Recommended Network Card Configuration for ISA Firewall Servers

2009/08/17

A common question asked about ISA by people on the forums is:

"How should I configure the network interfaces on my ISA Server?"

This is the model that I normally use as part of my usual ISA Server build process.

ISA Server Standard Edition

Rename NICs:

Rename all NICs to descriptive names that ideally match ISA configuration names e.g.

External Network
Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
Etc.

Matching the names makes mapping networks between ISA and Windows much easier when troubleshooting…

Configure NICs:

External Network

Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled

Perimeter Network(s)

Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled

Internal Network

Default Gateway should not be defined.
DNS Servers should be defined.
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Amend Bind Order:

Edit the bind order as follows:

Internal Network (Highest)
Perimeter Network(s)
…Others…
External Network (Lowest)

ISA Server Enterprise Edition – Additional Considerations

Rename NICs:

Rename all NICs to descriptive names that ideally match ISA configuration names e.g.

Intra-Array Network
Etc.

Configure NICs:

Intra-Array Network

Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Amend Bind Order:

Edit the network bind order as follows:

Internal Network (Highest)
Intra-Array Network
Perimeter Network(s)
…Others…
External Network (Lowest)

Please Note: Disabling the ‘File and Print Sharing for Microsoft Networks’ binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
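To check a built server against the per-NIC settings listed above, the following audit script is an added example, not part of the original post. It assumes Windows PowerShell is installed on the ISA Server and that the NICs were renamed so their names contain External, Perimeter, Internal or Intra-Array; it reads only the four settings below through WMI and does not check the File and Print Sharing or Client for Microsoft Networks bindings or the bind order.

```powershell
# Baseline taken from the post. 'Match' patterns are assumptions about how the
# NICs were renamed; adjust them to the connection names used on your server.
$baseline = @(
    @{ Match = '*External*';    Gateway = $true;  Dns = $false; Register = $false; NetBios = $false },
    @{ Match = '*Perimeter*';   Gateway = $false; Dns = $false; Register = $false; NetBios = $false },
    @{ Match = '*Internal*';    Gateway = $false; Dns = $true;  Register = $true;  NetBios = $true  },
    @{ Match = '*Intra-Array*'; Gateway = $false; Dns = $false; Register = $false; NetBios = $true  }
)

# Only adapters that show up as named connections in Network Connections.
$nics = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID }

foreach ($nic in $nics) {
    $name = $nic.NetConnectionID
    $want = $baseline | Where-Object { $name -like $_.Match } | Select-Object -First 1
    if (-not $want) { Write-Warning "No baseline entry matches '$name'"; continue }

    # The adapter and its TCP/IP configuration share the same Index value.
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($nic.Index)"
    if (-not $cfg.IPEnabled) { Write-Warning "'$name' has no active TCP/IP binding"; continue }

    $have = @{
        Gateway  = [bool]$cfg.DefaultIPGateway            # any default gateway set
        Dns      = [bool]$cfg.DNSServerSearchOrder        # any DNS server set
        Register = [bool]$cfg.FullDNSRegistrationEnabled  # register address in DNS
        NetBios  = ($cfg.TcpipNetbiosOptions -ne 2)       # 2 = NetBIOS over TCP/IP disabled
    }

    $ok = $true
    foreach ($key in 'Gateway', 'Dns', 'Register', 'NetBios') {
        if ($have[$key] -ne $want[$key]) {
            $ok = $false
            "{0}: {1} is {2}, baseline says {3}" -f $name, $key, $have[$key], $want[$key]
        }
    }
    if ($ok) { "{0}: matches baseline" -f $name }
}
```

A TcpipNetbiosOptions value of 0 (use the DHCP-supplied setting) is reported as enabled here, so an interface that the post wants disabled must be set to Disabled explicitly to pass.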

Posted by Jason Jones at 09:52

http://blog.msfirewall.org.uk/2008/06/isa-servers-recommeded-network-card.html
