Replace dual wan ISA SERVER with Pfsense



  • I have an ISA Server I need to replace.
    This ISA has two ADSL lines: one is for internet, the other is a VPN to another site.
    I also have Outlook Web Access behind it.
    I need to have an idea of the problems I may find because this is a critical device.
    Let's assume I have this setup running on my ISA.

    ISA NICS:
    LAN:10.10.10.250/24
    WAN:192.168.2/24
    VPN:10.3.1.1/24

    Internet ADSL Router ---WAN-|||| ISA ||||-VPN--VPN ADSL Router---------Company X
                                     ||
                                     LAN
                                      |
                           OWA (Outlook Web Access)

    If I want to have all the services running but with pfSense, is there any special need for Outlook Web Access or the VPN?
    If I bridge the VPN NIC with LAN, will it work?
    How can I tell pfSense that all requests to the VPN network must use the VPN NIC as gateway?



  • Yes, it can be done, and done easily. You're looking at a dual-WAN, single-LAN setup. Then you're looking to set up VPN and anything else you want/need as well. pfSense supports IPsec, OpenVPN, and PPTP out of the box, but since it is FreeBSD you could go into the terminal and install anything you want. You can also set up the dual WAN to do load balancing if you want (or not, completely up to you), and all VPN software requires a server address as far as I know, so you have to tell it which WAN to listen to. This solves the issue of setting up which LAN for VPN.

    Also, the default with pfSense is that VPN auto-punches a hole through the firewall (so no need to set up NAT for it), and it auto-bridges to the LAN if you set up your VPN IP range the same as the LAN interface (your OWA), so you do not have to worry about setting up a bridge. For example: OWA IP is 192.168.1.10 and your VPN range is 192.168.1.100 to 192.168.1.115, then the VPN users will be able to connect to the OWA.

    It really is a simple setup. The hardest part is setting up the VPN imho, but maybe that is because I hardly know the first thing about them.


  • ISA is capable of running Layer 7 inspection, and is very good at it.

    pfSense does not yet, and I still use ISA2006 for traffic inspection and delivery to the server farm... L7 is the one thing I miss in pfSense, and the reason for ISA not being replaced.

