RE: Upstream router and DMZ configuration...confused~~!!

  • From: MarvinC <marvinc@xxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 24 Jun 2005 18:00:21 -0400

Yes sir, sounds like the setup of my dreams except for the
back-to-back ISA. No extra ISA boxes.

On 6/24/05, JosephK <josephk@xxxxxxxxx> wrote:
> http://www.ISAserver.org
> 
> Hi Marvin,
> 
> I've found the articles and information on isaserver.org informative.
> I run a back to back setup. I have my exchange in my INTERNAL site.
> I've also placed an exchange box in the second DMZ without issue.
> I have FTP, DNS, WEB(iis, apache, and Tomcat) and exchange forwarder all
> located in my DMZ.
> 
> My backend ISA box has 4 NICs, 1 ext nic, 2 int nic, 3 dmz, 4 secure
> parameter.  It's in the secure parameter that I allow my sharepoint and
> outgoing exchange mail to pass through.
> 
> So, with this list and isaserver.org and tools that you find on
> isatools.org you can find the answers to what you seek.
> 
> Joseph
> 
> -----Original Message-----
> From: MarvinC [mailto:marvinc@xxxxxxxxx]
> Sent: Friday, June 24, 2005 6:48 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: Upstream router and DMZ
> configuration...confused~~!!
> 
> I've yet to come across anything written that covers having a
> front-end back-end exchange solution using ISA2K4 without the
> front-end being on a separate DMZ. The other reason for the DMZ is to
> publish other servers to include DNS, web, FTP, and maybe even an
> Apache web server, if possible.
> Most of the articles I've read on DMZ configuration with ISA2K4 leave
> out configuring the DMZ interface and/or using a private IP. I'm a
> true novice to DMZ configurations and when you throw in stumbling to
> learn ISA2K4 you have one often confused person.
> 
> 
> On 6/24/05, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
> > > The other question is "why do you feel the need to place that in a DMZ?"
> > > ISA can protect it on the internal net without all that noise...
> >
> > -----Original Message-----
> > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > Sent: Thursday, June 23, 2005 6:20 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: Upstream router and DMZ
> > configuration...confused~~!!
> >
> > One W2K3 server that I plan to install Exchange 2003 on and use as an
> > OWA front-end server. I may opt to add my web server later on.
> >
> > On 6/23/05, Thomas W Shinder <tshinder@xxxxxxxxxxx> wrote:
> > > Hi Marvin,
> > > What resources do you have in the DMZ?
> > > Thanks!
> > >
> > > Tom
> > > www.isaserver.org/shinder
> > > Tom and Deb Shinder's Configuring ISA Server 2004
> > > http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > > > Sent: Thursday, June 23, 2005 1:13 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: Upstream router and DMZ
> > > > configuration...confused~~!!
> > > >
> > > > Ok so this leaves me with the following:
> > > >
> > > > Internal:
> > > > IP: 10.0.0.x
> > > > Subnet: 255.0.0.x
> > > > GW:
> > > > DNS: IP of internal DNS server.
> > > >
> > > > DMZ:
> > > > IP: 172.16.0.x
> > > > Subnet: 255.0.0.x
> > > > GW:
> > > >
> > > > External: ISP Static IP
> > > > IP: 70.148.240.122
> > > > Subnet: 255.255.255.248
> > > > GW: 70.148.240.121
> > > >
> > > > Dial Up: BellSouth Connection
> > > >
> > > > Now comes the newbie questions:
> > > >
> > > > 1. Do I need to create any records or zones for the DMZ on the
> > > > internal DNS server?
> > > >
> > > >
> > > > On 6/23/05, Jim Harrison <Jim@xxxxxxxxxxxx> wrote:
> > > > > Hi Marvin,
> > > > >
> > > > > You dun a bad ting.
> > > > > 1. Ditch the GW on the DMZ interface - it's non-functional.
> > > > > > 2. Unless you plan to lose lots of hair, you've failed to meet the
> > > > > > "public address" part of the DMZ network
> > > > > > 3. The static route Tom refers to is at the router, not the ISA.  ISA in
> > > > > > effect becomes "another hop in the chain" between the ISP router and
> > > > > > your DMZ.
> > > > > > 4. Based on your IP setting, you don't have enough IPs to create a
> > > > > > public DMZ.  Your /29 address space only provides 6 usable addresses;
> > > > > > not enough to subnet off for a DMZ.
> > > > >
> > > > > -----Original Message-----
> > > > > From: MarvinC [mailto:marvinc@xxxxxxxxx]
> > > > > Sent: Wednesday, June 22, 2005 9:51 PM
> > > > > To: [ISAserver.org Discussion List]
> > > > > > Subject: [isalist] Upstream router and DMZ configuration...confused~~!!
> > > > >
> > > > > > I've asked this question before but it was under different
> > > > > > circumstances so I need to try again for further clarification.
> > > > > > This may seem like a "dumb question" but it's one I have to ask so
> > > > > > please accept my apologies in advance if anyone's bothered by it.
> > > > > > I have the Configuring ISA 2004 book and I'm reading an article in
> > > > > > Chapter 7 entitled "Creating and configuring a public address
> > > > > > tri-homed DMZ Network". I have on my ISA2K box three (3) network
> > > > > > adapters with the following settings in the following order:
> > > > >
> > > > > Internal:
> > > > > IP: 10.0.0.x
> > > > > Subnet: 255.0.0.x
> > > > > GW:
> > > > > DNS: IP of internal DNS server.
> > > > >
> > > > > DMZ:
> > > > > IP: 172.16.0.x
> > > > > Subnet: 255.0.0.x
> > > > > GW: 172.16.0.1
> > > > > DNS: 172.16.0.1
> > > > >
> > > > > External: ISP Static IP
> > > > > IP: 70.148.240.122
> > > > > Subnet: 255.255.255.248
> > > > > GW: 70.148.122.121
> > > > >
> > > > > > There is mention in the book on creating static routes to the upstream
> > > > > > router to ensure communication between the networks. I'm not sure what
> > > > > > the upstream router is and need clarification. Is this a separate unit
> > > > > > functioning as a router or is this the ISA server? Where do I enter
> > > > > > this command and is this the correct syntax for the command:
> > > > > >
> > > > > > router add 172.16.0.0 add 172.16.0.0 0 mask 255.255.0.0 192.168.1.20
> > > > > >
> > > > > > Would anyone have any links or articles that cover static routes as
> > > > > > they relate to ISA2K4? I'm also trying to determine if the external
> > > > > > interface constitutes as a public address?
> > > > > > ANY responses are greatly appreciated. ANY!!!
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Other Internet Software Marketing Sites:
> > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > Network Security Library: http://www.secinf.net/
> > > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org
> > > > Discussion List as:
> > > > > jim@xxxxxxxxxxxx
> > > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >
> > > > > All mail to and from this domain is GFI-scanned.
> > > > >
> > > > >
> > > > > ------------------------------------------------------
> > > > > List Archives:
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > > > > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > > ------------------------------------------------------
> > > > > Other Internet Software Marketing Sites:
> > > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > > Network Security Library: http://www.secinf.net/
> > > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > > ------------------------------------------------------
> > > > > You are currently subscribed to this ISAserver.org
> > > > Discussion List as: marvinc@xxxxxxxxx
> > > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter:
> http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ:
> http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Other Internet Software Marketing Sites:
> > > > World of Windows Networking: http://www.windowsnetworking.com
> > > > Leading Network Software Directory: http://www.serverfiles.com
> > > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > > Network Security Library: http://www.secinf.net/
> > > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion
> > > > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx
> > > >
> > > >
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Other Internet Software Marketing Sites:
> > > World of Windows Networking: http://www.windowsnetworking.com
> > > Leading Network Software Directory: http://www.serverfiles.com
> > > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > > Windows Security Resource Site: http://www.windowsecurity.com/
> > > Network Security Library: http://www.secinf.net/
> > > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List
> as:
> > marvinc@xxxxxxxxx
> > > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx
> > >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> > jim@xxxxxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> > All mail to and from this domain is GFI-scanned.
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Other Internet Software Marketing Sites:
> > World of Windows Networking: http://www.windowsnetworking.com
> > Leading Network Software Directory: http://www.serverfiles.com
> > No.1 Exchange Server Resource Site: http://www.msexchange.org
> > Windows Security Resource Site: http://www.windowsecurity.com/
> > Network Security Library: http://www.secinf.net/
> > Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as:
> marvinc@xxxxxxxxx
> > To unsubscribe visit
> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as:
> josephk@xxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
> 
> 
> 
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: 
> marvinc@xxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx
>
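
Added example (not part of the thread and not written by any of its participants): a Python check of the addressing points raised in the messages above, using only the external address, mask and gateway values quoted there. The function names are hypothetical.

```python
import ipaddress

# Values quoted in the thread. The two external gateways differ between posts.
EXTERNAL_IP = "70.148.240.122"
EXTERNAL_MASK = "255.255.255.248"
GATEWAYS = {"first post": "70.148.122.121", "later post": "70.148.240.121"}
# Default gateways per interface as listed in the first post.
DEFAULT_GWS = {"Internal": None, "DMZ": "172.16.0.1", "External": "70.148.122.121"}


def external_block():
    """Network that the external address and mask fall in."""
    return ipaddress.ip_interface(f"{EXTERNAL_IP}/{EXTERNAL_MASK}").network


def usable_hosts(net):
    """Host addresses left after the network and broadcast addresses."""
    return list(net.hosts())


def gateway_on_link(gateway):
    """A default gateway must sit inside the external interface's own subnet."""
    return ipaddress.ip_address(gateway) in external_block()


def interfaces_with_gateway(plan):
    """Interfaces carrying a default gateway; more than one is a fault."""
    return [name for name, gw in plan.items() if gw]


def split_for_dmz(block):
    """Halve the ISP block (outside segment + DMZ segment); hosts per half."""
    halves = block.subnets(prefixlen_diff=1)
    return {str(half): len(usable_hosts(half)) for half in halves}


if __name__ == "__main__":
    block = external_block()
    print(block, "usable:", len(usable_hosts(block)))
    for label, gw in GATEWAYS.items():
        print(label, gw, "on-link" if gateway_on_link(gw) else "NOT on-link")
    print("default gateways on:", interfaces_with_gateway(DEFAULT_GWS))
    print("split:", split_for_dmz(block))
```

Each /30 half holds two hosts, so a DMZ half would have one address left for a server once the firewall's DMZ interface takes the other.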

