Can ISA 2004 be used as a reverse proxy + placement of A/V Edge

  • Question

  • Hi,

    I'm doing an OCS pilot with a collocated Edge topology. We have an ISA 2004; can this be used instead of ISA 2006?

    On the ISA 2004, the private and DMZ interfaces use private IPs. The public interface uses public IPs.

    We will NAT the Access Edge + Web Conferencing Edge from the DMZ to the private interface.

    In the current setup, what is the best way of implementing the A/V Edge? We can't NAT the A/V Edge as it's not supported.

    The Edge server has 3 NICs: one for the A/V Edge, a second NIC for the Access/Web Conferencing Edge, and the third interface is for internal communications.

    Best Regards

    Daniel

    Thursday, September 4, 2008 12:49 PM

Answers

  • In that case you'll have to install another interface on your ISA server and create a second perimeter network using your public IP subnetwork for that A/V interface to connect to.

    Thursday, September 4, 2008 4:02 PM
    Moderator
  • Thanks Jeff, I suspected that, but I wanted to avoid extending the number of NICs in the ISA server.

    It's for a pilot purpose; I don't want to change too much. I will go for a separate external A/V Edge NIC in the Edge server with a public IP.

    Do you have a handy script that configures a Windows 2003 NIC with the correct port range for the A/V Edge?

    Br, Daniel

    Thursday, September 4, 2008 7:12 PM

All replies

  • Absolutely - we're using ISA 2004 EE in a customer production environment...

    The ISA DMZ network is the 'inside' network for the Edge server.

    However, the 'outside' network for the Edge server connects to another vendor's firewall, which routes public IPs to the server.

    Yours,

    Andy

    Thursday, September 4, 2008 1:33 PM
  • Thank you, good to know that it works with ISA 2004.

    OK, to clarify... here's an example scenario of the ISA interfaces/setup:

    NIC1 OUTSIDE 194.71.11.xxx - public IPs

    NIC2 DMZ 192.168.100.2 - private IPs (Access Edge & Web Conferencing Edge are located here)

    NIC3 INSIDE 10.115.36 - private IPs (the internal OCS Standard Edition server is located here)

    The Access Edge & Web Conferencing Edge will be NATed from OUTSIDE to DMZ.
    But what about the A/V Edge?

    To conform to the requirement of a publicly routable IP address for the A/V Edge Server, the external firewall of the perimeter network must not act as a NAT (Network Address Translator) for this IP address.

    Additionally, the internal firewall must not act as a NAT for the internal IP address of the A/V Edge Server. The internal IP address of the A/V Edge Server must be fully routable from the internal network to the internal IP address of the A/V Edge Server.

    Given my current ISA setup, will it really work to connect the A/V Edge interface to this DMZ? Then NAT is used...

    Andy Bloomfield wrote:

        Absolutely - we're using ISA 2004 EE in a customer production environment...

        The ISA DMZ network is the 'inside' network for the Edge server.

        However, the 'outside' network for the Edge server connects to another vendor's firewall, which routes public IPs to the server.

        Yours,

        Andy

    Thursday, September 4, 2008 2:41 PM
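The placement rules quoted in the post above (Access and Web Conferencing Edge may sit behind NAT in the DMZ; the A/V Edge needs a publicly routable external address and must not be NATed on either side) can be checked against an address plan before any cabling changes. The following is an added example written for this page, not code from the thread, Microsoft or ISA; it uses Python's standard `ipaddress` module and a constructed scenario based on the subnets Daniel listed (the host `194.71.11.10` is an assumed address inside his `194.71.11.xxx` range).

```python
import ipaddress

# Which Edge roles the thread says may be published through NAT.
# Access Edge and Web Conferencing Edge: yes. A/V Edge: no (neither side).
NAT_PERMITTED = {"access": True, "webconf": True, "av": False}


def check_edge_placement(role, external_ip, nat_on_external, internal_ip, nat_on_internal):
    """Return a list of findings for one Edge role's placement.

    An empty list means the placement is consistent with the requirements
    quoted in the thread. external_ip is the address clients on the Internet
    reach; internal_ip is the address internal clients reach.
    """
    findings = []
    ext = ipaddress.ip_address(external_ip)
    intl = ipaddress.ip_address(internal_ip)

    if not NAT_PERMITTED[role]:
        # A/V Edge: the external firewall must not translate its address.
        if nat_on_external:
            findings.append(f"{role}: external firewall must not NAT this interface")
        # A/V Edge: the internal firewall must not translate its address either.
        if nat_on_internal:
            findings.append(f"{role}: internal firewall must not NAT this interface")
        # A/V Edge: the external address itself must be publicly routable
        # (not RFC 1918 or otherwise reserved space such as 192.168.100.x).
        if not ext.is_global:
            findings.append(f"{role}: external address {ext} is not publicly routable")

    # Any role: an internal address in global space behind an inside NAT is
    # usually a plan error; flag it so the operator looks twice.
    if intl.is_global and nat_on_internal:
        findings.append(f"{role}: internal address {intl} is public but NATed internally")

    return findings


def evaluate_scenario():
    """Constructed scenario from the thread: three ISA interfaces, Edge in the DMZ."""
    return {
        # Access/Web Conf Edge: published from OUTSIDE to the DMZ via NAT - allowed.
        "access": check_edge_placement("access", "194.71.11.10", True, "192.168.100.2", False),
        "webconf": check_edge_placement("webconf", "194.71.11.10", True, "192.168.100.2", False),
        # A/V Edge placed on the same private DMZ and NATed - rejected.
        "av_in_dmz": check_edge_placement("av", "192.168.100.3", True, "192.168.100.3", False),
        # A/V Edge on its own interface with a public address and no NAT - allowed.
        "av_public": check_edge_placement("av", "194.71.11.10", False, "10.115.36.5", False),
    }


if __name__ == "__main__":
    for name, findings in evaluate_scenario().items():
        status = "OK" if not findings else "FAIL"
        print(f"{name:10} {status}")
        for f in findings:
            print(f"           - {f}")
```

The `av_in_dmz` entry reproduces the configuration Daniel asks about and produces two findings (NAT on the external side, and a private external address), while `av_public` models the second perimeter network Jeff recommends and passes. Note that the script cannot verify that the internal address is actually routable from the internal network; that remains a routing-table check on the ISA and internal firewall.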
  • You cannot NAT the A/V Edge at all, regardless of the configuration of your Perimeter (DMZ) network. You'll need to acquire another public IP address for that interface if you want fully external functionality.

    Take a look at these articles for more on the Edge configuration:

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=33

    http://blogs.pointbridge.com/Blogs/schertz_jeff/Pages/Post.aspx?_ID=19

    Thursday, September 4, 2008 3:02 PM
    Moderator
  • OK, having cleared up the NAT issue...

    I don't want to connect the A/V Edge NIC directly to the ISP switch with a public IP.

    I want the A/V Edge traffic to pass through my ISA (without using NAT, of course).

    How do I accomplish this?

    Thanks,

    Daniel

    Thursday, September 4, 2008 3:12 PM