
Help with ISA/TMG Array Domain Membership....

Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 11:23:15 AM   
mascalia

 

Posts: 44
Joined: 13.Feb.2008
Status: offline
Hope some smart folks here can help me figure out how to answer a "boss" question about ISA/TMG array domain membership.

We have a project to build an internally-segmented environment using ISA or TMG.  The idea is that we would build a COMPLETELY NEW environment, with its own AD forest, and that the new ISA/TMG array would be installed IN that forest (as would servers behind ISA/TMG in the various protected segments).  We would then use one-way forest trusts to grant access to servers/published apps within that environment.

Here's the problem - another issue in our current production environment has pushed up the deployment of the new segmented environment, and I now have to deploy a basic version of the new infrastructure that can be built out at a later date into the full-blown environment.

Here's the question:  I'm getting pushback from my manager about why we have to deploy the new AD forest NOW. 

He wants to know why we can't just build the ISA array using the existing AD forest, and then change it to the new forest later.  Or, deploy it now as a standalone array, and add it to the new forest later.

I know that both of those are BAD ideas, when it comes to ISA/TMG, and I can provide a litany of techno-babble that would not help my cause one bit. 

Can anyone give me some good, plain-English "manager-level" reasons why we should push forward with the new AD forest now?  Or, why either alternative is a BAD idea (in the same, plain-English managerspeak way)?

Thanks,
Mike

< Message edited by mascalia -- 19.Jan.2010 11:24:46 AM >
Post #: 1
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 12:04:08 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Ok, so the new design is going to provide a "bubble" which will contain ISA/TMG plus application servers, all members of a new forest? Kinda like a perimeter network for an extranet with an AD perimeter forest?

But, for now, you want to create the "bubble", but join all servers (inc ISA/TMG) to the existing forest?

I got that right??

_____________________________

Jason Jones | Forefront MVP | Silversands Ltd
My Blogs: http://blog.msedge.org.uk/ and http://blog.msfirewall.org.uk/

(in reply to mascalia)
Post #: 2
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 1:20:09 PM   
mascalia

 

Posts: 44
Joined: 13.Feb.2008
Status: offline
That's kinda correct.  I want to create a bubble, pass intradomain communications to app servers, but create a new AD forest that contains the new ISA enterprise.

We will be creating an internally segmented environment with ISA as the gateway into that environment.  That lets us isolate physical access to the servers (as well as segmenting groups of them from each other, too). 

The idea was to create a completely isolated internal environment, and use one-way forest trusts with other internal domains for access control (via ISA firewall rules). 

Only, there's some pushback on the need to create the new AD forest right now.  We had to push up the deployment of a limited version of this environment to support one specific set of app servers that will NOT initially be part of the new AD forest.  For now, we'll simply allow intra-domain communications from the DC's on the internal network to that segment.  The app servers will get migrated to the new AD forest later, when the larger project starts up.

The question is why we have to create a new AD forest right now, when the only servers that will go into that forest will be the new ISA enterprise.  Saying that we would have to reinstall the ISA enterprise to move it to another forest didn't work very well...

Is that a little clearer?

Thanks for pitching in.

Mike

< Message edited by mascalia -- 19.Jan.2010 1:22:05 PM >

(in reply to Jason Jones)
Post #: 3
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 3:33:06 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Creating a Trust (one-way or not) pretty much eliminates the bubble concept.  To let a Trust work you have to allow all the important protocols that the bubble would be trying to prevent,...so it is completely counterproductive (IMO of course).  At this point you could forget the TMGs altogether and just segment these machines from the LAN with a regular LAN Router (no NAT) and use heavy ACLs on the LAN Router.

I saw this post in the public newsgroups as well but held off saying anything.  On the original question,...tell your boss to keep his pants on,...there is no logical reason whatsoever to rush it into place in the "wrong" Domain just to turn around and move into the correct domain later.  It takes 15 minutes to create a new Forest/Domain,...what's the holdup?  Just create the right Forest/Domain now and be done with it.

_____________________________

Phillip Windell

(in reply to mascalia)
Post #: 4
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 3:34:28 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Sorry, I don't speak Manager, only techno-babble!

Managers normally respond to cost, so I would play on the costs of deploying twice...




(in reply to mascalia)
Post #: 5
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 4:12:23 PM   
mascalia

 

Posts: 44
Joined: 13.Feb.2008
Status: offline
Thanks for the reply, Phillip.  FYI this is the blog post that is the culprit of my current design:  http://blog.msfirewall.org.uk/2008/06/using-isa-server-2006-to-protect-active.html

It does work, and it works well (I've tested it several times, in various configurations in a VMware virtual environment).  The only difference is that I have a separate network segment that contains the DC's for the new forest.  App servers are in a separate segment and access the DC's using the excellent articles on allowing intra-domain communications to pass through ISA server (found here on isaserver.org).

