Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
ISA, Security, Windows December 30th, 2007
Network Topology
From Part I, you have finished installing ISA Server 2006. Before using the server, you need to configure it. On the Getting Started with ISA Server 2006 page in ISA Server Management, there are 5 steps for setting up ISA Server, as shown in the figure below.

To use ISA Server, only the first 2 steps in the figure above need to be configured, so this part shows how to configure the Network Topology on ISA Server, which is the first step. I will cover the second step in the next part (Part III). You also need to configure the clients so that they can access ISA Server; client configuration is covered in Part IV.
The series is divided into 5 parts:
- Getting started with Microsoft ISA Server 2006, Part I: Installation
- Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
- Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
- Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
- Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
ISA Server 2006 comes with several predefined network templates. Here are some details of each template; select the one that matches your network.
- Edge Firewall
This is a standard network topology for small to medium organizations. ISA Server is the main gateway controlling traffic between the intranet and the Internet. ISA Server needs 2 network interfaces.
- 3-Leg Perimeter
This is a standard network topology for medium to large organizations. Compared to Edge Firewall, it adds one more network to ISA Server: the perimeter network. The perimeter network, or DMZ (Demilitarized Zone), is a less secure network that hosts Web servers, e-mail servers, DNS servers, etc., so that Internet users can reach these services without having access to the internal network. ISA Server needs 3 network interfaces.
- Front Firewall
This is a network topology for organizations where security is a high priority. In this case, there is more than 1 firewall server. If an attacker attacks the servers and one fails, there is still the back firewall to protect your internal network. With this template, ISA Server acts as the front firewall between the Internet and the perimeter network and needs 2 network interfaces.
- Back Firewall
This is a network topology for organizations where security is a high priority. The configuration is the same as in the Front Firewall template, except that the ISA Server you’re configuring is the back firewall that separates the internal and perimeter networks. With this template, ISA Server needs 2 network interfaces.
- Single Network Adapter
This is a network topology in which ISA Server acts as a proxy server only. ISA Server can cache content to improve performance for users in the organization who access the Internet. As the name of the template suggests, ISA Server requires only a single network interface.
Note: With the Front and Back Firewall templates, you have more than one firewall server. It is best practice to use different firewall software on the front and back, or to combine a hardware firewall with a software firewall, rather than running the same product on both. If an attacker defeats the front firewall, you still have the back firewall, against which the attacker can’t reuse the same technique.
Step-by-step
This example configures ISA Server 2006 using the Edge Firewall template.
- Open ISA Server Management.
- On the left window, expand Configuration and select Networks.
- On the right window, select the Templates tab.
- Click the Edge Firewall template. The Network Template Wizard window appears.

- Click Next.

- You can export your current configuration before letting the wizard overwrite it by clicking the Export button. Otherwise, click Next.

- On Internal Network IP Addresses, you can configure your internal network IP addresses. If the existing value is correct, click Next.

- On Select a Firewall Policy, you can select a firewall policy template. The description shows what will be configured on ISA Server. I select “Block all” to block all traffic through ISA Server. I will configure rules in the next part.

- Click Finish to complete the wizard.

- To make the changes take effect, click Apply.
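
The wizard's two inputs, the template and the Internal Network IP Addresses, can be checked against the server's adapters before clicking Apply. The Python check below is an added example, not part of the original article or of ISA Server; it goes a little beyond the Edge Firewall walkthrough by covering all five templates. Assumptions: the role names, the sample addresses (constructed), and the rules that the internal NIC lies inside the Internal range, every other NIC lies outside it, and only the external NIC carries a default gateway.

```python
import ipaddress

# Interfaces each template needs, as listed in the article above.
TEMPLATE_NICS = {
    "Edge Firewall": 2,
    "3-Leg Perimeter": 3,
    "Front Firewall": 2,
    "Back Firewall": 2,
    "Single Network Adapter": 1,
}


def parse_range(first, last):
    """Turn a from/to pair, as typed into the wizard, into address objects."""
    lo, hi = ipaddress.IPv4Address(first), ipaddress.IPv4Address(last)
    if lo > hi:
        raise ValueError(f"range {first}-{last} is reversed")
    return lo, hi


def check_plan(template, nics, internal_ranges):
    """Return a list of problems in a planned layout (empty list = consistent).

    nics: dicts with 'name', 'role' ('internal', 'external' or 'perimeter'),
          'ip' and 'gateway' (None when no default gateway is set).
    internal_ranges: (first, last) pairs for the Internal network.
    The role names and the rules are assumptions of this example.
    """
    if template not in TEMPLATE_NICS:
        return [f"unknown template: {template}"]
    problems = []
    needed = TEMPLATE_NICS[template]
    if len(nics) != needed:
        problems.append(
            f"{template} needs {needed} interface(s), plan has {len(nics)}"
        )
    ranges = [parse_range(first, last) for first, last in internal_ranges]
    multi_homed = len(nics) > 1
    for nic in nics:
        addr = ipaddress.IPv4Address(nic["ip"])
        inside = any(lo <= addr <= hi for lo, hi in ranges)
        # The adapter facing the protected LAN must belong to the Internal range.
        if nic["role"] == "internal" and not inside:
            problems.append(f"{nic['name']}: {addr} is outside the Internal range")
        # Any other adapter inside that range makes the networks overlap.
        if nic["role"] != "internal" and inside:
            problems.append(f"{nic['name']}: {addr} is inside the Internal range")
        # On a multi-homed server only the external adapter gets a gateway.
        if multi_homed and nic["role"] != "external" and nic["gateway"]:
            problems.append(
                f"{nic['name']}: default gateway set on a non-external NIC"
            )
    return problems


# Constructed sample plans (addresses are illustrative, not from a real network).
GOOD_NICS = [
    {"name": "LAN", "role": "internal", "ip": "10.0.0.65", "gateway": None},
    {"name": "WAN", "role": "external", "ip": "192.0.2.2", "gateway": "192.0.2.1"},
]
GOOD_RANGES = [("10.0.0.0", "10.0.255.255")]

BAD_NICS = [
    {"name": "LAN", "role": "internal", "ip": "10.0.0.87", "gateway": "10.0.0.1"},
    {"name": "WAN", "role": "external", "ip": "10.0.0.140", "gateway": "10.0.0.1"},
]
BAD_RANGES = [("10.0.0.0", "10.0.0.255")]

if __name__ == "__main__":
    for label, nics, ranges in (
        ("good plan", GOOD_NICS, GOOD_RANGES),
        ("bad plan", BAD_NICS, BAD_RANGES),
    ):
        found = check_plan("Edge Firewall", nics, ranges)
        print(label, "->", found or "consistent")
```

The second constructed plan puts both adapters in the same range, so the external adapter's address falls inside the Internal network and is flagged along with the extra default gateway.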

March 26th, 2008 at 5:29 pm
Nipawit,
Your step by step installation is very helpful. Can you tell me any considerations for setting up ISA with the single network adapter type? Does any specific configuration or policy need to be set?
Thx,
BW
March 28th, 2008 at 9:03 am
I haven’t used this template before. With this template, ISA Server will only function as a cache server.
I recommend you to read this for more detail about the template.
Single Network Adapter network template
July 29th, 2008 at 3:13 pm
Dear Linglom.com Team,
Your web site is so nice and informative, like nothing I have ever seen before. Keep it up, it is really nice work you people have done.
thanks
Qazzafi,
System and Network Administrator,
Govt. of Punjab, Pakistan.
September 17th, 2008 at 12:11 am
I’m having trouble choosing one of the templates provided by ISA Server 2006.
I have 2 servers and 1 firewall.
My 1st server is the PDC server running on w2k3 std. My 2nd server is the proxy server on which I’m willing to deploy ISA Server 2006.
Any template / isa-configuration suggestion ?
September 17th, 2008 at 9:27 am
Hi, Karsanto
If you want ISA to be only a proxy server, you can use the Single Network Adapter template, which makes ISA Server act as a proxy server. This template requires only a single network card on ISA Server.
You’ve told me that you already have a firewall and you want to install another firewall (ISA Server). If you want to have a perimeter network (DMZ zone), you can select between the Front or Back Firewall template, depending on where you want to place the ISA Server. Both templates require 2 network cards on ISA Server.
Or you can use the 3-Leg Perimeter template, which is less secure because it has only one firewall. This template requires 3 network cards on ISA Server.
October 8th, 2008 at 11:28 pm
Hello,
Thanks a lot for putting together this great HOWTO. I love it.
That said, I’m in the process of installing ISA Server 2006 and I need some guidance to put a solid foundation in place prior to moving forward. I have picked my topology and it will be a back firewall. In other words, it’s going to be a We already have a SonicWall Pro 4060 acting as our gateway/firewall and would like to put the ISA Server behind it as a second line of defense. The ISA Server will then be connected to a gigabit switch which holds our LAN. Now, we are also planning to add a SonicWall SSL VPN 2000 to the topology for remote access so that telecommuters and remote users can access some resources like OWA, EAS, IM, MOSS,… without getting inside our network. What would be the best place to put the SSL VPN device? We are planning to plug it into one of the ports of the SonicWall Pro 4060 and then connect a VMWare box hosting different servers to it. Has anybody had to deal with such a network configuration before? What would be the best practice to reduce the attack surface and offer resources to our users? We would like to make the configuration as simple as possible but secure, to avoid trouble down the road.
Thanks for your feedback.
Armel -
October 10th, 2008 at 3:11 pm
Hi, Armel
It’s better to have a 2-level firewall than a single firewall. With a front and back firewall, when the system is attacked and the front firewall is compromised, you still have a back firewall protecting your private network, which gives you more time to investigate and fix the problem. But about VPN, I have no idea since I have never used it.
October 10th, 2008 at 8:26 pm
Hi Linglom,
Thanks for your input. I appreciate that.
I have found a way to place my SonicWall SSL VPN 2000 in the topology. The recommendation from SonicWall (one of the placement scenarios) is to place it in the DMZ. So, I’m going with that option.
Once again, thank you and keep up the good work !
Armel
October 10th, 2008 at 10:35 pm
Hi Linglom!
It’s me again. Based on my network topology, how can I enter persistent routes in my routing table using the route -p add command? Here is a rough diagram of my network:
Internet
|
SonicWall Firewall
192.168.3.1
|
|
|
192.168.3.2 (WAN NIC of ISA Server)
ISA Server 2006
10.0.0.65 ( LAN NIC of ISA Server)
|
|
|
|
Office LAN
(10.0.0.0/16)
Do you think
route -p add 10.0.0.0 mask 255.255.0.0 10.0.0.65
Would do it? I think that would allow all traffic coming from my LAN to be passed to the internal NIC (10.0.0.65) of the ISA, which will push it out to the external interface (192.168.3.2), which has a default gateway of (192.168.3.1), and it will get to the SonicWall firewall.
What do you think?
Thanks for any feedback.
Armel
October 11th, 2008 at 10:42 pm
You don’t have to configure the routing table on clients. ISA Server has 3 types of clients: SecureNAT client, Firewall client and Web Proxy client. For more detail, see Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type.
You have to configure clients to be one of these types. For example, if you are using the Firewall client type, all traffic from the client’s browser will be sent to ISA Server.
March 3rd, 2009 at 12:42 am
I was running ISA 2006 with 2 internal NICs and 1 external, using the 3-leg perimeter config. Now I want to change to 1 internal and 2 external (I have 2 different ISPs). What do I need to change to allow 2 external NICs? Ideally, I would like all email traffic on the original and all web traffic on the new.
March 3rd, 2009 at 8:27 pm
This is really, really helpful, thank you very much mate
March 6th, 2009 at 9:30 pm
Hi, Jdoty
I’m not sure that ISA Server can handle more than 1 external network.
Hi, Kreshnik
You’re welcome.
March 31st, 2009 at 9:43 pm
Hi,
We have two branches. Each branch is located 2 KMS away. We have 2MBPS fiber optic network connection between both the branches. So, we have decided to implement ISA Server 2006 in our network. What configuration steps I have to follow in IP Ranges. I mean, in network 1 I will be implementing ISA Server 2006 for that I should provide internal as well as external IP. please suggest me as to how should I follow the configuration procedures in terms of IP and also explain me how to I configure the Firewall to work for both the branches in a Domain Environment.
Thanks in advance
April 7th, 2009 at 1:27 pm
Hi, Ganu
I’ll give only a simple configuration guide which does not include detailed steps. I inferred that you want to place ISA Server between the branches, so you only need 2 NICs on the server.
The first interface is connected to the internal network, so the IP address can be any address in your branch and the DNS address should point to your branch’s DNS server.
The second interface is connected to the external network, which in this case is the other branch. You may connect this interface to the router which connects to the other branch, so the IP address should be in the same network as the router and the gateway points to the router. For the DNS address, you may point to the other branch’s DNS server.
April 16th, 2009 at 10:27 am
Kindly let me know: I want the following to be implemented through ISA 2006 using a PPOE connection
CEOs: Full access to the Internet for all applications
Finance: Only certain HTTP sites like hotmail.com
Network :
Internet with PPOE
Router
Switch
ISA 2006
AD
Sharepoint
SQL
Clients
How should the network be designed using ISA 2006
April 20th, 2009 at 4:15 pm
Hi Ash
I’m in same situation, please help me to know if you find any result for your implementation
July 9th, 2009 at 11:41 am
I want to configure the ISA 2006 with 2 LAN cards, can i configure both the IPs from my internal LAN address, for internal request it will use one IP & I will NAT other IP for external network (Internet),
Is it possible ??
August 3rd, 2009 at 11:37 pm
Nipawit,
I am new to setting up and configuring ISA. I want to deploy OWA and SharePoint through ISA but am not sure what network setup to use. I currently have a Cisco PIX as a firewall. I also have a DMZ. I am not looking to replace my PIX with the ISA, only to secure and grant access to OWA and the internal SharePoint site. What method would you suggest?
August 5th, 2009 at 11:28 am
Hi, Peter
To define the network configuration for ISA Server, first you have to decide where you want to place ISA Server on your network.
I assume that now your network is 3-leg perimeter with Cisco PIX as a firewall. If you want to place ISA Server between Cisco PIX and the Internet, ISA Server should be a front firewall. If you want to place ISA Server between Cisco PIX and your LAN, ISA Server should be a back firewall.
August 5th, 2009 at 8:34 pm
Hi Peter,
In my set up, I’m using ISA Server 2006 as a back firewall and it’s working great. I have a SonicWall UTM device as front firewall. I opted to go with a Dual-Homed ISA ( 2 NICs) and I’m able to publish both SharePoint 2007 and OWA with success. If you see posting 9. you’ll have a rough idea of my set up.
For SharePoint, I have a Windows Server 2008 box running SQL Server 2008, and another Windows Server 2008 running SharePoint Server 2007. I also have another Windows Server 2008 running SharePoint as a front-end server. That’s the server I’m publishing through ISA for my remote users. To secure your communication, you’ll need an SSL certificate. I’m using a unified communication certificate from one of the major vendors.
There are other tiny details but I’m sure you’ll figure out how to proceed.
As far as OWA is concerned, you’ll also need a certificate. A UC cert is the way to go if on top of OWA you want to offer Autodiscover or ActiveSync for mobile users. You’ll need to install your cert on your Client Access Server (CAS). I split the server roles across two servers, with the CAS sitting separate from the server holding the mailboxes.
As Linglom said, the first thing that you need to do is to pick your topology ( based on your specific needs and requirements). Then, you can focus on the request of the stuff. I’m sure you’ll really enjoy the experience.
August 5th, 2009 at 8:44 pm
Toward the end of my post, in the line “Then, you can focus on the ‘request’ of the stuff” I’m sure people have figured out that I wanted to say “…focus on the ‘rest’ of the stuff”. Sorry about that.
September 4th, 2009 at 9:41 pm
hi linglom,
i’m trying to set up my isa 2006 server, my scenario is stated below
multihomed server, asa firewall to be included in network, websense to be configured on isa 2006.
From what I have read thus far, I have decided to implement a front firewall topology. However, my question / the unclear part of it is that the ASA would implement a DMZ in which the application server will be placed for external users to have access to it without coming into the network. But the internal users will also need access to the application server, so I’m asking what configuration I need to set to permit them (internal users) access to the DMZ?
PS: the internal NIC of the ISA will be configured with an internal IP while the external NIC will be configured with a public IP/NATted IP, not sure yet which the Cisco guy would be giving.
thanks
October 29th, 2009 at 9:10 pm
Hi,
My ISA server is giving the problem below when I’m using it with my application. Could you suggest a solution for this problem, and let me know how to configure it properly:
HTTP transport error: java.io.IOException: Unable to tunnel through proxy. Proxy returns “HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )”; nested exception is:
HTTP transport error: java.io.IOException: Unable to tunnel through proxy. Proxy returns “HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )”
November 4th, 2009 at 11:40 am
Hi, Muppie
If you are going to implement ISA Server as front firewall, it means that you have another firewall as back firewall, right? And if you want internal users to access any application on DMZ, you don’t need to configure anything on front firewall. You only need to configure on the back firewall to allow traffic from internal to DMZ. The configuration depends on which application you provided.
November 4th, 2009 at 7:11 pm
Hi Linglom,
Thanks for your reply. I have deployed the ISA already using the edge template because the back firewall has not been mounted. i would like to know what immediate steps to take once the firewall is put up. the intended firewall is cisco’s asa 5510 series.
Also i have published owa and exchange server already. What should i expect with the new changes that would be made when the firewall is mounted?
Thanks.
November 9th, 2009 at 3:00 pm
Hi, muppie
When you install a back firewall, you will have three separate networks: Internal, Perimeter and External.
If you want the internal network to access the Internet through ISA Server, you need to add the internal network address range to the ISA Server. Otherwise, clients in the internal network can’t access the Internet.
November 9th, 2009 at 4:08 pm
Hi Linglom,
Thanks a lot, the post has been very helpful.
January 1st, 2010 at 8:37 pm
Good Day,
I have a network with a central Draytek connected to our stores with site-to-site VPNs. Connected to the router I have ISA 2006 with two NICs.
Internet
|
Draytek-(VPN’s for the 5 stores)(LAN port(192.168.100.1)
|
ISA 2006(WAN port(192.168.100.2)
| (LAN port(192.168.254.253)
LAN
The stores use RDP to connect to an internal application. I also have OWA working without problems. I am trying to let clients in the stores connect to a share inside the LAN, without success. Can you help?
Thanks
Rui Castro
January 7th, 2010 at 11:36 am
Hi, Rui Castro
I don’t have much experience with VPN. First, I would look at ISA Server’s Logging to see whether there is any traffic from the clients or not.
April 7th, 2010 at 10:45 pm
Hello..Those steps are very nice and helpful! I just wanna know if what I’m doing is right..I have my first server (domain controller) named test1 and planned to install ISA on another domain controller named test2:
test1:
ip: 192.168.0.1
sub mask: 255.255.255.1
Gateway: 192.168.0.5 (i guess after installation of my isa i need to pass the ip address of my isa server) is it ok?
dns: dns of my ISP..
test2:
ip 192.168.0.20
sub mask: 255.255.255.0
gateway: 192.168.0.50
dns: dns of my ISP..
AT CLIENT SIDE: they are on dhcp..so i need to put a gateway of 192.168.0.20 is that ok?
i need to configure under tools, internet options….lan settings: ip-192.168.0.20-port 8080..
Please tell me if my configs are correct?
thanks
john
April 8th, 2010 at 2:20 am
Hi John,
It’s not recommended to install ISA Server 2006 on a DC/GC. You’ll find yourself with a boat load of issues to tackle down the road. If you can get a hold of Dr. Tom Shinder’s book titled “ISA Server 2006″, it will really help you understand the nuts and bolts. You can also check the ISA Server forum ( http://isaserver.org) to read about other people’s experiences. I started using ISA in 2008 and have just upgraded to TMG 2010. I’ve learned a lot checking the forum and learning from others.
If you scroll up you can see what my set up looks like. I’m able to publish OWA, Autodiscover, Communicator 2007 R2, SharePoint 2007 via ISA first and now via TMG 2010.
If you can afford it, have a server with at least 2 fast NICs ( everything depends on how you want to use ISA/TMG for) that only runs your ISA 2k6/TGM2010. Configure one NIC to connect to your LAN and the other one with an IP from a different subnet.
If you want your internal clients to be SecureNAT clients then you need to configure them to use the internal IP of the ISA as their default gateway. You can do that on your DHCP server so that clients get that info as an option whenever they acquire/renew their IP.
Anyway, I hope my rambling is of some help to you. If you have specific questions, feel free to ping back. This venue has also been of great help to me so I’m sure you’ll find the help you need.
Armel -
April 8th, 2010 at 10:11 am
Thanks Armel,
So u suggest not to install isa 2006 on another DC…So i will set up my 2003 server and join it to my domain controller.
April 8th, 2010 at 8:50 pm
Yes, build another server running Windows Server 2k3, join it to your domain and install ISA Server 2k6 on it.
April 14th, 2010 at 11:45 pm
Hello…my ISA installation works and my clients are using the Internet through the ISA server..But I wanna make sure what I have done is OK..
I have a 2003 server on which I have installed ISA 2006..of course I have joined this server to my domain controller..My ISA server has 2 network adapters..One for the internal network and another one for Internet access.
the one used for my internal network get ip from my dhcp server (from domain controller)
the other one , i have put a fixed ip address and the gateway is the gateway of my ISP..
on client side, i have put the ip address of my ISA server and port 8080 under lan setting and it works..
I have also created some rules to access particular websites..I have used the edge template..
I just wanna know if it’s ok and also wanna know if it’s a really secured installation i have made..
April 15th, 2010 at 7:15 pm
@John: all looks OK except the fact that the internal NIC should be using a static IP or a reserved IP from the DHCP. The IP address should not be dynamic in any way since it’s configured to be used as a proxy server address for clients.
April 15th, 2010 at 7:20 pm
the above post is intended for john barnes. thanks
April 26th, 2010 at 6:47 pm
Hi,
Your ISA 2006 step by step Network configuration is very helpful. Can you please tell the step by step approach, for Configuration of Network Topology using Back Firewall Template.
April 26th, 2010 at 7:21 pm
Hi Linglom!,
Your ISA 2006 step by step note is very helpful
Here is the rough diagram of my Network
Internet
|
|
Checkpoint Firewall
210.18.82.35
|
|
210.18.82.36 (LAN NIC of ISA2006 External) (Fixed)
ISA Server 2006
10.249.8.97 (Lan NIC of ISA 2006 Internal )(reserved IP from DHCP)
|
|
|
|
office LAN
(10.249.8.1/255)
Will Back Firewall Network Topology work for this.
Could you please tell the step by step approach for this
April 26th, 2010 at 7:34 pm
@Mandan
If you are going to deploy the back firewall then you have to take note of the following:
* Do ensure that you do not have a gateway specified on the internal NIC of the ISA server.
* Also, if you want the internal network to access the Internet through ISA Server, you need to add the internal network address range to the ISA Server. Otherwise, clients in the internal network wouldn’t be able to access the Internet.
Ok.
April 27th, 2010 at 4:01 pm
Hi,
There is little bit change of IP address for
(External NIC of ISA2006 ) as local IP : 10.249.8.140
later on one live IP is routed to local IP(10.249.8.140)
Rough diagram in modified form
=========
Internet
|
|
Checkpoint Firewall
210.18.82.35
|
|
10.249.8.140 (External NIC of ISA2006 ) (reserved IP from DHCP)
ISA Server 2006
10.249.8.87 (Internal NIC of ISA 2006 )(reserved IP from DHCP)
|
|
|
|
office LAN
(10.249.8.1/255) –IIS web Server (10.249.8.134)
=======
1.
I have followed the Back Firewall network template to build the network layout. In the Internal network IP address range I have kept (from 10.249.8.1 to 10.249.8.255)
2.
I have created an external web listener for port 80
External web 80
3.
I have created a web publishing rule – web(10.249.8.134)
with publish a single web site option.
on internal publishing detail
Internal site name: abc
Use IP address: 10.249.8.134
on public name Details page
Accepts request for: This domain name (type below)
public name: 10.249.8.140
path: leave empty
on Web listener- (External web 80) as created on step 2
4.
For network rule
I have used NAT for connectivity between Internal and external network.
April 27th, 2010 at 4:05 pm
In continuation to previous post
I have tried to access http://10.249.8.140 from a client computer in the local network. I am not able to access the website. Once I can access it locally, I am planning
to access it through the live IP.
Please guide.
April 29th, 2010 at 4:38 pm
Hi, Mandandeo
You should test access to IIS from the external network, since you have configured the web listener on External.
Note: If you have two firewalls, why don’t you put IIS on DMZ?
May 25th, 2010 at 10:22 pm
Hi, I want to ask whether I must connect ISA 2006 to the domain or not. If not, why?
Hope you can help me
June 15th, 2010 at 2:30 pm
Guys – Fantastic install and config guide just what I needed.
I was wondering if you could assist me. I have decided to rebuild my home office environment on Win 2008 Enterprise R2. I need to use ISA as a transparent proxy so that all my client PCs can just pass via my server. I have 2 NICs, one on a 192 range going to my router and the other NIC for my internal LAN on a 200 range. Can you please advise me if I can use the ISA server as a firewall and proxy, and if so, which config I should use (never used ISA before but have been told this best fits my needs)? All help would be appreciated.
June 15th, 2010 at 8:16 pm
Hi Jag,
If what you mean is to deploy ISA Server 2006 on Windows 2008 R2, it’s not a supported OS version nor scenario. If your OS platform will be Windows Server 2008, then you can look at deploying TMG. There are good guides here: http://technet.microsoft.com/en-us/library/cc441445.aspx
However, if your OS platform is still Windows Server 2003, yes, it can work and yes, you can use it as your firewall and proxy. To achieve that you can deploy the Edge template, and following Linglom’s blog will help you through the deployment.
September 23rd, 2010 at 3:15 pm
Great post as usual – here is a little something that made me smile
Freedom of speech is wonderful – right up there with the freedom not to listen.
September 28th, 2010 at 2:46 pm
Hi. If I want to use ISA 2006 in conjunction with TS Gateway, which network template should I implement? How do I install the self-signed certificate which I have created on the TS Gateway server on an ISA 2006 server?
September 30th, 2010 at 2:33 am
Hi
After installing “Edge Firewall” on my ISA server, the server stopped getting an IP address from the DHCP “Router” ASA switch.
Any suggestion?
I have been through this problem with two different PCs.
Would be awesome if you could help me out, having an exam in 5 days :/
October 4th, 2010 at 9:43 am
Hi, Arash
Have you created an access rule for the DHCP protocol? I suggest you check Logging on ISA Server to see whether the request is blocked or not.
October 4th, 2010 at 3:59 pm
Yes I have. Everything is getting denied by the Default Rule. The DHCP protocol has also got access, but no sign of an IP. Maybe this is meant by Microsoft to prevent higher security? And maybe they want the ISA server to have a static IP address.
October 8th, 2010 at 10:03 pm
linglom
Great details. I am implementing OCS2007R2. Internal use works great; now I need to set up an edge server for external access, and the main prereq is ISA Server. I can load 2003 or 2008 on a box, but with 2008 I guess I need TMG2010. My dilemma is I am new to this and totally confused. My current network setup is
Internet
sonicwall 240 FW
192.168.0.254
GB switch
office lan 192.168.0/24
The physical server I am planning to use has 2 NICs.
I just need my traffic for the OCS external FQDN to pass in and out. What template should I pick? Also, what IP addresses should I be using for ISA? On the SonicWall, will I need to create a DMZ? Any help is very much appreciated
October 11th, 2010 at 9:16 am
Hi, Arash
I recommend to set a static IP address on ISA Server. Normally, any server should use static IP rather than dynamic.
If the request is blocked by ISA Server, you should create an access rule to allow it. Otherwise, it will be blocked by the default rule.
October 11th, 2010 at 9:37 am
Hi, deejah
You already have a firewall (SonicWall 240) so I guess you want to implement ISA Server as another level firewall. You can choose which one is the front or back firewall. About DMZ, it depends on you whether you want it or not.
If you are new to ISA Server, I recommend you read this series – Getting started with Microsoft ISA Server 2006, Part 1: Introduction. It is more updated than this one.
October 11th, 2010 at 6:25 pm
Hi Linglom!
I found this out a few days ago. An ISA server cannot have a dynamic address because Microsoft has decided it to be so.
You cannot change this rule either, or give permission to open DHCP requests back.
Thanks for the help anyways
October 15th, 2010 at 5:16 pm
Hi linglom
Currently running ISA 2004 on SBS 2003, all clients request internet connection via ISA and Edge firewall topology is used
Now want to employ TMG 2010 as Proxy. Using Edge firewall, This is How my network is setup
Internet
|
|
Cisco Router (Default gateway 196..x.x.1)
|
|
|
|Fortinet Firewall (196.x.x.2)
|
|
|
|
RODC (2008 R2) with TMG 2010 installed ( Wan 196.x.x.3)
Lan 10.x.x.2
|
|
|
S2008 R2 DC (10.x.x.3)
|
|
Clients Computers
Am I setting up TMG 2010 the correct way using edge firewall. Thanks in advance
November 15th, 2010 at 2:25 pm
Actually I Installed a ISA 2006 on 2003 Server
I’m facing a problem is after Installing ISA server i am unable to ping or communicate with the ISA Server. I tried the above given suggestions and also tried to create a new Network rule and a Firewall policy but still i am unable to communicate from the client side. My network setup is in this way:
Internet directly connected to the server
WAN IP: 10.0.29.233
ISA Server
LAN IP: 192.168.11.250
Client IP: 192.168.11.233
Hence I want to apply NATing and a Firewall Policy.Hence I kindly need somebody to help me resolve this problem.I would be very grateful for the help.
November 16th, 2010 at 1:13 am
Hi othniel,
I am not sure you have stated how exactly you have configured your ISA server. However you would need to edit the system policy to allow ICMP protocol (this is the protocol responsible for connectivity check tasks such as ping). the protocol should be allowed from local(ISA) and internal (if you want your ISA server to respond to ping requests from clients/servers) network server to local host and internal network.
November 17th, 2010 at 3:45 pm
Hi Muppie
Thanks for your concern. I understood and configured according to as you said. I am sorry to disturb you again please do not mind to answer. The query is the ‘Ping command works but to enable secure NAT or the network traffic to bypass the ISA server what services to be enabled or disabled, as well do I have to compulsorily install and configure ADS,DNS and DHCP or is it fine with Installing ISA and leave for bypassing and applying Firewall policy.’ I would be thankful please.
November 19th, 2010 at 10:25 am
Hi Muppie
Thanks for the guide you have posted. I could configure the ISA server as per your post and could access as well as restrict the browsing, but could do it with web proxy, not SecureNAT, so I have to go to each client and configure the browser, but I actually wanted it at the IP address side. As well, I want to know how to stop video streaming and specific websites like social networking websites and porn websites.
November 19th, 2010 at 2:37 pm
Hi Othniel,
Many thanks to Linglom for the posts; I’m just trying to help based on your question. It’s possible to configure your clients as SecureNAT clients, but you would have to specify the ISA server as the gateway/router in the DHCP scope setting; that way they automatically pass through the ISA server to get to the internet.
With regards to blocking specific websites you can achieve that by using HTTP Filtering. Marc Grote has a good tutorial about that here
http://www.isaserver.org/tutorials/Configuring-ISA-Server-2006-HTTP-Filter.html
Hope you find it helpful!
November 19th, 2010 at 8:39 pm
Hi Muppie
Thanks for your reply and help. I am very grateful you took out your precious time to answer my queries. According to your reply, I configured the client by adding the default gateway; I also tried configuring at the DHCP end and could not succeed in that. I don’t know whether it’s a configuration problem at my side. Is it so that I need to create any particular firewall policy so that the SecureNAT clients can access? I don’t know exactly what to do!
November 20th, 2010 at 1:36 am
Hi Othniel,
I’d like to know if your clients receive automatic IP addresses when they connect to the network. If the answer is yes, then you can configure a router address (specify the ISA server local IP address) in the DHCP scope used by the clients. That is the easiest way to get the job done. Kindly read the article below also:
http://www.isaserver.org/tutorials/The_SecureNAT_Client.html
You do not need to configure access rules to determine what type of clients you would have, the rules are for access control to the internet.
Hope this helps.
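The SecureNAT requirement discussed in the replies above (the client's default gateway, normally handed out as the DHCP Router option, must lead to the ISA Server's internal address) can be checked mechanically. This is an added example, not part of the original thread: the function name is hypothetical, the /24 mask is an assumption, and the addresses are the ones from othniel's post.

```python
import ipaddress

def securenat_problems(client_ip, prefix_len, default_gateway, isa_internal_ip):
    """Return reasons a host cannot act as a SecureNAT client (empty list = OK)."""
    iface = ipaddress.ip_interface(f"{client_ip}/{prefix_len}")
    isa = ipaddress.ip_address(isa_internal_ip)
    if not default_gateway:
        # Without a gateway, off-subnet packets are never sent anywhere.
        return ["no default gateway: off-subnet traffic never reaches the ISA Server"]
    gw = ipaddress.ip_address(default_gateway)
    problems = []
    if gw == iface.ip:
        problems.append("default gateway is the client's own address")
    elif gw not in iface.network:
        problems.append(
            f"default gateway {gw} is not on the client's subnet {iface.network}")
    elif gw != isa and isa in iface.network:
        # Another on-link router is used, so the firewall never sees the traffic.
        problems.append(
            f"default gateway {gw} is on-link but is not the ISA internal "
            f"address {isa}, so traffic bypasses ISA")
    # If the ISA Server is on a different subnet, the gateway is an intermediate
    # router; whether it forwards to ISA cannot be judged from client settings.
    return problems

# Constructed sample inventory: (client IP, prefix length, default gateway).
ISA_INTERNAL = "192.168.11.250"
CLIENTS = [
    ("192.168.11.233", 24, "192.168.11.250"),  # gateway is the ISA LAN address
    ("192.168.11.234", 24, None),              # static IP, gateway left blank
    ("192.168.11.235", 24, "192.168.11.1"),    # some other on-link router
    ("192.168.11.236", 24, "10.0.29.233"),     # ISA WAN address used by mistake
]

def audit(clients, isa_internal_ip):
    """Map each client IP to its list of SecureNAT configuration problems."""
    return {ip: securenat_problems(ip, plen, gw, isa_internal_ip)
            for ip, plen, gw in clients}

if __name__ == "__main__":
    for ip, problems in audit(CLIENTS, ISA_INTERNAL).items():
        print(ip, "OK" if not problems else "; ".join(problems))
```

A client that passes this check still needs an access rule on the ISA Server before any traffic is allowed out.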
December 17th, 2010 at 12:35 am
Hi
Please, I need assistance. I installed ISA Server on a virtual Windows Server 2003 running VMware Workstation. It has 2 network adapters, with one having 192.168.2.101 as its IP, gateway 192.168.2.1. During installation I included some client IPs, 192.168.2.102-103. I then installed Microsoft Firewall Client on one of the clients, but they don’t seem to be detecting the ISA Server.
December 18th, 2010 at 9:24 am
Hi, Chike
Have you tried to input the IP address of the ISA Server in Microsoft Firewall Client manually? Can you ping from the ISA Server to the client?
January 19th, 2011 at 3:35 pm
Hi,
How do I set up ISA Server using VMware Workstation? I am new to ISA Server. I installed ISA Server on Windows 2k3.
January 20th, 2011 at 9:43 am
Hi, Vas
I recommend you read this series – Getting started with Microsoft ISA Server 2006, Part 1: Introduction. It is more up to date than this one. How to install ISA Server is covered in part 3.
February 9th, 2011 at 12:00 pm
Hi,
I am planning to extend my internal SharePoint application to the internet and use ISA Server as the reverse proxy server. As of now the SharePoint server is internal to the organisation and not hosted in the DMZ. Can you please suggest how to go about this?
My requirement is that employees and non-employees should both be able to get in to the SharePoint server from the internet.
February 21st, 2011 at 11:15 am
Hi, Subbu
This article may be useful, How to Publish Microsoft Sharepoint Services with ISA Server 2006.
April 2nd, 2011 at 7:15 am
I have an SMC router at home which gives out DHCP to the clients. I wanted to implement ISA Server in between the router and the clients. I have an ADSL connection which gives out the public IP to the SMC router. I was going to ask: I know what to do with the internal clients, as they are going to get DHCP from the router, but what about the ISA Server? Shall I give it a static private address and allow the internet connection to get shared so that all the clients pass through it, or use the way you showed to renew DHCP in ISA Server so that it gets an IP from the SP?
Clients (get IP from router) ---- ISA server (External ?) ---- SMC router (gives out DHCP and gets its public IP from SP) ---- Internet
Please do reply to me regarding it.
November 6th, 2011 at 11:12 am
Friends, I am new to ISA 2006.
I have two network cards.
Card 1 is connected to the internet, having a static IP (192.168.2.100, default gateway 192.168.2.1).
Please tell me: the other card is the LAN card; how do I assign it an IP so that other users connected to this server can access the internet by using the proxy?
December 6th, 2011 at 12:59 am
Hi Linglom!
I want to join a domain on my ISA Server but can’t do this.
In the ISA Server there are two LAN cards: one is used for internal and the second is for external. On the external LAN card the gateway address and DNS IP address are defined. Without the gateway address and DNS IP on the external LAN card I could not access the internet, but I can join the domain when I insert the gateway address on the internal LAN card. Simply tell me what to do so that I can easily join the domain and also access the internet.
I shall appreciate your support.