Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
ISA, Security, Windows. December 30th, 2007
Network Topology
In Part I, you finished installing ISA Server 2006. Before using the server, you need to configure it. The Getting Started with ISA Server 2006 page in ISA Server Management lists 5 steps for setting up ISA Server.

Only the first 2 of those steps need to be configured to use ISA Server. This part shows how to configure the network topology, which is the first step. I will cover the second step in the next part (Part III). You also need to configure the clients so that they can access ISA Server. Client configuration is covered in Part IV.
The series is divided into 5 parts:
- Getting started with Microsoft ISA Server 2006, Part I: Installation
- Getting started with Microsoft ISA Server 2006, Part II: Configure Network Topology
- Getting started with Microsoft ISA Server 2006, Part III: Create Firewall Policy Rule
- Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type
- Getting started with Microsoft ISA Server 2006, Part V: Configure HTTP Filter
ISA Server 2006 comes with several predefined network templates. The details of each template are below. Select the one that matches your network.
- Edge Firewall
This is a standard network topology for small to medium organizations. ISA Server is the main gateway controlling traffic between the intranet and the Internet. ISA Server needs 2 network interfaces.
- 3-Leg Perimeter
This is a standard network topology for medium to large organizations. Compared to Edge Firewall, it adds another network, the perimeter network, to ISA Server. The perimeter network, or DMZ (demilitarized zone), is a less secure network that hosts web servers, e-mail servers, DNS servers, etc., so that Internet users can access these services without access to the internal network. ISA Server needs 3 network interfaces.
- Front Firewall
This is a network topology for organizations where security is a high priority. In this case, there is more than 1 firewall server. If a hacker attacks the servers and one fails, there is still a back firewall to protect your internal network. With this template, ISA Server acts as the front firewall between the Internet and the perimeter network and needs 2 network interfaces.
- Back Firewall
This is a network topology for organizations where security is a high priority. The configuration is the same as in the Front Firewall template, except that the ISA Server you are configuring is the back firewall that separates the internal and perimeter networks. With this template, ISA Server needs 2 network interfaces.
- Single Network Adapter
This is a network topology in which ISA Server acts as a proxy server only. ISA Server can do caching to improve performance for users accessing the Internet from within the organization. As the name suggests, this template requires only a single network interface on ISA Server.
Note: With the Front and Back Firewall templates, you have more than one firewall server. It is best practice to use different firewall software on the front and the back, or to pair a hardware firewall with a software firewall, so that the two are not the same. If a hacker breaks the front firewall, you still have the back firewall, against which the hacker can’t reuse the previous technique.
Step-by-step
This example configures ISA Server 2006 using the Edge Firewall template.
- Open ISA Server Management.
- In the left pane, expand Configuration and select Networks.
- In the right pane, select the Templates tab.
- Click the Edge Firewall template. The Network Template Wizard window appears.
- Click Next.
- You can export your current configuration before letting the wizard overwrite it by clicking the Export button. Otherwise, click Next.
- On Internal Network IP Addresses, you can configure your internal network IP addresses. If the existing value is correct, click Next.
- On Select a Firewall Policy, you can select a firewall policy template. The description shows what will be configured on ISA Server. I select “Block all” to block all traffic through ISA Server. I will configure rules in the next part.
- Click Finish to complete the wizard.
- To make the changes take effect, click Apply.
March 26th, 2008 at 5:29 pm
Nipawit,
Your step-by-step installation is very helpful. Can you tell me any considerations for setting up ISA with the single network adapter type? Does any specific configuration or policy need to be set?
Thx,
BW
March 28th, 2008 at 9:03 am
I haven’t used this template before. With this template, ISA Server will only function as a cache server.
I recommend reading this for more detail about the template:
Single Network Adapter network template
July 29th, 2008 at 3:13 pm
Dear Linglom.com Team,
Your web site is so nice and informative; I have never seen one like it before. Keep it up, it is really nice work you people have done.
Thanks
Qazzafi,
System and Network Administrator,
Govt. of Punjab, Pakistan.
