Guest TJ
Posted May 8, 2008

Hi

First of all my apologies for cross posting, but this covers many issues that I do not think may be possible to cover in a single post. If I have underestimated the skills in the community, again my apologies.

I have a major redesign of our network to undertake - without impinging on the business operation. I can't really do a weekend as we are a 24/7 operation. I need to move from 1 scenario to another and am looking for the best way of doing it - these follow.

Current Scenario - Externally managed Linux Server with 3 ADSL lines acting as Gateway/DHCP Server/Firewall/VPN Server (OpenVPN)/File Server. Windows 2K3 R2 servers managing DNS/Active Directory/Exchange (including external RPC over HTTP access)/File & Print Services.

Future Scenario - Everything managed in a Windows 2K3 R2 environment with a leased line, intersite VPN (have office in London & Doncaster) and a firewall with a DMZ for an Application Web Server running on Red Hat Enterprise (which I can't change as it was in place when I arrived).

I already have the leased line in place (but not yet used) and have purchased ISA Server 2006.

My issues are

1) How do I move DHCP to Windows without interrupting Internet access for the main site?
2) Will this affect VPN access, both individual and intersite?
3) I need to change the gateway for the main site to the leased line while (for the present) leaving VPN access through the Linux box. This will utilise ISA Server, which will eventually handle all firewall operations. What is the best way to achieve this?
4) Anything else I need to be aware of?

When all this is complete I will then de-commission the Linux gateway/server and have everything handled internally.

Sorry for the length but this is (for me) a complex project I need to do in a short space of time.

Thanks in advance

TJ.

Guest Phillip Windell
Posted May 12, 2008

Re: Change from Linux to Windows.

"TJ" <nomail@not.here.com.de.nz> wrote in message news:uG5j59TsIHA.3780@TK2MSFTNGP03.phx.gbl...

> ....... and have purchased ISA Server 2006.

Excellent choice for a Firewall

> 1) How do I move DHCP to Windows without interrupting Internet access for
> the main site?

a. Configure/Prepare the Windows DHCP,...but do not "authorize" it.
b. disable the DHCP on the Linux box
c. "Authorize" the Windows DHCP Service and "activate" the Scope(s)
d. Never enable the DHCP on the Linux box again or they will clash.
e. You "might" have to do a forced Renew/Refresh with IPConfig on the Clients. You should not really have to,...but we live in an imperfect world

> 2) Will this affect VPN access, both individual and intersite?

.......Assuming the Lease Line is for Internet Access and assuming it will be eliminating/replacing the former DSL lines,....continued....

> 3) I need to change the gateway for the main site to the leased line while
> (for the present) leaving VPN access through the Linux box. This will
> utilise ISA Server, which will eventually handle all firewall operations.
> What is the best way to achieve this?

Install ISA and get it working. ISA does *not* have to be the Default Gateway of anything for it to work. ISA only needs to be the Default Gateway (or be in the Routing Path to the Internet) for SecureNAT Clients. Set up the LAN to use Proxy Auto-detection via WPAD. Just google "WPAD" and limit the domain to either "microsoft.com" or "isaserver.org".

You can use both ISA and the Linux system for VPN at the same time during the transition. The only thing that can't run at the same time is the DHCP. Everything else can co-exist.

WPAD does not cover SecureNAT Clients. They are done manually.

> 4) Anything else I need to be aware of?
>
> When all this is complete I will then de-commission the Linux
> gateway/server and have everything handled internally.
> Sorry for the length but this is (for me) a complex project I need to do
> in a short space of time

You are going to be running both the ISA and old firewall VPN system at the same time for a while.

I can't really answer anything more specific without something more specific to answer.

--
Phillip Windell
http://www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft, or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------

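Step d in the reply above warns that two DHCP servers on the same LAN will clash; one way to confirm after the cutover that only the Windows server still answers is to read the server identifier (option 54) from captured DHCPOFFER payloads. This is an added example, not part of the original posts: the addresses and function names are constructed, and it assumes the UDP payloads have already been extracted from a packet capture.

```python
import socket

DHCP_MAGIC = b"\x63\x82\x53\x63"   # cookie that follows the 236-byte BOOTP header
OPT_PAD, OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END = 0, 53, 54, 255
DHCPOFFER = 2

def parse_offer(payload):
    """Return (server_id, offered_ip) for a well-formed DHCPOFFER, else None."""
    if len(payload) < 240 or payload[0] != 2 or payload[236:240] != DHCP_MAGIC:
        return None                          # not a BOOTREPLY carrying DHCP options
    opts, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:            # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(payload):
            return None                      # truncated before the length byte
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                      # truncated option body
        opts[payload[i]] = value
        i += 2 + length
    server = opts.get(OPT_SERVER_ID, b"")
    if opts.get(OPT_MSG_TYPE) != bytes([DHCPOFFER]) or len(server) != 4:
        return None
    return socket.inet_ntoa(server), socket.inet_ntoa(payload[16:20])  # yiaddr

def unexpected_servers(payloads, authorized):
    """Map each non-authorized server identifier to the addresses it offered."""
    found = {}
    for p in payloads:
        parsed = parse_offer(p)
        if parsed and parsed[0] not in authorized:
            found.setdefault(parsed[0], []).append(parsed[1])
    return found

def build_offer(server_ip, yiaddr):
    """Constructed sample packet: minimal DHCPOFFER payload for the demo."""
    header = (bytes([2, 1, 6, 0]) + b"\x12\x34\x56\x78" + bytes(8)
              + socket.inet_aton(yiaddr) + bytes(8 + 16 + 192))
    options = bytes([OPT_MSG_TYPE, 1, DHCPOFFER, OPT_SERVER_ID, 4])
    return header + DHCP_MAGIC + options + socket.inet_aton(server_ip) + bytes([OPT_END])

# Constructed addresses: 192.168.1.10 = new Windows DHCP, 192.168.1.1 = old Linux box.
SAMPLE = [build_offer("192.168.1.10", "192.168.1.101"),
          build_offer("192.168.1.1", "192.168.1.57"),
          build_offer("192.168.1.1", "192.168.1.58")[:245]]   # truncated capture

if __name__ == "__main__":
    print(unexpected_servers(SAMPLE, authorized={"192.168.1.10"}))
```

An empty result means every offer seen came from an authorized server; any other key is a DHCP service that is still answering and needs to be disabled.
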
Guest TJ
Posted May 14, 2008

Re: Change from Linux to Windows.

Thank you Phillip, this is exactly what I was looking for.

Thanks again

Tony

"Phillip Windell" <philwindell@hotmail.com> wrote in message news:eT2hWmHtIHA.5096@TK2MSFTNGP02.phx.gbl...

> "TJ" <nomail@not.here.com.de.nz> wrote in message
> news:uG5j59TsIHA.3780@TK2MSFTNGP03.phx.gbl...
>
>> ....... and have purchased ISA Server 2006.
>
> Excellent choice for a Firewall
>
>> 1) How do I move DHCP to Windows without interrupting Internet access for
>> the main site?
>
> a. Configure/Prepare the Windows DHCP,...but do not "authorize" it.
> b. disable the DHCP on the Linux box
> c. "Authorize" the Windows DHCP Service and "activate" the Scope(s)
> d. Never enable the DHCP on the Linux box again or they will clash.
> e. You "might" have to do a forced Renew/Refresh with IPConfig on the
> Clients. You should not really have to,...but we live in an imperfect
> world
>
>> 2) Will this affect VPN access, both individual and intersite?
>
> .......Assuming the Lease Line is for Internet Access and assuming it will
> be eliminating/replacing the former DSL lines,....continued....
>
>> 3) I need to change the gateway for the main site to the leased line
>> while (for the present) leaving VPN access through the Linux box. This
>> will utilise ISA Server, which will eventually handle all firewall
>> operations. What is the best way to achieve this?
>
> Install ISA and get it working. ISA does *not* have to be the Default
> Gateway of anything for it to work. ISA only needs to be the Default
> Gateway (or be in the Routing Path to the Internet) for SecureNAT Clients.
> Set up the LAN to use Proxy Auto-detection via WPAD. Just google "WPAD"
> and limit the domain to either "microsoft.com" or "isaserver.org".
>
> You can use both ISA and the Linux system for VPN at the same time during
> the transition. The only thing that can't run at the same time is the
> DHCP.
> Everything else can co-exist.
>
> WPAD does not cover SecureNAT Clients. They are done manually.
>
>> 4) Anything else I need to be aware of?
>>
>> When all this is complete I will then de-commission the Linux
>> gateway/server and have everything handled internally.
>> Sorry for the length but this is (for me) a complex project I need to do
>> in a short space of time
>
> You are going to be running both the ISA and old firewall VPN system at
> the same time for a while.
>
> I can't really answer anything more specific without something more
> specific to answer.
>
> --
> Phillip Windell
> http://www.wandtv.com
>
> The views expressed, are my own and not those of my employer, or
> Microsoft,
> or anyone else associated with me, including my cats.
> -----------------------------------------------------
> Understanding the ISA 2004 Access Rule Processing
> http://www.isaserver.org/articles/ISA2004_AccessRules.html
>
> Troubleshooting Client Authentication on Access Rules in ISA Server 2004
> http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc
>
> Microsoft Internet Security & Acceleration Server: Partners
> http://www.microsoft.com/isaserver/partners/default.mspx
>
> Microsoft ISA Server Partners: Partner Hardware Solutions
> http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
> -----------------------------------------------------