DominicA

Is anyone doing this?? Any points or routing issues I should be aware of??

I have the 3 network cards installed. Webserver connected via xover cable. Can ping the DMZ network card on ISA server. Can't ping the ISA server external card tho. Can load webpage from internal network.

Is it just a case of setting up a web publishing rule now??

thanks
Dom

ChristianR

iTrader: (1)

Dom,

This may be helpful:

http://www.isaserver.org/pages/article.asp?id=221

Regards,
Christian

DominicA

thanks, i have this already...

Ga22ar

set up a server publishing rule from the external nic IP and point it at the IIs servers IP, accept connections from anywhere and specify http server.



to ping you need to set up IP routing, go to Access Policy then IP Packet Filters and select properties. check packet filtering and then ip routing. Having done all that you will need to add icmp packet filters as well..

cheerio

DominicA

publishing worked fine, however, since obviously making port80 available out on the internet, we're seeing large numbers of spoof attacks from 2 ip addresses... how do i ban the packets for these 2 ips completely..... i have been digging out the books and searching the web, no luck yet...

Jeff Wiltshire

Buy a Firewall and don't trust Microsoft Proxy Server (or ISA)....


Jeff

DominicA

Jeff, what would you suggest we replace it with??? we need VPN access... if this effects the choice...

ChrisB

Budget, how many users, number of concurrent connections, VPN throughput???

Me, I'm a SonicWall fan...

Jeff Wiltshire

Depends on your budget....

SonicWALL at the cheaper end (700-3500 UKP)
Netscreen
Checkpoint (big bucks)

How many hosts do you have (ie machines that need protecting) and what type of VPN do you need (IPSec ??)


Jeff

Jeff Wiltshire

I would suggest that you look at my profile, but that would be advertising.....Hi Chris .....runs for cover


Jeff

Ga22ar

Depends on the size of your environment, cost of support, availability of in-house expertise.. The big firewalls are superb if your a large/huge org that can buyin the skills when it needs it.

With ISA you can create a rule to drop all packets inbound from a specific IP, which of course you can do with all the other firewalls as well..

VPN with ISA can be either PPTP or L2TP(ipsec) which is pretty robust (excusing the recent pptp hole found - oops!!) Checkpoint does provide secureID ability which is about as secure as you can( reasonbly) get.. However you can buy secureID seperate from Checkpoint Firewall if you require it..

Bascially you pays your money and you take you choice - or you pays a consultant to do it all for you - end of day its cost not functionality which decides...

cheerio

DominicA

what i'm after is....

Firewall to connect to ethernet ISP and ethernet LAN
20 user VPN access
DMZ for publishing web and ftp servers

DominicA

SonicWall Pro100 seems to be quite the ticket...???

Jeff Wiltshire

Dominic

The Pro-100 would work well....

Call me if you wish to talk about costs (or look at the web page)

Cheers


Jeff