We have an existing Layer 3 network with multiple private subnets, interconnected by Layer 3 switches performing a full routing function. Currently we have an existing router-based NAT firewall performing stateful inspection. We have no direct control over the software on the client's machines.
Currently the clients perform DNS lookups against a public DNS server.
We hope to replace the NAT firewall with a dual NIC HP based DL320 ISA 2004 appliance to perform the same function as the NAT router but to provide in addition:
- DNS Forwarding/Caching
- destination host logging (DNS logging against source IP)
- URL logging (with destination URL against source IP)
- transparent cache to speed up frequently accessed sites
The hardware has not been purchased because I wanted to check what is achievable.
It's a really simple setup. No local hosting is required other than MS-RDC to an NMS server, no VPN access is required. There is no login and no domain controller. We have no control on the client OS being installed other than we hand out IP, DG & DNS via DHCP. We're thus restricted to using the ISA2004 in SecureNAT mode. We cannot use the Proxy Client.
We do not want to use a WPAD/PAC file, DHCP option 252 or manual config as this complicates the configuration for the user. Although WPAD is elegant, we have no control over the host/domain name of the PC as sometimes this is manually overridden by the user. Users cannot be trusted to enter proxy credentials into browsers and the mix of Mac/gnuLinux machines/browsers/IM clients makes this difficult to support for every app under the sun. We would like the ISA2004 to operate as a classical transparent HTTP cache (same as we have done for squid in the past), intercepting http/ftp/etc sessions (where appropriate) without the user being aware that a cache is being used. This is purely to make the most efficient use of available bandwidth.
I have some questions on which I would be grateful for some advice from those of you with more experience with the ISA setup.
1) We will have to run Microsoft DNS services for Internet lookups [Non-Recursive Caching-only DNS forwarder] on the underlying Windows Server 2003. We know this is not ideal to run services on the ISA (this is discussed in depth in plenty of 'net articles). We would like to find a way of easily reviewing the logs. Would the DNS logging be best performed as a function of the Microsoft DHCP Server or an ISA rule to log access to a file? Which mechanism presents the easiest log archiving/viewing process?
2) Does anyone have any advice as to the best way to log access to URLs for simple analysis? It looks like this is not possible with SecureNAT (sorry for the same old question, but if the info is in the cache file there must be a way of logging it?). Could this be a rule within the firewall module or part of the proxy config to output the first section of the payload to a file or an interpretation module? I'm worried it's conclusive that ISA2004 can't log URLs like Squid can.
[go use proxy client is not an option]
I have purchased and read appropriate sections of Deb & Tom's ISA2004 book and read articles on SecureNAT and the complexities of different DNS setups, but many of these are overly complex for such a simple setup.
Any advice would be appreciated on how to NAT, DNS, Cache & log in the simplest configuration possible. I am sure this is a setup that many would share.
[ newbie on forums - didn't want to cross post in Logging & Reporting too ]
Thanks all for your responses. I have done a bit more research and I think I'm getting there.
I shall use an ISA2004 with Dual NIC configuration since I will be replacing a NAT router. (Don't worry Tom, wasn't considering a 1 NIC solution).
The server will run the MS Win2003 DNS Server component as a Cache Only DNS. I'm afraid we are unable to put in a separate box for DNS. I'm hopefully gonna run in DNS Debug Logging mode, recording UDP DNS requests & responses to/from users. A batch file script will archive this file every day off to a compressed folder. I am hoping that the whizzy processing power of the HP DL320 Appliance will not be affected too much. I'm rather surprised that DNS logging is considered a Debug. I would have thought that Log & Daily Archive would be standard practice for most.
As to firewall logging, it was not clear whether, when using a SecureNAT client, you get any logs at all. It does now look like you get SourceIP / DestIP. LogHostName looks kinda cool - thanks very much Tinto.
Looks like because I'm using the SecureNAT client, I'm gonna need to use the HTTP redirector rule to send the flow to the Proxy. I'll have to investigate the HTTP Redirect / Site Content Rules Issue further.
I was kinda hoping that with all the Application Layer technology that the Web Proxy module is already aware of the URL & hostname visited and that would be logged but it doesn't look like it from the docs. I'll just have to test and see.
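The "DNS logging against source IP" requirement from the original question, combined with the plan above to run the Windows DNS server in debug logging mode and archive the file daily, can be met by parsing the archived debug log offline. The Python below is an added example written for this thread, not code from ISA 2004, Windows DNS or the poster; the log lines are constructed in the shape of a Windows DNS server packet log, and the field layout the regex assumes (Rcv/Snd direction, client IP, the R response flag, the bracketed flags/rcode, and the length-prefixed name) should be checked against a real log file before relying on it.

```python
import re
from collections import defaultdict

# Constructed sample lines in the shape of a Windows DNS server debug (packet) log.
# They are not taken from the thread; the date/time prefix varies by server locale.
SAMPLE_LOG = """\
20050412 09:15:02 0B2C PACKET  00A3F2E0 UDP Rcv 192.168.10.23   8f1a   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20050412 09:15:02 0B2C PACKET  00A3F2E0 UDP Snd 192.168.10.23   8f1a R Q [8081   DR  NOERROR] A      (3)www(7)example(3)com(0)
20050412 09:15:07 0B2C PACKET  00A3F4C0 UDP Rcv 192.168.10.23   8f1b   Q [0001   D   NOERROR] A      (4)mail(7)example(3)com(0)
20050412 09:16:41 0B2C PACKET  00A3F6A0 UDP Rcv 192.168.10.51   c044   Q [0001   D   NOERROR] A      (3)www(7)example(3)com(0)
20050412 09:16:41 0B2C PACKET  00A3F6A0 UDP Snd 192.168.10.51   c044 R Q [8385 A DR  NXDOMAIN] A      (3)www(7)example(3)com(0)
"""

# Anchored on the PACKET keyword so the locale-dependent date/time prefix is ignored.
# Assumed layout: proto, direction, client IP, transaction id, optional "R" (response),
# opcode, "[flags RCODE]", query type, length-prefixed name.
LINE_RE = re.compile(
    r"PACKET\s+\S+\s+(?P<proto>UDP|TCP)\s+(?P<dir>Rcv|Snd)\s+(?P<client>[\d.]+)\s+\S+\s+"
    r"(?P<resp>R)?\s*(?P<opcode>\S)\s+\[[^\]]*\s(?P<rcode>\w+)\]\s+(?P<qtype>\S+)\s+(?P<name>\(\d+\)\S*)"
)


def decode_name(label_form):
    """Turn the log's '(3)www(7)example(3)com(0)' form into 'www.example.com'."""
    labels = re.findall(r"\((\d+)\)([^(]*)", label_form)
    if any(len(text) != int(length) for length, text in labels):
        raise ValueError("label length mismatch: " + label_form)
    return ".".join(text for length, text in labels if int(length)) or "."


def parse_line(line):
    """Return a dict for a packet line, or None for other debug output."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"client": m["client"], "direction": m["dir"], "is_response": m["resp"] == "R",
            "rcode": m["rcode"], "qtype": m["qtype"], "name": decode_name(m["name"])}


def queries_by_client(log_text):
    """Map each client IP to the sorted set of names it asked the server for."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["direction"] == "Rcv" and not rec["is_response"]:
            seen[rec["client"]].add(rec["name"])
    return {ip: sorted(names) for ip, names in seen.items()}


def failed_lookups(log_text):
    """Map each client IP to names the server answered with a non-NOERROR rcode."""
    failed = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        if rec["is_response"] and rec["rcode"] != "NOERROR":
            failed[rec["client"]].add(rec["name"])
    return {ip: sorted(names) for ip, names in failed.items()}
```

Run it over the day's archived log instead of SAMPLE_LOG to get a per-client list of hostnames, which is the review view the thread asks about; the NXDOMAIN summary is a cheap way to spot clients resolving names that do not exist.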