ISA network settings

polilop

Jul 7, 2009, 9:39:15 AM

If I have a router which has an internal IP 192.168.10.1, is it possible
to set up the ISA server to be 192.168.10.2 and point all computers to the ISA
server to be their gateway, which will proxy the request?

Jens Baier

Jul 7, 2009, 1:24:21 PM

Hi,

yes, configure the ISA interface to use the router as the default gateway

regards jens
www.nt-faq.de
www.it-training-grote.de

polilop

Jul 8, 2009, 5:57:58 AM

> yes, configure the ISA interface to use the router as the default gateway
>
My subnet is a class C 192.168.10.0-192.168.10.255, subnet 255.255.255.0.
So I have set up my 2 NICs in this manner:

External:
IP address: 192.168.10.203
Default gateway: 192.168.10.1

Internal:
IP address: 192.168.10.202
DNS server: 192.168.10.201 (internal DNS server)

If in my ISA MMC console I stop the firewall service it works fine, but if
the firewall service is on it doesn't work. I also created an access rule
for all traffic
from internal to external on HTTP and FTP.

When trying to access the internet from the server I get the 403 forbidden
error, but when I try to access from a client on which I set the default
gateway to be 192.168.10.202, it just tries for a while, then says it
cannot display the web page. Any help on how to solve this?

Paul Yhonquea

Aug 2, 2009, 3:53:12 PM

From my experiences with ISA, setting up your ISA Server to use IP addresses
on the same subnet for BOTH internal and external interfaces can cause
nightmares! Foremost, your ISA server will definitely generate a lot of "IP
spoofing" errors. This is due to the fact that it will, in your case,
recognize IP addresses from the 192.168.10.0/24 network as internal. This
will also include any traffic coming from your router (192.168.10.1). It
will recognize that the router's traffic is originating from the ISA's
external interface, and block it.

How are you assigning IP addresses on your internal network? If you are
using static addresses, I would suggest using a different network for
internal ISA interface and for your clients that will be behind the ISA
server (like 10.0.0.0/24) - see diagram below. Ensure all clients have an
IP on the same subnet as the internal interface of the ISA server, and point
their DNS to the Router. Configure the Internal network with the full
address range you choose (in this example, 10.0.0.0 - 10.0.0.255). That
way, your ISA server will naturally route traffic through itself without
problems. This will place the ISA server in a "Firewall" state, instead of
"Proxy". Configure the ISA server with a rule that allows HTTP, FTP and DNS
traffic from the clients to the External network. Another benefit from this
configuration is that, if you wish, you can setup the Proxy function of ISA
with web caching, although it is not necessary.

INTERNET <--> (ext. IP address) ROUTER (192.168.10.1) <--> (192.168.10.203) ISA (10.0.0.1) <--> (Clients with 10.0.0.0/24 addresses)

If you are using DHCP, do you have a separate dedicated DHCP server, or are
you using the router? If you have a server, change its IP (and therefore
its scope) to match the network used on the internal side of the ISA
server. You can still adjust the extra options (specifically DNS) to point
to the router, but point the default gateway to the internal ISA interface.
If you are using the router, you may need to find an alternate solution for
the DHCP service, like setting up DHCP on the ISA server itself. It will
take a bit more configuration, though, but it will provide your clients with
the appropriate IPs to communicate with each other and the ISA server.

Hopefully this helps.


Paul Yhonquea
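
Added example, not part of the thread and not ISA Server code: a simplified Python model of the per-adapter source check described in the reply above, run against the thread's layout and the proposed 10.0.0.0/24 layout. The configuration dictionaries, function names and the sample addresses 203.0.113.10, 192.168.10.50 and 10.0.0.50 are constructed for illustration, and the "before" Internal range is assumed to be the whole 192.168.10.0/24 subnet.

```python
import ipaddress
from itertools import combinations

# Constructed configurations. Each network name maps to
# (adapter address/prefix, address ranges defined for that network).
# External has no ranges: it is every address not claimed by another network.
BEFORE = {  # layout from the question (Internal range is an assumption)
    "External": ("192.168.10.203/24", []),
    "Internal": ("192.168.10.202/24", ["192.168.10.0/24"]),
}
AFTER = {   # layout proposed in the reply
    "External": ("192.168.10.203/24", []),
    "Internal": ("10.0.0.1/24", ["10.0.0.0/24"]),
}

def owning_network(config, src_ip):
    """Name of the network whose ranges contain src_ip, else 'External'."""
    src = ipaddress.ip_address(src_ip)
    for name, (_adapter, ranges) in config.items():
        if any(src in ipaddress.ip_network(r) for r in ranges):
            return name
    return "External"

def verdict(config, arrival_network, src_ip):
    """'allow' if the source belongs to the network it arrived on, else 'spoofed'."""
    owner = owning_network(config, src_ip)
    return "allow" if owner == arrival_network else "spoofed"

def overlapping_adapters(config):
    """Pairs of networks whose adapters sit on overlapping IP subnets."""
    nets = {n: ipaddress.ip_interface(a).network for n, (a, _r) in config.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]

if __name__ == "__main__":
    samples = {
        "before": (BEFORE, "192.168.10.50"),  # constructed client address
        "after": (AFTER, "10.0.0.50"),        # constructed client address
    }
    for label, (cfg, client) in samples.items():
        print(label, "overlapping adapters:", overlapping_adapters(cfg))
        for arrival, src in (("External", "192.168.10.1"),   # the router
                             ("External", "203.0.113.10"),   # internet host
                             ("Internal", client)):
            print(f"  {src:>15} on {arrival}: {verdict(cfg, arrival, src)}")
```
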

"polilop" <fmatosi...@inet.hr> wrote in message
news:C8BD1CBA-36FB-4AE3...@microsoft.com...
