Hello everyone, I'm hoping for some advice on an ISA solution I'm putting together for a customer.
They have a fault tolerant Exchange infrastructure split across 2 data centers and I need to design a fault tolerant Exchange publishing solution using ISA server. The solution needs to be limited to 2 servers with one in each data centre. There is an existing firewall solution in place and ISA will be placed in to the existing DMZ. The DMZ subnets are extended across the 2 data centers so they are on the same subnet and appear to the servers to be on the same LAN. There is gigabit connectivity between the 2 sites.
I plan to have 2 Uni-homed ISA 2006 Enterprise Servers that will be part of an array. The servers have additional NICs for intra array communications that are on a separate subnet (also extended across the 2 sites). The servers are not members of a domain (I know this is a contentious subject but this is what the customer has requested).
I plan to use ISA NLB to provide load balancing and fault tolerance. The CSS will also be on one of the ISA servers as there is no scope for additional hardware.
I have tried to set this up in a test environment and it all appeared to work ok.
One thing I noticed though is that when I set up NLB it tells me to configure the ISA servers to talk to the CSS using the Intra Array NIC address if the CSS server is on one of the ISA server nodes (which it is). I tried to set up an alias for the CSS by adding another hosts file entry for ServernameCSS with a corresponding certificate, but if I try to change the Configuration Storage Server FQDN under the array properties it gives me the error 'The changes cannot be saved' with details of logon failure, unknown username/password etc. Even if I just install the CSS and create an array with no servers I still cannot change the CSS FQDN to replace it with an alias.
The questions I have are :-
Does this setup sound like an ok solution or would something else be more suitable?
Will the array with NLB be ok across a WAN link? (although they are extended to be part of the same subnet and have Gigabit connectivity)
To keep the CSS on one of the ISA boxes and follow the suggestions from ISA to use the Intra Array NIC how can I change the CSS name in ISA?
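The post above describes adding a hosts file entry so the CSS alias resolves to the Intra Array NIC address rather than the public-facing address. The following is an added example (not from the original post or from ISA itself) of a small check a practitioner could run before touching the array properties: it parses a Windows-style hosts file and confirms that the alias exists and points into the intra-array subnet. The hosts content, host names and subnet are constructed assumptions for illustration.

```python
import ipaddress

# Constructed sample hosts file (assumption for illustration, not from the post).
# 10.0.10.0/24 stands for the DMZ subnet, 10.0.20.0/24 for the intra-array subnet.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2006 Microsoft Corp.
127.0.0.1       localhost
10.0.10.11      isa1.example.local isa1
10.0.10.12      isa2.example.local isa2
10.0.20.11      isa1css          # CSS alias on the intra-array NIC
"""


def parse_hosts(text):
    """Return {hostname (lower-case): ip} from hosts-file text.

    Comments (# ...) and blank lines are ignored; lines whose first field is
    not a valid IP address are skipped; the first mapping for a name wins,
    which matches how the resolver treats duplicate entries.
    """
    mapping = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        for name in fields[1:]:
            mapping.setdefault(name.lower(), ip)
    return mapping


def check_css_alias(hosts_text, alias, intra_array_subnet):
    """Verify the CSS alias resolves to an address inside the intra-array subnet.

    Returns (ok, message) so a caller can both branch on the result and log it.
    """
    net = ipaddress.ip_network(intra_array_subnet, strict=False)
    ip = parse_hosts(hosts_text).get(alias.lower())
    if ip is None:
        return False, f"{alias}: no hosts file entry found"
    if ip not in net:
        return False, f"{alias}: resolves to {ip}, which is outside {net}"
    return True, f"{alias}: resolves to {ip} on the intra-array subnet {net}"


if __name__ == "__main__":
    for name in ("isa1css", "isa1", "isa3css"):
        ok, msg = check_css_alias(SAMPLE_HOSTS, name, "10.0.20.0/24")
        print("OK " if ok else "BAD", msg)
```

On a real node you would read the content of `%SystemRoot%\System32\drivers\etc\hosts` instead of the constructed string; the alias name and intra-array subnet are whatever you chose for the array. The check only confirms name resolution; whether ISA accepts the alias as the CSS FQDN is a separate matter, as the post describes.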
From: United Kingdom
Ok, I will be brave and offer an honest, but hopefully constructive, answer:
"I wouldn't design it that way"
but it sounds like you are under a lot of constraints from the customer.
As a start:
I wouldn't use unihomed ISA Servers
I wouldn't put ISA in a DMZ like that
I wouldn't deploy ISA without domain membership
I wouldn't put the CSS on the ISA Server firewall nodes
Apart from that, the design is fine.
Why, here goes:
Unihomed ISA Servers completely de-value the product and "proper firewalls" have two NICs at a minimum.
Putting a Layer 7 security device in a Layer 3 DMZ of a firewall that is likely to understand a lot less about the application traffic than ISA (and likely pass encrypted data!!!) has always seemed ridiculous to me.
You lose so much when ISA is not a domain member. For example, in your scenario it appears that 'high availability' is VERY important. However, with ISA in workgroup mode, you can only have one CSS. Not exactly ideal. Also, I am not sure what version of Exchange you plan to use, but if it is Exchange 2007 you will probably need to use KCD to do things properly, which relies upon domain membership. Lots and lots more reasons here.
Putting the CSS on your 'most likely to be attacked' host is never a good idea IMHO, let alone the workaround that has to be done when you enable NLB due to the Kerberos setup. It really should go on another host - personally I would rather have the CSS co-located on an existing server (even a DC!) rather than have it on the array members.
I am guessing that you expect these sort of replies, but you did ask if it was an "ok solution".
I never used NLB across a WAN link, but knowing how difficult NLB can be from a networking perspective at times, this needs careful testing I would think, especially in terms of the most appropriate NLB mode (unicast/multicast).
I am not sure if you have any chance of getting the customer to change their views based upon some sound reasoning? It sounds like they need educating as to why some of their decisions are far from ideal and remove some of the constraints the current design is based upon...
Hope that helps!
< Message edited by Jason Jones -- 8.Oct.2008 9:28:15 AM >
JJ thanks for your reply!
I guess I did expect the 'I wouldn't do it like that'.
One of the problems I have is that I have no scope to change the structure of the DMZ. The existing firewalls are managed by another department who are responsible for security and they have to follow their standard practices and use their standard products. Much as I would like to use ISA as a firewall (I have Tom's books and know what a great firewall it is!) I'm not in a position to be able to do this. In this solution unfortunately ISA is only there for Exchange publishing and nothing else.
It is Exchange 2007 and I would have liked to have had ISA in a domain (as I do for many other customers) but I don't have the option to change this. I have previously used LDAP authentication when ISA is in a DMZ though and although it's not ideal it seems to do everything we need to get the various Exchange services published.
A few questions following your reply :-
If ISA has to sit in the DMZ and I cannot use it as a firewall or to route between networks, there is nothing to be gained from multi-homing it?
I am also concerned about issues with NLB across the WAN and I've had many issues with layer 3 switches etc, not to mention the extra stuff involved here, so it's something I'm already very dubious about. I'm tempted to have the load balancing done at network level by a local director or similar, although I should point out that my preference would be for all traffic to be routed to the primary data center and only to the secondary in the event of a data center outage or ISA server outage. If that is the case is there still any point in me having ISA EE in an array when we may as well have ISA standard edition with 2 stand alone servers? This would at least remove the issue of where to put the CSS? Also I thought that if the CSS is down the ISA servers will still function but will not be able to update rules?
And as maybe a more general question - if I don't use NLB and ISA has to remain Uni-homed in a DMZ what would be an acceptable solution? By the way thanks for your blog articles, especially "Publishing Exchange 2007 Services with ISA Server 2006 - Creating the Publishing Rule for Outlook Anywhere with Transparent Windows Authentication" which I found very useful!
From: United Kingdom
Yeah, I understand as I have been put in this position by customers too, it would be nice to walk away from people's ignorance at times, but unfortunately sometimes the customer is always right!
I dislike unihomed ISA Server as much as most on here, but if they give you absolutely no other option, at least a reverse application-proxy is better than relying on the edge firewall alone!
Would agree that LDAP auth is your best option for this scenario. I have used this before and it does at least reduce the DMZ=>LAN traffic if the access control is performed by a layer 3 firewall that likely can't secure/inspect RPC properly. All you should need from ISA=>DCs is LDAPS. You've obviously read my blog entry, so realise you will lose any KCD, which from what I can tell means that you will always have the Outlook Anywhere password prompt (maybe not a big issue for some) and I cannot see how OWA document access will ever work without KCD (again maybe not an issue for some).
I would recommend that you make the customer aware of these limitations (and others) just to cover your arse!
Difficult call to whether to stick with EE or go SE - EE is a better management solution as you can then use a single console. SE would work fine, but really not that elegant though...if you go EE with NLB I just think you need to think about the networking level and ideally test it out.
Yeah, the array members still function without the CSS, but a CSS replica is still a good idea for a HA design and overall disaster recovery. Performance will also be better if you have a local CSS as opposed to going over the WAN link, but at 2GB this is unlikely to be a problem. Not being able to make changes or look at logging can often be quite important, especially if rebuilding the CSS is gonna take a bit of time, as you will be running "blind" if something else goes wrong.
With the constraints you have, yeah, I would think unihomed is acceptable (for the right reasons) as covered well by Tom here:
Glad you like the blog, I should be adding an update to that article soon to include information about the same scenario when using wildcard certs on ISA and also how the solution changes when you have multiple CAS servers (CAS farm) being published with the ISA web publishing load balancing feature...
Hi, I have an issue with ISA 2006. I will quickly describe my network:
Domain controller, CSS server (Configuration Storage Server), ISA1, ISA2.
All servers are joined to the domain.
Step 1: Install the CSS server, configure the array, policy and rules, etc. I checked communication with the other servers, result OK.
Step 2: Install the ISA service on ISA1 and ISA2. Result OK, they can get the policy, can contact the CSS server, and CSS, ISA1 and ISA2 were synchronised together. The inside network can go to the outside through ISA1 and ISA2. However:
After I restart ISA1, ISA2 and the CSS, one of the two ISA servers cannot contact the CSS; only one ISA server, ISA1 OR ISA2, can contact the CSS.
I have tried many times, so I don't know why. Please help me!! Thank you everyone! Duy.Tran