Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
I've never really used ISA/Forefront in a live or test environment before, so I thought I'd give it a go now that I've got my VMware lab set up at home.
At present, I have 2x Server 2008 DCs and one Server 2008 member server which Forefront will soon be installed on.
On the said member server, I've specified 2x NICs, so that I can set it up as an edge firewall.
The bit which has me scratching my head is the IP addressing. At present, the range my servers and clients are talking to each other on is just a standard class C address and subnet mask of 192.168.0.x : 255.25.255.0. The servers of course have manual NIC settings, and the clients are using a DHCP scope of 192.168.0.20 to 192.168.0.30.
So what's confusing me? Well, the WAN IP address from my ISP is dynamic, so I'm not 100% sure what IP I should give to the "external" NIC on the Forefront server, nor am I sure what IP I should specify for my Netgear router (which will soon be relieved of firewall duties).
Current WAN IP is 178.78.x.x
Any help?
[Edited on 28-10-2012 by Aaron]
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
Before I start, I have a Forefront TMG server at work and I fucking hate it, it's such a fucking piece of shit and it crashes randomly sometimes (fun!) and apparently Microsoft will not continue to develop/support it in the future. It's fucking wank.
Anyway, just give the external interface of your TMG server another private IP but in a different range such as 192.168.1.1 255.255.255.0, then get your Netgear router and set up the LAN interface as 192.168.1.2/255.255.255.0.
Set the default gateway of the TMG server to 192.168.1.2 (the Netgear router) and you are away.
edit - putting the right IPs.
[Edited on 28-10-2012 by willay]
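Added example, not code from the thread: a small Python check of the addressing plan willay describes (TMG external NIC 192.168.1.1/24, Netgear LAN side 192.168.1.2 as TMG's default gateway, clients on 192.168.0.x with a DHCP scope of .20 to .30). The TMG internal NIC address 192.168.0.1 is an assumption, since the thread does not give it.

```python
import ipaddress
from dataclasses import dataclass

@dataclass
class EdgePlan:
    """Addressing for a two-NIC TMG box behind a NAT router (constructed values)."""
    internal_if: str   # TMG inside NIC with mask, e.g. "192.168.0.1/24" (assumed)
    external_if: str   # TMG outside NIC with mask, e.g. "192.168.1.1/24"
    gateway: str       # router LAN address used as TMG's default gateway
    dhcp_start: str    # first address handed to clients on the inside
    dhcp_end: str      # last address handed to clients on the inside

def check_plan(plan: EdgePlan) -> list[str]:
    """Return the list of problems found; an empty list means the plan is consistent."""
    try:
        inside = ipaddress.ip_interface(plan.internal_if)
        outside = ipaddress.ip_interface(plan.external_if)
        gw = ipaddress.ip_address(plan.gateway)
        first = ipaddress.ip_address(plan.dhcp_start)
        last = ipaddress.ip_address(plan.dhcp_end)
    except ValueError as exc:  # e.g. a mistyped mask such as 255.25.255.0
        return [f"unparseable address or mask: {exc}"]
    problems = []
    # The two sides must be distinct networks, otherwise the firewall cannot
    # tell inside from outside and its routing/NAT decisions are ambiguous.
    if inside.network.overlaps(outside.network):
        problems.append("internal and external subnets overlap")
    # In this double-NAT design both firewall NICs sit on RFC 1918 space.
    for name, iface in (("internal", inside), ("external", outside)):
        if not iface.ip.is_private:
            problems.append(f"{name} NIC {iface.ip} is not a private address")
    # The default gateway must be on the external link and be the router, not the NIC itself.
    if gw not in outside.network:
        problems.append(f"gateway {gw} is not on external subnet {outside.network}")
    elif gw == outside.ip:
        problems.append("gateway must be the router, not the firewall's own external NIC")
    # The DHCP scope must lie inside the internal subnet and avoid the firewall's address.
    if first > last:
        problems.append("DHCP scope start is after its end")
    if first not in inside.network or last not in inside.network:
        problems.append(f"DHCP scope is outside internal subnet {inside.network}")
    elif first <= inside.ip <= last:
        problems.append(f"DHCP scope hands out the firewall's internal address {inside.ip}")
    return problems

if __name__ == "__main__":
    plan = EdgePlan("192.168.0.1/24", "192.168.1.1/24", "192.168.1.2",
                    "192.168.0.20", "192.168.0.30")
    print(check_plan(plan) or "plan looks consistent")
```

Feeding it the mask as typed in the first post (255.25.255.0) is rejected at parse time, which is the quickest way to catch that kind of slip before the firewall is built.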
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
Got ya. I was wondering about the ranges which you originally posted, which is why I typed out the following (but thankfully I saw your edit before I posted it):
"Ta. Will that solution provide NATting, given that the firewall on my Netgear router is going to be turned off?
Forgive me for perhaps sounding old-fashioned, but I've always been under the impression that a firewall was responsible for having an external and internal interface. The external interface (WAN range) communicates with the tinternet, and the internal interface (LAN range) communicates with the local clients. The handling of the traffic from internal to external and vice versa is then done by the firewall."
John
Member
Registered: 30th Jun 03
Not many places use ISA or Forefront anymore. A NAT router for anything up to medium size and some sort of firewall appliance for anything bigger.
ISA was always terrible.
Aaron
Member
Registered: 9th Aug 04
Location: Cottingham, East Riding
Yeah that might be the case, and the contract we're currently supporting is using some crappy Linux-based system on each site which needs to be hard rebooted every day. The said device acts as the proxy server and content filter... and it's SHITE. Still, ISA/Forefront is something I'd like to know about, if only for the theory of setting one up.
Any suggestions of other products as alternatives (software products I mean)?
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
Aaron - you are completely correct, but I was giving you an idea of how to get it set up and running.
But if I'm really honest, if it was my choice to use a WINDOWS based firewall to do NAT/Firewall/Router, it would be the very last option on my list, I'd rather deliver the packets by hand than let a Windows box do it.
EDIT - It isn't a proper firewall; as John said, I'd rather use a firewall appliance/router to do a proper function.
[Edited on 28-10-2012 by willay]
willay
Moderator Organiser: South East, National Events Premium Member
Registered: 10th Nov 02
Location: Roydon, Essex
quote: Originally posted by Aaron
Any suggestions of other products as alternatives (software products I mean)?
Appliance firewalls? Cisco ASA, Checkpoint Firewall.
Software/free?
http://m0n0.ch/wall/
FreeWRT
pfSense
IPCOP
VrsTurbo
Premium Member
Registered: 8th Jun 10
Place I'm at now has around 15 ISA firewalls.
Kyle T
Premium Member
Registered: 11th Sep 04
Location: Selby, North Yorkshire
I've just set up TMG for allowing SCCM to manage remote clients, and I've also published an internal HTTPS site to the Internet with it too.
It's been an absolute nightmare from start to finish; if your DMZ/network design doesn't exactly match that of the documented examples, you're fucked.
Ours is sat behind ASAs and Checkpoint appliances, no chance of it ever being a standalone firewall...
Lotus Elise 111R
Impreza WRX STi