September 17th, 2008 at 12:11 am
I’m having trouble choosing one of the templates provided by ISA Server 2006.
I have 2 servers and 1 firewall.
My 1st server is the PDC server running on W2K3 Std. My 2nd server is the proxy server on which I’m willing to deploy ISA Server 2006.
Any template / ISA configuration suggestions?
September 17th, 2008 at 9:27 am
Hi, Karsanto
If you want ISA to be only a proxy server, you can use the Single Network Adapter template, which makes ISA Server a proxy server. This template requires only a single network card on ISA Server.
You’ve told me that you already have a firewall and you want to install another firewall (ISA Server). If you want to have a perimeter network (DMZ), you can select either the Front or Back Firewall template, depending on where you want to place the ISA Server. Both templates require 2 network cards on ISA Server.
Or you can use the 3-Leg Perimeter template, which is less secure because it has only one firewall. This template requires 3 network cards on ISA Server.
October 8th, 2008 at 11:28 pm
Hello,
Thanks a lot for putting together this great HOWTO. I love it.
That said, I’m in the process of installing ISA Server 2006 and I need some guidance to put a solid foundation in place prior to moving forward. I have picked my topology and it will be a back firewall. In other words, it’s going to be a We already have a SonicWall Pro 4060 acting as our gateway/firewall and would like to put the ISA Server behind it as a second line of defense. The ISA Server will then be connected to a gigabit switch which holds our LAN. Now, we are also planning to add a SonicWall SSL VPN 2000 to the topology for remote access so that telecommuters and remote users can access some resources like OWA, EAS, IM, MOSS,… without getting inside our network. What would be the best place to put the SSL VPN device? We are planning to plug it into one of the ports of the SonicWall Pro 4060 and then connect a VMware box hosting different servers to it. Has anybody had to deal with such a network configuration before? What would be the best practice to reduce the attack surface and offer resources to our users? We would like to make the configuration as simple as possible but secure, to avoid trouble down the road.
Thanks for your feedback.
Armel -
October 10th, 2008 at 3:11 pm
Hi, Armel
It’s better to have a 2-level firewall than a single firewall. With a front and a back firewall, when the system is attacked and the front firewall is compromised, you still have a back firewall protecting your private network, and that can give you more time to investigate and fix the problem. But about VPN, I have no idea since I have never used it.
October 10th, 2008 at 8:26 pm
Hi Linglom,
Thanks for your input. I appreciate that.
I have found a way to place my SonicWall SSL VPN 2000 in the topology. The recommendation from SonicWall (one of the placement scenarios) is to place it in the DMZ. So, I’m going with that option.
Once again, thank you and keep up the good work!
Armel
October 10th, 2008 at 10:35 pm
Hi Linglom!
It’s me again. Based on my network topology, how can I enter persistent routes in my routing table using the route -p add command? Here is a rough diagram of my network:
Internet
|
SonicWall Firewall
192.168.3.1
|
|
|
192.168.3.2 (WAN NIC of ISA Server)
ISA Server 2006
10.0.0.65 ( LAN NIC of ISA Server)
|
|
|
|
Office LAN
(10.0.0.0/16)
Do you think
route -p add 10.0.0.0 mask 255.255.0.0 10.0.0.65
would do it? I think that would allow all traffic coming from my LAN to be passed to the internal NIC (10.0.0.65) of the ISA, which will push it out to the external interface (192.168.3.2), which has a default gateway of 192.168.3.1, and it will get to the SonicWall firewall.
What do you think?
Thanks for any feedback.
Armel
October 11th, 2008 at 10:42 pm
You don’t have to configure the routing table on clients. ISA Server has 3 types of clients: SecureNAT client, Firewall client and Web Proxy client. For more detail, see Getting started with Microsoft ISA Server 2006, Part IV: Configure Client Type.
You have to configure clients to be one of these types. For example, if you are using the Firewall client type, all traffic from the client’s browser will be sent to ISA Server.