I will also try again on the cost/benefit argument of time to reinstall vs. time to reconfigure, since at least one person from another respected source has said it is possible to move an array to a different domain (I'm hoping he replies with links to more info on how to do it, and how difficult it is to do).

Thanks again for your reply.

Mike

(in reply to pwindell)
Post #: 6
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 4:33:06 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Well my point is that why put them in the wrong domain first then move them later to the correct domain,...it makes no logical sense to me.   But more so than that I don't see what is the hold up on creating the right domain that you want it to permanently be in.  In the time it took me to type my last reply you could have created the Forest/Domain and have it ready to put the TMGs into it.

quote:

ORIGINAL: mascalia

I will also try again on the cost/benefit argument of time to reinstall vs. time to reconfigure, since at least one person from another respected source has said it is possible to move an array to a different domain (I'm hoping he replies with links to more info on how to do it, and how difficult it is to do).

Yes, you can see him here...
http://www.isaserver.org/Marc_Grote/
http://www.it-training-grote.de/blog/

He doesn't use that name in the public newsgroups for some reason, but he shows both names in his blog.  I'm not sure why he does that.


(in reply to mascalia)
Post #: 7
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 4:44:26 PM   
mascalia

 

Posts: 44
Joined: 13.Feb.2008
Status: offline
quote:

ORIGINAL: pwindell

Well my point is that why put them in the wrong domain first then move them later to the correct domain,...it makes no logical sense to me.

Nor does it make sense to me, but that's why I asked the question;  a simple "that's not the best way to do it" didn't work the first time.... 

quote:

ORIGINAL: pwindell

But more so than that I don't see what is the hold up on creating the right domain that you want it to permanently be in.  In the time it took me to type my last reply you could have created the Forest/Domain and have it ready to put the TMGs into it.

Politics, most likely, but I don't know for sure.  My group doesn't own the AD infrastructure, and there may be other, unknown reasons why he wants to avoid setting up a new forest right now (if he can).

That said, he's not totally against it;  but he wants more justification than claiming additional work at some later date needed to reconfigure the array...
 
Honestly, I was functioning under the impression that you should NOT move an array or enterprise to another domain; service accounts, authentication, and other configuration issues could make that a nightmare (at least the way I see it).  However, once the question was asked, I have to answer truthfully whether or not it's possible, and what it would take.

Within those limits, I also claim the right to find reasons why we SHOULDN'T do it....


Thanks,
Mike

(in reply to pwindell)
Post #: 8
RE: Help with ISA/TMG Array Domain Membership.... - 19.Jan.2010 8:03:22 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
quote:

ORIGINAL: mascalia

Thanks for the reply, Phillip.  FYI this is the blog post that is the culprit of my current design:  http://blog.msfirewall.org.uk/2008/06/using-isa-server-2006-to-protect-active.html

It does work, and it works well (I've tested it several times, in various configurations in a VMWare virtual environment).  The only difference is that I have a separate network segment that contains the DC's for the new forest.  App servers are in a separate segment and access the DC's using the excellent articles on allowing intra-domain communications to pass through ISA server (found here on isaserver.org).

I will also try again on the cost/benefit argument of time to reinstall vs. time to reconfigure, since at least one person from another respected source has said it is possible to move an array to a different domain (I'm hoping he replies with links to more info on how to do it (and how difficult it is to do).

Thanks again for your reply.

Mike


Probably being defensive here, but the model in my post is a recommended Microsoft standard when you require forest isolation to separate users. I also asked Jim/Tom/Mohit from MS to QA that post at the time, as it was a little controversial.

The key aim of that design is to prevent the impact of account compromise and privilege escalation. Of all the firewalls that can segment and protect a forest trust and Windows comms, ISA does a pretty good job with DNS and RPC filters, especially if you go down to UUID filtering levels.

If the protected servers are also web servers, the model works even better with ISA web publishing brought into play too...you can also create as many segments behind ISA as you have server roles, the concept is the same.

I'm sure it may be possible, but moving EMS servers and array members from one forest to another doesn't sound like something you want to be doing when you have a live environment using array members as their default gateway. I've always installed a parallel setup into the new environment and then migrated policies/objects, but maybe I missed a trick.

Cheers

JJ




(in reply to mascalia)
Post #: 9
RE: Help with ISA/TMG Array Domain Membership.... - 20.Jan.2010 9:27:17 AM   
mascalia

 

Posts: 44
Joined: 13.Feb.2008
Status: offline
quote:

ORIGINAL: Jason Jones

Probably being defensive here, but the model in my post is a recommended Microsoft standard when you require forest isolation to separate users. I also asked Jim/Tom/Mohit from MS to QA that post at the time, as it was a little controversial.

Would you have any links to Technet, MSDN, or other web resources that I can show my boss that using one-way forest trusts is a recommended Microsoft standard for forest isolation?  That would help me a lot....

