RE: DMZ Setup With ISA 2004
- From: Jack of all IT trades :| <JackofallITtrades@xxxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Wed, 23 Aug 2006 13:18:02 -0700
How secure would this solution be?
"Asher_N" wrote:
If I understand correctly, you want an ISA server in front of the web
server, which is to remain internal.
I'd connect T1-1 to ISA-1 and ISA-1 to LAN. I'd point all my LAN clients
to use ISA-1 as the gateway. Then I'd connect T1-2 to ISA-2 and ISA-2 to
web server. I'd put a second NIC in the web server and connect that to
the LAN. That way, you can get to your web server from your LAN, but any
external traffic would stop at the web server.
"Jack of all IT trades :|" <JackofallITtrades@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in
news:76840897-214E-4065-8684-7C214F2B7E7A@xxxxxxxxxxxxx:
Thanks Shijaz for the response:
However, one thing I neglected to mention is that I wanted to utilize
the cross-over connection for DNS/AD/RDP.
Bearing in mind what you mentioned about the cross-over connection,
would it be more feasible to attach the designated cross-over
connection NIC on ISA2 to the internal LAN for DNS/AD/RDP? Let me know
if I'm barking up the wrong tree or have any other suggestions.
Again, thanks for any assistance.
"Shijaz" wrote:
Since you have two separate external connections, and have two ISA
Servers, isolation is pretty easy. Connect the first T1 line to your
ISA1 and use it for internal internet access, etc.
Connect the second T1 line to ISA2 and use it for publishing your web
server on a separate DMZ network.
ISA Server 2004 does not support multiple external connections.
The cross-over connection is used between two ISA 2004 *Enterprise
Edition* servers for intra-array communication, i.e. sharing the
configuration, cache, etc between the servers.
--
Shijaz
MCSE:Security, CCNA
www.shijaz.com/isaserver
"Jack of all IT trades :|" wrote:
Sorry....I hit the enter button too soon:
Hello;
I've been tasked to create a new ISA server to isolate the traffic
going into our webserver; unfortunately this is all new to me :)
Background:
Anyways, we have an existing ISA 2004 server which is configured as
an edge firewall (which is connected to a T1 line) and provides
firewall and VPN services to our internal LAN.
Just recently we had another T1 line installed as we want to
isolate the web (web server is internal) traffic from the internal
LAN due to an expected huge increase to our website.
Each of the ISA servers has 3 NICs installed:
ISA1 (Existing Production)
NIC1 - External Access
NIC2 - Internal Access
NIC3 - Cross Connect to ISA2 IP address set to 192.168.1.1
ISA2
NIC1 - External Access
NIC2 - DMZ
NIC3 - Crossover Connect to ISA1 IP address set to 192.168.1.2
My Questions are:
1) How do I configure the second ISA server using the cross-over
connection (which firewall rules, network settings) to communicate
with ISA1, to route incoming traffic to the internal webserver?
2) Are there alternatives to the cross-over connection to get the
same results I want to achieve?
Thanks for all your help
"Jack of all IT trades :|" wrote:
Hello;
I've been tasked to create a new ISA server to isolate the
traffic going into our webserver; unfortunately this is all new to
me :)
Background:
Anyways, we have an existing ISA 2004 server which is configured
as an edge firewall (which is connected to a T1 line) and provides
firewall and VPN services to our internal LAN.
Just recently we had another T1 line installed as we want to
isolate the web (web server is internal) traffic from the
internal LAN due to an expected huge increase to our website.
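
The three layouts discussed in this thread (a separate DMZ behind ISA2, ISA2's third NIC attached to the LAN, and a second NIC in the web server attached to the LAN) can be compared by counting how many ISA firewalls sit between the web server and the LAN. This is an added example, not part of any poster's message; the graph model, the node names `Internet`, `DMZ` and `WEB`, and the assumption that a multi-homed host can relay between its NICs are all assumptions made for illustration.

```python
from collections import deque

FIREWALLS = {"ISA-1", "ISA-2"}  # the two ISA servers named in the thread

# Links common to every layout; "Internet" is an assumed node joining both T1s.
COMMON = [("Internet", "T1-1"), ("Internet", "T1-2"),
          ("T1-1", "ISA-1"), ("ISA-1", "LAN"), ("T1-2", "ISA-2")]

# Constructed models of the three layouts discussed ("WEB" = the web server).
DESIGNS = {
    "separate DMZ behind ISA-2": COMMON + [("ISA-2", "DMZ"), ("DMZ", "WEB")],
    "ISA-2 third NIC on the LAN": COMMON + [("ISA-2", "DMZ"), ("DMZ", "WEB"),
                                            ("ISA-2", "LAN")],
    "web server second NIC on the LAN": COMMON + [("ISA-2", "WEB"),
                                                  ("WEB", "LAN")],
}


def min_firewalls(links, src, dst):
    """Fewest firewalls on any path from src to dst, or None if unreachable.

    Assumption: any multi-homed node can relay between its links, which is
    the worst case for a host that has been taken over.
    """
    adj = {}
    for a, b in links:
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    best = {src: 0}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        for nxt in adj.get(node, ()):
            cost = best[node] + (nxt in FIREWALLS)
            if cost < best.get(nxt, float("inf")):
                best[nxt] = cost
                # 0-1 BFS: free hops are explored before firewall hops
                if nxt in FIREWALLS:
                    queue.append(nxt)
                else:
                    queue.appendleft(nxt)
    return best.get(dst)


def web_to_lan():
    """Firewalls separating the web server from the LAN in each layout."""
    return {name: min_firewalls(links, "WEB", "LAN")
            for name, links in DESIGNS.items()}


if __name__ == "__main__":
    for name, count in web_to_lan().items():
        print(f"{count} firewall(s) between WEB and LAN: {name}")
```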