March 3rd, 2009 at 12:42 am
I was running ISA 2006 with 2 internal NICs and 1 external, using the 3-leg perimeter config. Now I want to change to 1 internal and 2 external (I have 2 different ISPs). What do I need to change to allow 2 external NICs? Ideally, I would like all email traffic on the original and all web traffic on the new.
March 3rd, 2009 at 8:27 pm
This is really, really helpful. Thank you very much, mate.
March 6th, 2009 at 9:30 pm
Hi, Jdoty
I’m not sure that ISA Server can handle more than 1 external network.
Hi, Kreshnik
You’re welcome.
March 31st, 2009 at 9:43 pm
Hi,
We have two branches. Each branch is located 2 KMS away. We have a 2MBPS fiber optic network connection between the two branches. So, we have decided to implement ISA Server 2006 in our network. What configuration steps do I have to follow for the IP ranges? I mean, in network 1 I will be implementing ISA Server 2006, and for that I should provide an internal as well as an external IP. Please suggest how I should follow the configuration procedures in terms of IP, and also explain how I configure the firewall to work for both branches in a domain environment.
Thanks in advance
April 7th, 2009 at 1:27 pm
Hi, Ganu
I’ll give only a simple configuration guide, which does not include detailed steps. I inferred that you want to place ISA Server between the branches, so you only need 2 NIC cards on the server.
The first interface is connected to the internal network, so the IP address can be any address in your branch and the DNS address should point to your branch’s DNS server.
The second interface is connected to the external network, which in this case is the other branch. You may connect this interface to the router which connects to the other branch, so the IP address should be in the same network as the router and the gateway should point to the router. For the DNS address, you may point to the other branch’s DNS server.
April 16th, 2009 at 10:27 am
Kindly let me know: I want to implement the following through ISA 2006 using a PPPoE connection
CEOs: full access to the Internet for all applications
Finance: only certain HTTP sites like hotmail.com
Network :
Internet with PPPoE
Router
Switch
ISA 2006
AD
Sharepoint
SQL
Clients
How should the network be designed using ISA 2006?
April 20th, 2009 at 4:15 pm
Hi Ash
I’m in the same situation. Please let me know if you find any result for your implementation.
July 9th, 2009 at 11:41 am
I want to configure ISA 2006 with 2 LAN cards. Can I configure both IPs from my internal LAN address range? For internal requests it will use one IP, and I will NAT the other IP for the external network (Internet).
Is it possible?
August 3rd, 2009 at 11:37 pm
Nipawit,
I am new to setting up and configuring ISA. I am wanting to deploy OWA and SharePoint through ISA but am not sure what network setup to use. I currently have a Cisco PIX as a firewall. I also have a DMZ. I am not looking to replace my PIX with the ISA, only to secure and grant access to OWA and the internal SharePoint site. What method would you suggest?
August 5th, 2009 at 11:28 am
Hi, Peter
To define the network configuration for ISA Server, first you have to decide where you want to place ISA Server on your network.
I assume that now your network is 3-leg perimeter with Cisco PIX as a firewall. If you want to place ISA Server between Cisco PIX and the Internet, ISA Server should be a front firewall. If you want to place ISA Server between Cisco PIX and your LAN, ISA Server should be a back firewall.
August 5th, 2009 at 8:34 pm
Hi Peter,
In my setup, I’m using ISA Server 2006 as a back firewall and it’s working great. I have a SonicWall UTM device as the front firewall. I opted to go with a dual-homed ISA (2 NICs) and I’m able to publish both SharePoint 2007 and OWA with success. If you see posting 9, you’ll have a rough idea of my setup.
For SharePoint, I have a Windows Server 2008 box running SQL Server 2008 and another Windows Server 2008 running SharePoint Server 2007. I also have another Windows Server 2008 running SharePoint as a front-end server. That’s the server I’m publishing through ISA for my remote users. To secure your communication, you’ll need an SSL certificate. I’m using a unified communication certificate from one of the major vendors.
