building first dmz

[alpha88]

Hi everyone I'm in the process of building my first front end back end firewall setup. I would like to know about nat and the creation of nodes. Basically I would like for internal users to only to be able to ask the internet through the proxy server which will be isa server 2004. The front end firewall will be astaro version 5. Do I need to create a node on the astaro box that represents the isa server 2004 box. I would than allow traffice to the internet only from that node. I'm a little confused on this part of the setup I was looking through some microsoft docs and they stated that the backend firewall should be used to control outbound access and that the frontend firewall should be used to control access to the dmz zone. Also how does nat come into paly with this setup.

 

[TravisM]

Unless you're really building a true DMZ into your infrastructure, I would suggest forcing all the browsers to use the proxy server through GPO (note this only works if you're using IE, unless you want to write a custom .adm) and then setting a rule on the firewall to only allow outbound access from the IP address of the proxy server, or any other machines (other servers perhaps) that need to access the internet.

I don't know anythingabout that firewall appliance, but if you have a cisco router or something sitting around I could give you a sample config on how to limit it in nat via a route-map or ACL.

 

[fuunstatic]

you need to also configure your router to only accept web requests/traffic from the ISA box, otherwise users would simply untick the boxes in their IE browsers and bypass your proxy server. (another way they can bypass is, if they install a different browser)

"Work to live, don't live to work"

"The problem with troubleshooting is that sometimes it shoots back"