ISA has only one NIC with 192.168.2.2, DG is the firewall appliance LAN IP
192.168.2.1 and DNS is the internal DNS server address 192.168.2.3. ISP DNS
Addresses are configured on my DNS Server as forwarders.
I need ISA for caching only, to allow my users to access the internet through it.
My concern is the default gateway address on servers and clients. Is there
any problem or conflict if I use Firewall LAN IP 192.168.2.1 as DG for
everybody, and secondly, what about the DNS server address on ISA itself? Can I
use the internal DNS server address 192.168.2.3, or should it also be the
firewall LAN IP 192.168.2.1 or the ISP DNS server addresses?
"Grant Taylor" wrote:
> On 08/20/09 08:26, create_share wrote:
> > What is the recommended Default Gateway address for Servers and
> > clients in presence of a Firewall Appliance and ISA Server (Single
> > NIC). Both are connected to the Internal LAN Switch where all the
> > client computers are connected.
> That really depends on what you are wanting. (See more below.)
> > Is it good to use Firewall Ethernet Port IP Address as the Default
> > Gateway for all servers and client computers and configure ISA Server
> > as proxy in their browsers or ISA Server should be the default
> > gateway for all the client computers and Servers excluding ISA
> > Server.
> Do you want all traffic to pass through the ISA or just web (proxied)
> I presume that you are wanting ISA to be protected by the firewall.
> (Some people, including Microsoft, like to see a host based firewall
> running on all computers, something I /personally/ don't subscribe to.
> Your opinion may differ.)
> I would have all the workstations use ISA as their default gateway and
> optionally as a proxy.
> I would put a second NIC in the ISA server and have it connect to a new
> network (crossover cable or standalone switch) to the firewall appliance.
> I would have ISA use the firewall as its default gateway.
> This way all your systems are behind ISA and you can take full advantage
> of all of its features. Whereas if you only used ISA as a proxy you
> would only be able to act on the traffic that passed through it, not
> everything from / to the workstations.
> Depending on how you want things set up, you can have your firewall know
> about the network behind ISA or you can have ISA NAT all the traffic
> behind it. I personally am fond of routing and as such would let the
> firewall do the NATing.
> Besides, unless you are using globally routable IP addresses on ISA,
> which I doubt you are, or you would be asking different questions, the
> firewall will be doing NAT anyway.
> Grant. . . .