
ISA and PIX


  • ISA and PIX

    Hello,

    I just started at this company and I have the following scenario.

    I have a PIX firewall where all internet traffic is going in and out of.
    I also have an ISA server which seems to be used for incoming connections to the Intranet, OWA and FTP. No outgoing traffic going through it.

    Intranet is using SharePoint and this server's default gateway is the ISA server.

    I was wondering if any of you could shed some light on why it would be set up this way?

  • #2
    Re: ISA and PIX

    Is ISA set up with a single NIC? It is not uncommon (although still not the norm) to see ISA introduced as a reverse proxy server to secure OWA and do a few other things behind existing hardware firewalls.

    Alternatively the ISA server could be set up as a back firewall behind the PIX, with the clients on the internal network using ISA as a default gateway and ISA using the PIX as its gateway. In this scenario it may well be the case that the SharePoint server is on a perimeter network to isolate it from the internet and intranet.

    Pure speculation though, we'd need more details on the setup to shed any more light on it.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: ISA and PIX

      It has 2 NICs: 1 outside and 1 inside.
      The outside NIC has an external IP and its gateway is an external router.
      The inside NIC does not use a gateway.

      The ISA server is not behind the PIX.



      • #4
        Re: ISA and PIX

        OK, so you have 2 routes to the internet. IMO the clients should be configured to use ISA as their default gateway (making them SecureNAT clients) and possibly also as their proxy (Web Proxy clients).

        The only time I've seen a setup like this before, it was because the client had several remote offices which were too small to justify a server. There was a PIX 515 as well as an ISA server at the head office because the PIX was acting as the VPN endpoint for the small offices with PIX 501s. The reason for this is that setting up a PIX for an IPSec tunnel to an ISA Server is harder than French kissing a cobra.

        It may of course just be that the person(s) who installed ISA Server did not reconfigure the clients or remove the PIX after the install. Or it could be that ISA was intended for reverse proxy use as I mentioned before. Unlikely though with a dual NIC configuration.
        BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
        Cruachan's Blog



        • #5
          Re: ISA and PIX

          Can you make a drawing of the complete setup?
          Marcel
          Technical Consultant
          Netherlands
          http://www.phetios.com
          http://blog.nessus.nl

          MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
          "No matter how secure, there is always the human factor."

          "Enjoy life today, tomorrow may never come."
          "If you're going through hell, keep going. ~Winston Churchill"
