Question : ISA 2006 Server configuration of second internal network

Hello,

I am currently running ISA Server 2006 standard on Windows 2003 server Standard with SP2.

I have the default networks defined, and all work as they are designed to.

I have External, Internal, Local Host, and VPN Clients networks defined.

Now I want to make some changes:

I have added a new network card. I have created a new network, which I call "virtualization".

On the virtualization network, no internet access is required, no routing beyond this network. All that is required is for all machines connected to this network to be able to communicate with each other (via IP address).

Here is what I have created:

Each server is connected to this virtualization network for the sole purpose of backups. The backup software is installed on a backup server within this virtualization network.

I want the backup software to connect to each server within this zone and pull down the data so each server can be backed up.

I want the backup server to be able to communicate with the ISA Server and pull down the data on it in order to make a backup of the ISA 2006 server.

Here is the problem I am facing (I have obviously made a config error):

I can ping from the ISA server to the backup server. The backup server cannot ping the ISA server;

On the "internal network" I can ping the ISA server from my workstation (which is part of the internal network) and I can RDP, as well as view the hidden shares (e.g. "C-drive") of the ISA server from my workstation, but I cannot do so from the backup server in the virtualization network.

Another important note - when I had my backup server in the "Internal network", I could not pull the data from the ISA server for backup. I then added a policy rule (as a test) to allow me to back up the data, but the result was that when the backup was in progress (and reading / transferring data from ISA server), no computer on the internal network was able to communicate with the firewall server (and hence no internet access).

Another interesting thing:

I wanted to see why I cannot communicate with the ISA server from the backup server by pinging, so I checked the monitoring and I see access denied (last rule in firewall policy, deny everything).

Now when I try the same thing, ping from my workstation to the ISA server is successful, but I can find no entry in the monitoring (within ISA server management). Why would this be the case? I cannot understand why one network allows communication and one does not.

Can I accomplish what I want?

Thanks in advance.

Mark

Answer : ISA 2006 Server configuration of second internal network

Review the ISA GUI system policy - not the firewall policy.
Highlight the firewall policy in the left-hand pane. Open the side window on the right (the handle halfway down on the right edge, if it is closed) and select Edit System Policy.

Keith