Re: Moving from ISA 2000 to ISA 2004...



I will give you the same answer I gave many other people facing the same
task. The best path for a smooth migration on new hardware is a parallel
installation of ISA2004 on the new box. Basically you install a second
firewall in your organization, which will have one internal IP from the
internal address space, and one external IP address different from the
existing firewall. You will run this in parallel with the old firewall for a
while, which will let you gradually migrate all clients, services, and
published rules from the old box to the new one.

From a "server publishing" point of view, once you're satisfied that the
publishing rules on the new box are in place and work as expected, changing
back and forth between the old box and the new one is as simple as
changing the external DNS records to point to one external IP or another.
This lets you go back quickly to the old configuration if there's something
wrong with the new one (although there will probably be some inherent delay
that DNS caching introduces on the Internet).

As far as internal clients go, it's even easier. For SNAT clients all you
need to do is change the default gateway to point to the internal IP of
firewall #2, once you have your access rules in place (you can use a test
machine to make sure that everything works before switching the default
gateway on the workstations in the LAN). And for firewall clients, you can
configure proxy auto-discovery pointing to the new box. Moreover you will
eventually upgrade from the ISA 2000 firewall client (if you're using it) to
the new ISA2004 client, which will include the new config anyway.

I guarantee things cannot go any smoother than when using this approach.
In-place upgrades are always far from perfect, and just exporting rules from
the old ISA2000 box and re-importing them on the new ISA2004 machine will
not take care of everything either. In the end you will need some amount of
manual reconfiguration as ISA2000 and ISA2004 are different enough, so you
might as well start with a parallel installation of ISA2004 from scratch.
The only disadvantage I see is the fact that you need an additional external
IP for firewall box #2.

Good luck,
Virgil



"LJH" <alphagahoo@xxxxxxxxx> wrote in message
news:%23nNp2DZLGHA.140@xxxxxxxxxxxxxxxxxxxxxxx
Greetings:

I'm looking to move from ISA 2K to ISA 2K4.

Current config is ISA 2K on dual-homed box running W2K. DNS is hosted
externally, but this box is also running DNS (acting as Forwarder).

I want to set up W2K3 Server on brand new machine and use this box to host
ISA 2K4. This box would be dual-homed and essentially function as before.

Two questions: 1) Does Tom S have any documents that speak directly to
upgrading ISA from 2K to 2K4 AND doing so in the context of a new box? If
not him, who does? 2) Anybody done this that can offer some "gotchas" to
look out for? FWIW, like most companies these days, ours is very dependent
upon Internet for research, email (we're running E2K3, including secure OWA
and RPC over HTTPS), and remote access (basic MSFT VPN for limited group of
users).

I want to make sure when I go down this road that things go as smoothly as
possible.

Thanks in advance for any resources that people can point me toward as well
as insights gained from own experiences!

LJH


