Discussion about article on configuring ISA firewall in Netscreen DMZ
RE: Discussion about article on configuring ISA firewal... - 17.Jan.2006 8:04:28 PM
jrice
Posts: 13
Joined: 17.Jan.2006
Status: offline
Tom, great article! I have been planning to do something very similar myself. I just have one question. You made these comments: "There is an important configuration setting that we must enforce on all of our Web and Server Publishing Rules. For each publishing rule, you need to make sure the ISA firewall replaces the source IP address of the external client with its own address. The reason for this is that the ISA firewall is not the default gateway for the corporate network servers. If we allowed the original external client IP address to remain as it is, the responses from the published servers would be sent to the internal interface of the Netscreen device, and then forwarded from the Netscreen's external interface IP address to the external client. Since the external client made the request to the external IP address of the ISA firewall, and not the external IP address of the Netscreen firewall, the response will be dropped by the external client as an unsolicited inbound connection." Is this really necessary? I know the servers and all the workstations on the internal network need to have the Netscreen device as the default gateway, but the Netscreen can have a default gateway as well. Can you make the ISA server the default gateway of the Netscreen box? You can have static routes for the remote branches but have everything else go through the ISA server. The requirements would imply that only the VPN traffic to the remote sites goes through the external interface of the Netscreen box. Is that a correct assumption? Thanks.
_____________________________
Rice
RE: Discussion about article on configuring ISA firewal... - 17.Jan.2006 10:56:15 PM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rice, you bet! In fact, I thought I would mention that option in the article, but then thought that might confuse things for some people. But you're absolutely right: if you configure a static route to the remote VPN gateway on the Netscreen device, and make the ISA firewall's internal interface the default gateway of the Netscreen, then everything outbound except for that to the remote site network will go through the ISA firewall. Thanks! Tom
_____________________________
Thomas W Shinder, M.D.
RE: Discussion about article on configuring ISA firewal... - 18.Jan.2006 1:48:23 PM
jrice
Posts: 13
Joined: 17.Jan.2006
Status: offline
Thanks Tom. Just to be clear: this would resolve the issue of the external IP address, wouldn't it? Thanks again.
_____________________________
Rice
RE: Discussion about article on configuring ISA firewal... - 18.Jan.2006 3:35:02 PM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Rice, That's correct. If you configure the Netscreen to use the ISA firewall as its default gateway, you won't need to replace the external client IP address with the IP address of the ISA firewall. Thanks! Tom
_____________________________
Thomas W Shinder, M.D.
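The reply-path problem the quoted article paragraph describes, and the two ways out of it that Tom confirms above (replace the client source address on the publishing rule, or make the ISA internal interface the Netscreen's default gateway), as an added example that is not code from the article or from the thread. It is a small Python model of one published connection; all addresses are constructed (RFC 5737 documentation ranges and RFC 1918 space), and the ISA firewall, Netscreen and published server are reduced to the routing and NAT decisions under discussion.

```python
"""Asymmetric routing behind the Netscreen: added example, not code from the
article or the thread. Addresses are constructed (RFC 5737 / RFC 1918); the ISA
firewall, Netscreen and server are reduced to the routing decisions at issue."""
from dataclasses import dataclass

CLIENT = "192.0.2.55"       # external client on the Internet
ISA_EXT = "203.0.113.10"    # ISA firewall external (public) address
ISA_INT = "192.168.200.2"   # ISA internal NIC, on the perimeter subnet
NS_EXT = "198.51.100.1"     # Netscreen untrust interface
ISP_GW = "198.51.100.254"   # upstream router on the Netscreen's untrust side
SERVER = "192.168.100.20"   # published server on the corporate LAN
LOCAL = ("192.168.200.", "192.168.100.")  # subnets the Netscreen delivers directly

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str

def isa_publish(request: Packet, replace_source: bool) -> Packet:
    """Server publishing rule: destination becomes the published server; with
    'replace source' set, the client address is swapped for ISA's own."""
    return Packet(ISA_INT if replace_source else request.src, SERVER)

def netscreen_route(reply: Packet, ns_default_gw: str) -> str:
    """The server's default gateway is the Netscreen: connected subnets are
    delivered locally, everything else follows the Netscreen's default route."""
    if reply.dst.startswith(LOCAL):
        return "perimeter"        # lands on the ISA internal NIC
    return "isa" if ns_default_gw == ISA_INT else "untrust"

def reply_source_seen_by_client(replace_source: bool, ns_default_gw: str) -> str:
    """Source address of the reply as it arrives at the external client."""
    inbound = isa_publish(Packet(CLIENT, ISA_EXT), replace_source)
    reply = Packet(SERVER, inbound.src)   # the server answers whoever it saw
    if netscreen_route(reply, ns_default_gw) == "untrust":
        return NS_EXT                     # Netscreen NATs it to its own address
    return ISA_EXT                        # ISA reverses its publishing NAT

def client_accepts(replace_source: bool, ns_default_gw: str) -> bool:
    """A client only accepts a reply from the address it connected to."""
    return reply_source_seen_by_client(replace_source, ns_default_gw) == ISA_EXT
```

With the source left intact and the Netscreen pointing at its ISP, the reply leaves from the Netscreen's untrust address and the client discards it; either fix brings the reply back through the ISA firewall, whose state table restores its own external address as the source.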
RE: Discussion about article on configuring ISA firewal... - 18.Jan.2006 4:58:03 PM
jrice
Posts: 13
Joined: 17.Jan.2006
Status: offline
Tom, thanks for the follow-up. I do have another question. The design I put together was very similar (I had a generic firewall instead of Netscreen). The one difference was that I had the external NIC of the ISA server connected back into the hardware firewall. Therefore the hardware firewall would have four interfaces: one external interface connecting to the Internet, one interface connecting to perimeter 1 (external interface of ISA), one interface connecting to perimeter 2 (internal interface of ISA) and one interface connecting to the internal network. I guess in the end, I'm not sure exactly why I did that. I guess I was thinking having only one path to the Internet was a best practice. I also thought I would have more control over the traffic as well, since I could control the routing among all the interfaces better. Is this design overly cumbersome or does it have some merit? Thanks for the input.
_____________________________
Rice
RE: Discussion about article on configuring ISA firewal... - 21.Dec.2006 8:47:06 AM
Arcesilaus
Posts: 13
Joined: 21.Dec.2006
Status: offline
Hi! Thank you very much for your article! Following Rice's questions, I am considering a setup where it might make sense. I have a NetScreen 5GT Extended with two DMZ ports, besides the two Trust and one Untrust. Unfortunately, for now, I have only one public IP available. In that case, I will need the NetScreen's Untrust interface for all outbound traffic to keep the current VPN setup. In order to avoid the unihomed 'Hork Mode' I would like to deploy ISA with two cards and benefit from the advanced security features. The NetScreen supports Dual DMZ, so it must be possible to attach the ISA's internal NIC to DMZ1 and the external to DMZ2. This will allow me to route any outbound traffic as Rice suggested. It seems to me that by doing so, I create some sort of perimeter network using the two DMZ zones on the Netscreen and thus avoid the need for a direct connection to the Internet for the ISA server. Am I missing something? C.q. do you think it will work using only one public IP and using the Dual DMZ on the Netscreen? Thank you very much for your support.
< Message edited by Arcesilaus -- 21.Dec.2006 10:07:02 AM >
_____________________________
Homo sum: humani nil a me alienum puto (Terence)
RE: Discussion about article on configuring ISA firewal... - 26.Dec.2006 1:56:58 PM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Arcesilaus, You could do that. The external interface can be connected to one DMZ and the Internal interface can be connected to the other DMZ. Just make sure the definition of the default Internal Network on the ISA Firewall includes the internal DMZ and all internal addresses behind the Netscreen. HTH, Tom
_____________________________
Thomas W Shinder, M.D.
RE: Discussion about article on configuring ISA firewal... - 5.Aug.2008 10:17:56 AM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Arc, is the mail server configured to use the ISA firewall as its default gateway? I think that might solve the problem. I don't see how NAT across the firewall would cause a problem. Thanks! Tom
_____________________________
Thomas W Shinder, M.D.
RE: Discussion about article on configuring ISA firewal... - 10.Aug.2008 10:08:34 AM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
That's correct. If the mail server is a SecureNAT client, then it has to have the default gateway be the ISA firewall, or a router that routes the outbound connections to and from the mail server through the ISA firewall. However, you can change this by configuring the SMTP server publishing rule to change the source IP address to the IP address of the ISA firewall. HTH, Tom
_____________________________
Thomas W Shinder, M.D.
RE: Discussion about article on configuring ISA firewal... - 10.Aug.2008 10:51:42 AM
Arcesilaus
Posts: 13
Joined: 21.Dec.2006
Status: offline
Hi, it seems to me I've missed the point: I've changed the publishing rule by making the incoming packets look as if they originated from the ISA server. However, I still see the incoming traffic is blocked:
- the client IP is still the external host (routed to the ISA external port by the Netscreen firewall, leaving the source IP intact);
- the destination IP is still the external (though not public) IP of the ISA server, and thus the rule is not triggered.
Setting the ISA server's internal NIC as the e-mail server's gateway does not solve the issue. Probably I am still misunderstanding the implications of using a Route networking rule when publishing a non-web server?
_____________________________
Homo sum: humani nil a me alienum puto (Terence)
RE: Discussion about article on configuring ISA firewal... - 11.Aug.2008 9:15:07 AM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
When using Route, you should target the packet for the actual IP address of the destination. However, the "port stealing" feature of ISA should allow you to use the external address of the ISA firewall -- it's just that you shouldn't need to depend on port stealing and that you should use the actual IP address of the destination server. HTH, Tom
_____________________________
Thomas W Shinder, M.D.
RE: Discussion about article on configuring ISA firewal... - 11.Aug.2008 2:33:34 PM
Arcesilaus
Posts: 13
Joined: 21.Dec.2006
Status: offline
Hi Tom, thanks for the info! I've been thinking it over: a 'simple' Route relationship won't work, since the Netscreen firewall also has access to DMZ 2, with subnet 192.168.200.0. A MIP or VIP towards the actual IP of the mail server thus would not be sent to the ISA in DMZ 1, but directly to the mail server in DMZ 2. That leaves me with three options: It seemed to me that a Route relationship was preferred since the reverse proxy would take care of the problem for web publishing rules, but that indeed won't work for non-web servers. Is any of the three solutions above preferred over the others? For now, I will first have to configure the ISA server a bit further so I can set the mail server as a SecureNAT client while keeping the existing setup working (I've been bypassing the ISA server so far for incoming e-mail) and keep the ability to manage it over RDP. It will probably have to wait for a while (priorities are set by others), but I'll keep this thread posted!
_____________________________
Homo sum: humani nil a me alienum puto (Terence)
RE: Discussion about article on configuring ISA firewal... - 12.Aug.2008 9:14:45 AM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
I prefer to change the entire relationship to NAT, as it makes it a more simple configuration and perhaps a bit more secure. You're right that this is not an issue in either case with Web Publishing, since the Web Proxy listener will always intercept the request and you should configure DNS to be the address on the external interface (or the public address on an upstream device that forwards to the external interface). Let us know how it works out for you! Thanks! Tom
_____________________________
Thomas W Shinder, M.D.
RE: Discussion about article on configuring ISA firewal... - 15.Aug.2008 9:00:41 AM
tshinder
Posts: 49222
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Arcesilaus, great! Good to hear you got it working, and thanks for the follow-up! I think you're right about using the second IP address for Citrix :) Thanks! Tom
_____________________________
Thomas W Shinder, M.D.