Back-to-back with SBS2k3 and ISA2k4
Back-to-back with SBS2k3 and ISA2k4 - 1.Nov.2005 12:22:00 PM
Tyler
Posts: 24
Joined: 18.Dec.2002
From: Tampa, FL
Status: offline
I'm trying to implement the following configuration:
* SBS2k3 + ISA2k4
* External ISA2k4
I believe this is a back-to-back, but somewhere along the line I'm missing something. Is there a guide that gives a decent outline of the steps required?
Currently I only have the SBS2k3+ISA2k4 in place, with ISA2k4 configured as "Edge Firewall" template.
Here are my key questions:
* Am I correct to assume the SBS2k3+ISA2k4 box should be configured using the "Back Firewall" template, and the external ISA2k4 box should be configured as "Front Firewall"?
* What should the DNS and default gateway settings be for each adapter in this scenario?
Thanks,
Tyler
RE: Back-to-back with SBS2k3 and ISA2k4 - 2.Nov.2005 2:40:00 AM
Guest
Just for my education...why do you need this setup?
What are you looking to gain here?
Business reason? Needs? Just trying to define the project here and the client needs.
RE: Back-to-back with SBS2k3 and ISA2k4 - 2.Nov.2005 9:16:00 AM
Tyler
Posts: 24
Joined: 18.Dec.2002
From: Tampa, FL
Status: offline
See Dr. Shinder's first SBS/ISA article... it is Scenario #3. In the article, Tom described this type of setup as the most secure.
Since we have the budget and the existing hardware... why not? All I need is a little shove in the right direction and I'll be running.
--Tyler
RE: Back-to-back with SBS2k3 and ISA2k4 - 2.Nov.2005 3:10:00 PM
ababinchak
Posts: 195
Joined: 16.Aug.2005
From: Michigan
Status: offline
Keep in mind that that article series is not meant as an installation guide. It's about trial and error and learning a new implementation of ISA.
RE: Back-to-back with SBS2k3 and ISA2k4 - 2.Nov.2005 3:21:00 PM
Tyler
Posts: 24
Joined: 18.Dec.2002
From: Tampa, FL
Status: offline
Yes, I realize that. But I will take the residing expert's statements seriously... the opinion that Scenario #3 is the most secure is not something that is trial-and-error.
Anyway... I'd really like to hear some guidance/suggestions instead of criticizing the question itself.
--Tyler
RE: Back-to-back with SBS2k3 and ISA2k4 - 3.Nov.2005 2:51:00 AM
Guest
Also do you have a secondary domain controller?
Backup and restoration plan in place.
You haven't talked about a DMZ, you haven't talked about what you are protecting. You need to develop a solution for protecting from a valid threat.
What's the threat?
You at least need something between the edge and the SBS box to make it worthwhile.
RE: Back-to-back with SBS2k3 and ISA2k4 - 3.Nov.2005 11:27:00 AM
TDanner3
Posts: 5
Joined: 30.Jun.2005
Status: offline
To sbs (whoever you are): I want Scenario #3 so I can learn how it works. I have an SBS2003 Server, and an ISA 2004 Server, and five static IPs. I want to host my own web site from SBS2003. Why should I pay someone else for the hosting? Who knows, someday I may need to set this up at a job site. My understanding of the message boards is so people can ask questions and share insight, not have their questions so questioned. Thank you
RE: Back-to-back with SBS2k3 and ISA2k4 - 3.Nov.2005 8:25:00 PM
Guest
Well, given that no one in the real SBS community has ever set up a box like this, you are a bit on your own. I do know folks who set up a loopback on the SBS box and then put a secondary firewall [non ISA], but due to the cost issues, you are probably the first to want to do this. I've honestly never seen one in the real world.
If you want to host a web site securely, the better thing to do is not host on your domain controller but instead put the web site on a Win2k3 web server in the DMZ.
Having another firewall still forwarding port 80 requests to your SBS box won't lower the risks there.
If your goal is adding overall security, pulling the webhosting off the SBS box, placing it on a server on the side is the better mitigation.
RE: Back-to-back with SBS2k3 and ISA2k4 - 4.Nov.2005 9:51:00 AM
Tyler
Posts: 24
Joined: 18.Dec.2002
From: Tampa, FL
Status: offline
TDanner3 --
It looks like you and I are in the same boat.
Basically... whether this is something that the "community" has in place or not, there are several of us out there who have an interest or need in implementing the scenario raised by Dr. Shinder's article.
Hoping somebody (Tom?) will offer a constructive posting.
--Tyler
RE: Back-to-back with SBS2k3 and ISA2k4 - 4.Nov.2005 12:16:00 PM
Guest
Interest is one thing. Right now I have never seen a setup like this. Again, with another firewall that is a non ISA, yes, absolutely.
With another ISA.. it's cost prohibitive in the SBS marketspace and thus has just not been done. I've never seen one set up in the real world where it counts out here.
You guys still haven't described the need that this is addressing.
What is the need that this is addressing that you can sell to the business owner?
SBS doesn't work in theory.. it lives in reality. It has to make sense to the business owner of that box.
I'm a business owner. Sell me on why another Winserver+ISA versus a hardware firewall on the outside makes sense.
I personally can think of one ...but I want you guys to come up with these reasons because quite frankly just because "this is the most secure" without the analysis of what you are protecting and the network threat modeling analysis to back it up, you cannot sell this to your business owner.
Do the network threat model and risk calculation for that firm. Don't just do it because an article says to.
RE: Back-to-back with SBS2k3 and ISA2k4 - 4.Nov.2005 2:41:00 PM
Tyler
Posts: 24
Joined: 18.Dec.2002
From: Tampa, FL
Status: offline
How about "I am the owner of the business"? Is that good enough for you?
Seriously... read Shinder's bit about "hardware" firewalls.
I'm more interested in the ISA part of the answer, not the SBS.
Either way, I'd prefer to hear from somebody other than you.
Any takers?
RE: Back-to-back with SBS2k3 and ISA2k4 - 5.Nov.2005 8:57:00 PM
Guest
Again, I don't think anyone else has set this up. You are stuck with me.
With the understanding that the typical boss/owner won't fork out $999 + $1299 for a secondary ISA server deployment in front of an SBS box. They'll get a Sonicwall instead.
Two ISA servers are seen in medium/larger enterprises.... it's one ISA and one ISA+Hardware firewall out here are the realities.
You want this a domain joined or workgroup/separated ISA box.
If it's a standard two firewall setup where the box on the outside is separate from the one on the inside... set the ISA up on the SBS box not with what template you chose but with the Connect to Internet wizard setup. I'd still keep the SBS at the standard setup and use the external one as the 'first line' wall.
Typically we'll set up the internal as the default of 192.168.16.2 and external as a 192.168.1.x. That external NIC will then talk to your outside ISA box. On that one use your external template.
Give that a shot and report back.
RE: Back-to-back with SBS2k3 and ISA2k4 - 21.Nov.2005 2:35:37 AM
RBurr
Posts: 10
Joined: 20.Nov.2005
Status: offline
Hello, You said "If you want to host a web site securely, the better thing to do is not host on your domain controller but instead put the web site on a Win2k3 web server in the DMZ." That's exactly what I'd like to do, and it does seem a typical need, but, I don't feel comfortable enough with ISA to "wing" it without a roadmap. Hasn't someone posted the steps somewhere? I'd rather not have to learn the hard way (again), but I'm determined to learn it.