ISA and SBS Again

**JointTech** · 07-14-2009, 01:38 PM

Hi ALL-
I have a client with SBS2003, ISA2004 with 2 NICs.
ISP T-1 -> ISA(SBSNIC1) -> SBS -> Switch(SBSNIC2) -> LAN

ISA is being used for program control and logging. Disabling the second NIC is not an option.

Soooo. My plan is to put UT in bridge mode between the ISP's Cisco and the SBS's External NIC.

As I was driving to the office today I had the bad thought that I wouldnt know how to manage it. Generally I set them to DHCP and put it inside the LAN. It grabs an internal IP and I can get to it.

BUT if I put it on the Outside of the SBS it wont pickup an IP and I couldn't think how I could give it an external.

I saw a few posts saying put the UT on the other side of the SBS between the switch and the LAN.
My issue is I dont see how that will stop spam. For web filtering I can see.
My main use for UT is spam filtering.

So after that long one. Any ideas?

**sky-knight** · 07-14-2009, 02:59 PM

This configuration can be done...

The UT needs a static IP that is in the ISP's provided T1 IP block. And, you're going to have to exempt the SBS's IP from the attack blocker.

However, because you've got that SBS server doing NAT. The logs on the UT will be USELESS. Everything will be the SBS as far as UT is concerned. AD integration is out too...

You're also going to have to make careful use of the packet filter to prevent unauthorized access to the HTTP/HTTPS/and SSH services.

**JointTech** · 07-14-2009, 03:05 PM

Originally Posted by sky-knight

This configuration can be done...

The UT needs a static IP that is in the ISP's provided T1 IP block. And, you're going to have to exempt the SBS's IP from the attack blocker.

However, because you've got that SBS server doing NAT. The logs on the UT will be USELESS. Everything will be the SBS as far as UT is concerned. AD integration is out too...

You're also going to have to make careful use of the packet filter to prevent unauthorized access to the HTTP/HTTPS/and SSH services.

I'm only using it for spam filtering. I may turn on the firewall at some point. No AD integration so thats not an issue. I have an extra IP to use in the ISPs block so that will work.

I suppose my only other question then is remote management.

I suppose it has to be left open? Or will UT consider it internal if I connect to that external IP from inside the lan. It would still be hitting UT on the Inside NIC. So theoretically I can turn off remote management. i think

Thanks for the Tips. Your posts are *usually* helpful.
(I'm an SBS guy, like the wizards, and also know how to work in an enterprise. You are anti SBS LOL.) no offense taken.

**sky-knight** · 07-14-2009, 05:08 PM

"internal" works by source interface so that should work.

**JointTech** · 07-14-2009, 05:13 PM

thanks for the tip. I will post back results.

Thread: ISA and SBS Again

LinkBack

Thread Tools

ISA and SBS Again

Posting Permissions