ISA as FRONT firewall for Edge on public addressing scenario

  • Question

  • Hi all,

    A number of articles and posts exist about ISA Server being deployed on a 3-leg based DMZ.

    I was unable to find anything specific for ISA being deployed as a FRONT firewall in front of an Edge server, in the typical consolidated Edge scenario as per the Microsoft Edge deployment guide, featuring an internal firewall too.

    What we're basically trying to accomplish is the following: we have a /26 public, fully routable IP subnet which we further subnetted. One subnet is used as "external", one as DMZ.

    One IP is on the external ISA NIC (on the same IP, a working static route on the ISP devices routes traffic to the DMZ subnet). One IP is on the ISA DMZ NIC. On the same DMZ subnet, there's one consolidated Edge with 3 NICs, each with its own public IP. All IPs are fully routable, and route relationships exist in ISA between the networks.

    External clients can connect to the Edge and perform authentication, IM and presence (from/to anywhere), and AV calls (the latter ONLY external-to-external). AV calls from external-to-internal and from internal-to-external do not get through (clients do ring, but the call is dropped before it is established).

    We get these entries in the ISA logs which, apparently, look like dropped packets from the AV Edge IP (3.3.3.3) to the external Internet client (10.10.10.10). However, there's no indication of any deny rule (not even the last default one; the rule field is empty...) that could explain such rejected packets.

    UDP 3.3.3.3:3478 10.10.10.10:34688 3.3.3.3 Perimeter External Denied 0x80070008 - Unidentified IP Traffic 0

    Has anyone experienced this before?

    Thank you.


    Thursday, January 29, 2009 11:55 PM
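The practical triage step behind this question is to pull the "Denied" entries that carry no rule name out of the ISA log and look at them together with the STUN (UDP 3478) traffic of the AV Edge. The following is an added example, not code from the post or from ISA Server. It assumes a column layout inferred from the single line quoted above (protocol, source, destination, original client IP, source network, destination network, action, result code, rule with "-" for empty, application protocol, bytes); that layout is an assumption, not ISA's documented export format, and only the first sample line is taken from the post, the other two are constructed for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: line 1 is the entry quoted in the post; lines 2 and 3
# are made up in the same shape (rule names and result codes are placeholders).
SAMPLE_LOG = """\
UDP 3.3.3.3:3478 10.10.10.10:34688 3.3.3.3 Perimeter External Denied 0x80070008 - Unidentified IP Traffic 0
UDP 3.3.3.3:3478 10.10.10.10:34688 3.3.3.3 Perimeter External Allowed 0x0 Edge_STUN_Out STUN 1200
TCP 10.10.10.10:51022 3.3.3.3:443 10.10.10.10 External Perimeter Denied 0x80074e20 Block_Unknown HTTPS 0
"""

# Assumed column order (see lead-in). The application protocol field may
# contain spaces ("Unidentified IP Traffic"), so it is matched non-greedily
# and anchored by the trailing byte count.
LINE_RE = re.compile(
    r"^(?P<proto>\S+) (?P<src>\S+) (?P<dst>\S+) (?P<orig>\S+) "
    r"(?P<srcnet>\S+) (?P<dstnet>\S+) (?P<action>\S+) "
    r"(?P<code>0x[0-9A-Fa-f]+) (?P<rule>\S+) (?P<app>.+?) (?P<bytes>\d+)$"
)

STUN_PORT = 3478  # UDP port used by the AV Edge for STUN in the post


@dataclass
class Entry:
    protocol: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    src_network: str
    dst_network: str
    action: str
    result_code: str
    rule: Optional[str]      # None when the log shows "-" (no rule matched)
    app_protocol: str
    bytes_sent: int


def _split_endpoint(endpoint: str):
    """Split 'ip:port' into (ip, port); IPv4 only, as in the post."""
    ip, port = endpoint.rsplit(":", 1)
    return ip, int(port)


def parse_line(line: str) -> Optional[Entry]:
    """Parse one log line; return None for lines that do not fit the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src_ip, src_port = _split_endpoint(m["src"])
    dst_ip, dst_port = _split_endpoint(m["dst"])
    rule = None if m["rule"] == "-" else m["rule"]
    return Entry(m["proto"], src_ip, src_port, dst_ip, dst_port,
                 m["srcnet"], m["dstnet"], m["action"], m["code"],
                 rule, m["app"], int(m["bytes"]))


def parse_log(text: str) -> List[Entry]:
    """Parse all well-formed lines, silently skipping unparsable ones."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def unexplained_denials(entries: List[Entry]) -> List[Entry]:
    """Denied packets with no rule name: the symptom described in the post."""
    return [e for e in entries if e.action == "Denied" and e.rule is None]


def stun_entries(entries: List[Entry]) -> List[Entry]:
    """Entries touching the STUN port on either side, for correlating AV failures."""
    return [e for e in entries if STUN_PORT in (e.src_port, e.dst_port)]


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for e in unexplained_denials(log):
        print(f"no-rule drop: {e.protocol} {e.src_ip}:{e.src_port} -> "
              f"{e.dst_ip}:{e.dst_port} code={e.result_code} app={e.app_protocol!r}")
```

Running this over the constructed sample reports exactly one no-rule drop, the quoted UDP 3478 packet from the AV Edge toward the external client, while the denial that does carry a rule name is left out, which is the distinction a reviewer of these logs wants to make before looking at policy.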