ISA 2006 Fun – Installation and Configuration


Hi, I have not blogged much this week as I have not done anything with our SharePoint Site. Our LA have done the changes to allow us to host our own ISA box internally, so I have been setting that up. It should have been pretty straightforward, but as most people know it never seems to go that way, especially in schools.

Services we want to publish are:

  • Main School Website
  • Talmos Virtual Learning Environment
  • MS Exchange Server 2007
  • MOSS 2007

We have never really done much with ISA, with it always being managed by our LEA. I have set up ISA 2004 before, so I had a brief idea of how we were going to configure our box.

So, the plan initially was to set up an Edge Network using 2 NICs, which never worked to start off with; we just kept getting loopbacks when navigating to our domain. As we used Talmos externally before we had ISA, the DNS entries were already set up for that, so we used that to test our setup. Unfortunately we could not get this to work as we were just getting loopbacks. The reason this was happening was because both of our NICs were on the same IP Range.

As our LA don't agree with us having our own Internal IP Range, we thought the only way to get around this was to set up a Single Interface network on our ISA box. So off we went, uninstalled ISA and reinstalled it again, setting it up on 1 NIC.

We are not allowed to have a Public IP on our box, so basically the LA gave us a Public IP which they NAT to an Internal IP on the same WAN Range. No problem, that works fine, no issues with that. So we published our Talmos Server (as this only requires port 80 and no authentication it was pretty straightforward) and gave it a few minutes. I logged into my 3G Connection, went to talmos.mydomainname.sch.uk and, as you would have guessed, that worked a treat. So we all have happy faces and go and have a coffee break :D.

When we get back we give publishing our Exchange Box a go. This is required pretty urgently as we are moving away from our current email provider, so we want to get this working ASAP. Now, it never crossed my mind until I got prompted with a message saying we are using a single NIC and publishing multiple servers is not supported on this configuration. But we just ignored that and hoped that it would work anyway. So we set it up and could not get any kind of connection externally, so we gave up in the end as we knew why we were having this problem (down to the fact both NICs were on the same Range).

So I did some research into this just to see if anyone had actually got it working, well turns out it is just NOT possible. So I put my thinking cap on, the only way we are going to get this to work is if we change our INTERNAL IP Range.

So I put our INTERNAL NIC on a completely different IP Range (192.168.0.x) and changed the IP on our TALMOS Server so it is in the same range. Published that server again and guess what, it works fine. Put it back on the same IP and it didn't. I knew it was going to happen but just wanted to test it before sending an email to the LA.

So we send an email to the LA telling them everything we have done and how this problem is going to be resolved (changing our Internal IP Range /or/ creating a mini network that the servers we wish to publish will sit on), but if they had any other ideas could they let us know.

20 minutes later we get an email back saying something along the lines of "yes what you are saying is right, you can either change your entire internal IP range or make a mini network just for the servers you wish to publish".

It is not easy just to change the entire IP Range of an internal network; a lot of thought has to go into it, as most people are probably aware. Things we had to think about were:

- Telephone System
- Switches
- CCTV Cameras
- Wireless Access Points
- Printers which have Manual IPs

So technically this is not going to be something we can do overnight, as it is not as easy as changing the scope in DHCP to dish out loads of new IP Addresses to the clients.

So what we are going to do is this: our Exchange box has another NIC, which is where we are fortunate, and we are going to set up a mini network. As Exchange needs to speak with the Main DC/Active Directory, it needs to have access to that as well as connect to the ISA INTERNAL NIC so it can be published.

With this in place it will allow us to have our mail published so we can use it, and we plan to change the internal IP range in the big holiday, as at least if we have any problems we have enough time to resolve them. To be honest it should be pretty straightforward; it is the fact we have to change all the IP Addresses on the Telephone system, switches etc. that is going to be the brain ache.

We are going to use a Class A (10.0.8.0/8), 10.0.8.0 - 10.0.15.255, which will give us around 2,000 IP Addresses, so we have more than enough. We can have around 500 IP Addresses excluded from the scope to use as Static IPs.

We will be doing a lot of planning over the next few weeks, so I am sure I will bring this topic up again.

Thankfully our LA have said they don't mind if we change our Internal Range. It is a shame we never knew this a few years ago, as then we would never have had this problem and it would have been a few hours' work instead of a few days of brain ache.

For the record, we have set up the mini internal network and Talmos is published to the web with no problems. This evening we set up our Exchange Box and published that to the web as well with no problems; we are just waiting for the DNS Entry to propagate through the internet, but I have faith that will work with no issues. Our SSL is ready to be issued, so in theory we should have our mail server fully published and secure by the end of the week. :) *touch wood*

Example of Setup until we change internal IP range:

 

 

*Yes I know a 2 year old could probably do a better drawing in mspaint* 😉

 

So there you go. When we do the change-over with regards to the internal IP range, I will blog about how it all went and if we hit any problems etc. I will also do another diagram to try and show how we have it set up. I could show you now, but there are 2 routes I am looking at and don't know which one I am going to go ahead with yet.

Unfortunately I did not have any major problems so this is probably going to be useless to anyone looking for help, but it is a good read anyway, even if it is to laugh.

One thing you might have gained from this, yet it is on the internet in a few places: if you're planning on publishing Exchange etc., do not use a Single NIC Setup as it won't work. And if you're using a 2 NIC setup, make sure they're on 2 different IP Ranges.
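An added example, not part of the original post: a small Python pre-flight check for the two-NIC rule above. It flags NICs whose ranges overlap and published servers that do not sit on the internal range; the function name and every address other than the 192.168.0.x range are constructed for illustration.

```python
import ipaddress


def check_edge_layout(external_nic, internal_nic, published_servers):
    """Return a list of problems found in a two-NIC edge layout.

    external_nic / internal_nic: 'address/prefix' strings, one per NIC.
    published_servers: dict mapping server name -> IP address.
    (Hypothetical helper written for this example.)
    """
    ext = ipaddress.ip_interface(external_nic)
    inside = ipaddress.ip_interface(internal_nic)
    problems = []

    # Both NICs in the same range is the layout the post says produced loopbacks.
    if ext.network.overlaps(inside.network):
        problems.append(f"NIC ranges overlap: {ext.network} and {inside.network}")

    for name, addr in sorted(published_servers.items()):
        ip = ipaddress.ip_address(addr)
        if ip not in inside.network:
            # A server to be published has to sit behind the internal NIC.
            problems.append(f"{name} ({ip}) is not on the internal range {inside.network}")
        elif ip in ext.network:
            # On the internal range, but that range is shared with the outside.
            problems.append(f"{name} ({ip}) is also inside the external range {ext.network}")
    return problems


# Constructed sample layouts; only 192.168.0.x appears in the post.
BEFORE = check_edge_layout("10.50.1.10/16", "10.50.2.10/16",
                           {"talmos": "10.50.3.20"})
AFTER = check_edge_layout("10.50.1.10/16", "192.168.0.1/24",
                          {"talmos": "192.168.0.20", "exchange": "192.168.0.21"})

if __name__ == "__main__":
    for label, result in (("before", BEFORE), ("after", AFTER)):
        print(label, result if result else "OK")
```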

I also nearly forgot: our SharePoint server will be set up the same as the Exchange one if it needs to be published before we change the internal IP Range. We should not need to publish that to the Web until September, so we might be able to get away with it; if not, the same configuration will happen for the SharePoint server as with the Exchange Server.

If anyone has any questions regarding what I have done, please feel free to contact me.

James.
