ISA2000 + hardware firewall + remote site vpn's
ISA2000 + hardware firewall + remote site vpn's - 11.Jun.2004 6:54:00 PM
tjcarst
Posts: 171
Joined: 6.May2004
From: Lincoln, NE
Status: offline
I'm sure this scenario has been posted here before, but for the life of me, I can't find one to reference. I am nearly ready to give up.
Remote sites connect to the trusted LAN via VPN. They have the following IP ranges:
192.168.100.0/24
192.168.110.0/24
192.168.120.0/24
The local LAN has the following ip range:
172.16.0.0/16
I have a hardware firewall with a trusted side of 172.16.0.1/16. By adding a route statement to each server that the remote clients must access, I can successfully provide network services to my clients. No problem. Add the ISA2000 machine to the mix and everything stops.
Route statements on servers on trusted LAN:
route add -p 192.168.100.0 mask 255.255.255.0 172.16.0.1
route add -p 192.168.110.0 mask 255.255.255.0 172.16.0.1
route add -p 192.168.120.0 mask 255.255.255.0 172.16.0.1
ISA2000 trusted NIC to local LAN: 172.16.0.1/16 (takes over from Watchguard)
ISA2000 external NIC to Watchguard trusted: 10.1.0.2/16
Trusted port of Watchguard: 10.1.0.1/16
Remote sites added to LAT of ISA2000:
192.168.100.0 - 192.168.100.255
192.168.110.0 - 192.168.110.255
192.168.120.0 - 192.168.120.255
Static route statement added to Watchguard: 192.168.100.0/24 - 10.1.0.1 (trusted Watchguard port)
When I ping a remote site ip, I can see the ping going out the Watchguard so I know it is making it through ISA. I just don't get a reply.
Thanks for taking the time to look through this lengthy scenario. I hope someone sees what I have wrong and can provide some much needed assistance.
tjcarst [ June 11, 2004, 06:57 PM: Message edited by: tjcarst ]
RE: ISA2000 + hardware firewall + remote site vpn's - 12.Jun.2004 11:29:00 AM
spouseele
Posts: 12782
Joined: 1.Jun.2001
From: Belgium
Status: offline
Hi tjcarst,
if I understand your configuration correctly, you have placed ISA between the internal LAN and the Watchguard, the latter being the VPN endpoint for the remote sites. Correct?
If that's the case, the remote sites will still be considered untrusted by ISA server because the VPN endpoint is not the ISA server itself. To solve that problem, you have basically two options:
- wait for the release of ISA 2004 and make ISA 2004 your VPN endpoint. ISA 2004 supports IPSec tunnel mode for third-party VPN devices, a feature ISA 2000 is lacking.
- use the Watchguard only as VPN server and place it in parallel with the ISA server. In this configuration, the trusted interface of the ISA and the Watchguard should be connected to the internal LAN.
HTH, Stefaan
RE: ISA2000 + hardware firewall + remote site vpn's - 13.Jun.2004 6:50:00 AM
tjcarst
Yes, Stefaan. The Watchguard is where ISA terminates.
Option #1 is out - this needs to be in next week.
Option #2. Please clarify.
"use the Watchguard only as VPN server and place it in parallel with the ISA server. In this configuration, the trusted interface of the ISA and the Watchguard should be connected to the internal LAN."
You instruct that the Watchguard and ISA are both on the trusted, parallel to each other, say 172.16.0.1 and 172.16.0.2. Not have ISA be the only means out of the network but rather have the VPN connection made and then the traffic passed to ISA? So ISA would have two NICs on the trusted? Or only one NIC with both ISA and Watchguard on trusted?
Thanks for your assistance.
tjcarst
RE: ISA2000 + hardware firewall + remote site vpn's - 13.Jun.2004 12:07:00 PM
spouseele
Hi tjcarst,
assuming the Watchguard has only two legs (internal and external), I have the following design in mind:
code:
      +-- [VPN] --+
LAN --+           +-- Internet
      +-- [ISA] --+
So, the Watchguard should only handle the VPN traffic. All other traffic should go through the ISA server.
If the Watchguard has 3 legs and you can terminate the VPN connections on the third leg only, you can change the design to:
code:
LAN --+-- [ISA]--- [Watchguard] --- Internet
      !                 !
      !            VPN endpoint
      +-----------------+
HTH, Stefaan
RE: ISA2000 + hardware firewall + remote site vpn's - 13.Jun.2004 6:12:00 PM
tjcarst
The Watchguard does have three legs. I have been using only two. 172.16.0.1 trusted and public ip. I can use 10.1.0.x as the third if needed for ISA. Allowing outgoing only on 10.1.0.x and incoming on public ip. But I want ISA to inspect this traffic before passing to trusted on 172.16.0.x. We wanted to use the third leg for future DMZ with SMTP relay, mail screening, public web servers, etc.
We want the Watchguard to terminate the VPN tunnels. ALL outgoing network traffic is supposed to be 'controlled' by ISA and if it passes all requirements, ISA allows it out external port to the trusted Watchguard, including VPN traffic, for external destinations. All internal traffic should be allowed access to LAN resources, including the VPN traffic.
The Watchguard is to control incoming traffic and allow it to go to ISA external port for inspection. Then ISA pass to trusted port. This is the step that I can't get to work.
- Currently, I have a Proxy 2.0 server that handles ALL outgoing traffic using another connection to the internet with another ISP.
- The Watchguard is another connection to the internet with a different ISP.
- The remote sites establish a VPN connection with the Watchguard and get assigned 192.168.x.x/24 address ranges and they are able to access any server resource IF I have a route statement on the server pointing them at the Watchguard trusted as the gateway. VPN site internet access is allowed by the Proxy Server 2.0 machine on this separate internet connection.
What I am trying to do is replace the single software firewall, Proxy Server 2.0, with the ISA Server software firewall + Watchguard Hardware firewall which is connected to the internet.
Using the below suggested solution is what I believed I was doing (unsuccessfully). Allow traffic to come into the Watchguard public IP and pass to ISA external, with outgoing traffic following the reverse of the same path. Watchguard to allow all outgoing traffic if passed by ISA. How do I pass the VPN traffic through ISA to trusted? Can this be accomplished with only one connection to the internet for Watchguard?
code:
  172.16.x.x/16    10.1.x.x/16     public ip
       |               |               |
LAN --+-- [ISA]--- [Watchguard] --- Internet
      |                 |
      +-----------------+   How do I create this?
      |                     pass from WG to LAN
      |                     thru ISA
      |                 VPN endpoint
This is what I want to do with only one connection to the internet.
Outgoing path LAN to ISA to Watchguard to internet
172.016.xxx.xxx/16 LAN
172.016.000.001/16 ISA trusted
010.001.000.002/16 ISA external
010.001.000.001/16 Watchguard trusted, allowing ISA external traffic out
xxx.xxx.xxx.xxx Watchguard external public IP, terminate VPN tunnel, allow traffic on specific ports to ISA
VPN traffic to terminate at Watchguard and are assigned 192.168.100.x 192.168.110.x 192.168.120 ranges. *ISA needs to know to allow this traffic through the external port to trusted.* All servers have route statements pointing these ranges back through the ISA 172.16.0.1 internal gateway. *I just can't figure out how to get them from the Watchguard trusted side through the ISA external.*
Either I am confusing the matter and missing your point, or it isn't possible without your suggestion of moving ISA to its own port on the Watchguard. If this is done, will ISA require an address that is on the trusted LAN ip range for each nic?
tjcarst [ June 13, 2004, 07:23 PM: Message edited by: tjcarst ]
RE: ISA2000 + hardware firewall + remote site vpn's - 13.Jun.2004 10:55:00 PM
spouseele
Hi tjcarst,
I have the feeling you don't fully understand my point. So, let me elaborate a little bit more on it.
When you create a back-to-back scenario with the WG as outer and the ISA as inner firewall, you can use the segment between the ISA external interface and the WG internal interface as DMZ segment. So, no problem with that.
However, if the VPN tunnels are terminated on the WG in this back-to-back scenario, ISA is not aware of that and will also consider that traffic as untrusted. In other words, the VPN users will have only access to the internal services published on the ISA external interface. That's far from having full access to the internal LAN which is the reason to use a VPN tunnel in the first place.
Therefore, if the VPN users should have full access to the internal LAN, then you should terminate the VPN tunnels on the ISA itself (not possible in your case because the remote sites aren't using ISA server), or make sure that the interface on which the WG terminates the VPN tunnels is directly connected to the internal LAN.
So, the question is: should the VPN users have full access to the internal LAN - therefore being considered as trusted - or only have access to the published services on the ISA external interface?
HTH, Stefaan [ June 13, 2004, 10:56 PM: Message edited by: spouseele ]
RE: ISA2000 + hardware firewall + remote site vpn's - 13.Jun.2004 11:31:00 PM
tjcarst
Thanks, Stefaan:
The users should be seen as trusted and have full access to resources on the trusted LAN.
"make sure that the interface on which the WG terminates the VPN tunnels is directly connected to the internal LAN"
Let me see if I get this correctly: Watchguard to terminate the VPN connections on the trusted LAN 172.16.0.x/16
ISA (2 connections) and Watchguard (1 connection) on local LAN:
172.16.0.1 WG trusted - only accept outgoing from 172.16.0.2; VPN connections terminated here
172.16.0.2 ISA external - allow all outgoing
172.16.0.3 ISA trusted - users pass to external internet access based upon group membership
Route statements on LAN servers for remote clients to remain: route add -p 192.168.x.0 mask 255.255.255.0 172.16.0.1
ISA is aware of WG trusted port and will inspect each request and grant or deny access based up on group membership.
Firewall clients will point at 172.16.0.3 for internet access.
tjcarst [ June 13, 2004, 11:39 PM: Message edited by: tjcarst ]
RE: ISA2000 + hardware firewall + remote site vpn's - 14.Jun.2004 9:48:00 PM
spouseele
Hi tjcarst,
OK! So, the internal interface of the WG must be on the internal LAN. That's for sure.
Now, whenever ISA server is installed in integrated mode, ISA server must have two interfaces that must be on different Network IDs (or subnets if you like). Therefore, you must make another design decision. As already mentioned, you now have two options.
1) parallel:
code:
      +-- [VPN] --+
LAN --+           +-- Internet
      +-- [ISA] --+
Internal LAN
In this case both internal interfaces are connected to the internal LAN and both external interfaces are connected to the external world. That means that both the external interfaces should have public IP's.
2) back-to-back:
code:
                    DMZ
                    vvv
LAN --+-- [ISA] --- [Watchguard] --- Internet
      !                 !
      !            VPN endpoint
      +------------------+
Internal LAN
In this case both internal interfaces are connected to the internal LAN. However, the ISA external LAN is connected to the WG DMZ interface (third leg) and only the WG external interface is connected to the external world and must have public IP's. Of course the DMZ must use a different Network ID than the internal LAN.
Which option will you implement?
HTH, Stefaan
RE: ISA2000 + hardware firewall + remote site vpn's - 14.Jun.2004 10:11:00 PM
tjcarst
Thanks, Stefaan:
"1) parallel: In this case both internal interfaces are connected to the internal LAN and both external interfaces are connected to the external world. That means that both the external interfaces should have public IP's."
** I do have 5 public IPs that I can assign to the Watchguard's various ports. I can use one for the Optional port and put ISA here, instructing the Watchguard to pass all traffic to this port for inspection.
"2) back-to-back In this case both internal interfaces are connected to the internal LAN. However, the ISA external LAN is connected to the WG DMZ interface (third leg) and only the WG external interface is connected to the external world and must have public IP's. Of course the DMZ must use a different Network ID than the internal LAN."
**Although this appears the better choice, we plan to use the optional port of Watchguard for a DMZ hosting web servers. This is preferred over the ISA DMZ scenario.
This is the scenario I had set up initially, using the 10.1.0.0/16 range for the ISA server, placing it on the optional port of the Watchguard. I could not get the VPN clients to connect using this.
tjcarst
RE: ISA2000 + hardware firewall + remote site vpn's - 14.Jun.2004 10:41:00 PM
tjcarst
I have just set up option #2 with Watchguard external only connection to internet.
Watchguard external - public IP
Watchguard trusted - 172.16.0.1/16
Watchguard optional - 10.1.0.1/16
ISA trusted - 172.16.0.2/16
ISA external - 10.1.0.2/16
VPN client IP ranges:
192.168.100.0/24
192.168.110.0/24
192.168.120.0/24
I want the VPN clients to be required to use the ISA server for all outgoing requests. I will create a rule on the Watchguard that says outgoing requests from 10.1.0.2 are allowed, no others.
All servers other than ISA:
route add -p 192.168.100.0 mask 255.255.255.0 172.16.0.2
route add -p 192.168.110.0 mask 255.255.255.0 172.16.0.2
route add -p 192.168.120.0 mask 255.255.255.0 172.16.0.2
ISA server: same as above except gateway as 172.16.0.1
LAT entry on ISA:
172.16.0.0-172.16.0.255
192.168.100.0-192.168.100.255
192.168.110.0-192.168.110.255
192.168.120.0-192.168.120.255
I'll do some testing and see what happens.
tjcarst [ June 14, 2004, 11:55 PM: Message edited by: tjcarst ]
RE: ISA2000 + hardware firewall + remote site vpn's - 15.Jun.2004 5:42:00 PM
tjcarst
The testing has worked thus far. Can you confirm that the LAT is correct for the VPN clients?
Thanks.
RE: ISA2000 + hardware firewall + remote site vpn's - 15.Jun.2004 10:25:00 PM
tjcarst
Stefaan:
Thank you so much for your assistance. It is truly appreciated.
tjcarst
RE: ISA2000 + hardware firewall + remote site vpn's - 15.Jun.2004 10:32:00 PM
tjcarst
Let me summarize to confirm I grasp this setup accurately:
Remote clients come in through Watchguard trusted 172.16.0.1
They access servers on the local 172.16.x.x LAN. These servers have route statements that indicate the return path is through ISA's trusted port 172.16.0.2.
Do I need any rules that tell ISA how to handle the return traffic? Or is simply putting a route statement on ISA pointing the remote VPN addresses at the Watchguard trusted (172.16.0.1) going to be sufficient, while the other servers point to ISA trusted 172.16.0.2?
tjcarst
RE: ISA2000 + hardware firewall + remote site vpn's - 15.Jun.2004 11:44:00 PM
spouseele
Hi tjcarst,
I assume you have a non-routed internal network at the main site. Here are the routing requirements:
1) The default gateway of *all* hosts on the internal network, except the ISA server itself, should be the ISA internal interface.
2) Because the WG internal interface is directly connected to the internal LAN, *all* hosts on the internal LAN that must be able to communicate with the remote users, should have persistent static routes for the remote Network ID's reachable through the VPN tunnel with as gateway the WG internal interface.
3) I suppose that all remote sites must have Internet access through the ISA server at the main site. Right? If that's the case you must make sure that the default gateway of the WG for the traffic coming from the remote sites is also the ISA internal interface.
HTH, Stefaan
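The three routing requirements above can be checked on paper before touching the servers. The following is an added example, not code from the thread or from either poster: it models the agreed back-to-back design with the addresses posted earlier (WG trusted 172.16.0.1, ISA internal 172.16.0.2, ISA external 10.1.0.2 on the WG optional leg 10.1.0.1) as small longest-prefix-match route tables, traces where a packet goes hop by hop, and checks the posted LAT. The separate "wg-tunnel" table stands in for the WG's handling of traffic arriving from the tunnel (requirement 3) and is an assumption of the model, not a Watchguard feature description.

```python
import ipaddress

# Constructed model of the back-to-back design settled on in the thread, addresses as posted:
# WG trusted 172.16.0.1 and ISA internal 172.16.0.2 on the 172.16.0.0/16 LAN, ISA external
# 10.1.0.2 on the WG optional leg 10.1.0.1, remote VPN sites 192.168.100/110/120.0/24.
# A route table is a list of (prefix, next_hop); None = directly connected, "vpn-tunnel"/"internet" = terminal links.
REMOTE = ["192.168.100.0/24", "192.168.110.0/24", "192.168.120.0/24"]
LAN, DMZ = "172.16.0.0/16", "10.1.0.0/16"
ISA_INT, WG_INT, WG_DMZ = "172.16.0.2", "172.16.0.1", "10.1.0.1"

def lan_server_table(vpn_routes=True):
    """LAN server: default gateway = ISA internal, plus (if vpn_routes) the persistent
    'route add -p <remote> mask 255.255.255.0 172.16.0.1' entries from the thread."""
    table = [(LAN, None), ("0.0.0.0/0", ISA_INT)]
    return table + ([(r, WG_INT) for r in REMOTE] if vpn_routes else [])

HOSTS = {
    "server": lan_server_table(True),
    # ISA: remote sites via the WG trusted port, everything else out its external leg
    "isa": [(LAN, None), (DMZ, None), ("0.0.0.0/0", WG_DMZ)] + [(r, WG_INT) for r in REMOTE],
    # WG forwarding for traffic arriving on its optional leg
    "wg": [(LAN, None), (DMZ, None), ("0.0.0.0/0", "internet")] + [(r, "vpn-tunnel") for r in REMOTE],
    # WG forwarding for traffic arriving from the tunnel: default = ISA internal (requirement 3); assumed model
    "wg-tunnel": [(LAN, None), ("0.0.0.0/0", ISA_INT)],
}
ADDR_TO_HOST = {ISA_INT: "isa", WG_INT: "wg", WG_DMZ: "wg"}

def lookup(table, dst):
    """Longest-prefix match: next hop for dst (None = directly connected)."""
    dst, best = ipaddress.ip_address(dst), None
    for prefix, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    if best is None:
        raise LookupError(f"no route to {dst}")
    return best[1]

def trace(src, dst, hosts=HOSTS, max_hops=8):
    """Hops visited from host src toward dst, ending at the directly-connected
    host or at the terminal link the packet leaves on."""
    path, cur = [src], src
    for _ in range(max_hops):
        next_hop = lookup(hosts[cur], dst)
        if next_hop is None:
            return path
        if next_hop not in ADDR_TO_HOST:
            return path + [next_hop]
        cur = ADDR_TO_HOST[next_hop]
        path.append(cur)
    raise RuntimeError(f"routing loop toward {dst}")

# LAT ranges exactly as posted earlier in the thread
LAT = [("172.16.0.0", "172.16.0.255"), ("192.168.100.0", "192.168.100.255"),
       ("192.168.110.0", "192.168.110.255"), ("192.168.120.0", "192.168.120.255")]

def in_lat(ip):
    """True if ip falls inside a LAT range, i.e. ISA treats it as internal."""
    a = ipaddress.ip_address(ip)
    return any(ipaddress.ip_address(lo) <= a <= ipaddress.ip_address(hi) for lo, hi in LAT)
```

`trace("server", "192.168.100.10")` returns the reply path straight to the WG, while the same call with `dict(HOSTS, server=lan_server_table(False))` shows the detour through ISA when a server lacks the static route (requirement 2). Note that `in_lat("172.16.5.10")` is False with the LAT ranges as posted: 172.16.0.0-172.16.0.255 covers only 172.16.0.0/24 of the 172.16.0.0/16 LAN.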
RE: ISA2000 + hardware firewall + remote site vpn's - 16.Jun.2004 3:47:00 AM
tjcarst
I currently have Proxy 2.0 installed. We specify no gateway on the clients. If Real Player or some special app is needed other than browsing, WSP Client is installed.
I do not plan on setting a gateway for any of our clients when I replace Proxy Server 2.0 with ISA 2000. I will re-direct the clients to use the ISA server for these apps that are not relying upon HTTP. I plan on installing the firewall client for them. Anonymous access is not allowed. Internet access is controlled by AD group membership.
I'll use a route statement on the servers that host apps the remote VPN clients must access, pointing to the WG trusted port as the gateway to the remote sites. For any apps that need access to ports other than 80, I will install the firewall client. For internet browsing, this is done in Internet Explorer, Tools, Connections, LAN Settings: check "use a proxy server" and put ISA port 8080.
Do you see any problems with this setup?
Thank you for your continuing patient assistance.
tjcarst [ June 17, 2004, 12:01 AM: Message edited by: tjcarst ]
RE: ISA2000 + hardware firewall + remote site vpn's - 16.Jun.2004 11:59:00 PM
tjcarst
quote: "In any case, servers should not have global access to the Internet. Only some infrastructure servers such as DNS and SMTP servers should have outbound access and for those authentication by IP address (client address) is a perfect fit."
Thanks for this clarification. The servers do not have global access and I have been configuring protocol rules and destination sets based upon need for the servers. Most servers do not require access to anything other than the LAN, with the exception of email and a few other services. The servers have static IPs, so setting them up as SecureNAT clients should not be a problem. But if I set a default gateway in a client I must supply a static IP address, which would be a nightmare. I don't want to provide the gateway via DHCP either, or all DHCP clients would have this setting. We are talking about re-designing the network subnet and dividing into multiple subnets, so routing and gateways will be a required setting soon.
quote: So, it should be no problem that workstations are not configured as SecureNAT clients. However, I would not set the default gateway on the servers to the WG internal interface, but that's my personal preference.
I was planning on setting the servers gateway to the ISA trusted interface, not the Watchguard. This should allow ISA to control the traffic. Is this not correct?
Thanks!
RE: ISA2000 + hardware firewall + remote site vpn's - 30.Jun.2004 6:55:00 PM
tjcarst
Stefaan -
Just a follow up. So far, everything has been going well. I find apps that don't work initially with ISA, but I am able to get the necessary rules and definitions created to get them up and running.
Thanks for your continued support. It is truly appreciated.
tjcarst