Controversial or not, your model works very well for our needs.  It allows us to deploy a complete customer-facing environment using an AD structure that does NOT have a reverse trust relationship back into our internal network.  It also provides a way to host external customer accounts in Active Directory instead of LDAP, and safely mix those accounts with internal accounts for access control to published resources within the "bubble".

The only change I made was breaking the DC's into their own segment for additional protection and access control.  Furthermore, I thought about one additional change:  instead of allowing the extranet DC's within the ISA "bubble" to communicate with intranet DC's outside the bubble, I would place a read-only intranet DC within the bubble (i.e. in the DC segment). 

That way, there's even less  (or no?) cross-forest traffic going through the bubble perimeter.  Only intra-domain traffic passes through the bubble, between the intranet RODC in the DC segment and the intranet DC's on the internal network.

I believe this change will increase the overall security of the model for the following reasons:
  • All DC's are in a separate segment, with strict access control into/out of that segment.
  • The extranet DC's only have access to a Read Only intranet DC (less exposure to malicious changes).   
  • No AD/domain traffic exits the bubble (the RODC will pull sync info from the internal DC's into the DC segment, though). 
  • I could get really picky and also use IPSec and other means to further protect the RODC as well.

What do you think of these modifications to your original design?

The complexity of this model is also why I want to start off with the right AD model from the beginning, instead of having to change the domain/forest membership of the enterprise at some later date....

...not to mention pre-positioning us for things like edge authentication, SSO, and other "cool" things that ISA or TMG can do for us in the future .

Thanks for your help, and looking forward to your reply.

Mike

< Message edited by mascalia -- 20.Jan.2010 9:33:51 AM >

(in reply to Jason Jones)
Post #: 10
RE: Help with ISA/TMG Array Domain Membership.... - 20.Jan.2010 7:37:09 PM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Hi Mike,

This shows the AD model for the back-to-back perimeter model:

http://technet.microsoft.com/en-us/library/cc263513.aspx

Directory Services planning guide from here too: http://www.microsoft.com/downloads/details.aspx?FamilyId=D44E34EC-B4E2-49A1-9F40-9ED4BA3765DF&displaylang=en

Yep, I have used a model with several DMZs; one for dedicated AD, one for app/SQL servers and one for web servers. More isolation = better least privilege.

Not sure about using an RODC, it is not the panacea it was meant to be from what I hear...I'm also pretty sure that DCs in one forest will provide a referral to a DC in the other forest, rather than proxy the request; hence you need to provide comms for this behaviour.

I have quite a few customers using the bubble concept with ISA; some with trusted forests, some without.

The other option to consider is IAG/UAG as these feature a datacentre protection model (using IWA) that you might be able to use:

http://blogs.technet.com/edgeaccessblog/archive/2008/12/23/intelligent-application-gateway-iag-2007-goes-into-data-center-with-service-pack-2-sp2-part-1.aspx

http://blogs.technet.com/edgeaccessblog/archive/2009/01/08/intelligent-application-gateway-iag-2007-goes-into-data-center-with-service-pack-2-sp2-part-2.aspx

http://technet.microsoft.com/en-us/library/dd857241.aspx

Cheers

JJ

< Message edited by Jason Jones -- 21.Jan.2010 4:01:36 AM >



(in reply to mascalia)
Post #: 11
RE: Help with ISA/TMG Array Domain Membership.... - 21.Jan.2010 10:20:05 AM   
mascalia

 

Posts: 44
Joined: 13.Feb.2008
Status: offline
Thanks for all the good info, Jason.  One more question?

Assume that the new AD forest will be used for extranet servers and user accounts, and that all DC's for the new forest will be isolated in a separate ISA-controlled segment within the "bubble".....

Do you think it's too "risky" to put an intranet DC in the extranet DC segment (i.e. in the bubble) - read-only or not?

I was thinking that the risk is small, because a compromiser would have to:
  1. Penetrate the various firewalls and ISA servers to get to a vulnerable app server
  2. Compromise the app server
  3. Penetrate the extranet ISA server to get to a vulnerable extranet DC
  4. Compromise the extranet DC
  5. Use the compromised extranet DC to then compromise the intranet DC in the same segment (assuming you can compromise a read-only DC?)

And this also assumes that the intrusion detection layers are neutralized to prevent the Predator drones with Hellfire missiles from being launched back at the attacker before he can get to the intranet DC....

I don't see a significant increase in risk, but I'm no expert, either. 

Thoughts, anyone?

TIA,
Mike

(in reply to Jason Jones)
Post #: 12
RE: Help with ISA/TMG Array Domain Membership.... - 21.Jan.2010 10:56:11 AM   
Jason Jones

 

Posts: 4663
Joined: 30.Jul.2002
From: United Kingdom
Status: offline
Don't think I would do this; nothing concrete, just a gut feel...


(in reply to mascalia)
Post #: 13