Re: Moving from ISA 2000 to ISA 2004...
- From: "ZVR" <vzaneNOSPAM@xxxxxxxxxx>
- Date: Sat, 11 Feb 2006 08:42:12 -0500
No problem, good luck and be sure to post here if you need additional
assistance along the way.
Regards,
Virgil
"LJH" <alphagahoo@xxxxxxxxx> wrote in message
news:eGbkGxsLGHA.1192@xxxxxxxxxxxxxxxxxxxxxxx
Virgil:
Thank you for taking time to respond...I'd not even considered going the
parallel route, but your post makes all of the sense in the world!!...and
the additional external IP need is not an issue at all - I've got control
of an entire Class C.
Thanks again for helping get my head out of the fog on this
question/issue.
LJH
"ZVR" <vzaneNOSPAM@xxxxxxxxxx> wrote in message
news:43ed1975$0$5467$9a6e19ea@xxxxxxxxxxxxxxxxxxxxxxxxxxxx
I will give you the same answer I gave many other people facing the same
task. The best path for a smooth migration on new hardware is a parallel
installation of ISA2004 on the new box. Basically you install a second
firewall in your organization, which will have one internal IP from the
internal address space, and one external IP address different from the
existing firewall. You will run this in parallel with the old firewall for
a while, which will let you gradually migrate all clients, services, and
published rules from the old box to the new one.
From a "server publishing" point of view, once you're satisfied that the
publishing rules on the new box are in place and work as expected,
changing back and forth between the old box and the new one is as
simple as changing the external DNS records to point to one external IP
or another. This lets you go back quickly to the old configuration if
there's something wrong with the new one (although there will probably be
some inherent delay that DNS caching introduces on the Internet).
As far as internal clients go, it's even easier. For SNAT clients all you
need to do is change the default gateway to point to the internal IP of
firewall #2, once you have your access rules in place (you can use a test
machine to make sure that everything works before switching the default
gateway on the workstations in the LAN). And for firewall clients, you
can configure proxy auto-discovery pointing to the new box. Moreover you
will eventually upgrade from the ISA 2000 firewall client (if you're
using it) to the new ISA2004 client, which will include the new config
anyway.
I guarantee things cannot go any smoother than when using this approach.
In-place upgrades are always far from perfect, and just exporting rules
from the old ISA2000 box and re-importing them on the new ISA2004 machine
will not take care of everything either. In the end you will need some
amount of manual reconfiguration as ISA2000 and ISA2004 are different
enough, so you might as well start with a parallel installation of
ISA2004 from scratch. The only disadvantage I see is the fact that you
need an additional external IP for firewall box #2.
Good luck,
Virgil
"LJH" <alphagahoo@xxxxxxxxx> wrote in message
news:%23nNp2DZLGHA.140@xxxxxxxxxxxxxxxxxxxxxxx
Greetings:
I'm looking to move from ISA 2K to ISA 2K4.
Current config is ISA 2K on dual-homed box running W2K. DNS is hosted
externally, but this box is also running DNS (acting as Forwarder).
I want to set up W2K3 Server on brand new machine and use this box to host
ISA 2K4. This box would be dual-homed and essentially function as before.
Two questions: 1) Does Tom S have any documents that speak directly to
upgrading ISA from 2K to 2K4 AND doing so in the context of a new box? If
not him, who does? 2) Anybody done this that can offer some "gotchas" to
look out for? FWIW, like most companies these days, ours is very dependent
upon Internet for research, email (we're running E2K3, including secure OWA
and RPC over HTTPS), and remote access (basic MSFT VPN for limited group of
users).
I want to make sure when I go down this road that things go as smoothly as
possible.
Thanks in advance for any resources that people can point me toward as well
as insights gained from own experiences!
LJH