Change from Linux to Windows.


TJ

Hi

First of all my apologies for cross posting, but this covers many issues
that I do not think may be possible to cover in a single post. If I have
underestimated the skills in the community, again my apologies.

I have a major redesign of our network to undertake - without impinging on
the business operation. I can't really do a weekend as we are a 24/7
operation.

I need to move from 1 scenario to another and am looking for the best way of
doing it - these follow.
Current Scenario -
Externally managed Linux Server with 3 ADSL lines acting as Gateway/DHCP
Server/Firewall/VPN Server (OpenVPN)/File Server
Windows 2K3 R2 servers managing DNS/Active Directory/Exchange (including
external RPC over HTTP access)/File & Print Services.

Future Scenario - Everything managed in a Windows 2K3 R2 environment with a
leased line, intersite VPN (have office in London & Doncaster) and a
firewall with a DMZ for an Application Web Server running on Red Hat
Enterprise (which I can't change as it was in place when I arrived).

I already have the leased line in place (but not yet used) and have
purchased ISA Server 2006. My issues are
1) How do I move DHCP to Windows without interrupting Internet access for
the main site?
2) Will this affect VPN access, both individual and intersite?
3) I need to change the gateway for the main site to the leased line while
(for the present) leaving VPN access through the Linux box. This will
utilise ISA Server, which will eventually handle all firewall operations.
What is the best way to achieve this?
4) Anything else I need to be aware of?

When all this is complete I will then de-commission the Linux gateway/server
and have everything handled internally.
Sorry for the length but this is (for me) a complex project I need to do in
a short space of time

Thanks in advance
TJ.
 
"TJ" <nomail@not.here.com.de.nz> wrote in message
news:uG5j59TsIHA.3780@TK2MSFTNGP03.phx.gbl...

> ....... and have purchased ISA Server 2006.


Excellent choice for a Firewall

> 1) How do I move DHCP to Windows without interrupting Internet access for
> the main site?


a. Configure/Prepare the Windows DHCP,...but do not "authorize" it.
b. disable the DHCP on the Linux box
c. "Authorize" the Windows DHCP Service and "activate" the Scope(s)
d. Never enable the DHCP on the Linux box again or they will clash.
e. You "might" have to do a forced Renew/Refresh with IPConfig on the
Clients. You should not really have to,...but we live in an imperfect world

> 2) Will this affect VPN access, both individual and intersite?


.......Assuming the Lease Line is for Internet Access and assuming it will
be eliminating/replacing the former DSL lines,....continued....

> 3) I need to change the gateway for the main site to the leased line while
> (for the present) leaving VPN access through the Linux box. This will
> utilise ISA Server, which will eventually handle all firewall operations.
> What is the best way to achieve this?


Install ISA and get it working. ISA does *not* have to be the Default
Gateway of anything for it to work. ISA only needs to be the Default
Gateway (or be in the Routing Path to the Internet) for SecureNAT Clients.
Set up the LAN to use Proxy Auto-detection via WPAD. Just google "WPAD" and
limit the domain to either "microsoft.com" or "isaserver.org".

You can use both ISA and the Linux system for VPN at the same time during
the transition. The only thing that can't run at the same time is the DHCP.
Everything else can co-exist.

WPAD does not cover SecureNAT Clients. They are done manually.

> 4) Anything else I need to be aware of?
>
> When all this is complete I will then de-commission the Linux
> gateway/server and have everything handled internally.
> Sorry for the length but this is (for me) a complex project I need to do
> in a short space of time


You are going to be running both the ISA and old firewall VPN system at the
same time for a while.

I can't really answer anything more specific without something more specific
to answer.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
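
The DHCP cutover in steps a to e above, as an added example that is not part of the original posts: a batch sketch of the Windows-side commands, using `netsh dhcp` as found on Windows Server 2003. The server name, addresses, scope range and option values are constructed placeholders, and the script is assumed to run on the new DHCP server itself; conflict detection is switched on because the Windows server has no record of leases the Linux box already handed out.

```bat
@echo off
rem Added example: Windows-side DHCP cutover (steps a-e), run on the new DHCP server.
rem Every name and address below is a constructed placeholder.
set DHCPSRV=dhcp1.example.local
set DHCPIP=192.168.10.5
set SCOPE=192.168.10.0
set MASK=255.255.255.0
set GATEWAY=192.168.10.1
set DNS=192.168.10.5

rem Step a: prepare the scope while the server is still unauthorized.
netsh dhcp server add scope %SCOPE% %MASK% "MainSite" "Replaces Linux DHCP"
netsh dhcp server scope %SCOPE% add iprange 192.168.10.100 192.168.10.200
netsh dhcp server scope %SCOPE% set optionvalue 003 IPADDRESS %GATEWAY%
netsh dhcp server scope %SCOPE% set optionvalue 006 IPADDRESS %DNS%

rem Keep the scope explicitly inactive until the Linux DHCP is off.
netsh dhcp server scope %SCOPE% set state 0

rem The new server does not know which addresses the Linux box leased out,
rem so have it ping an address before offering it (2 attempts).
netsh dhcp server set detectconflictretry 2

echo Step b: disable DHCP on the Linux box now, then continue.
pause

rem Step c: authorize the server in Active Directory and activate the scope.
netsh dhcp add server %DHCPSRV% %DHCPIP%
netsh dhcp server scope %SCOPE% set state 1

rem Verify: the server is listed as authorized and the scope reports active.
netsh dhcp show server
netsh dhcp server scope %SCOPE% show state

rem Step e (only if needed), on a client:
rem   ipconfig /release
rem   ipconfig /renew
```

Once the old leases have expired, conflict detection can be set back to 0 to remove the extra delay on each offer.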
 
Thank you Phillip, this is exactly what I was looking for.
Thanks again
Tony