Control flow of ISA traffic out the front-end interface to the internet



Hello,

I currently have 4 ISA server firewalls (2006 EE) configured in an
array.
These servers are not network load balanced and sit behind a firewall.
All traffic from the internal network goes through the back end IP
addresses of the ISA servers (which are also part of the Internal
network defined in ISA network configuration tool). Each front-end
network card of each ISA server has 2 IP addresses. The IP addresses
serve the purposes listed below:

Function1: DNS
Function2: HTTP traffic via ISA as outbound proxy

Ideally, I would like to assign 1 IP address of each ISA server for
each function. This would essentially make the traffic run through
the front end firewall as follows:

IP1: DNS (incoming/outbound port 53)
IP2: HTTP proxy (outbound port 80)


To do this, I did the following on my ISA servers, but to no avail.
I am not sure if the problem is in my understanding of how ISA
networks are defined or how traffic flows out of ISA front-end
interface:

1. Created a new external network (DNS) which contained IP1 of each
ISA server.
2. Created an access rule (Internal to DNS) with source: internal
network, destination: DNS network
3. Created an access rule (DNS to Internet) with source: DNS,
destination: external
4. Created a new external network (Proxy) which contained IP2 of each
ISA server.
5. Created an access rule (Internal to Proxy) with source: internal
network, destination: DNS network
6. Created an access rule (Proxy to Internet) with source: DNS,
destination: external

-------------------------------------------------------------------------------------------------------
Is it possible for me to control which IP addresses on the front-end
network cards of ISA traffic can flow out of based on an access rule
that uses a specific protocol?

Or does ISA randomly choose an IP address from the pool of external
IPs on the front-end traffic to send traffic out of to the internet?
-------------------------------------------------------------------------------------------------------------------
Please let me know if you have any additional questions.

Thanks

Enrico
