Re: Back-to-Back Firewall Pix & ISA Server 2004




"Habibalby" <hms__25@xxxxxxxxxxx> wrote in message
news:8B47DF44-6762-4530-BA35-C89174580356@xxxxxxxxxxxxxxxx
Hi, I'm not using a DHCP, all clients and servers are statically
configured.


Phillip Windell,

Why am I doing it backwards? And why is the Back-to-Back Firewall Scenario
working between 2 ISAs, but having difficulties with the PIX?

People normally put the "hardware" Firewall on the outer side and put the
ISA on the inner side of the DMZ.

DNS
DNS will mean nothing for your ISA. Your ISA is not going to be "aware" of
your Internal DNS that the LAN machines use. The ISA can operate without any
DNS in this case, but if you want it to use one then you will probably
want to add the ISP's DNS to the External Interface. The way you are running
the ISA,...the ISA will not be aware of the LAN and will have no real
control over the LAN.

DNS on the LAN
Every single machine on the LAN must use the AD/DNS and nothing else.
The ISP's DNS can be added to the Forwarders list in the DNS Service Config.
The PIX must allow the AD/DNS to make outbound DNS Queries.
The ISA must allow the PIX to make outbound DNS Queries.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

