Question : Configure ISA 2004 as Backend Firewall

Hello,
Actually, I want to confirm my information and get new information if I missed something:

The environment contains ISA Server 2004 (Workgroup), 2 AD, 2 Exchange 2003 (BE and FE), LCA, MOM, and SMS.
External DNS is located in the DMZ zone.
The ISA is connected directly to the Internet.

They need to add a new Cisco firewall in the front, and ISA will be in the backend.

I think firstly I need to open all outbound traffic on the external firewall and open the necessary ports for incoming requests from outside to ISA through the Cisco firewall.

Now my questions:
For ISA publish rules, I think that I need to add IPs in the external network for SMTP, DNS, FTP, etc., then edit the external IP on the publish rule.
Also, I need to inform the Cisco engineer to redirect the SMTP traffic, for example, to the IP that I assigned on the external ISA. Is that correct?
I need more details about what I should ask the network engineer to open on ISA.
Is it necessary to join ISA to the domain?
I need to configure VPN.
I'll open the necessary ports on the Cisco FW and configure VPN on ISA.

I'm looking for confirmation and advice to continue the configuration.

Answer : Configure ISA 2004 as Backend Firewall

Dear All,
Unfortunately I didn't find anyone on Experts-Exchange who could confirm my request. I just need to inform you that I already found the answer and I need to share it; I think it will be useful for others:

Actually, I need to inform the network engineer to configure the following:

Port Name   Port Number   Direction   From                To
SMTP        25            Inbound     212.77.209.xxs      10.0.0.3
SMTP        25            Outbound    10.0.0.3            All
TCP/UDP     53            Inbound     212.77.209.xxd      10.0.0.2
TCP/UDP     53            Outbound    10.0.0.2            All
SMTP        25            Inbound     10.0.0.2            172.16.1.2
SMTP        25            Outbound    All External-ISA    10.0.0.2
TCP/UDP     53            Outbound    All External-ISA    10.0.0.2
HTTPS       443           Inbound     212.77.209.xxw      172.16.1.3
VPN         1723          Inbound     212.77.209.xxv      172.16.1.4
Any         Any           Outbound    All External-ISA    All

Where the IPs are:
212.77.209.xxs = Public IP for SMTP
212.77.209.xxd = Public IP for DNS
212.77.209.xxw = Public IP for OWA
212.77.209.xxv = Public IP for VPN
172.16.1.2 = ISA External IP for SMTP
172.16.1.3 = ISA External IP for OWA
172.16.1.4 = ISA External IP for VPN
10.0.0.3 = First SMTP GW
10.0.0.2 = DNS and 2nd SMTP GW
If the internal DNS forwards to the service provider, we have to create an access rule from Internal to External on port 53.
On the ISA Server we need to configure the following:
1- Change all IP publish rules in ISA to select all IPs in External.
2- Remove the public IPs on the ISA server and configure the new IPs.
3- Go back to the publish rules to specify the new IPs.
4- Change the SMTP/DNS Server SMTP remote domain to 172.16.1.2, and change the relay to accept all mail from all ISA IPs.

If the VPN will be configured on the ASA firewall, we have to create a publish rule to specify to which server we need to allow VPN.
If the customer needs to configure VPN to access the whole internal network, in this case we have to configure VPN on the ISA Server and configure the firewall to allow VPN requests to ISA.

Regards
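As an added example (not part of the original thread), the rule table above can be read into a small first-match evaluator to check which flows the front firewall permits and to flag rules a reviewer should question, such as the final "Any/Any Outbound ... All" entry. The masked public IPs are kept as the post's own placeholders and matched as literal tokens; the group expansions are assumptions drawn from the post's IP list.

```python
import re
from dataclasses import dataclass

# Rule table from the answer above, embedded as the sample input (columns are
# separated by two or more spaces; masked public IPs stay as literal tokens).
RULE_TABLE = """\
Port Name   Port Number   Direction   From                To
SMTP        25            Inbound     212.77.209.xxs      10.0.0.3
SMTP        25            Outbound    10.0.0.3            All
TCP/UDP     53            Inbound     212.77.209.xxd      10.0.0.2
TCP/UDP     53            Outbound    10.0.0.2            All
SMTP        25            Inbound     10.0.0.2            172.16.1.2
SMTP        25            Outbound    All External-ISA    10.0.0.2
TCP/UDP     53            Outbound    All External-ISA    10.0.0.2
HTTPS       443           Inbound     212.77.209.xxw      172.16.1.3
VPN         1723          Inbound     212.77.209.xxv      172.16.1.4
Any         Any           Outbound    All External-ISA    All
"""

# Group names used in the table, expanded to the addresses the post lists
# (assumption: "All" is a wildcard, "All External-ISA" is the three ISA IPs).
GROUPS = {
    "All": None,
    "All External-ISA": {"172.16.1.2", "172.16.1.3", "172.16.1.4"},
}

@dataclass(frozen=True)
class Rule:
    name: str
    port: str       # "25", "53", "443", "1723" or "Any"
    direction: str  # "Inbound" or "Outbound"
    src: str
    dst: str

def parse_rules(table: str) -> list:
    rows = [re.split(r"\s{2,}", ln.strip()) for ln in table.strip().splitlines()]
    return [Rule(*row) for row in rows[1:]]  # first row is the header

def _addr_matches(spec: str, addr: str) -> bool:
    if spec in GROUPS:
        return GROUPS[spec] is None or addr in GROUPS[spec]
    return spec == addr  # exact token match, e.g. 212.77.209.xxs

def first_match(rules, port, direction, src, dst):
    """First-match semantics: return the permitting rule, or None (implicit deny)."""
    for r in rules:
        if (r.direction == direction and r.port in ("Any", str(port))
                and _addr_matches(r.src, src) and _addr_matches(r.dst, dst)):
            return r
    return None

def broad_rules(rules):
    """Rules a reviewer should question: any port to any destination."""
    return [r for r in rules if r.port == "Any" and r.dst == "All"]
```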