Another great article, thanks.
My ISA Firewall is already in service. In your article you tell us to install the third NIC before installing ISA. What kind of problems will I run into if I add the third NIC now and work through the configurations you describe? Or, would it be better to start over?
I really appreciate these articles in addition to the great ISA 2004 book. They're teaching me step by step so much more about ISA / firewalls and general networking. (Un)fortunately there are always questions not being answered since every environment is different.
I'm applying this setup (untrusted DMZ) to my environment. I also want to use a split DNS infrastructure because we are publishing internal websites and the OWA server; I assume the ISA server resolving the internal IP addresses for these servers needs to be done.
I found that:
(This is the only interface that has a DNS server configured on it. The DNS server should be a DNS server on the Default Internal Network, and that DNS server should be configured to resolve Internet host names, either by performing recursion itself, or by using a Forwarder (such as your ISP). This interface does not have a default gateway.)
Doesn't work in my situation. If I limit the DNS listener to the Wireless DMZ segment, external DNS queries fail because clients and the other DNS servers use the LAN NIC on the ISA to resolve external IP addresses. Like this they can only resolve hosts on the Wireless DMZ segment.
Since the sDSLS router is on another subnet, I could make a persistent route on the router or allow the DNS server on the ISA to listen on the LAN NIC as well to keep resolving working.
We were having a similar problem. Followed all the steps in the article minus the internal rule and the exchange / SMTP directions (did not need) but could not get internet access from the wireless DMZ and also could not get access to the wireless router from ISA on the DMZ. Only change made from the directions was to let the internal (ISA) DNS (which serves the DMZ and has a different subnet than the internal network / DNS) listen on the internal interface as well as the DMZ interface. Now all works. Do not know if this means I have a conflict in my existing firewall rules (pretty complex - running SurfControl and requiring auth for most traffic, which forces custom protocols and special rules for any traffic that needs to be passed anonymously) or a problem with my internal (ISA) DNS, but this works. If someone knows of a reason why I should not do this and a better solution, please advise. Otherwise, we will continue in our happy little working environment. ...
Similar problem here also. Trying to create guest wireless access with no local network access.
ISA2006, member of domain:
WAN IP = x.x.x.x, has no DNS IP
LAN IP = 192.168.3.1, no gateway IP, DNS = 192.168.3.12
DMZ IP = 10.10.10.1, no gateway IP, no DNS IP
WAP:
WAN IP = 10.10.10.2, gw = 10.10.10.1, DNS = 10.10.10.1
LAN IP = 10.10.10.3, DHCP server to 10.10.10.11+
Win2003 Domain Controller & DNS server, IP = 192.168.3.12 Forwards to ISP's DNS servers. Internal network clients browse ok.
Added DNS to the ISA box, only listens on 10.10.10.1, forwarders set to the ISP DNS servers, created rev/fwd lookup zones and an ISA Access Rule to allow DNS from DMZ to Local Host along with HTTP from DMZ to External.
Logging shows DNS traffic coming from DMZ trying to go to 192.168.3.12 which gets blocked giving wireless browser a timeout error. Shouldn't ISA be forwarding it to the ISP DNS servers?
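The check the last poster did by eye in the ISA logs, as an added example that is not from the article or any of the posts above: given a firewall log export and the DNS listener each segment is supposed to use, flag port-53 flows from the DMZ (or internal) subnet that go anywhere other than their designated listener. The record layout and the sample lines are constructed for this example (not ISA's native W3C log format); the subnets and listener addresses are the ones from the post above.

```python
import ipaddress

# Segments and the DNS listener each one is supposed to use (addresses from the post above).
SEGMENTS = {
    "DMZ": ipaddress.ip_network("10.10.10.0/24"),
    "Internal": ipaddress.ip_network("192.168.3.0/24"),
}
EXPECTED_DNS = {"DMZ": "10.10.10.1", "Internal": "192.168.3.12"}

# Constructed sample records in a simplified "src dst proto dport action" layout
# (a stand-in for a firewall log export, not ISA's own log format).
SAMPLE_LOG = """\
10.10.10.12 192.168.3.12 udp 53 denied
10.10.10.12 10.10.10.1 udp 53 allowed
10.10.10.15 203.0.113.10 tcp 80 allowed
192.168.3.40 192.168.3.12 udp 53 allowed
10.10.10.1 198.51.100.53 udp 53 allowed
10.10.10.20 198.51.100.53 tcp 53 denied
""".splitlines()


def parse_record(line):
    """Split one record into fields; malformed lines are skipped rather than raised."""
    parts = line.split()
    if len(parts) != 5:
        return None
    src, dst, proto, dport, action = parts
    return {"src": src, "dst": dst, "proto": proto, "dport": dport, "action": action}


def segment_of(ip):
    """Name the segment an address belongs to, or None for addresses outside both."""
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def find_misdirected_dns(lines):
    """Return DNS flows (udp/tcp port 53) whose source segment is not using its listener.
    Flows sourced by a listener address itself are the resolver's own forwarding and are skipped."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["dport"] != "53" or rec["proto"] not in ("udp", "tcp"):
            continue
        seg = segment_of(rec["src"])
        if seg is None or rec["src"] in EXPECTED_DNS.values():
            continue
        if rec["dst"] != EXPECTED_DNS[seg]:
            rec["segment"] = seg
            rec["expected"] = EXPECTED_DNS[seg]
            findings.append(rec)
    return findings
```

On the sample above it reports the DMZ client querying 192.168.3.12 directly (the flow the poster saw blocked) and one DMZ client going straight to an outside resolver; both point at the DHCP or client DNS settings on the DMZ side rather than at the forwarders on the ISA box.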