Consolidating ISA's


  • Consolidating ISA's

    Hi all

    It's been a while since I have posted. I've got an unusual query. We have two networks, 10.44.200.* and 172.10.32.*. Currently 10.44.200.* is SBS 2003 with an ISA 2006 Fwall. 172.10.32.* is AD on Windows Server 2008 + ISA 2006. The client now wants to consolidate these two networks and preserve their own domains, but have a trust going from 10.44.200.* to 172.10.32.*. The servers that control these domains/networks are physically in one server room. Is this possible by deploying another NIC in the ISAs and connecting in essence a third network by joining the two networks, or maybe by deploying a FreeBSD firewall that does pure network routing? Any feedback on a recommended path to consolidate these networks will be appreciated. Also note that we have purchased SBS 2008 to replace the SBS 2003 domain.

    Thanks


  • #2
    Re: Consolidating ISA's

    I'm not sure if I fully understand you, but what is the ISA server used for?

    What you can indeed do is add an additional NIC to the ISA 2006 server and place the second domain behind that NIC.
    However, if you use authentication you might run into issues, since ISA can only be a member of one domain. In that case you need to experiment with RADIUS authentication to set this up.
    Marcel
    Technical Consultant
    Netherlands
    http://www.phetios.com
    http://blog.nessus.nl

    MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
    "No matter how secure, there is always the human factor."

    "Enjoy life today, tomorrow may never come."
    "If you're going through hell, keep going. ~Winston Churchill"



    • #3
      Re: Consolidating ISA's

      I'm confused too. I assume that you have an SBS 2003 domain with a separate ISA 2006 member server, as SBS 2003 does not support ISA 2006 even in Premium. Likewise with the 2008 domain I assume that the ISA is a member server.

      In any case SBS 2003 does not support trust relationships, and neither does 2008. This is a limitation of the SBS product line.
      http://technet.microsoft.com/en-us/sbs/cc817589.aspx
      BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
      Cruachan's Blog



      • #4
        Re: Consolidating ISA's

        Hi Guys

        Yes, in both instances the ISAs are member servers fronting the 'Internet' and the domains behind. What about using Linux firewalls?



        • #5
          Re: Consolidating ISA's

          But do you need some form of authentication?
          ISA can do almost anything that another firewall can... Sure, there are limitations, but they also exist on Linux firewalls, Cisco, Check Point, Juniper, etc.

          So what is your goal?

          Also, SBS doesn't support any trust relationships, and this is not a limitation of ISA.
          A simple drawing might help...
          Marcel


          • #6
            Re: Consolidating ISA's

            Right, I think I understand. You want both subnets accessing the Internet through one ISA Server?

            That IS possible, although slightly awkward, as only one network can be designated as Internal, and that is the network which will contain the DNS servers used globally by the ISA Server. That (thinking out loud now, never a good thing!) would mean all DNS entries would need to be on one subnet, or at least duplicated on the subnet designated as Internal. This may be a good or a bad thing; you haven't really given us enough to go on there. You can also define network rules to tightly control what traffic is allowed to cross the ISA Server between subnets. Also, the ISA will probably need to be a workgroup server and use RADIUS authentication, as without a trust it can't query two AD databases. The alternative to that (not recommended!) is to turn off authentication altogether.

            Trusts are most definitely not possible though as long as you have SBS.
            Cruachan's Blog
