mascalia
Posts: 36
Joined: 13.Feb.2008
Status: offline
|
Thanks, Jason. A few points....
quote:
I think you need to reconsider terminilogy here and think about having a trusted zone (for your applications) and an untrusted zone (for your corporate network).
In this sceanio, your corporate network represent the big ol' bad Internet (untrusted) and your protected applications servers represent the "normal" internal network (trusted).
Not exactly. I have two separate VLANs (internal and external), and the array has NLB VIPs built in both VLANs.
- The "internal" network is not segmented, so all servers and workstations are part of the same Network (as ISA defines networks). Unfortunately (for me), I have to move traffic through the Internal VIP/VLAN to get to all of my published servers. That means either clawing my eyes out creating a mass of disorganized static routes, or using the gateway on the Internal VLAN as the DG for the array.
- The "external" network is not really a network per se; it is a separate VLAN which can only communicate with two other VLAN's: the Internet DMZ (where the corporate reverse proxies live), and the VLAN hosting the routers from our business clients. Both of these other VLANs are easy-to-define Class "C" networks.
As for useage:
- All "external" users (from the Internet or outside customers) will hit the ISA VIP in the external VLAN/network, and will be proxied to the appropriate published app.
- All "internal" users will hit the internal VIP to be proxied to the same published apps, which just happen to be on the same network. So, for internal users, the ISA array functions as a pseudo single-leg proxy array.
I understand that the best scenario would be to have an external zone, a perimeter zone (for internal users), and a protected zone hosting the app servers. Unfortunately, the Powers-That-Be do not support such network segmentation at this time, nor are they convinced that ISA would be the right tool for network segmentation. So, I have to work with what they give me  .
We already have corporate proxies that could be used, if that's all we needed. What I wanted to do was find a way to introduce ISA to the company to meet an immediate need: URL abstraction in solution publication.
By moving access to all our published apps to the ISA array, I can now get rid of all the URLs that map directly to app servers/app server clusters (and the headaches that come from using server names for web apps). I can use generic URL's that "always work", regardless of what server they live on (or where they are). And I can change the rule to point to a new server, which makes server maintenance and upgrade a snap.
Of course, if I properly configure the array from the start, it wouldn't be THAT hard to extend it to SSO, network segmentation, and all the other wonderful things that ISA can do, whenver we're ready.
That said, I became a victim of my own success. Since the primary reason for the internal ISA array is solution publication and URL abstraction, all of a sudden I could be asked to publish any app on any server, from anywhere on our convoluted internal network.
And I'm being nice when I use the word "convoluted". It works. I don't ask questions. 
But, that also means that I have to be able to move traffic from the array to anywhere on the network. Since the Internal VIP terminates in its own VLAN, and we intentionally disabled RIP/OSPF broadcasts into that VLAN (and listeners on the ISA servers), the only thing left for me to do is build a myriad of static route statements on my ISA servers to all the various "internal" networks (little "n").
BTW, I don't control the internal networks, nor do I control the routing between those networks, so it would be a PITA to try and keep the static routes up-to-date.
Or, I could trust  that VLAN routing is set up correctly, and throw all requests for published resources at the VLAN gateway by setting up the DG on the Internal NIC instead of the External NIC. Then I only have to build two static routes back to the customer demarc VLAN and the Internet DMZ (those won't change at all).
I know it "works", since that's how I've been testing it. My only concern is my hubris; just because it "appears" to work, does it, really? I don't claim to be an expert, and I know this isn't the "normal" way of doing things, so I thought I'd come here and ask the real experts if there were any problems or pitfalls with doing this.
I'd really like to do it the "right way", but I can only do what they let me, and they won't segment the app servers from the user network.
I don't mean to be argumetative, but I don't think I explained it very well the first time. Thanks so much for your original reply, and I look forward to hearing your thoughts on this "refined" version of my original question.
Mike
|
|
My Subscription |
My Forums |
Address Book |
Member List |
Search |
FAQ |
Ticket List |
Log Out
Printable Version
"Backwards" ISA Default Gateway Configuration? - 
RE: "Backwards" ISA Default Gateway Configura... - 
). Right or wrong, I can also GUARANTEE to a customer that there is no way someone can "hop from a competitor's app server onto their app server". Yes, that question has come up many times in due diligence meetings. Customers treasure server isolation, regardless of how well (or poorly) it actually "protects" the servers. 
New Messages
No New Messages
Hot Topic w/ New Messages
Hot Topic w/o New Messages
Locked w/ New Messages
Locked w/o New Messages
Post New Thread