Exchange Server with hundreds of OWA connections all the time, then I would definitely avoid the loop back -- if your OWA server only has a few dozen OWA connections at a time, then you should be able to handle the performance hit for the "loop backers" who need to use the ISA firewall's FBA.
Well, I have a very busy Exchange server, so I guess I will be passing authentication through to the ISA. I may end up with another server for internal and one for external/ISA. Then I will put FBA back on ISA. Thanks for the info. I should be getting your book today in the mail. Look forward to the reading.
In your article you mention configuring the routing table on the ISA firewall for the internal subnets 192.168.2.0/24 and 192.168.3.0/24 since they are not directly connected. Can this be done with the 'Route add <subnet> mask <netmask> <gateway> metric <metric> if <interface>' command or does RRAS need to be turned on and configured on the ISA box? I am having trouble with Internal networks communicating on different subnets.
quote: Originally posted by neteng: Well, I have a very busy Exchange server, so I guess I will be passing authentication through to the ISA. I may end up with another server for internal and one for external/ISA. Then I will put FBA back on ISA. Thanks for the info. I should be getting your book today in the mail. Look forward to the reading.
Great! Let me know if you have any questions on what you read in the book.
I can get the two Internal networks to work just fine talking to each other, but only the subnets on NIC1 can reach the Internet. I've tried all sorts of combinations, but haven't found any way to reach the outside world from half of our network. I first created NIC2 as a separate network with associated network rules, but that didn't seem to work, so I added it to the internal network configuration, but that didn't work either.
It seems like some sort of routing problem, where any packet destined for an external address from the 10.6.x.x network just seems to disappear...
Any help you can give will be greatly appreciated!
I am tired of banging my head against the wall. It hurts now. I need assistance. I have followed your settings in the article, but I am not sure how to configure the Access Point Router settings to work with the DMZ network card on my firewall. I'm not sure what settings I should input for the router. Any help would be greatly appreciated.
Network Layout: Cable Modem - ISA Server 2004 with 3 NIC cards
1. External NIC plugs into the modem
2. Internal NIC plugs into a 10/100 switch
3. DMZ NIC plugs into USR8054 10/100 hub WAN port.
ISA Perimeter Settings: Selected DMZ card with address range 192.168.123.0 - 192.168.123.255. Network rule is set for NAT from WLAN (source) to External (destination).
Here are my network card settings on my ISA 2004 Firewall Running on Windows 2003 Enterprise Server:
After configuring the ISA Firewall (ISA 2000), now we have a conflict with the Firewall Service when we enable the Server Publishing Rules for INBOUND/OUTBOUND for Transfer Zone (from the external IP to the Internal IP) and the DNS Service. At first it was working fine, but now they cannot work together.
If I enable the Publishing Rules:
1) If I start the Firewall Service first, the DNS service gives me an error (Event ID: 2012) because UDP port 53 is being used by another application.
2) If I start the DNS first, it runs O.K., but the Firewall Service gives me errors (can't remember right now the Event ID No).
If I Disable the Publishing Rules: the DNS service runs fine but I don't have access to OWA.
I also lost our VPN access.
Any suggestions? I will greatly appreciate any feedback.