DMZ + Authentication/Active Directory
DMZ + Authentication/Active Directory - 14.Apr.2004 1:02:00 AM
nektar
Posts: 13
Joined: 14.Apr.2004
From: USA
Hi People! I'd like to implement this design in my network:

Public Net
    |
[P1x/FW Ext]
    |
[P1x/FW Int]-(DMZ)-[ISA FW/PRX]
    |
  wks's

The purpose of the ISA Server is to provide proxy capabilities to the wks, as well as access to internet services using the proxy client, and authentication through Active Directory (users/groups). The questions are:
1) Where is the safest / most secure place to situate the Active Directory? In another DMZ on the P1x internal, or in the internal network?
2) Is there any tip, such as using IPSec instead of opening all the AD communication ports (53, 88, 135...) in the FW?
Thanks in advance! Ariel
RE: DMZ + Authentication/Active Directory - 14.Apr.2004 2:35:00 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi Ariel,
How about doing it this way:

PixPF
  |
  |
PixPF
  |
  |
ISA Firewall
  |
  |
AD/Workstations

This way, you have two PIX packet filtering firewalls back to back, and then the advanced application layer firewall, ISA, behind the two packet filters. Put the AD and the workstations behind the ISA firewall. Now you have three layers of defense and two DMZs protected by the packet filters.
HTH, Tom
RE: DMZ + Authentication/Active Directory - 14.Apr.2004 3:53:00 PM
nektar
Posts: 13
Joined: 14.Apr.2004
From: USA
Thanks for your answer.
The only problem with this design is that the "users" on my internal network are wilder than the net users, and they'll be in the same VLAN.
What are the cons you see in my design?
I'd appreciate your advice.
Sincerely, Ariel
RE: DMZ + Authentication/Active Directory - 15.Apr.2004 9:34:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi Ariel,
You can lock down the internal interface as tight as you like with ISA 2004 firewalls. Just configure the System Policy to allow only the traffic, and from what hosts, you require. It won't matter how wild your users are!
You could put another NIC on the ISA box, put the AD on a perimeter network segment, and only allow AD traffic through, so that users can auth.
So the ISA firewall has three NICs:
- Internal
- Perimeter (with AD)
- External
Users will be able to auth with the AD machine in the DMZ/perimeter network, but not have any other access to the DC. The details of this config will be in the front-end/back-end config doc in the upcoming Exchange Kit (because the front-end will be in the DMZ and needs to communicate with the AD).
HTH, Tom
RE: DMZ + Authentication/Active Directory - 20.Aug.2004 9:46:00 AM
Porolonchik
Posts: 3
Joined: 17.Aug.2004
From: Russia, Tuva, Kyzyl
Is there an article for this scenario anywhere on IsaServer.org? I'd like to make:

[External]
    |
    |
  [ISA]--------[Perimeter] AD (net.local) (with Exchange, DHCP, DNS, MS SQL)
    |
    |
[Internal] Workstations (net.local)

Is it possible? If so, how do I set it up?
RE: DMZ + Authentication/Active Directory - 22.Aug.2004 5:54:00 PM
Porolonchik
Posts: 3
Joined: 17.Aug.2004
From: Russia, Tuva, Kyzyl
Thanks for your answer. It is what I want! But what about IP addresses? Can I do the following?

(External)
    |
    |- some public IP
  (ISA)--------(Perimeter)-AD (net.local) (with Exchange, DHCP, DNS, MS SQL)
    |  192.168.0.3 | 192.168.0.1          |- 192.168.0.2
    |
(Internal) - 192.168.0.4-192.168.0.254 Workstations (net.local)
RE: DMZ + Authentication/Active Directory - 22.Aug.2004 10:04:00 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Hi Porolonchik,
Each interface must be located on a different network ID. But the configuration does work, and I'm using it now!
HTH, Tom
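The two points this thread settles on, that each ISA interface needs its own network ID and that Internal hosts should reach the perimeter DC only on the ports AD authentication needs, can be checked before touching the firewall. The script below is an added example, not code from the thread or from ISA Server; the addresses, the DC IP and the port allowlist are assumptions chosen for illustration (the 203.0.113.0/24 range stands in for "some public IP").

```python
"""Added example (not from the thread): sanity-check an ISA-style three-NIC plan.

Check 1: every firewall interface sits on its own network ID.
Check 2: Internal -> perimeter DC is allowed only on AD authentication ports,
         and everything else Internal -> Perimeter is denied.
Addresses, DC IP and the port list below are assumptions for illustration.
"""
import ipaddress

# Ports a domain member needs to authenticate against a DC. Well-known values,
# listed here as an assumed starting allowlist; confirm against your own DC.
AD_AUTH_PORTS = {
    ("udp", 53), ("tcp", 53),      # DNS (locating the DC via SRV records)
    ("udp", 88), ("tcp", 88),      # Kerberos
    ("udp", 123),                  # NTP; Kerberos needs clocks in sync
    ("tcp", 135),                  # RPC endpoint mapper only
    ("udp", 389), ("tcp", 389),    # LDAP
    ("tcp", 445),                  # SMB for SYSVOL/NETLOGON (group policy, logon scripts)
    ("udp", 464), ("tcp", 464),    # Kerberos password change
    ("tcp", 3268),                 # Global Catalog
}


def overlapping_interfaces(plan):
    """Return name pairs whose networks overlap; empty means each NIC has its own network ID."""
    nets = {name: ipaddress.ip_interface(cidr).network for name, cidr in plan.items()}
    names = sorted(nets)
    return [(a, b) for i, a in enumerate(names) for b in names[i + 1:]
            if nets[a].overlaps(nets[b])]


def build_dc_policy(internal_net, perimeter_net, dc_ip):
    """Ordered rule list: allow Internal -> DC on AD ports, then deny Internal -> Perimeter."""
    internal = ipaddress.ip_network(internal_net)
    perimeter = ipaddress.ip_network(perimeter_net)
    dc = ipaddress.ip_network(f"{dc_ip}/32")
    rules = [dict(action="allow", src=internal, dst=dc, proto=proto, port=port)
             for proto, port in sorted(AD_AUTH_PORTS)]
    rules.append(dict(action="deny", src=internal, dst=perimeter, proto="any", port="any"))
    return rules


def first_match(rules, src_ip, dst_ip, proto, port):
    """Evaluate rules top-down, first match wins; no match at all means deny."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for rule in rules:
        if (src in rule["src"] and dst in rule["dst"]
                and rule["proto"] in ("any", proto) and rule["port"] in ("any", port)):
            return rule["action"]
    return "deny"


# Constructed plans. FLAT_PLAN mirrors the thread's 192.168.0.x layout, where the
# perimeter and internal NICs share a network ID; SPLIT_PLAN gives each its own.
FLAT_PLAN = {"external": "203.0.113.10/24", "perimeter": "192.168.0.1/24", "internal": "192.168.0.3/24"}
SPLIT_PLAN = {"external": "203.0.113.10/24", "perimeter": "192.168.1.1/24", "internal": "192.168.0.1/24"}

if __name__ == "__main__":
    print("flat plan overlaps:", overlapping_interfaces(FLAT_PLAN))    # [('internal', 'perimeter')]
    print("split plan overlaps:", overlapping_interfaces(SPLIT_PLAN))  # []
    policy = build_dc_policy("192.168.0.0/24", "192.168.1.0/24", "192.168.1.2")
    # Kerberos and LDAP pass; SQL (1433) and RDP (3389) to the same DC box do not.
    for proto, port in (("tcp", 88), ("tcp", 389), ("tcp", 1433), ("tcp", 3389)):
        print(proto, port, first_match(policy, "192.168.0.50", "192.168.1.2", proto, port))
```

The deny rule at the end is what keeps "wild" internal users away from the Exchange, SQL and other services sitting on the DC in the perimeter: only the listed AD ports to the DC's address get through. Port 135 covers the endpoint mapper alone; leave any RPC-based service beyond it to an application-layer filter rather than opening a port range, and when something breaks, read the denied entries in the firewall log rather than widening the allowlist.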