Discussion about article Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 5

Discussion about article Creating Multiple Security Per... - 27.Dec.2005 2:39:16 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing part 5 of the article series on creating multiple security perimeters with a multihomed ISA firewall at http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part5.html

Thanks!
Tom

< Message edited by tshinder -- 27.Dec.2005 2:41:56 PM >


_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article Creating Multiple Security... - 31.Dec.2005 4:26:56 AM   
irbarianto

 

Posts: 5
Joined: 31.Dec.2005
Status: offline
quote:

ORIGINAL: tshinder

This thread is for discussing part 5 of the article series on creating multiple security perimeters with a multihomed ISA firewall at http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part5.html

Thanks!
Tom


Hi Tom,

I was able to join the domain as well as log on from my server located in the perimeter. But I still get an error when trying to run DCDIAG, especially on the FSMOCHECK. Furthermore, I could not run DOMAINPREP for the Exchange 2k3 installation.

Please advise

Regards

IRB 

(in reply to tshinder)
Post #: 2
RE: Discussion about article Creating Multiple Security... - 31.Dec.2005 5:07:05 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi IRB,

What communications are being blocked? Is DNS setup correctly yet?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to irbarianto)
Post #: 3
RE: Discussion about article Creating Multiple Security... - 4.Jan.2006 4:55:25 AM   
irbarianto

 

Posts: 5
Joined: 31.Dec.2005
Status: offline
Hi Tom,

Finally, after I checked the error message, it seems I cannot have a difference between the suffix of the computer name and the name of the AD domain the computer is a member of. I changed the computer name and re-tested, and it worked.

BTW, I have another problem...

I am implementing a back-to-back DMZ with the following configuration:

External Firewall : Cisco router 2811 series with firewall feature

S0/0/0 : 61.14.47.1 / 29
Ethernet 0/0 : 172.31.2.1

Internal Firewall : ISA 2004

Ethernet external : 172.31.2.3
Ethernet internal : 172.31.1.5


I planned to use ISA 2004 + Message Screener as the inbound SMTP relay.

What I have done:

1. Create network rule

DMZ -> internal ...  ROUTE
DMZ -> External ... NAT
Internal -> DMZ .... NAT

2. Install an SMTP virtual server on the ISA 2004 and bind it to the external IP of the ISA 2004.

3. Publish the ISA server as an inbound SMTP relay with a listener on the "External" network (the built-in network from ISA 2004) and the DMZ.

4. Create a static NAT on the external firewall.

When I tested from the DMZ network, telnet to port 25 worked well, but when I tested from external it was denied by the default rule on the ISA 2004 server...

Please advise

regards

IRB

(in reply to tshinder)
Post #: 4
RE: Discussion about article Creating Multiple Security... - 4.Jan.2006 6:01:13 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi IRB,

First thing, you can have a ROUTE relationship between DMZ to Internal and have a NAT relationship between Internal to DMZ. The reason for this is that if you Route from DMZ to Internal, that automatically means you have a ROUTE relationship between Internal to DMZ -- since Route relationships are reciprocal.

Try removing the ROUTE relationship first, and test it that way, so that there is a NAT relationship between Internal to DMZ.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to irbarianto)
Post #: 5
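The reply above turns on one property of ISA network rules: a ROUTE relationship applies in both directions, while NAT applies only from the source network to the destination. The following checker, an added example that is not code from the thread or from ISA Server, models that property and flags the contradiction in the configuration posted (ROUTE declared from DMZ to Internal, NAT declared from Internal to DMZ). The network names and rule lists are constructed sample data.

```python
"""Consistency check for ISA-style network rules (added example).

Models the behaviour described in the reply: ROUTE is reciprocal, NAT is
one-way. Declaring ROUTE for A -> B therefore implies ROUTE for B -> A, and
an explicit NAT rule for B -> A contradicts it.
"""
from typing import Dict, List, Tuple

# (source network, destination network, relationship)
Rule = Tuple[str, str, str]

# Constructed sample data: the rule set from post #4 above.
POSTED_RULES: List[Rule] = [
    ("DMZ", "Internal", "ROUTE"),
    ("DMZ", "External", "NAT"),
    ("Internal", "DMZ", "NAT"),
]

# Constructed sample data: the same rule set with the ROUTE rule removed,
# which is what the reply suggests trying first.
FIXED_RULES: List[Rule] = [r for r in POSTED_RULES if r[2] != "ROUTE"]


def _claims(rules: List[Rule]) -> Dict[Tuple[str, str], Dict[str, str]]:
    """Collect every relationship claimed for each (src, dst) direction.

    Returns {(src, dst): {relationship: origin}} where origin records whether
    the claim came from an explicit rule or was implied by a reciprocal ROUTE.
    """
    claims: Dict[Tuple[str, str], Dict[str, str]] = {}
    for src, dst, rel in rules:
        rel = rel.upper()
        if rel not in ("ROUTE", "NAT"):
            raise ValueError(f"unknown relationship {rel!r} for {src}->{dst}")
        claims.setdefault((src, dst), {})[rel] = "explicit"
        if rel == "ROUTE":
            # ROUTE is reciprocal: the reverse direction is ROUTE as well.
            claims.setdefault((dst, src), {}).setdefault(
                "ROUTE", f"implied by {src}->{dst}"
            )
    return claims


def find_conflicts(rules: List[Rule]) -> List[Tuple[Tuple[str, str], List[str]]]:
    """Return directions that end up with more than one relationship.

    Each entry is ((src, dst), [labels]) with labels such as
    "NAT (explicit)" or "ROUTE (implied by DMZ->Internal)", sorted.
    """
    conflicts = []
    for pair, rels in sorted(_claims(rules).items()):
        if len(rels) > 1:
            labels = sorted(f"{rel} ({origin})" for rel, origin in rels.items())
            conflicts.append((pair, labels))
    return conflicts


def effective_relationships(rules: List[Rule]) -> Dict[Tuple[str, str], str]:
    """Relationship in effect per direction for a conflict-free rule set."""
    if find_conflicts(rules):
        raise ValueError("rule set is contradictory; resolve conflicts first")
    return {pair: next(iter(rels)) for pair, rels in _claims(rules).items()}


if __name__ == "__main__":
    for name, rules in (("posted", POSTED_RULES), ("fixed", FIXED_RULES)):
        print(f"{name} rule set:")
        for (src, dst), labels in find_conflicts(rules):
            print(f"  conflict {src}->{dst}: " + ", ".join(labels))
        if not find_conflicts(rules):
            for (src, dst), rel in effective_relationships(rules).items():
                print(f"  {src}->{dst}: {rel}")
```

Running it reports the Internal->DMZ direction as both NAT (explicit) and ROUTE (implied by DMZ->Internal) for the posted rule set, and a clean NAT-only result once the ROUTE rule is removed. The same check is useful before any change to network rules on a multihomed firewall: a reciprocal ROUTE silently widens reachability into the internal network, which is exactly the kind of change worth catching in review rather than in the firewall log.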
RE: Discussion about article Creating Multiple Security... - 5.Jan.2006 2:18:40 AM   
carorieta

 

Posts: 102
Joined: 15.Dec.2005
Status: offline
Mr. Shinder,

My question is about part 3, http://www.isaserver.org/tutorials/Creating-Multiple-Security-Perimeters-Multihomed-ISA-Firewall-Part3.html (note on certificate deployment).
Specifically about publishing OWA with SSL: the certificate for the ISA firewall is owa.msfirewall.org and the one for the FE Exchange Server is feexchange.msfirewall.org. I understand they are different certificates.
In your previous article, Publishing OWA Sites using ISA Firewall Web Publishing Rules (2004) Version 1.1, you used the same certificate (owa.msfirewall.org) for both IIS on the Exchange server and the ISA firewall.
Why not use the same certificate for the FE and ISA in part 3, as we did in your Publishing OWA sites... article? Or I kind of understood that the certificates should be the same (exact name) for the SSL channel between Exchange and ISA to work properly.
I would appreciate a short explanation.
Thank you for all the hard work you do.

(in reply to tshinder)
Post #: 6
RE: Discussion about article Creating Multiple Security... - 5.Jan.2006 3:29:08 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Carorieta,

You ask an excellent question!

The reason why I do this is because we can only bind a single certificate to the FE Exchange Server's Web site. This isn't a problem when we publish only the OWA site, since the same certificate can be used on the FE Exchange site and on the Web listener used by the Web Publishing Rule used to publish the OWA site.

HOWEVER, since we also want to publish the RPC/HTTP and OMA/ActiveSync sites, we have to create a second (and even third if we wanted to) to support those connections. We can't use the same Web listener because we want to enable OWA FBA on the ISA firewall. This means the second Web listener needs to listen for connections to a different FQDN, and that FQDN must be on the certificate, for example:

owa.msfirewall.org for the OWA connections
rpc.msfirewall.org for the RPC/HTTP connections
oma.msfirewall.org for the OMA/ActiveSync connections

The common names on the certificates must be the same as the name used to access the site, so we would require three certificates in this example with the common names:

owa.msfirewall.org
rpc.msfirewall.org
oma.msfirewall.org

However, for each of the listeners used in each of the rules, we can forward the connection to the same server using the same name, such as feexchange.msfirewall.org, which is the name used on the TO tab of each of the Web publishing rules.

I always wanted to show that you didn't have to use the same name from end to end, which is what I do in all my articles and all my deployments, but some people don't want to or can't do the same.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to carorieta)
Post #: 7
RE: Discussion about article Creating Multiple Security... - 5.Jan.2006 5:27:40 AM   
carorieta

 

Posts: 102
Joined: 15.Dec.2005
Status: offline
Thank you Mr. Shinder,

The SSL channel between the clients and the external ISA IP (OWA listener) works thanks to the owa.msfirewall.org certificate; the SSL channel between ISA and the FE works thanks to the fe.msfirewall.org certificate, which should match the published server name (TO).
Thank you again

_____________________________

carorieta

(in reply to tshinder)
Post #: 8
RE: Discussion about article Creating Multiple Security... - 5.Jan.2006 6:25:17 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Carorieta,

Yes. The TO tab of the Web Publishing Rules needs to match the name of the Web site certificate bound to the FE Exchange Server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to carorieta)
Post #: 9
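The exchange above (posts #7 through #9) comes down to two name-matching requirements: the public name a client connects to must be on the certificate bound to that Web listener, and the name on the TO tab must be on the certificate bound to the FE Exchange Web site. The checker below is an added example, not code from the thread or from ISA Server; it encodes both requirements, including the leftmost-label wildcard comparison, and validates the three-listener plan Tom describes. The certificate identifiers (owa-cert, fe-cert, and so on) and the rule records are constructed sample data.

```python
"""Name-consistency check for Web publishing rules and certificates
(added example; the rules and certificate names are constructed).

Requirement 1: the rule's public name must be covered by the certificate
bound to its Web listener (client-to-firewall SSL channel).
Requirement 2: the rule's TO name must be covered by the certificate bound
to the back-end Web site (firewall-to-FE SSL channel).
"""
from typing import Dict, List


def hostname_matches(name: str, cert_name: str) -> bool:
    """Compare a host name against one name on a certificate.

    Case-insensitive; a wildcard is accepted only as the whole leftmost
    label and matches exactly one label (RFC 6125 style), so
    *.msfirewall.org covers owa.msfirewall.org but not a.b.msfirewall.org
    or msfirewall.org itself.
    """
    name = name.lower().rstrip(".")
    cert_name = cert_name.lower().rstrip(".")
    if not cert_name.startswith("*."):
        return name == cert_name
    suffix = cert_name[1:]  # ".msfirewall.org"
    if not name.endswith(suffix):
        return False
    leftmost = name[: -len(suffix)]
    return bool(leftmost) and "." not in leftmost


def certificate_covers(name: str, cert_names: List[str]) -> bool:
    """True if any name on the certificate (CN or SAN) matches."""
    return any(hostname_matches(name, c) for c in cert_names)


def check_publishing_rules(rules: List[Dict[str, str]],
                           certificates: Dict[str, List[str]]) -> List[str]:
    """Return a list of problems; an empty list means the plan is consistent.

    Each rule record carries: rule, public_name, listener_cert, to_name,
    backend_cert. certificates maps a certificate id to the names it carries.
    """
    problems = []
    for r in rules:
        if not certificate_covers(r["public_name"], certificates[r["listener_cert"]]):
            problems.append(
                f"{r['rule']}: listener certificate {r['listener_cert']} "
                f"does not cover public name {r['public_name']}"
            )
        if not certificate_covers(r["to_name"], certificates[r["backend_cert"]]):
            problems.append(
                f"{r['rule']}: back-end certificate {r['backend_cert']} "
                f"does not cover TO name {r['to_name']}"
            )
    return problems


# Constructed sample data modelled on the plan in post #7: three listener
# certificates, one back-end certificate shared by every rule's TO name.
CERTIFICATES: Dict[str, List[str]] = {
    "owa-cert": ["owa.msfirewall.org"],
    "rpc-cert": ["rpc.msfirewall.org"],
    "oma-cert": ["oma.msfirewall.org"],
    "fe-cert": ["feexchange.msfirewall.org"],
}

PLANNED_RULES: List[Dict[str, str]] = [
    {"rule": "OWA", "public_name": "owa.msfirewall.org", "listener_cert": "owa-cert",
     "to_name": "feexchange.msfirewall.org", "backend_cert": "fe-cert"},
    {"rule": "RPC/HTTP", "public_name": "rpc.msfirewall.org", "listener_cert": "rpc-cert",
     "to_name": "feexchange.msfirewall.org", "backend_cert": "fe-cert"},
    {"rule": "OMA/ActiveSync", "public_name": "oma.msfirewall.org", "listener_cert": "oma-cert",
     "to_name": "feexchange.msfirewall.org", "backend_cert": "fe-cert"},
]


def misconfigured_plan() -> List[str]:
    """Constructed mistake: the RPC/HTTP listener reuses the OWA certificate,
    and one rule's TO name does not match the back-end certificate."""
    bad = [dict(r) for r in PLANNED_RULES]
    bad[1]["listener_cert"] = "owa-cert"
    bad[2]["to_name"] = "fe.msfirewall.org"
    return check_publishing_rules(bad, CERTIFICATES)


if __name__ == "__main__":
    print("planned:", check_publishing_rules(PLANNED_RULES, CERTIFICATES) or "consistent")
    for problem in misconfigured_plan():
        print("problem:", problem)
```

The planned set passes because each public name has its own certificate while every TO name resolves against the single fe-cert, which is the design point of post #7. The deliberately broken copy reports both failure modes, so the same check run before deployment catches the certificate-name mismatch that would otherwise surface only as an SSL failure on one of the two channels.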
RE: Discussion about article Creating Multiple Security... - 17.Mar.2006 11:54:51 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Tom,

Just noticed you missed HTTP from the list of protocols needed between the FE and BE.

It may also be worth adding that if you intend to use RPC-over-HTTP, you will also need to create and allow the following protocols between the FE and the BE:

TCP 6001 (Exchange Information Store)
TCP 6002 (DS Referral)
TCP 6004 (DS Proxy)

Cheers

JJ

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to tshinder)
Post #: 10
