Can any ISA 2004 experts give me some help?!
#1
We have an ISA 2004 server that we are using as a web proxy. It's got one interface and routes web traffic through the default gateway (the firewall).
We need to enable another NIC to allow the server to connect to the backup LAN. Problem is, as soon as it's enabled, web access through the ISA stops.
I guess what I need to do is create a new network in ISA, call it the backup LAN, and associate it to the new NIC... but what then? Will I need to create a new firewall rule to allow the ports required for backup to work, or can I tell ISA I don't want any firewall rules to apply to the backup NIC?
Can anyone help? Hope the question isn't too confusing!
#2
I'm no expert, but we do run ISA here @ work.
There is a default network created called "Internal". You could simply add the new backup lan address into that. Then all your existing rules should work and allow traffic to pass, but the same rules would apply for both network segments.
The alternative is to create another entry just for the backup LAN and then add that to the existing rules, or create separate rules just to define traffic from the backup LAN to the Internet.
The default outgoing rule is to Allow all Outbound Traffic (all protocols) from Internal to External. Internal is where you define your local lan segments, External is treated as everywhere else.
Stefan
#3
Oh, and the golden rule with firewalls is to block everything and then just open up selected ports, protocols, IP addresses, etc. You probably know that, but just what you want to pass between the backup LAN and everywhere else will depend on how tight or open you want it and therefore what rules will be required.
#4
There are two versions of ISA to my knowledge. One is using it in a proxy server fashion as you initially describe; the other is adding a second NIC and basically providing packet filtering between the two NICs. This is called ISA Enterprise.
You may find that basic ISA will not function correctly with more than one NIC. MS support www/google may turn something up.
edited to say - You may have a routing issue if you have not explicitly defined the backup LAN using the ROUTE ADD command, i.e.
    route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2
              ^destination   ^mask     ^gateway    ^metric  ^interface
Check your existing routing table by using the ROUTE PRINT command; it should list the BACKUP LAN with the appropriate gateway. Obviously if you have just defined the default gateway all BACKUP LAN traffic will be sent there as you have not defined the exception.
hope that helps
rich
Originally Posted by mega_stream
We have an ISA 2004 server that we are using as a web proxy. It's got one interface and routes web traffic through the default gateway (the firewall).
We need to enable another NIC to allow the server to connect to the backup LAN. Problem is, as soon as it's enabled, web access through the ISA stops.
I guess what I need to do is create a new network in ISA, call it the backup LAN, and associate it to the new NIC... but what then? Will I need to create a new firewall rule to allow the ports required for backup to work, or can I tell ISA I don't want any firewall rules to apply to the backup NIC?
Can anyone help? Hope the question isn't too confusing!
Last edited by rich101; 18 August 2005 at 09:58 AM.
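Added example (not from this thread or from any of the posters): a small Python script that does the ROUTE PRINT check rich describes without eyeballing the table. It parses a Windows Server 2003-style "Active Routes" listing, does the same longest-prefix lookup Windows does, and reports whether a backup-LAN host would be sent to the default gateway (the "exception not defined" case) or to an explicit route. It also parses the exact route ADD line quoted above and shows the difference before and after adding it. The routing table is constructed: 10.0.0.0/24 with the firewall at 10.0.0.1 is an assumed LAN; the 157.x addresses follow the route ADD example in the post.

```python
"""Check a Windows routing table for an explicit backup-LAN route.

Added example, not from the thread. The ROUTE PRINT sample below is
constructed; 10.0.0.0/24 (firewall at 10.0.0.1) is an assumed LAN and the
157.x addresses follow the route ADD example quoted in the post.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample of the IPv4 "Active Routes" section of ROUTE PRINT on
# Windows Server 2003. Only a default route (to the firewall) exists; the
# second NIC is on 157.55.80.0/24 but nothing covers the wider 157.0.0.0/8.
ROUTE_PRINT_SAMPLE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.0.0.1       10.0.0.10      20
         10.0.0.0    255.255.255.0        10.0.0.10       10.0.0.10      20
        10.0.0.10  255.255.255.255        127.0.0.1       127.0.0.1      20
      157.55.80.0    255.255.255.0     157.55.80.10    157.55.80.10      20
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
Default Gateway:          10.0.0.1
"""

# The command quoted in the post above, kept verbatim.
ROUTE_ADD_CMD = "route ADD 157.0.0.0 MASK 255.0.0.0 157.55.80.1 METRIC 3 IF 2"


@dataclass(frozen=True)
class Route:
    network: ipaddress.IPv4Network
    gateway: str
    interface: str   # interface IP (ROUTE PRINT) or index (route ADD ... IF n)
    metric: int

    @property
    def is_default(self) -> bool:
        return self.network.prefixlen == 0


def parse_route_print(text: str) -> List[Route]:
    """Parse five-column route lines; skip headers and section lines."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or not parts[0][0].isdigit():
            continue
        dest, mask, gateway, interface, metric = parts
        network = ipaddress.IPv4Network(f"{dest}/{mask}", strict=False)
        routes.append(Route(network, gateway, interface, int(metric)))
    return routes


def parse_route_add(cmd: str) -> Route:
    """Parse 'route ADD <dest> MASK <mask> <gateway> [METRIC n] [IF n]'."""
    tokens = cmd.split()
    upper = [t.upper() for t in tokens]
    if len(tokens) < 6 or upper[:2] != ["ROUTE", "ADD"] or upper[3] != "MASK":
        raise ValueError("expected: route ADD <dest> MASK <mask> <gateway> [METRIC n] [IF n]")
    network = ipaddress.IPv4Network(f"{tokens[2]}/{tokens[4]}", strict=False)
    metric = int(tokens[upper.index("METRIC") + 1]) if "METRIC" in upper else 1
    interface = tokens[upper.index("IF") + 1] if "IF" in upper else "auto"
    return Route(network, tokens[5], interface, metric)


def lookup(routes: List[Route], ip_str: str) -> Optional[Route]:
    """Most specific matching route wins; ties go to the lowest metric."""
    ip = ipaddress.IPv4Address(ip_str)
    matches = [r for r in routes if ip in r.network]
    if not matches:
        return None
    return min(matches, key=lambda r: (-r.network.prefixlen, r.metric))


def check_backup_lan(routes: List[Route], backup_subnet: str) -> Tuple[str, bool]:
    """Return (gateway used, True if it is the default route) for a backup-LAN host."""
    net = ipaddress.IPv4Network(backup_subnet)
    probe = str(net.network_address + 1)      # first host address in the subnet
    route = lookup(routes, probe)
    if route is None:
        return ("unreachable", False)
    return (route.gateway, route.is_default)


if __name__ == "__main__":
    table = parse_route_print(ROUTE_PRINT_SAMPLE)
    print("before:", check_backup_lan(table, "157.0.0.0/8"))   # sent to the firewall
    table.append(parse_route_add(ROUTE_ADD_CMD))
    print("after: ", check_backup_lan(table, "157.0.0.0/8"))   # sent via 157.55.80.1
```

On a real box, paste the output of ROUTE PRINT into ROUTE_PRINT_SAMPLE and the backup subnet into check_backup_lan; a result of (default gateway, True) means the backup LAN has no route of its own and is going out through the firewall, which is exactly the case the post says to fix with route ADD.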