problems for current configuration 2

[dande]

Looking to put ISA server 2004 (HP package) on network with the following items. 2000 enviroment in mixed mode includes Exchange 5.5, SQL 2k, 2 citrix servers, AD server and a member file server all 2k - and a watchgaurd 700. Can isa just be a member server on the 2k mixed mode setup? Can Exchange 5.5 run in native mode? Any other recommendations? Thanks, Paul

 

[SjrH]

ISA 2004 will function on your network as is, exchange 5.5 will not operate in native. 5.5 is your tail drager here and should be your next priority upgrade!

 

[dande]

SjrH - Thanks Exchange is next on the list..Your thoughts on ISA position - infront or behind Watchgaud - we do not have a web server at this location?

 

[SjrH]

Putting ISA behind watchguard would give you a dmz and double security depending on how you install ISA. If its installed in integrated mode, then you will have two firewall configurations to manage. However, like watchguard, ISA is fairly easy to administer and quite user friendly.

 

[dput]

We run an ISA 2000 Server and a Watchguard firewall. We run the Watchguard on the outside of our network and the ISA inside. We use the ISA for it's caching abilities and to place limits on some of our users. The Watchguard is used as our primary protection on the Internet. This has worked very well for us.

Dan

 

[dande]

Thanks SjrH & dput - Currently we use w/g to control internet access via the authencation feature. Since we are a Citrix enviroment, user authencation to w/g isn't easy to manage. Because w/g authencation is by ip address, any user on the same Citrix server could "slide" out once an allowed user authencates & opens up server ip. To workaround set IE to proxy to a dummy ip address in Group Policy for non-internet users. Looking for ISA to make this area better managed. - Paul

 

[SjrH]

ISA would work great for you here. It can filter web & port access in a number of ways, the easiest being by user or groups. Looks like you already have your groups configured so setting up an internet access rule and applying your internet group to it would save the need for your workaround.

Here is a link that might give you some more insight into how ISA functions...

http://www.isaserver.org/

 

[dput]

Paul, we are also a city, with much the same issues. It use to be that if we blocked the user's IP address, they would just go to another PC, log on and access the Internet. With ISA 2000, we have been able to deny them access from anyplace on the network. It has worked great and is easy to administer. If you have questions or problems, let me know.

Dan

 

[dande]

I back - after losing my helper, I'm back to a department of 1. ISA and new w/g 700 are in place. Most is working fine. I can connect from home through Citrix Program Neighborhood. Having problems with remote office and vpn. Tunnel is up and can ping remote office (DSL) from main office (Cable ISP). W/G first - then ISA - then internal network. Thin clients not able to connect from remote office. Nothing is showing up on either w/g or isa logs. Any thoughts??