Bridging firewall with Microsoft ISA server?

Forums › IT Pro and developers › Bridging firewall with Microsoft ISA server?

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#28584 4-Dec-2008 23:46

Has anyone created a bridging firewall using microsoft ISA server? Can this be done? I've managed to get this going (both as a transparent firewall and as a non-transparent firewall) under linux / open/freeBSD variants before, but never tried under Microsoft's solution.

The reason for wanting this is to be able to split an existing LAN in two without having to change (too much) of the existing infrastructure.

I'm 90% positive that I'm going to have to create to logical networks and route between the two to accomplish this properly, but would like to know if it's possible to simply use a bridge functionality instead.

Thanks all.

Regs

4066 posts

Uber Geek
+1 received by user: 206

Trusted

Snowflake

#182176 5-Dec-2008 00:08

what is the end result you are looking for?

for example, do you want computers on two different IP networks to be able to talk to one another (e.g. computer 10.0.0.1 takling to computer 192.168.0.1) or do you just want computers on each network to be able to browse the internet via a single isa server?

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#182179 5-Dec-2008 00:13

The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN Machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.

The LAN is already behind a NATing firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions through the ISA server. As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.

All the machines I want to be on the same logical segment - ie. all machines will be within 192.168.0.0/24.

Thanks.

Regs

4066 posts

Uber Geek
+1 received by user: 206

Trusted

Snowflake

#182648 7-Dec-2008 22:51

wazzageek:
The end result is that I want all the LAN machines (on both sides of the ISA server) to be able to communicate - but the LAN Machines on the "protected" side of the ISA server will have a heavy restriction on the available destinations out on the general internet.
The LAN is already behind a NATing firewalling router, and it's only a selection of about 12 machines that I want to place the restrictions through the ISA server. As the traffic will not always be strictly web traffic (in the web browser sense) and will require streaming, I wasn't looking for a proxy solution.
All the machines I want to be on the same logical segment - ie. all machines will be within 192.168.0.0/24.
Thanks.

I would think that an ISA server with 3 nics (LAN1, LAN2 and WAN) would be the easiest option and I would make the two LANs use different subnets - e.g. 192.168.0/24 and 192.168.1/24. As long as all the machines use ISA as the default gateway there should be no problem communicating between each other - you will need to put in an allow rule between LAN1 and LAN2 though. For the restrictions on the internet you would then just set up a rule with the LAN2 source, allowed destinations and protocols and away you go.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#182671 8-Dec-2008 08:44

Thanks Regs,

I don't need the third card - I can see where you're coming from. I'm going to have to find some time and sit with the manuals and figure out if it's possible - currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilising the proxy server - of course, this assumes that all the traffic required allow being proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.

Regs

4066 posts

Uber Geek
+1 received by user: 206

Trusted

Snowflake

#183425 10-Dec-2008 23:36

wazzageek: Thanks Regs,

I don't need the third card - I can see where you're coming from. I'm going to have to find some time and sit with the manuals and figure out if it's possible - currently the only way I can see this working is if I bar by MAC address the machines getting out to the internet and utilising the proxy server - of course, this assumes that all the traffic required allow being proxied.

I think to get this going I'm just going to create a second subnet and route between the two.

Cheers.

you dont need to use the "proxy server" part of ISA in order to selectively block traffic - you do if you want to be able to block it by NT Username though. All traffic going out via ISA traverses the firewall rules.

Another option would be to create a DHCP range for the set of PC's you want to restrict and give them IP reservations (using their MAC addresses, of course) then create a rule for that range of source IPs.

Sales Engineer
Snowflake
www.snowflake.com

about.me/nzregs
Twitter: @nzregs

wazzageek

1095 posts

Uber Geek
+1 received by user: 108

ID Verified

Trusted

Lifetime subscriber

#183427 10-Dec-2008 23:49

That's true - but that also relies on the client machine not being tampered with - i.e. the DHCP being turned off or a different login being used. The idea is to physically lock down the machines (hence the MAC address filtering)

It all seems too hard (and as this is a nice to have and a side project) I think I'm just going to work with multiple subnets.

As ASCII art, this is what I'll end up accomplishing:

(Protected Machines) - [subnet 1 / physical net 1 / logical net 1] - (MS ISA server) - [subnet 2 / physical net 2 / logical net 2] - (Outside world router and only NAT device) - (Interwebnet cloud)