Hi Tom, thanks for your great tutorial for setting this all up. I'm trying to do exactly this now for my network. I have a question though, I'm using ISA 2004 Beta2 for this, and I have 2 DNS servers in the DMZ zone that need to be accessed from the External zone (the internet). In the article you mention having DNS servers in the internal portion of the network.
What should I do different and what should I watch out for to have these DNS servers in the DMZ zone and to have them accessible from the Internet and at the same time allowing the DMZ hosts to do lookups through the DNS servers?
Should I just skip the parts for allowing DNS from DMZ to Internal and just change the allowing DNS from Internal to External part to allow DNS from DMZ to External?
The internal network is not important to me right now, my main goal is to get an IP block with HTTP, SMTP, DNS, FTP and other servers published on the internet with their public addresses while at the same time being firewalled by ISA.
You can put your public access DNS servers on the public address DMZ segment. Just make sure they are DNS advertisers *only* and not resolvers. You want to configure them to host the records for your public domains, but not resolve queries for domains for which the DNS is not authoritative.
Remember to configure the machine to prevent cache poisoning too.
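One way to check the "advertiser only, not resolver" property Tom describes, as an added example that is not from the article or the ISA product: it parses the header flags of a DNS reply and accepts only servers that never set RA (recursion available) and either answer authoritatively or refuse; the sample replies are constructed, and `probe()` is a hypothetical helper for running the same check against a real server.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 4.1.1) and the REFUSED rcode.
FLAG_QR, FLAG_AA, FLAG_RD, FLAG_RA = 0x8000, 0x0400, 0x0100, 0x0080
RCODE_REFUSED = 5

def build_query(name, qtype=1, txid=0x1234):
    """Build a standard query with RD set, exactly as a client would send it."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.rstrip(".").split("."))
    header = struct.pack(">HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + labels + b"\x00" + struct.pack(">HH", qtype, 1)

def parse_header(resp):
    """Pull the flag bits a defender cares about out of a raw DNS response."""
    _txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    return {"aa": bool(flags & FLAG_AA), "ra": bool(flags & FLAG_RA),
            "rcode": flags & 0x000F, "answers": an}

def is_advertiser_only(resp):
    """True when the server behaves as an advertiser: it never offers recursion
    (RA clear) and either answers authoritatively (AA) or refuses the query."""
    h = parse_header(resp)
    return (not h["ra"]) and (h["aa"] or h["rcode"] == RCODE_REFUSED)

def probe(server_ip, name, timeout=3.0):
    """Live check (hypothetical helper): one recursive UDP query, raw reply back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        return s.recv(4096)

def fake_response(flags, answers=0):
    """Constructed response header (no records), for offline demonstration."""
    return struct.pack(">HHHHHH", 0x1234, FLAG_QR | flags, 1, answers, 0, 0)

if __name__ == "__main__":
    # Constructed sample replies rather than a live server; use probe() for real.
    samples = {"authoritative": fake_response(FLAG_AA, 1),
               "foreign name refused": fake_response(FLAG_RD | RCODE_REFUSED),
               "open resolver": fake_response(FLAG_RD | FLAG_RA, 1)}
    for label, r in samples.items():
        print(label, "->", "advertiser only" if is_advertiser_only(r) else "RESOLVES, harden it")
```

A server that passes this check also has less cache-poisoning exposure, since it never fetches or caches answers from upstream servers on a client's behalf.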
Thanks for your reply. One more thing: on which zone's NIC configuration do I need to have all the IPs of the Class C subnet? Do I add them all to the DMZ NIC, the external NIC, or both?
Also, would it be a problem to add various Class C subnets to the ISA firewall?
Actually, never mind the first question. I've set up the ISA as follows (not real IPs):
IPs of ISA server on External (gateway 188.8.131.52): 184.108.40.206, 220.127.116.11, 18.104.22.168
IPs of ISA server on DMZ: 22.214.171.124, 126.96.36.199, 188.8.131.52
set up access rules to HTTP, HTTPs, FTP, etc for subnet ranges 184.108.40.206-255 and so on... DNS servers are inside the DMZ and published to external. At the moment not using Internal for anything. I'm going to start testing this setup and hope it works.
Once fully functional, this ISA will have to deal with lots of traffic and different hosts, I hope the beta2 can handle everything that will be thrown at it. There is no other firewall on this network.
In the article you write: "The next step is to create the route relationship between the DMZ Network and the Internal Network. In this case, we'll use the NAT route relationship between DMZ and Internal network.
Perform the following steps to create the NAT route relationship between DMZ and Internal networks: "
But when I look at the steps it seems to me it creates a route relationship between the internal and the DMZ zone?! Or am I wrong??
Keep in mind you have to define how the DMZ will communicate with the External and Internal. So a Network relationship should be defined for each. Since there could be firewall policy defined for each network.
RE: Discussion about Publishing DMZ Servers on a Public... - 28.Jan.2005 3:53:00 PM
I understand what you mean; the only thing I meant to say is that in the article Thomas says "Perform the following steps to create the NAT route relationship between DMZ and Internal networks:" but when you read the "following steps" it turns out that a route relationship is being created between Internal and the DMZ network.
RE: Discussion about Publishing DMZ Servers on a Public... - 31.Jan.2005 1:37:00 PM
Another thing that won't work as described in the article is the DNS-test query to www.hotmail.com. The reason is the fact that a NAT network-rule from the Internal to <> the DMZ network needs to be created too. Without that rule the DNS-test query won't work, DNS queries made from the DMZ network will be stopped at the ISA Server.... (on their way back that is).
Hi Tom (and everyone else, of course). Great write-up on public addressed DMZs.
I still have one question, though: is the "Networks" tab really necessary in server publishing rules to publicly addressed DMZ servers?
I have got a DNS server with a public IP address .2 and an ISA Server with external public IP addresses .8 and .10.
My server publishing rule looks like this:
Action: Allow
Traffic: DNS Server
From: Anywhere
To: [public IP .2] - requests appear to come from the original client.
Networks: External <all IP addresses>
Schedule: Always
Now, if I sit externally and try to connect using nslookup to .2, it works. If I try .8 or .10, it doesn't.
If I run nslookup from the Internal network, my request won't hit the publishing rule, but it will hit a DNS access rule further down the rule set.
So apparently, server publishing rules don't have listeners the same way web publishing rules do, and the "Networks" tab only specifies which clients are allowed to use the publishing rule, not which IP addresses of the ISA server should be listening for requests. Am I right?
DMZ: ip: 1xx.000.000.158 (same network as the external, since I have got to publish public IPs on the webservers)
mask: 255.255.255.128
GW: none
DNS1: none
DNS2: none
I guess I am doing something wrong with the masks here? I need to split my 1xx.000.000.000-range in 2 and use the top-half for DMZ.
I have a client, a webserver on the DMZ as well, that is using:
ip: 1xx.000.000.157
mask: 255.255.255.128
GW: 1xx.000.000.158 (firewall dmz-nic)
DNS1: 1xx.000.000.158 (firewall dmz-nic)
DNS2: none
I was hoping you could help me out a little bit here. I am, as I wrote, going to add a 4th NIC for a totally separate segment here. This part will be isolated from the DMZ, but I need some VPN connections to connect to this 4th network.
Thank you anyways and thanks for some good books from you! :-)
PING from external and onto the firewall (I have made a temp-filter that allows this)
PING from local host to a DMZ-server (I have made a temp-filter that allows this)
HTTP from local host to a DMZ-server (I have made a temp-filter that allows this)
RDP from local host to a DMZ-server (I have made a temp-filter that allows this)
and NOT able to:
PING from external and onto the DMZ-server (I have made a temp-filter that allows this): I just get an answer from the firewall's external IP that the destination host is unreachable.
HTTP from external to the DMZ-server: no answer...
What am I doing wrong? This is an addition to my first post in this thread.
I have successfully configured ISA Server 2006 SP1 to publish a web server on a public address DMZ using the technique described in your article. I have been unable to implement reverse caching of the websites on this server using this configuration. Can you please tell me if this is possible, how it is achieved, and how I can verify that the websites are in fact being cached?
Secondarily, is it possible in your configuration to pass the client IP address to the web server for logging purposes?