DMZ in a Front and Back ISA Configuration
DMZ in a Front and Back ISA Configuration - 6.Feb.2007 1:10:30 PM
Arkane78
Posts: 25
Joined: 9.Dec.2005
Status: offline
I've set up 2 ISA 2006 Std Servers (on Windows Server 2003 SP1), each one has 2 Network Interfaces.

First Box : Configured as Front-End Firewall (using template). NIC 1 (Primary Interface) - External - points to DSL Router. IP - 192.168.200.x/255.255.255.0. Gateway - DSL Router. NIC 2 - DMZ - points to DMZ IP - 10.10.200.150/255.255.255.0.

Second Box : Configured as Back-End Firewall (using template). NIC 1 (Primary Interface) - Internal - points to internal LAN. IP - 10.5.87.x/255.255.252.0. NIC 2 - DMZ - points to DMZ IP - 10.10.200.84/255.255.255.0. Gateway - NIC 2 of FE Firewall.

I have enabled the web proxy on both servers and have successfully managed to surf the internet from both boxes - confirming that communication through the DMZ is working. However, I currently have another ISA 2006 box that handles our VPN service, which I'd like to move to one of the newer ISA boxes (as the 2 new ISA servers are to replace some existing infrastructure). I'm not sure how I can move the VPN component onto the ISA boxes, or which one I should use for this in the configuration I have set up. Would I be better off using the Three-Leg template on 1 box and only have 1 box?

The idea was that the FE firewall would handle all internet traffic (via a DSL router in front of it) and only pass through traffic to the BE firewall that was needed and would also allow VPN connections to be given DMZ IP addresses (as opposed to being automatically given Internal network IP addresses). I'd appreciate a reply even if it's just to tell me I'd be better off using the three-leg template for ISA. I had little problem setting up VPN on an ISA server with the edge-template but this new setup is somewhat more complicated but hopefully much more secure as the needs of our school are growing faster than we can keep up. Thanking you in advance. Kris
RE: DMZ in a Front and Back ISA Configuration - 5.Mar.2007 12:40:09 PM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kris, I avoid using the templates because they do strange things with the Network Rules and other components. I always start with the defaults and then configure things to my requirements. You can publish the internal ISA Firewall to act as a VPN server. However, if you already have a box with the ISA Firewall running as a VPN server, it's best to put it in as a parallel ISA Firewall with the front-end ISA Firewall. HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: DMZ in a Front and Back ISA Configuration - 5.Mar.2007 2:27:56 PM
Arkane78
Posts: 25
Joined: 9.Dec.2005
Status: offline
Tom, Thanks for the hint about the templates, they look helpful enough but as I've learnt to my cost it's better as you say - to stick with the default template (edge) and configure it to your needs. What I was wanting to do was publish the VPN on the front-end firewall, so that all VPN clients become part of the DMZ between the back-end and front-end firewall, so that no-one with the exception of certain members of staff and a few servers - can go from DMZ to Internal. I'm sure I could accomplish what I'm wanting now - just using the edge template, setting up an extra network in ISA on both firewalls and configuring it from there, but before I try to do that, am I barking up the wrong tree so to speak? It's not that we don't trust our VPN users - it's that we'd rather not open up the internal network to them - we'd rather provide some servers on the DMZ they can access instead. These servers have 'pinholes' through the firewall to internal servers - so file updates and such are one way (Internal to DMZ) but not the other. It's so staff can view data from home but can only update it via USB memory sticks or sending it via E-Mail (which they then collect on-site) - as it's always a risk a student could compromise a staff account - now internally we have methods to deal with such an eventuality - but we'd rather not leave the internal network open to abuse or attacks from said student from the comfort of their own home. Any more advice you could give would be great. Thanks. Kris
RE: DMZ in a Front and Back ISA Configuration - 6.Mar.2007 11:07:01 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kris,

1. Terminate the VPN connection on the front-end ISA Firewall.
2. On the BE ISA Firewall, create an ISA Firewall Network representing the DMZ.
3. On the BE ISA Firewall, create a Network Rule setting a route relationship between its default Internal Network and the DMZ.
4. On the BE ISA Firewall, create rules that allow connections from the DMZ to the Internal Network as desired.
5. On the FE ISA Firewall, create Access Rules allowing connections to the BE ISA Firewall's default Internal Network ID.
6. On the FE ISA Firewall, make sure that you include the addresses of the BE ISA Firewall's default Internal Network as part of the definition of the FE ISA Firewall's default Internal Network.

HTH, Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: DMZ in a Front and Back ISA Configuration - 6.Mar.2007 1:22:06 PM
Arkane78
Posts: 25
Joined: 9.Dec.2005
Status: offline
Tom, When you write it - it looks ridiculously simple. I was trying all manner of things to make it work out but it was happy enough to get a DMZ IP from the DMZ DHCP but it refused point blank to pass any DHCP options, regardless of DHCP relay agent or not. So, assuming that both Firewalls are set as 'Edge Template' and that my DMZ DHCP server is working as expected with regular clients (non VPN clients), I should be able to follow your steps and get closer to my desired solution? My only query is that you say to create a network describing the DMZ on the BE firewall, would I not need this on the FE firewall also or would the 'Internal' network object on the FE firewall consist of the DMZ range AND the BE Firewall Internal range? If the latter, I'm assuming that a VPN client can VPN in, get terminated at FE firewall, get a DMZ IP and only be able to access systems in the DMZ unless a suitable access rule on the BE firewall allows access to the internal network? (Rules that permit IT support staff, certain servers/protocols) (Somewhat O/T - I'm slowly getting to grips with HTTP filtering, something that until I read about it, I had no idea what it was or did - I'm learning ISA 2004/2006 coming from an MS Proxy 2.x only environment - looking back... Proxy 2.x was painful) Thanks for your help again Tom, will let you know how this all goes once I get a chance to try all this out. Kris
RE: DMZ in a Front and Back ISA Configuration - 7.Mar.2007 9:37:17 AM
tshinder
Posts: 47420
Joined: 10.Jan.2001
From: Texas
Status: offline
One thing I forgot!

7. Create a routing table entry on the FE ISA Firewall so that it knows the route to the network ID for the default Internal Network located behind the BE ISA Firewall.

That'll do it! Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
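Tom's seven steps describe two separate controls that are easy to mix up: the network rules and access rules on each firewall (which decide whether a flow is allowed at all) and the routing table on the FE (which decides whether the FE can even reach the BE's Internal network, step 7). The model below is an added example, not ISA Server code or anything from Tom or Kris: it is a small Python policy evaluator that encodes the two-firewall layout from this thread (DMZ 10.10.200.0/24, BE Internal 10.5.84.0/22, BE's DMZ NIC 10.10.200.84) and checks which flows pass and where the FE would send packets for the BE's Internal network with and without step 7. The VPN client pool, the DSL router address, the "IT staff" VPN address and the host addresses are constructed placeholders, and the first-match rule evaluation is a simplification of ISA's ordered rule list.

```python
"""Model of the back-to-back ISA layout from this thread (added example, not ISA code)."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

IPNet = ipaddress.IPv4Network


@dataclass
class AccessRule:
    name: str
    src_net: str
    dst_net: str
    protocols: frozenset                     # frozenset({"*"}) matches any protocol
    src_hosts: Optional[frozenset] = None    # None = the whole source network
    allow: bool = True

    def matches(self, src_net, dst_net, src_ip, protocol):
        return (self.src_net == src_net and self.dst_net == dst_net
                and (self.src_hosts is None or src_ip in self.src_hosts)
                and ("*" in self.protocols or protocol in self.protocols))


@dataclass
class Firewall:
    name: str
    networks: Dict[str, List[IPNet]]              # checked in insertion order
    network_rules: Dict[Tuple[str, str], str]     # (src, dst) -> "route" | "nat"
    access_rules: List[AccessRule] = field(default_factory=list)   # first match wins
    routes: List[Tuple[IPNet, str]] = field(default_factory=list)  # (prefix, next hop)

    def network_of(self, ip: str) -> str:
        addr = ipaddress.ip_address(ip)
        for name, prefixes in self.networks.items():
            if any(addr in p for p in prefixes):
                return name
        return "External"   # an address in no defined network is External

    def relationship(self, src_net, dst_net) -> Optional[str]:
        rel = self.network_rules.get((src_net, dst_net))
        if rel is None and self.network_rules.get((dst_net, src_net)) == "route":
            rel = "route"   # a route relationship works both ways; NAT is one-way
        return rel

    def evaluate(self, src_ip, dst_ip, protocol) -> str:
        src_net, dst_net = self.network_of(src_ip), self.network_of(dst_ip)
        rel = self.relationship(src_net, dst_net)
        if rel is None:
            return f"deny (no network rule {src_net}->{dst_net})"
        for rule in self.access_rules:
            if rule.matches(src_net, dst_net, src_ip, protocol):
                return f"allow ({rel}, {rule.name})" if rule.allow else f"deny ({rule.name})"
        return "deny (default rule)"

    def next_hop(self, dst_ip) -> Optional[str]:
        addr = ipaddress.ip_address(dst_ip)
        hits = [(p, nh) for p, nh in self.routes if addr in p]
        return max(hits, key=lambda h: h[0].prefixlen)[1] if hits else None  # longest prefix


DMZ = IPNet("10.10.200.0/24")          # from the thread
BE_INTERNAL = IPNet("10.5.84.0/22")    # 10.5.87.x/255.255.252.0 from the thread
VPN_POOL = IPNet("10.10.200.224/27")   # constructed: DMZ addresses handed to VPN clients
ANY = frozenset({"*"})

fe = Firewall(
    "FE",
    networks={"VPN Clients": [VPN_POOL], "Internal": [DMZ, BE_INTERNAL]},   # step 6
    network_rules={("VPN Clients", "Internal"): "route", ("Internal", "External"): "nat",
                   ("VPN Clients", "External"): "nat"},
    access_rules=[AccessRule("VPN to DMZ and BE Internal", "VPN Clients", "Internal", ANY)],  # step 5
    routes=[(IPNet("0.0.0.0/0"), "192.168.200.1"),   # constructed DSL router address
            (DMZ, "on-link"),
            (BE_INTERNAL, "10.10.200.84")],          # step 7: via the BE's DMZ NIC
)

be = Firewall(
    "BE",
    networks={"Internal": [BE_INTERNAL], "DMZ": [DMZ]},                               # step 2
    network_rules={("Internal", "DMZ"): "route", ("Internal", "External"): "nat"},    # step 3
    access_rules=[                                                                    # step 4
        AccessRule("IT staff VPN to Internal", "DMZ", "Internal", ANY,
                   src_hosts=frozenset({"10.10.200.230"})),   # constructed IT-staff VPN address
        AccessRule("Internal pushes files to DMZ", "Internal", "DMZ", frozenset({"SMB"})),
    ],
)


def end_to_end(src_ip, dst_ip, protocol) -> Dict[str, str]:
    """Verdict at each firewall the flow actually crosses."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    inside = lambda a: a in DMZ or a in BE_INTERNAL
    verdicts = {}
    if src in VPN_POOL or dst in VPN_POOL or not inside(src) or not inside(dst):
        verdicts["FE"] = fe.evaluate(src_ip, dst_ip, protocol)   # VPN terminates on FE (step 1)
    if (src in BE_INTERNAL) != (dst in BE_INTERNAL):
        verdicts["BE"] = be.evaluate(src_ip, dst_ip, protocol)   # flow crosses the BE
    return verdicts


def fe_next_hop_to_be_internal(with_step7=True) -> Optional[str]:
    """Where the FE sends a packet for a BE Internal host, with or without the step 7 route."""
    routes = fe.routes if with_step7 else [r for r in fe.routes if r[0] != BE_INTERNAL]
    return Firewall("FE-probe", fe.networks, fe.network_rules, fe.access_rules, routes) \
        .next_hop("10.5.87.10")


if __name__ == "__main__":
    for flow in [("10.10.200.230", "10.5.87.10", "DNS"), ("10.10.200.240", "10.5.87.10", "DNS"),
                 ("10.10.200.240", "10.10.200.50", "HTTP"), ("10.5.87.20", "10.10.200.50", "SMB"),
                 ("10.10.200.50", "10.5.87.20", "SMB")]:
        print(flow, end_to_end(*flow))
    print("FE next hop with step 7:", fe_next_hop_to_be_internal(True))
    print("FE next hop without step 7:", fe_next_hop_to_be_internal(False))
```

The two routing results are the point of step 7: with the route, the FE hands packets for 10.5.87.x to the BE's DMZ NIC; without it, the longest-prefix lookup falls through to the default route and the FE sends them to the DSL router, so nothing reaches the BE even though every access rule allows the flow. The last two flows show Kris's one-way pinhole: Internal can push files to the DMZ, but the DMZ host gets the BE's default deny in the other direction.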
RE: DMZ in a Front and Back ISA Configuration - 1.Sep.2007 3:42:21 PM
habibalby
Posts: 126
Joined: 20.May2006
From: Kingdom of Bahrain
Status: offline
Hi Arkane78, Did your issue get solved with the Back-to-back Firewall? I'm having the same issue.

1. Created On the BE ISA Firewall, create an ISA Firewall Network representing the DMZ 192.168.1.0~192.168.1.255
2. Created On the BE ISA Firewall, create a Network Rule setting a route relationship between its default Internal Network and the DMZ. (Route) Internal -> DMZ
3. Created On the BE ISA Firewall, create rules that allow connections from the DMZ to the Internal Network as desired. All Outbound DMZ -> Internal
4. Created On the FE ISA Firewall, create All Outbound Access Rules allowing connections to the BE ISA Firewall's default Internal Network ID. Computer/EdgeTransport/DC -> Computer/EdgeTransport/DC
5. On the FE ISA Firewall, make sure that you include the addresses of the BE ISA Firewall's default Internal Network as part of the definition of the FE ISA Firewall's default Internal Network
6. Created a Routing table Entry in the FE ISA Firewall and on the EdgeTransport Server sitting on the DMZ. 10.0.0.0 mask 255.255.255.0 192.168.1.70 -p
7. Created Enterprise Policy and assigned to the Main Array. In the Enterprise Networks Created DMZ Network and Enterprise-Internal Network.
8. Created a Route Relationship between the Enterprise-Internal -> DMZ
9. Created NAT Relationship between the Enterprise-Internal Network -> External.
10. Created Enterprise Policy All Outbound Protocol from DMZ & Enterprise-Internal Network --> DMZ & Enterprise-Internal Network.

Still I'm not getting the DNS Server located in the Default Internal Network behind the back-end ISA Firewall. Any help? BR, Habibalby
_____________________________
For online help with ISA Server 2004 & 2006 SE or EE. Please call on +973-39228431