Isa server in DMZ

  • Isa server in DMZ

    Hello,

    I want to use my ISA server with a DMZ section.
    I have a few real IP addresses and I want to put one in the DMZ and open only port 80 (for a web server on Linux) to that real IP.
    Do I need a third LAN card?
    How do I realize it?


    The other way is for the web server to have a local IP only, and port forward from ISA to it.

    Which way is better?


    Thank you.

  • #2
    Re: Isa server in DMZ

    If you want ISA to protect a DMZ then you need a third NIC; the server(s) in the DMZ can have private IPs though. In ISA the terminology is perimeter network, i.e. you'll have an external network (all unknown clients, i.e. the Internet effectively), an internal network and a perimeter network. The internal network will be all your production servers and clients, and the perimeter the DMZ.

    You can if you desire assign multiple IPs to the ISA external NIC so that all traffic for the DMZ comes in on one IP and all internal traffic (e.g. SMTP mail) comes in on another. Personal preference though.

    To set this up, add the new NIC to ISA, configure the settings and bindings appropriately as shown here and configure web publishing for the server in the perimeter network. You'll also need to set up network rules if there needs to be comms between the DMZ and the internal clients.
    BSc, MCSA: Server 2008, MCSE, MCSA: Messaging, MCTS
    Cruachan's Blog



    • #3
      Re: Isa server in DMZ

      Here's how I've set up my "dmz"

      Forefront TMG installed on a Windows 2008 server, with 2 network interfaces
      NIC1 has an address on the internal network (192.168.1.4) and uses the network DNS server, but has NO GATEWAY
      NIC2 has an address on the "dmz" network (in my case it's 172.16.1.1) and uses the ISP's name server, and has a default gateway of our 877 router.

      Our 877 router has two interfaces connected: one to the production LAN (vlan1, 192.168.1.254) and one to the dmz LAN (vlan2, 172.16.1.254).
      We have firewall rules set up to prevent traffic travelling between those two interfaces.

      We have configured a NAT entry to traverse port 80 on the public gateway to port 80 on the ISA server.

      By this method, our DMZ server can only talk to the network through the second network interface, and will automatically send any traffic not destined for that network out the first interface.



      Does this help you at all?



      • #4
        Re: Isa server in DMZ

        TehCamel,
        please remove the external name servers. Just use the internal ones. This is because ISA (or TMG) might get confused about which name server it should use.
        Please refer to this article: http://blog.msfirewall.org.uk/2008/0...work-card.html
        Marcel
        Technical Consultant
        Netherlands
        http://www.phetios.com
        http://blog.nessus.nl

        MCITP(EA, SA), MCSA/E 2003:Security, CCNA, SNAF, DCUCI, CCSA/E/E+ (R60), VCP4/5, NCDA, NCIE - SAN, NCIE - BR, EMCPE
        "No matter how secure, there is always the human factor."

        "Enjoy life today, tomorrow may never come."
        "If you're going through hell, keep going. ~Winston Churchill"



        • #5
          Re: Isa server in DMZ

          That... may answer a question for me. Thanks, Dumber.



          • #6
            Re: Isa server in DMZ

            No problem at all.
            It's one of the most common mistakes I find, although multiple configured gateways might win.
            Marcel



            • #7
              Re: Isa server in DMZ

              The other one I seem to get regularly is the adapter binding order being incorrect.
              Cruachan's Blog



              • #8
                Re: Isa server in DMZ

                In actual fact... I don't even have name servers configured on the FE interface anyway.

                Is it OK to only have them on the BE?

                I should have the back end bound as the first interface, right?
                Last edited by tehcamel; 6th December 2009, 23:43.



                • #9
                  Re: Isa server in DMZ

                  Not only is it OK, it's the recommended config. Only the Internal Network should have DNS servers configured on it. Only the External Network should have a default gateway configured on it. The binding order of the NICs should always have the Internal Network first, and the External Network last, with the Perimeter/DMZ networks in between.

                  It's well worth bookmarking the link Dumber posted; it's the best guide to ISA NIC configuration I've seen, and misconfiguration is the cause of more than 50% of the ISA issues I see. Got weird DNS issues with ISA? Checking the NIC configuration is always your starting point, IME.

                  It's a minor gripe of mine that the ISA setup wizards don't configure this for you in the standalone product, or warn you if the config is wrong. This feature IS included in SBS 2003 Premium, which will auto-configure the NICs for ISA 2004.
                  Cruachan's Blog
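The three rules in the post above (DNS only on the Internal NIC, a single default gateway only on the External NIC, binding order Internal first and External last with perimeter NICs in between) are easy to check mechanically. The script below is an added example written for this page, not code from the thread or from Microsoft; it reads the adapter configuration through WMI and the TCP/IP binding order from the registry and reports every deviation. It assumes the adapters have been renamed in Network Connections to "Internal" and "External" (any other name is treated as a perimeter NIC); adjust $Roles to match your own naming.

```powershell
# Added example, not code from the thread: audit a Windows/ISA host's NICs against
# the rules stated in the post above:
#   1. only the Internal NIC has DNS servers configured,
#   2. only the External NIC has a default gateway (exactly one),
#   3. TCP/IP binding order is Internal first, External last, perimeter NICs between.
# ASSUMPTION: adapters were renamed in Network Connections to the names below;
# change $Roles to match your own naming. Any other name counts as a perimeter NIC.
$Roles = @{
    Internal = 'Internal'
    External = 'External'
}

function Get-IsaNicReport {
    # Win32_NetworkAdapter supplies the friendly name; the configuration class
    # supplies addresses, gateways, DNS and the interface GUID (SettingID).
    $adapters = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL"
    $configs  = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled = TRUE"
    foreach ($cfg in $configs) {
        $adapter = $adapters | Where-Object { $_.Index -eq $cfg.Index }
        if (-not $adapter) { continue }
        # @(... | Where-Object { $_ }) turns a $null property into an empty array,
        # whereas @($null) would have Count 1 and break the checks below.
        New-Object PSObject -Property @{
            Name       = $adapter.NetConnectionID
            Guid       = $cfg.SettingID
            IPAddress  = (@($cfg.IPAddress | Where-Object { $_ }) -join ',')
            Gateways   = @($cfg.DefaultIPGateway | Where-Object { $_ })
            DnsServers = @($cfg.DNSServerSearchOrder | Where-Object { $_ })
        }
    }
}

function Get-TcpipBindingOrder {
    # TCP/IP's binding order is the REG_MULTI_SZ "Bind" value under Tcpip\Linkage,
    # one "\Device\{GUID}" entry per adapter, first entry bound first.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
    foreach ($entry in @((Get-ItemProperty $key).Bind)) {
        if ($entry) { $entry -replace '^\\Device\\', '' }
    }
}

function Test-IsaNicConfig {
    param($Nics, $BindingOrder)
    $findings = @()
    foreach ($n in $Nics) {
        $isInternal = $n.Name -eq $Roles.Internal
        $isExternal = $n.Name -eq $Roles.External
        if ($n.DnsServers.Count -gt 0 -and -not $isInternal) {
            $findings += "DNS servers ($($n.DnsServers -join ',')) on non-Internal NIC '$($n.Name)': remove them"
        }
        if ($isInternal -and $n.DnsServers.Count -eq 0) {
            $findings += "Internal NIC '$($n.Name)' has no DNS servers"
        }
        if ($n.Gateways.Count -gt 0 -and -not $isExternal) {
            $findings += "Default gateway ($($n.Gateways -join ',')) on non-External NIC '$($n.Name)': remove it"
        }
        if ($isExternal -and $n.Gateways.Count -ne 1) {
            $findings += "External NIC '$($n.Name)' should have exactly one default gateway, has $($n.Gateways.Count)"
        }
    }
    # Map the bound GUIDs back to adapter names (dropping adapters without IP), then check first/last.
    $ordered = @(foreach ($g in $BindingOrder) {
        $match = $Nics | Where-Object { $_.Guid -eq $g }
        if ($match) { $match.Name }
    })
    if ($ordered.Count -gt 0) {
        if ($ordered[0] -ne $Roles.Internal)  { $findings += "Binding order starts with '$($ordered[0])'; Internal must be first" }
        if ($ordered[-1] -ne $Roles.External) { $findings += "Binding order ends with '$($ordered[-1])'; External must be last" }
    }
    $findings
}

$nics = @(Get-IsaNicReport)
$nics | Format-Table Name, IPAddress,
    @{ Name = 'Gateways'; Expression = { $_.Gateways -join ',' } },
    @{ Name = 'DNS';      Expression = { $_.DnsServers -join ',' } } -AutoSize
$findings = @(Test-IsaNicConfig -Nics $nics -BindingOrder @(Get-TcpipBindingOrder))
if ($findings.Count -eq 0) { 'NIC configuration matches the ISA guidance.' }
else { $findings | ForEach-Object { "WARNING: $_" } }
```

Run it in an elevated PowerShell session on the ISA/TMG host itself (the registry read and WMI queries are local). Against the two-NIC layout described earlier in the thread it would flag the ISP name servers on the DMZ-facing NIC, which is exactly the change Dumber asked for. One caveat the checks imply but do not spell out: once the Internal NIC has no default gateway, any internal subnets that are not directly attached must be reachable through persistent static routes on the ISA box, otherwise replies to those clients will leave via the External gateway.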



                  • #10
                    Re: Isa server in DMZ

                    Cool... so I did have it right.

                    Thanks, fellows.



                    • #11
                      Re: Isa server in DMZ

                      Originally posted by cruachan View Post
                      If you want ISA to protect a DMZ then you need a third NIC; the server(s) in the DMZ can have private IPs though. In ISA the terminology is perimeter network, i.e. you'll have an external network (all unknown clients, i.e. the Internet effectively), an internal network and a perimeter network. The internal network will be all your production servers and clients, and the perimeter the DMZ.

                      You can if you desire assign multiple IPs to the ISA external NIC so that all traffic for the DMZ comes in on one IP and all internal traffic (e.g. SMTP mail) comes in on another. Personal preference though.

                      To set this up, add the new NIC to ISA, configure the settings and bindings appropriately as shown here and configure web publishing for the server in the perimeter network. You'll also need to set up network rules if there needs to be comms between the DMZ and the internal clients.

                      Do I have to reinstall the OS and ISA server, or is everything fine? Because the article says that I must set up the bindings first and then install ISA.



                      • #12
                        Re: Isa server in DMZ

                        Ideally the NICs should be set up pre-ISA installation, but I've personally never had any issues changing the settings when I've found something misconfigured.
                        Cruachan's Blog



                        • #13
                          Re: Isa server in DMZ

                          Originally posted by cruachan View Post
                          Ideally the NICs should be set up pre-ISA installation, but I've personally never had any issues changing the settings when I've found something misconfigured.

                          OK, because this is my very first time doing this, I have some other questions.

                          Do I have to create a new network in Enterprise Networks, with the IP range of my real IP addresses (including ISA's one or not)?

                          What kind of rules must I assign to that network?



                          • #14
                            Re: Isa server in DMZ

                            Internal and External are reserved network names, representing your range of client IP addresses and the Internet respectively. IP addresses can belong to exactly one network only.

                            To create a perimeter network, install a new NIC, configure it with the appropriate IP settings as detailed in the link Dumber provided, and then define the network on the Networks page in ISA Management. You'll need to define Network Rules between the new network and the existing ones, e.g. whether or not systems on the perimeter are allowed Internet access.
                            Cruachan's Blog



                            • #15
                              Re: Isa server in DMZ

                              I tried some things but it is not working for now.

                              I tried with the 3-leg perimeter template.

                              Picture 2 is the range that I want to be in the perimeter network. Picture 3 is the rules created from the template.

                              I put on my "DMZ network card" IP 212.50.14.38 and subnet 255.255.255.224.

                              I also created a rule to allow traffic from the external to the perimeter network. Then I connected a laptop to the perimeter LAN card and put on it IP 212.50.14.40, subnet 255.255.255.224
                              and gateway 212.50.14.38. Now I can ping 212.50.14.38, but that is all. I do not have Internet.
                              What am I missing?

                              Thanks.
                              Attached Files
