ISA Deployment Scenario

Discussion in 'General Microsoft Certifications' started by DJ Prem, Dec 31, 2006.

  1. DJ Prem

    Hey guys, I need some help with some ISA as I'm just learning out of curiosity, so please do explain and say if I'm wrong or I've said something stupid.

    Diagram is attached.

    I'm trying to achieve this in a workgroup environment so no active directory. I'm going to make this like a scenario so people can actually understand what I'm trying to do.

    I own a block of flats and I provide free web access to my flat owners but to prevent abuse of the connection with P2P I've decided to implement a proxy.

    The ISA server has 2 network interface cards: one that connects to the modem and a second that connects to the switch; both are static.

    NIC1: IP Removed for member's privacy - Boyce (Public)
    NIC2: 10.10.10.1 (Private)

    So first of all I need IP addresses to connect locally, so I've deployed DHCP on the ISA server. Now I would like to connect the clients to the web, so would I need to deploy DNS, NAT and then ISA, or should I install DNS and ISA and no NAT?

    Please do explain. Thank you and Happy New Year.
     

  2. Bluerinse

    Firstly, ISA can be installed as a proxy server only or as a proxy/firewall solution. With two NICs you are geared up for a proxy/firewall config. If you only had one NIC, ISA could only act as a web proxy, caching-only server, which basically would speed up the surfing experience of your users but not allow you much control of the content they receive.

    The ISA server when installed in proxy/firewall mode will use NAT by default and this is how it should be configured. NAT offers another layer of protection to your clients.

    Note: with ISA you do not close or open ports as such; you create rules which either permit or deny access to specific protocols by specific users or groups and to specific sites and specific content. You could create a rule that allows all users to use any protocol to all destinations, but that would defeat the object of what ISA is all about.

    By default all protocols are denied hence no web access for anyone, until you start to create some rules.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
  3. DJ Prem

    Thank you for replying Bluerinse, just a few questions.

    1. I had my DNS use a forwarder to the ISP DNS; would I disable this?

    2. While trying various configurations, I disabled NAT and the web access was still working, so does that mean that the ISA is now a proxy only and not a proxy/firewall?

    3. If you were in this situation, how would you deploy this setup?

    Thanks and happy new year.
     
  4. Bluerinse

    Q1: No, that DNS setup is fine.

    Q2: Not sure, as I have never disabled NAT on an ISA server.

    Q3: That depends. ISA is very complex and what you are trying to achieve may not work. These P2P applications use complex port connections, meaning they vary depending on which P2P app the user is using. ISA on its own may not deal with this scenario well - you might need to use a product like Websense that works with ISA in order to achieve this goal; however, Websense will be quite expensive.

    If you want to really learn about ISA, I suggest you start trawling through http://www.isaserver.org. There are many articles on there and a public forum which gives help and good advice for setting up your ISA server. Firstly, you need to understand the three different client types and you need to understand how ISA deals with each one or a combination of the three.

    Here is a start:

    http://www.microsoft.com/technet/isa/2000/isafp1/isasct.mspx

    I studied ISA 2000 but since then ISA 2004 has been released and now ISA 2006, so you will find the info you require for the version you are playing with on isaserver.org. It's hard for me to give you definitive info as so much has changed since I really delved into it.

    ISA is a great product, but there is a lot to learn in order to get it to do what you want it to, and it is very easy to undermine the inherent security by misconfiguring the installation.
     
    Certifications: C&G Electronics - MCSA (W2K) MCSE (W2K)
