
Thread: ISA Server as a Firewall

  1. #1
    Senior Member
    Join Date
    Jul 2004
    Posts
    177

    ISA Server as a Firewall

    Hi, until now I have only used ISA Server as a cache (using third-party products as a firewall). Now I need to install it as a security server in a typical environment, that is, a two-NIC server, one NIC plugged into a router and the other into the corporate network. I'm planning to install Windows Server 2003 with ISA Server 2000 plus SP1 for ISA (I have one of these working as a cache in another place and it works fine).

    It would be great if you guys could give some basic recommendations on the initial setup.

    Thank you very much to all!

  2. #2
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    I would recommend using ISA 2004 (which is the latest version of ISA Server).

    How many users? What kind of machine are you installing this onto?
    N00b> STFU i r teh 1337 (english: You must be mistaken, good sir or madam. I believe myself to be quite a good player. On an unrelated matter, I also apparently enjoy math.)

  3. #3
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Yes, I know that 2004 is the latest version, but 2000 is the latest one I have a license for.

    Actually it is a test-purpose machine. I expect about 25 users.

    The hardware is an HP ProLiant BL10e, a blade server with a 1.0 GHz Pentium M processor, 512 MB DDR RAM and a 40 GB HDD.

    Since this is only for testing, what I was asking about is more the default rules that I should use. I'm not used to working with ISA as a firewall.

    Thank you.

  4. #4
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Originally posted here by DerekK
    Yes, I know that 2004 is the latest version, but 2000 is the latest one I have a license for.

    Actually it is a test-purpose machine. I expect about 25 users.

    The hardware is an HP ProLiant BL10e, a blade server with a 1.0 GHz Pentium M processor, 512 MB DDR RAM and a 40 GB HDD.

    Since this is only for testing, what I was asking about is more the default rules that I should use. I'm not used to working with ISA as a firewall.

    Thank you.
    That should be OK hardware for 25 users. It's what we used to have here until the server's hardware died.

    To start, you're going to have to set up Access Rules in the MMC for ISA.

    In the MMC snap-in go to:
    Servername - Access Policy - Protocol Rules

    Then you are going to have to set up a policy to allow or deny certain protocols. You can look at the list of protocols, or add to it, in the Servername - Policy Elements - Protocol Definitions folder in the MMC snap-in.

    I would suggest allowing web access as a start for your testing.

    If you right-click in the Protocol Rules folder you will see that you can add a new rule. It comes up with a wizard that walks you through creating the rule.

    Based on what you allow your users to do, you will have to set up allow or deny rules in the Servername - Access Policy - Protocol Rules folder. You may need to restart the ISA Server service to see the changes take effect immediately.

    That should get you started, but if you run into any problems PM me or post here.

    Personally, I set up deny rules for everything that I am not using, and even more deny rules for others in the organization (based on work needs), but it really depends on what you want to allow or not allow.
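Once the allow and deny protocol rules above are in place, the quickest way to confirm they do what you intended is to read the server's own log and count, per rule, what was allowed and what was denied. The script below is an added example, not code from the thread or from Microsoft: it parses the W3C extended log format that ISA writes (taking the column order from the `#Fields:` header rather than assuming it) and flags any request that was served to an unauthenticated client. The sample lines are constructed for this example; the column names, the `anonymous` username marker and the `403` deny status are assumptions that may need adjusting against a real ISA 2000 log, which can record proxy-specific status codes for denied requests.

```python
"""Summarise allow/deny decisions per rule from an ISA-style W3C extended log.

Added example for the thread above, not ISA's own tooling. The log below is
constructed; the parser relies only on the field names c-ip, cs-username,
sc-status, rule#1 and rule#2, which it locates via the '#Fields:' header.
"""
from collections import defaultdict

# Constructed sample log (not a capture from a real server). The field layout is
# assumed to resemble ISA 2000's Web Proxy log; adjust if your header differs.
SAMPLE_LOG = """\
#Software: Microsoft(R) Internet Security and Acceleration Server 2000
#Version: 1.0
#Date: 2004-09-01 08:00:00
#Fields: c-ip cs-username date time r-host r-port cs-protocol s-operation cs-uri sc-status rule#1 rule#2
10.0.0.21 CORP\\alice 2004-09-01 08:00:01 www.example.com 80 http GET http://www.example.com/ 200 Allow-HTTP -
10.0.0.21 CORP\\alice 2004-09-01 08:00:05 www.example.com 443 http CONNECT www.example.com:443 200 Allow-HTTP -
10.0.0.35 CORP\\bob 2004-09-01 08:01:10 ftp.example.net 21 ftp GET ftp://ftp.example.net/pub/ 403 Deny-All -
10.0.0.35 anonymous 2004-09-01 08:01:12 chat.example.org 5190 - - - 403 Deny-All -
10.0.0.44 CORP\\carol 2004-09-01 08:02:00 www.example.com 80 http GET http://www.example.com/news 200 Allow-HTTP -
"""

# Assumed: statuses that mean "request refused by policy". A real ISA box may log
# its own error codes here instead of an HTTP 403, so extend this set as needed.
DENY_STATUSES = {"403"}


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields header.

    Directive lines (#Software, #Version, #Date, ...) and blank lines are skipped.
    A record that appears before any #Fields header, or with the wrong number of
    columns, raises ValueError rather than being silently misread.
    """
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log record found before a #Fields header")
        values = line.split()
        if len(values) != len(fields):
            raise ValueError(f"field count mismatch in record: {line!r}")
        yield dict(zip(fields, values))


def summarise(records):
    """Return {rule_name: {'allowed': n, 'denied': n, 'clients': set(of c-ip)}}.

    rule#1 is the rule that made the decision; rule#2 is used only when rule#1
    is empty ('-'), which is how ISA leaves a column it did not fill.
    """
    stats = defaultdict(lambda: {"allowed": 0, "denied": 0, "clients": set()})
    for rec in records:
        rule = rec.get("rule#1", "-")
        if rule == "-":
            rule = rec.get("rule#2", "-")
        verdict = "denied" if rec.get("sc-status") in DENY_STATUSES else "allowed"
        stats[rule][verdict] += 1
        stats[rule]["clients"].add(rec.get("c-ip"))
    return dict(stats)


def anonymous_allowed(records):
    """Records served without an authenticated user.

    With a deny-by-default policy that grants web access to known users only,
    this list should be empty; anything in it is a rule that is wider than intended.
    'anonymous' / '-' as the unauthenticated marker is an assumption.
    """
    return [
        r for r in records
        if r.get("cs-username") in ("anonymous", "-")
        and r.get("sc-status") not in DENY_STATUSES
    ]


def report(text=SAMPLE_LOG):
    """Parse the log once and return (per-rule stats, unauthenticated-but-allowed records)."""
    records = list(parse_w3c(text))
    return summarise(records), anonymous_allowed(records)


if __name__ == "__main__":
    stats, anon = report()
    for rule, s in sorted(stats.items()):
        print(f"{rule:12} allowed={s['allowed']:3} denied={s['denied']:3} clients={len(s['clients'])}")
    print(f"unauthenticated requests allowed: {len(anon)}")
```

Run it against a real log with `report(open(path).read())`; the interesting output is not the allow count but a deny count of zero on a rule you expected to fire, or a non-empty unauthenticated list.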

  5. #5
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    Thank you very much. And by default will it block all the incoming traffic from the Internet NIC?

  6. #6
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    Yes, until you allow the traffic to come in, the network adapter that you set up as the external interface will block all incoming traffic.
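Rather than take the default on trust, probe the external interface from a host on the router side before any publishing rules exist. The script below is an added example, not part of the thread: a plain TCP connect probe using only the Python standard library. It distinguishes a port that is `open` (something answered and the firewall let it through), `closed` (the host sent a reset, so the packet was not dropped) and `filtered` (no answer within the timeout, which is what a firewall that silently drops inbound traffic looks like). The port list and the loopback listener are assumptions for demonstration; the target host is whatever you pass on the command line.

```python
"""Probe an ISA external interface for reachable TCP ports.

Added example, not from the thread. Run it from the Internet side of the box:
    python probe.py <external-ip>
With no publishing rules, every port should come back 'filtered' (dropped) or
at worst 'closed'; any 'open' port is exposed to the outside.
"""
import socket
import sys


def probe_port(host, port, timeout=1.0):
    """Classify one TCP port from the probing host's point of view.

    'open'     - three-way handshake completed
    'closed'   - connection refused (RST received)
    'filtered' - no answer within the timeout (typical of a silent drop)
    'error'    - name resolution failed or the network was unreachable
    """
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.settimeout(timeout)
        try:
            s.connect((host, port))
            return "open"
        except socket.timeout:
            return "filtered"
        except ConnectionRefusedError:
            return "closed"
        except OSError:
            return "error"


def check_inbound(host, ports, timeout=1.0):
    """Probe each port in turn and return {port: state}."""
    return {p: probe_port(host, p, timeout) for p in ports}


def exposed_ports(results):
    """Ports a remote client can actually connect to; should be empty on a
    firewall with no publishing rules."""
    return sorted(p for p, state in results.items() if state == "open")


def local_listener():
    """Open a listening socket on an ephemeral loopback port so the probe can be
    exercised offline (assumed test fixture). Returns (socket, port); close the
    socket when done."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


# Assumed list of ports worth checking on a Windows box sitting at the edge.
COMMON_PORTS = [21, 22, 23, 25, 53, 80, 135, 137, 139, 443, 445, 1080, 3389, 8080]


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    results = check_inbound(target, COMMON_PORTS)
    for port in COMMON_PORTS:
        print(f"{target}:{port:<5} {results[port]}")
    print("exposed:", exposed_ports(results) or "none")
```

Run the probe from outside, not from the LAN: from the internal NIC side everything is allowed by the post's own description, so an inside scan tells you nothing about what the Internet sees.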

  7. #7
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    OK, I think that this is enough to begin with. Thank you very much, I'll PM you in case I need help.

  8. #8
    Hope no one minds me piggybacking on this post. I need to be able to use ISA or something similar to control web access for users on our 30-40 client LAN. We are sharing a 2Mb connection which will probably rise to 4Mb soon.

    As we have one W2003 box which does a multitude of things (PDC/DNS etc.), I can see that we'll need a new 2003 box and then load ISA on it? If we then sit this between the router and everything else (LAN), I guess we'd then need to configure it to allow/deny through ISA?

    Thanks for any suggestions.

    My other option as I see it is to go with a Watchguard Firebox and get the web content filtering add-ons for it. Or maybe that won't be good enough?

    Thanks for your help.
    "Do not despise the snake for having no horns, for who is to say it will not become a dragon?"

  9. #9
    AO Decepticon CXGJarrod's Avatar
    Join Date
    Jul 2002
    Posts
    2,038
    If you do go with the ISA box then definitely set it up between the LAN and the router. Also make sure to set it up on another box. The reporting in ISA 2000 is not that great (without add-on components), but I have not played with 2004. You might be better off with the Watchguard Firebox if the add-on component works for your reporting.

  10. #10
    Senior Member
    Join Date
    Jul 2004
    Posts
    177
    If you have to begin with it and want to save good money, I would recommend you investigate the Squid proxy, which is a Linux solution. I'm using ISA because of the enterprise policy, but I would use proxy+iptables+webmin if I were allowed to....
