How should I configure the network interfaces on my ISA Server?
A high-level overview of NIC configuration best practice is provided below:
- The network card name used within the operating system should be changed to closely match the associated ISA Server network name. This clarifies assignment and improves supportability.
- Only one network interface should be configured with a default gateway.
- Only one network interface should be defined with DNS servers.
- Unused or unnecessary bindings should be removed from all interface, where possible, to improve security. This is often termed ‘interface hardening’.
- The default bind order should be amended to define a specific customised order.
Based upon these best practices, the configuration shown below is the standard approach that I normally use as part of my usual ISA Server build process.
Multiple NIC Deployment - ISA Server Standard Edition
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…
Configure NICs:
Internal Network
Default Gateway should not be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Perimeter Network(s)
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled
Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected - Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Amend Bind Order:Edit the bind order as follows:
Internal Network (Highest)
Perimeter Network(s)
…Others…
External Network (Lowest)
Multiple NIC Deployment - ISA Server Enterprise Edition
With ISA Server Enterprise Edition, it is recommended to add a dedicated Intra-Array NIC. Therefore, we need to consider this additional interface in our configuration.
Rename NICs:Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Intra-Array Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network
External Network
Etc.
Configure NICs:
Internal Network
Default Gateway should not be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Intra-Array Network
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled
External Network
Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
Perimeter Network(s)
…Others…
External Network (Lowest)
Single NIC Deployment – ISA Server Standard Edition
For a single NIC deployment, the following actions are recommended.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…
Configure NICs:
Internal Network
Default Gateway should be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Single NIC Deployment – ISA Server Enterprise Edition
For a single NIC deployment, the following actions are recommended.
Rename NICs:
Rename all NICs to descriptive names that ideally match the ISA Server network names.
Internal Network
Intra-Array Network
By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…
Configure NICs:
Internal Network
Default Gateway should be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Print Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Print Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled
Please Note: Disabling the 'File and Print Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of ISA Server system policy or other custom rules that may allow it. This approach is recommended for better security, as your firewall should not be accessible as a file server!
Amend Bind Order:
Edit the network bind order as follows:
Internal Network (Highest)
Intra-Array Network
I hope this helps!
23 comments:
Thanks.
Short and precise, and it works :)
Excellent guide, de-mystifies the whole subject. Thanks!
What if you are using a single NIC card. You have an ideal configuration for that?
Thanks!
>> Evan
For single NIC:
Internal Network
* Default Gateway should be defined.
* DNS Servers should be defined.
* Register this connection’s address in DNS – Enabled
* File and Print Sharing for Microsoft Networks – Disabled
* Client for Microsoft Networks – Enabled
* NetBIOS over TCP/IP – Enabled
* Show icon in notification area when connected - Enabled
Article updated for both single and multi NIC deployments and some pretty pictures too ;)
i have a question about DNS on internal NIC. It should be internal DNS or External DNS server aadress (ISP provided)?
They should normally be internal DNS servers which are then configured to forward Internet requests to your ISP DNS servers. If ISA is domain joined using internal DNS is mandatory anyhow...
Thanks.
Very straightforward. It works the first time!!
Do you have same recommendations for TMG on WinSrvr2008R2?
Give me chance! :)
Ok, will try and update soon but concept will remain even for TMG...
what is the best practice for interarray communication if i have only external and internal NIC.
shall it communicate via internal or external one
^^^ I would say intra-array should be on the internal NIC
Nope, dedicated NIC is recommended; always has been:
http://technet.microsoft.com/en-us/library/dd441004.aspx
It is configured for internal NIC by default
Thank you.
I'm looking for help on 3 NIC Scenario, where I'm using the ISA server as Web Proxy Server. I want to use 2 NIC cards to link to ISPs and one NIC to link to Clients in my network.
So, I want to implement Load Balancing for the two NICs so that the clients on the 3rd NIC can avail services from both ISPs and can also benefit from web proxy server.
Hi Zohaib,
You can use this guide or my newer version which covers TMG/UAG with Windows Server 2008:
http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html
The two ISP NICs will be configured the same using the settings described for the "External Interface" in my guides.
It might also be worth looking here for other NIC recommendations:
http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html
Cheers
JJ
Thanks for the article. One issue I have is my internal DNS forwards to another networks DNS (we are internally connected but no trust exists). For this reason if I leave my external DNS blank it will never work correctly so in ISA 2004 I have internal DNS on the internal card and my ISP's DNS on the external card. It works fine with ISA 2004 but I'm having issues with TMG 2010. Any ideas?
Hi Allan,
Configure TMG with a single DNS server pointing at your internal DNS server.
If you need to, you should then be able to configure this DNS server to do conditional forwarding to internal or external DNS servers as required.
Only ever define DNS on the ISA/TMG internal interface; doing otherwise will cause problems...period!
Cheers
JJ
Hello,
Thank for information.
I have questions:
Suppose that you have ISA with 2 NIC, and one ADSL modem as following:
ISA Network Configuration
-Internal Network:
IP: 10.0.0.1
DNS: 192.168.1.1 (of local)
-External Network:
IP: 192.168.1.2
GW: 172.16.2.3
-ADSL Modem for browsing Internet:
IP: 192.168.1.3
DNS (ISP): 212.121.12.1, 212.121.12.1
1. What is wrong with my configuration?
2. How I configure the client to use Web proxy (isaserver)? with default gateway on client.
3. How I can use ISA to let users access internet by using User Name & Password?
Thank you in advance!
Hi Yaseen,
ISA only supports a single external interface so you need to either use the ethernet NIC or the ADSL model, but not both.
For your other questions, post a question on forums.isaserver.org and I can answer better there...
Cheers
JJ
Hi Jason,
Thank you for quick respond.
here is my post: http://forums.isaserver.org/m_2002102157/mpage_1/key_/tm.htm#2002102157
Hi Jason,
I have a 2 remote offices. What is the proper NIC deployment in order for me to provide them an internet access? Should I add a 3rd NIC for remote user? Please advise.
Kurt
Hi!
Excellent guide! Thx a lot.
But one question:
I know ISA/TMG was not ment to be used with DHCP enabled on either NIC. However I think many peopla like me still use DHCP on the External NIC.
How should I configure DNS in such a case?
I use Internal DNS on both External NIC and Intelnal NIC. Otherwise I get a DNS from my ISP...
Is that the correct way of doing i when using DHCP?
Regards,
Kjell, Sweden
Post a Comment