There are other tiny details but I’m sure you’ll figure out how to proceed.
As far as OWA is concerned, you’ll also need a certificate. A UC cert is the way to go if on top of OWA you want to offer Autodiscover or ActiveSync for mobile users. You’ll need to install your cert on your Client Access Server (CAS). I split the server roles across two servers, with the CAS sitting separate from the server holding the mailboxes.
As Linglom said, the first thing that you need to do is to pick your topology (based on your specific needs and requirements). Then, you can focus on the request of the stuff. I’m sure you’ll really enjoy the experience.
August 5th, 2009 at 8:44 pm
Toward the end of my post, in the line “Then, you can focus on the ‘request’ of the stuff” I’m sure people have figured out that I wanted to say “…focus on the ‘rest’ of the stuff”. Sorry about that.
September 4th, 2009 at 9:41 pm
Hi Linglom,
I’m trying to set up my ISA 2006 server. My scenario is stated below:
multihomed server, ASA firewall to be included in the network, Websense to be configured on ISA 2006.
From what I have read thus far, I have decided to implement a front firewall topology. However, my question / the unclear part of it is that the ASA would implement a DMZ in which the application server will be placed for external users to have access to it without coming into the network. But the internal users will also need access to the application server. So I’m asking what configuration I need to set to permit them (internal users) access to the DMZ?
PS: the internal NIC of the ISA will be configured with an internal IP while the external NIC will be configured with a public IP/NATted IP, not sure yet which the Cisco guy would be giving.
Thanks
October 29th, 2009 at 9:10 pm
Hi,
My ISA server is giving the problem below when I’m using it with my application. Could you suggest a solution for this problem, and let me know how to configure it properly:
HTTP transport error: java.io.IOException: Unable to tunnel through proxy. Proxy returns “HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )”; nested exception is:
HTTP transport error: java.io.IOException: Unable to tunnel through proxy. Proxy returns “HTTP/1.1 407 Proxy Authentication Required ( The ISA Server requires authorization to fulfill the request. Access to the Web Proxy filter is denied. )”
November 4th, 2009 at 11:40 am
Hi, Muppie
If you are going to implement ISA Server as front firewall, it means that you have another firewall as back firewall, right? And if you want internal users to access any application on DMZ, you don’t need to configure anything on front firewall. You only need to configure on the back firewall to allow traffic from internal to DMZ. The configuration depends on which application you provided.
November 4th, 2009 at 7:11 pm
Hi Linglom,
Thanks for your reply. I have deployed the ISA already using the edge template because the back firewall has not been mounted. I would like to know what immediate steps to take once the firewall is put up. The intended firewall is Cisco’s ASA 5510 series.
Also, I have published OWA and Exchange Server already. What should I expect with the new changes that would be made when the firewall is mounted?
Thanks.
November 9th, 2009 at 3:00 pm
Hi, muppie
Once you have installed a back firewall, you will have three separate networks: Internal, Perimeter and External.
If you want the internal network to access the Internet through ISA Server, you need to add the internal network address range to the ISA Server. Otherwise, clients in the internal network won’t be able to access the Internet.
November 9th, 2009 at 4:08 pm
Hi Linglom,
Thanks a lot, the post has been very helpful.
January 1st, 2010 at 8:37 pm
Good Day,
I have a network with a central Draytek connected to our stores with site-to-site VPNs. Connected to the router I have ISA 2006 with two NICs.
Internet
|
Draytek-(VPN’s for the 5 stores)(LAN port(192.168.100.1)
|
ISA 2006(WAN port(192.168.100.2)
| (LAN port(192.168.254.253)
LAN
The stores use RDP to connect to an internal application. I also have OWA working without problems. I am trying to get clients in the stores to connect to a share inside the LAN, without success. Can you help?
Thanks
Rui Castro
January 7th, 2010 at 11:36 am
Hi, Rui Castro
I don’t have much experience with VPN. First, I would look at ISA Server’s logging to see whether there is any traffic from the clients or not.