Say you wanted to go just nuts with security, and are employing a server setup similar to, but not exactly like, Figure 2 in scenario two. The difference here is that there would be a back-to-back ISA setup with a DMZ (unauthenticated) in between instead of a single ISA between the internal network and router. So it would be like critical services on one network segment, internal firewall, then work group network segment, then another firewall, then a DMZ, then finally an edge firewall. Where's the best place to put the front-end Exchange Server? I'd say in the DMZ, but on a different segment, so one is authenticated, one's not. It's sort of a back-to-back-to-back firewall setup. Any ideas?
For the FE Exchange Server, it depends on what you want to do with it. If you want to provide an authenticating SMTP relay for your external users, it will need to resolve external names. I set it up with the FE Exchange Server using the DNS server on the internal network. Since there is a route relationship between the authenticated access DMZ and the internal network, you would configure it to use the IP address of the DNS server on the internal network.
The anonymous access SMTP server doesn't require a DNS server address at all. This helps prevent spammers from using it as a relay (in case the SMTP server was misconfigured). It also prevents sending of NDRs.
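The point about the anonymous-access SMTP host is worth verifying rather than assuming, because a relay check is cheap and catches exactly the misconfiguration the post warns about. The script below is an added example, not part of the original post or any ISA/Exchange tooling. The host name, port and the two domains are assumptions to be replaced with your own; it sends EHLO, MAIL FROM and RCPT TO only (never DATA), once with a recipient in your own domain and once with an external recipient, and the verdict logic is kept in a separate function so it can be checked without touching the network.

```python
"""Open-relay check for an anonymous (unauthenticated) SMTP host in a DMZ.

Added example; not code from the original thread. All names below are
assumptions: edit them to match the DMZ host and the domain it serves.
"""
import smtplib
import socket

# Assumed values (hypothetical): the anonymous SMTP host in the DMZ, the
# domain it is allowed to accept mail for, and a domain it must never relay to.
SMTP_HOST = "smtp-anon.dmz.example.com"
SMTP_PORT = 25
LOCAL_DOMAIN = "example.com"
EXTERNAL_DOMAIN = "example.net"
PROBE_SENDER = "relaycheck@example.org"   # an outside sender, also hypothetical


def probe_rcpt(host, port, mail_from, rcpt_to, timeout=10):
    """Return the reply code for RCPT TO (or for MAIL FROM if that fails).

    No message body is ever sent; the transaction is reset before quitting.
    """
    with smtplib.SMTP(host, port, timeout=timeout) as smtp:
        smtp.ehlo_or_helo_if_needed()
        code, _ = smtp.mail(mail_from)
        if code != 250:
            return code
        code, _ = smtp.rcpt(rcpt_to)
        smtp.rset()
        return code


def relay_verdict(inbound_code, outbound_code):
    """Classify a pair of RCPT reply codes.

    inbound_code : reply for an external sender to a LOCAL_DOMAIN recipient
    outbound_code: reply for an external sender to an EXTERNAL_DOMAIN recipient
    A correctly configured inbound-only host accepts the first and rejects
    the second with a permanent (5xx) error.
    """
    if 200 <= outbound_code < 300:
        return "OPEN RELAY"          # external -> external was accepted
    if 400 <= outbound_code < 500:
        return "INCONCLUSIVE"        # temporary failure; greylisting or load, retest
    if 500 <= outbound_code < 600:
        if 200 <= inbound_code < 300:
            return "OK"              # relay refused, inbound mail still accepted
        return "CHECK CONFIG"        # relay refused, but so is legitimate inbound mail
    return "UNEXPECTED"


def run_check(host=SMTP_HOST, port=SMTP_PORT):
    """Run both probes against a live host and return (inbound, outbound, verdict)."""
    inbound = probe_rcpt(host, port, PROBE_SENDER, "postmaster@" + LOCAL_DOMAIN)
    outbound = probe_rcpt(host, port, PROBE_SENDER, "someone@" + EXTERNAL_DOMAIN)
    return inbound, outbound, relay_verdict(inbound, outbound)


if __name__ == "__main__":
    try:
        inbound, outbound, verdict = run_check()
        print("inbound RCPT -> %d, relay RCPT -> %d: %s" % (inbound, outbound, verdict))
    except (socket.error, smtplib.SMTPException) as exc:
        print("could not complete check against %s:%d: %s" % (SMTP_HOST, SMTP_PORT, exc))
```

Run it from a host on the outside of the edge firewall, since the relay restriction you care about is the one an Internet sender sees; a "CHECK CONFIG" result means the host is rejecting your own domain too, which is a different problem from an open relay but will still cost you inbound mail.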
Thanks for all the articles; they are always great. Keep up the good work. The first part of this article states:
"We use ISA firewall best practices and make the firewall a domain member, so that we can enhance the overall level of security provided by the ISA firewall."
I think I know some of the reasons why this might be true (mainly control of the ISA server through policy i.e. auditing, account rename, security templates, etc...), but feel like there has to be a lot of reasons why you would not want to do this as well. I know if this topic has ever come up with any of my colleagues it has always been a tough sell... but then again most of them are Cisco bigots and would never put an ISA server on the edge of their network :)
So, could you detail the points that would make it more secure and "best practice" to make the ISA server a member of your domain? Maybe a dedicated article on why to do it and how to actually secure the ISA server once it is in the domain.
Also, if you have any comments or references for my Cisco friends, that ammunition is welcome as well.
Cisco guys are very good at routing and switching, but they usually have no concept of security other than "open a port". Any organization that allows the "network guys" to have any control over the security infrastructure has some serious problems. Network guys are not security guys, and security guys are not network guys. However, there are some "network security guys", but you don't find them in the Cisco camp very often.
I actually have a comprehensive outline of the advantages of making the ISA firewall a domain member, which I can mail to you if you like. I'll probably include comprehensive coverage of this issue in our ISA 2006 book.
Also, I should make it clear that it's best practice to make the ISA firewall a domain member when you get the security benefits (Firewall client, user certificate authentication, regulatory compliance via AD centralized management, etc.), but if the scenario of the ISA firewall deployment doesn't take advantage of them (for example, a unihomed ISA firewall) then there's no need to make it a domain member.
Tom, could you expand on your reasoning in the case of two ISA firewalls, a front (edge) and a back (internal)? What reasoning would apply to the one on the edge?
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
With a back-to-back ISA firewall config, I don't see any reason to make the FE ISA firewall a domain member. You can get the AD auth and all the advantages domain membership provides on the back end, so there's no reason to make the FE a domain member. Of course, you could create a DMZ domain if you want, and use that for partners, etc. But for internal users only, I only make the BE ISA firewall a domain member.
I have attempted the "Creating Multiple Security Perimeters ..." tutorial on ISA Server 2006, and I believe I have been able to configure ISA 2006 as dictated by the tutorial for ISA 2004. I am new to this software and beginning to pull my hair out. The configuration offered in the tutorial is what I want for my network, but unfortunately I have as yet been unable to access OWA, RPC etc. for the Exchange servers from the outside or the inside. I have been through the settings time and again without being able to find the answer. For example, when I try to log into owa.(site name)/Exchange from the Internet side of the firewall, I get the ISA login screen and then a server error: 'The network logon failed'.
I would be most grateful if you could offer guidance for implementing the brilliant tutorial you have written on ISA 2006, in an effort to solve my current nightmare and further my knowledge of using ISA 2006. Also, you mention the servers in the anonymous DMZ; could you offer some information on how to set them up for this network situation?
I apologise for what may seem like a very bare report of my situation. Needless to say, I am using ISA Server 2006 with Windows Server 2003 and I would like to implement the network topology and setup from the tutorial. As of yet I have had no luck!!