
proxy to isa question


Alanukdude (Technical User), Nov 13, 2002
hi all,

we have some spare time and want to migrate from proxy server 2 to isa.

we're purely using the proxy server as a web proxy and we hear good things about isa.

However, the implication is we only want it as a web proxy and only connect it via one NIC.

can isa cope with this ok? what will be the limitations and benefits?
 
You can install it in web cache mode only. You will not be able to use any of its firewalling capabilities. Hopefully you have another firewall in place to take care of that issue.
 
You can do this, no problem. This is what we are doing. We were running Proxy 2 and migrated to ISA in integrated mode. This was a headache because we have a PIX firewall, and having ISA running firewalling was silly. Today I am rebuilding it in cache-only mode and using one NIC, like we had on Proxy.

Here is some info that I have looked at just for this.


"Cache Mode allows you to install ISA Server on a machine with a single network interface card and use that machine as both a caching proxy and Web Publishing server. This unihomed ISA Server can connect to the Internet through your existing firewall."

Have fun ;)
A
 
got isa up and running, working a real treat.

just a quick query.

If I use web cache mode, can I configure ISA to allow some protocols other than HTTP/S and FTP? I want to allow certain users to access radio in Media Player and also deny some users the ability to download exes.

Also, how would I go about that?

Thanks for the previous posts.
 
Great question. I actually sent this one off to MS yesterday, I have the same needs as yourself.

My net is set up so that the default gateway for unknown traffic is the ISA server. Well, that kind of stinks when using cache mode ISA. It will only pass FTP (download only), HTTPS and HTTP (browser traffic), which is really dumb. So, since this is the case, we are probably going to have to change the default gateway for unknown traffic to our choke router, get specific connection information from users and set ACLs on the PIX based on destination and port.

So, if we have a need to connect to Equifax secure FTP, I would add an ACL to allow all internal access to the IP and port of that FTP server. I would use the destination rather than the source to avoid endless additions and removals to the access list.

It really stinks that even though I set my cache ISA server to allow IP any any, it's a no-go. The problem is that, #1, there is no proxy client on the user end to allow other traffic to flow, and you can't add any other protocols besides what's included.


Integrated mode will let you do what you want to do, though, but it's a pain in the butt to configure a firewall inside a firewall.

When we were using a unihomed Proxy 2 server it could use the proxy client and pass Winsock apps; not ISA Cache, though... really stinks.

Hopefully MS will give me a workaround.
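One way to write the destination-and-port PIX access list the post above describes, as an added example that is not from the thread, from Microsoft or from Cisco documentation. It uses PIX 6.x-style syntax; the interface name, ACL name, inside network range, ISA host address and external FTP server address are all assumed placeholders. The point it demonstrates is the inverse of the "allow IP any any" the poster tried on ISA: with the ISA box in unihomed cache mode, only that host needs outbound HTTP/HTTPS/FTP, and every other inside host gets exactly the destinations it has asked for.

```cisco
! Added example, not from the thread. PIX 6.x style outbound access list applied
! on the inside interface: permit by destination and port, deny everything else.
! All names and addresses below are assumed placeholders.
!
! Whole inside network may reach one external FTP server (the post's "Equifax" case).
access-list inside_out permit tcp 172.16.0.0 255.255.0.0 host 203.0.113.10 eq ftp
!
! Only the ISA cache box itself may originate web traffic on behalf of clients,
! so ordinary workstations cannot bypass the proxy by setting the PIX as gateway.
access-list inside_out permit tcp host 172.16.0.5 any eq www
access-list inside_out permit tcp host 172.16.0.5 any eq https
access-list inside_out permit tcp host 172.16.0.5 any eq ftp
!
! Explicit catch-all deny (the PIX also denies implicitly; spelling it out
! makes the intent visible in "show access-list" hit counts).
access-list inside_out deny ip any any
!
! Bind the list inbound on the inside interface.
access-group inside_out in interface inside
```

The FTP entries only cover the control channel on port 21; on a PIX the data channel is opened by the FTP inspection engine (`fixup protocol ftp 21`, enabled by default), so if FTP logins succeed but directory listings hang, check that the fixup has not been disabled. Adding a new destination is one more `access-list inside_out permit ...` line before the deny, which is the "destination rather than source" maintenance model the poster is after.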


 
We run our ISA server in integrated mode and it works great, and yes, we have it inside of our "real" firewall. The cache mode is pretty limited in what you can do with it. The integrated mode is a little bit more work, but the extra features (and another layer of protection) are worth it in our experience.

Good Luck Dan
 
How do you set it up in integrated mode with the PIX as the upstream proxy? We can't get that config to work...
 
This is basically our setup...

Network===>ISA Server===>Firewall=====>router/internet

Our network uses a private IP range of 172.xx.xx.xx. The ISA Server has two interfaces, one is in the 172.xx.xx.xx range and the other is in a 10.xx.xx.xx range. Our firewall has an interface in the 10.xx.xx.xx range and an interface with a public IP address. It appears to the Firewall, that all of the activity is coming from our ISA Server (doing NAT).

Is this what you are looking for? (without giving away too much) Dan
 
We have connected it up exactly like that - but it is just not working.

i.e. LAN -> ISA -> (DMZ ->) Pix -> Internet

We get 502 errors trying to access the web. What else needs to be configured? We think our rules are set up correctly; at the moment all addresses are allowed through, both ways, at all times. Could it be the PIX end?
 