Setup with MS ISA 2006



  • I have pfSense 1.2 as the gateway, and I want to use Microsoft ISA 2006 to perform additional application filters and provide better reports per user.  Main question is, how do I set the architecture up?  For example, my pfSense is in a test environment as the GW, and now I need to add ISA to filter the additional traffic.  Could someone give me an idea how I would set this up - how traffic should flow through the two systems?  Imagine I am using 192.168.10.1 as the pfSense GW.  Thank you.



  • I have a similar setup at a customer's location. I use a 3-NIC pfSense for this:

    
                         LAN--------------LAN-Switch---LAN-Network
    ISP------WAN pfSense                  /
                         OPT1------ISA---/
    
    

    The clients have the pfSense set as gateway, though I block nearly everything outgoing so they have to use the ISA proxy (non-transparent). The ISA has 2 NICs with its WAN pointing to the pfSense OPT1 interface. I used this setup as pfSense is terminating VPNs as well. Another nice thing is that I can allow some special applications/hosts/ports to go through the pfSense directly without using the ISA, as some applications/protocols just have issues with proxies.



  • I'd recommend the same type of setup hoba described; I'm running similar configurations as well. You will need to dual-home ISA (unfortunately) because that's the only way firewall clients will work.



  • Let me clarify my question. What I was trying to say / ask is, I know pfSense would be at the front, and ISA 2006 would be behind it, but my question is really, where would the clients and server point to? Do they point to the IP address of the ISA LAN side, and the ISA WAN would go into the pfSense LAN side? What would be best is an ideal IP setup of ISA and pfSense on LAN / WAN interfaces and even the OPT interface. Just not clear on how packets are being routed through ISA, pfSense and client. Hoba, in your diagram, does your ISA have 1 or 2 interfaces: private and public?

    Nevermind, I think I understand it…just re-read your comment and looked "harder" at your example.  Thank you.



  • @hoba:

    The clients have the pfSense set as gateway, though I block nearly everything outgoing so they have to use the ISA proxy (non-transparent). The ISA has 2 NICs with its WAN pointing to the pfSense OPT1 interface. I used this setup as pfSense is terminating VPNs as well. Another nice thing is that I can allow some special applications/hosts/ports to go through the pfSense directly without using the ISA, as some applications/protocols just have issues with proxies.



  • Ha…looked harder. Anyhow, with this setup, with clients going to the pfSense as the GW, ISA cannot do the proxy, or the clients can't really use the FW client - is that correct? My main goal is to gather statistics on clients (e.g. what sites they are going to, when, etc.) - along with the added security of ISA - will I be able to accomplish this with your example? I know about NTOP, RRD, etc. - but they just do not cut it - hopefully ISA can provide more.



  • You have to make the clients use the proxy (like proxy settings in the web browser and so on). Simply add block rules at Interface > LAN so they really have to use it.
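The "force everything through the ISA proxy, with a few direct exceptions" LAN policy hoba describes, modelled as a first-match ruleset so you can check which flows pfSense would pass or block. This is an added example, not code from the thread or from pfSense; the OPT1 subnet, the ISA address, the proxy port 8080 and the exception host are constructed assumptions (only the 192.168.10.1 gateway comes from the question).

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed topology: pfSense LAN 192.168.10.1 (from the question); the OPT1
# subnet, ISA external address and proxy port are assumptions for this example.
LAN_NET = ipaddress.ip_network("192.168.10.0/24")
ISA_WAN_IP = ipaddress.ip_address("192.168.20.2")  # ISA external NIC, sits on pfSense OPT1
ISA_PROXY_PORT = 8080                                # assumed non-transparent proxy port
ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                     # "pass" or "block"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str]            # None matches any protocol
    dport: Optional[int]            # None matches any destination port


# LAN ruleset in pfSense order: first match wins; nothing matching is blocked.
LAN_RULES = [
    # Clients may only reach the ISA proxy listener on OPT1.
    Rule("pass", LAN_NET, ipaddress.ip_network(f"{ISA_WAN_IP}/32"), "tcp", ISA_PROXY_PORT),
    # One proxy-unfriendly host (constructed) is allowed out directly.
    Rule("pass", ipaddress.ip_network("192.168.10.50/32"), ANY, None, None),
    # Everything else from LAN is blocked, so browsers must use the proxy.
    Rule("block", LAN_NET, ANY, None, None),
]


def evaluate(rules, src, dst, proto, dport):
    """Return the action of the first rule matching the flow ("block" if none)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for r in rules:
        if (s in r.src and d in r.dst
                and (r.proto is None or r.proto == proto)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return "block"


if __name__ == "__main__":
    for flow in [("192.168.10.20", str(ISA_WAN_IP), "tcp", 8080),
                 ("192.168.10.20", "198.51.100.10", "tcp", 443),
                 ("192.168.10.50", "198.51.100.10", "udp", 5060)]:
        print(flow, "->", evaluate(LAN_RULES, *flow))
```

Direct HTTPS from an ordinary client is blocked while the same client reaching the proxy port is passed; the exception host passes regardless of port, which is the gap to keep small since it bypasses ISA's logging.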

