Planning a VPN/Proxy ISA 2006

All Forums >> [ISA 2006 General] >> Installation and Planning >> Planning a VPN/Proxy ISA 2006
Planning a VPN/Proxy ISA 2006 - 11.Aug.2008 12:20:08 PM   
bunj

 

Hi
 
I was hoping I could attach a Visio diagram to explain how I think I would like to set up ISA 2006 and the external firewalls, and its feasibility. As I can't, I'll try and explain.
 
Scenario: I have two sites on two subnets, e.g. 10.41.1.0 and 10.41.2.0. Each has an ADSL feed. The two sites are connected via a leased line on an MPLS network.
 
Goal: I need to allow web access via proxy at both sites, publish Outlook Web Access from the first as well as other HTTP servers, and allow full client VPN.
 
I would like to use a two-tier firewall topology at each site, and my internet provider has recommended using Cisco ASA 5505 firewall/routers. I'm insisting on using ISA 2006 as the second tier, mainly to handle the publishing rules rather than put OWA and other web servers in a DMZ.

I would like to configure the users to use the local proxy and, if that is not available, to switch over to the other. I do not need to worry about the publishing rules so much.
 
For the inbound VPN connection, have a virtual IP that looks at site A for the VPN connection; if that is unresponsive, switch over to site B.
 
My manager definitely wants a two-tier VPN sign-on as well. For example, the Cisco will authenticate the machine and then ISA the user.

The two Ciscos should be replicated, and the same for the ISA array. Both sites the same, except for the local LAN IP addresses.
 
Now, is this all possible? Am I trying to go about this the wrong way? Is the Cisco the right box to use? Do I need ISA 2006 Enterprise or will Standard do?
 
Are there some particular reading materials/step-by-step guides that I should read? I've looked at the step-by-step for setting up arrays, but that looked as though it was a single network card on two ISAs on the LAN. I thought this would be an interesting one to put to you guys... the experts!




Post #: 1
RE: Planning a VPN/Proxy ISA 2006 - 11.Aug.2008 3:13:56 PM   
pwindell

 

From: Taylorville, IL
quote:

Scenario: I have two sites on two subnets, e.g. 10.41.1.0 and 10.41.2.0. Each has an ADSL feed. The two sites are connected via a leased line on an MPLS network.


If I am not mistaken, that means the two networks are already connected to each other with a private link.  ISA really would have nothing to do at all with any communication between these two network segments.  That may be what you already know, but I'm just making sure.

quote:

I would like to use a two-tier firewall topology at each site, and my internet provider has recommended using Cisco ASA 5505 firewall/routers. I'm insisting on using ISA 2006 as the second tier, mainly to handle the publishing rules rather than put OWA and other web servers in a DMZ.


Of course the ISP would recommend the ASA,...it says "Cisco" on the front and costs a lot more than anything else.  Everybody knows MS could not possibly produce a secure product (I'm being sarcastic).

ISA is a better product and lower TCO than the Cisco ASA in my opinion.

Why have the ASA and DMZ in the first place if you don't want those in the DMZ?  Just forget the ASA and run ISA by itself.

quote:


I would like to configure the users to use the local proxy and, if that is not available, to switch over to the other. I do not need to worry about the publishing rules so much.


Don't know what to tell you there.

quote:

For the inbound VPN connection, have a virtual IP that looks at site A for the VPN connection; if that is unresponsive, switch over to site B.


Not gonna happen.  The user just has to be smart enough to try one dial-up connection,...if it doesn't respond, then try the other one.

quote:

The two Ciscos should be replicated, and the same for the ISA array. Both sites the same, except for the local LAN IP addresses.


Don't know what that means.  How do you "replicate" a pair of NAT boxes when they aren't even on the same network?,...heck,...for that matter, how do you do it when they are on the same network?   As far as I know there is no such concept.  Maybe Dynamic Routing Protocols on the MPLS Routers might be able to do something,...I don't know.

quote:

Now, is this all possible? Am I trying to go about this the wrong way? Is the Cisco the right box to use? Do I need ISA 2006 Enterprise or will Standard do?


About half of it is not possible (as far as I can tell).  I have not yet seen a reason for the ASA to even exist on the LAN based on what you are describing,...if you wanted a Back-to-Back DMZ then fine,...but you said you didn't (I dislike DMZs myself).  Proxy Arrays require the Enterprise Edition. I'm not sure if it is possible to have an Array without the proxies being right next to each other on the same network,...I suspect it is not possible, but I don't mess with the Enterprise Edition stuff myself.

Some of the gory details aside, you will have to deal with routing issues as well.  Generally speaking, the MPLS Routers will become the LAN Routers, assuming each Site is a single subnet.  Each Site will use its own MPLS Router as the Default Gateway for the LAN.  The MPLS Router of each site will then use that particular Site's firewall (ISA?) as its Default Gateway.  Each firewall (ISA?) will use the local MPLS Router as the Gateway to the opposite Site by entering the appropriate Static Route in the OS's Routing Table on the ISA box.  The IP Subnets of each Site will both be listed in the Internal Network Definitions on both ISA Servers.

There are Active Directory and DNS issues to deal with too, but I can't comment on those with no information to judge them on.  I'm pushing my luck already on some of the assumptions I have made up to now.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to bunj)
Post #: 2
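The "use the local proxy, fall back to the other site" requirement from the first post, which the reply above leaves open, is normally solved on the client rather than on ISA: a proxy auto-configuration (PAC) script hands the browser an ordered proxy list, and the browser moves to the next entry when a connection to the first fails. The script below is an added example, not code from the thread, from ISA or from Microsoft. The host names isa-a and isa-b and the domain suffix corp.local are assumptions; 10.41.1.0/24 and 10.41.2.0/24 are the two site subnets from the post; 8080 is ISA's default Web Proxy listener port.

```javascript
// Added example, not from the thread, ISA or Microsoft: a PAC script giving
// each site's clients their local ISA Web Proxy first and the other site's as
// the fallback. Assumed names: isa-a, isa-b, corp.local. 10.41.1.0/24 and
// 10.41.2.0/24 are the site subnets from the post; 8080 is ISA's default
// Web Proxy listener port. ES5 syntax on purpose: old JScript PAC engines
// reject let, const and arrow functions.

var SITES = [
  { net: "10.41.1.0", mask: "255.255.255.0",
    proxies: ["isa-a.corp.local:8080", "isa-b.corp.local:8080"] },
  { net: "10.41.2.0", mask: "255.255.255.0",
    proxies: ["isa-b.corp.local:8080", "isa-a.corp.local:8080"] }
];

// Dotted quad to unsigned 32-bit integer; -1 for anything malformed so a
// garbage myIpAddress() result can never match a site by accident.
function ipToInt(ip) {
  var parts = ip.split(".");
  if (parts.length !== 4) return -1;
  var n = 0;
  for (var i = 0; i < 4; i++) {
    if (!/^\d{1,3}$/.test(parts[i]) || Number(parts[i]) > 255) return -1;
    n = n * 256 + Number(parts[i]);
  }
  return n;
}

// Pure-JS subnet test. The engine's isInNet() would do a DNS lookup on its
// first argument, which is slow and leaks every hostname to the resolver.
function inSubnet(ip, net, mask) {
  var a = ipToInt(ip);
  if (a < 0) return false;
  return ((a & ipToInt(mask)) >>> 0) === ipToInt(net);
}

// Destinations that must bypass the proxy: single-label names, anything in
// the AD domain, and either site's subnet when the URL carries a raw IP.
function isInternal(host) {
  if (host.indexOf(".") === -1) return true;
  if (/\.corp\.local$/i.test(host)) return true;
  for (var i = 0; i < SITES.length; i++) {
    if (inSubnet(host, SITES[i].net, SITES[i].mask)) return true;
  }
  return false;
}

// The decision itself, with the client address passed in so it can be
// exercised outside a browser; FindProxyForURL supplies it from myIpAddress().
function chooseProxy(url, host, clientIp) {
  if (isInternal(host)) return "DIRECT";
  var site = null;
  for (var i = 0; i < SITES.length; i++) {
    if (inSubnet(clientIp, SITES[i].net, SITES[i].mask)) site = SITES[i];
  }
  if (site === null) site = SITES[0];   // unknown subnet (e.g. VPN pool): site A order
  // The browser tries the entries left to right and only moves on when a
  // connection to the current proxy fails, which is the requested failover.
  return "PROXY " + site.proxies.join("; PROXY ");
}

// Entry point called by the browser; myIpAddress() is provided by the PAC engine.
function FindProxyForURL(url, host) {
  return chooseProxy(url, host, myIpAddress());
}
```

Point clients at the script with an explicit PAC URL (IE's "Use automatic configuration script", or the equivalent Group Policy setting) rather than WPAD autodiscovery: WPAD finds the script by resolving wpad.<domain> and by DHCP option 252, so anyone who can answer those lookups on the LAN can send every browser through a proxy of their choosing. ISA can also generate an autoconfiguration script of its own for Web Proxy clients (Internal network properties, Web Browser tab, including a backup route to an alternative ISA server); the hand-written version above is the same mechanism made explicit. Two caveats on the failover: browsers only move to the next proxy on a refused or timed-out connection, not on an HTTP error returned by the proxy, and once a proxy is marked bad they keep using the alternate for some minutes before retrying it, so the switch back to the local proxy is not immediate.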
RE: Planning a VPN/Proxy ISA 2006 - 12.Aug.2008 4:45:28 AM   
bunj

 

Hi, thank you for your response. The MPLS network and routers are on the LAN, and the two different subnets are fully routed. DNS is across them both, and so is AD.
 
The two ADSLs are purely for internet and VPN, NOT site interconnects.
 
If you are saying not to worry about the ASA, what would you put in its place? Would you not bother having a two-tier firewall? Isn't that less secure? Also, the ASA would provide an additional VPN client; wouldn't that make it more secure also?
 
How would you do it in a purely ISA environment? Don't forget that Cisco may be expensive boxes, but ISA is an expensive license.

(in reply to pwindell)
Post #: 3
RE: Planning a VPN/Proxy ISA 2006 - 12.Aug.2008 5:06:35 AM   
bunj

 

quote:

Some of the gory details aside, you will have to deal with routing issues as well.  Generally speaking, the MPLS Routers will become the LAN Routers, assuming each Site is a single subnet.  Each Site will use its own MPLS Router as the Default Gateway for the LAN.  The MPLS Router of each site will then use that particular Site's firewall (ISA?) as its Default Gateway.  Each firewall (ISA?) will use the local MPLS Router as the Gateway to the opposite Site by entering the appropriate Static Route in the OS's Routing Table on the ISA box.  The IP Subnets of each Site will both be listed in the Internal Network Definitions on both ISA Servers.


The MPLS router should be configured only to forward traffic intended for the other subnet and drop everything else. We don't want unnecessary traffic eating bandwidth. I could amend the rule so that, rather than dropping the packets, it forwards them to the local ISA.

Just FYI: bottom-end ASA 5505 with no smarts, £1,200 GBP; ISA 2006 Enterprise including Software Assurance, £5,563.

(in reply to pwindell)
Post #: 4
RE: Planning a VPN/Proxy ISA 2006 - 12.Aug.2008 10:41:21 AM   
pwindell

 

quote:

Hi, thank you for your response. The MPLS network and routers are on the LAN, and the two different subnets are fully routed. DNS is across them both, and so is AD.

The two ADSLs are purely for internet and VPN, NOT site interconnects.


Good. 

quote:

If you are saying not to worry about the ASA, what would you put in its place? Would you not bother having a two-tier firewall? Isn't that less secure? Also, the ASA would provide an additional VPN client; wouldn't that make it more secure also?

If there is nothing between them in the Back-to-Back DMZ that is created when you do that (2 tier),..then there is no point in it.

"Additional VPN Client"?  I don't even know what you are asking there.  ISA has more VPN capabilities than the Cisco box does, and it is unlimited: there is no additional licensing cost no matter how many users there are.  For Cisco you have to buy additional licensing.

quote:

How would you do it in a purely ISA environment? Don't forget that Cisco may be expensive boxes, but ISA is an expensive license.

You said you are going to buy ISA anyway,...so why spend £6,763 when you only have to spend £5,563?  And no one says you have to buy Software Assurance (although I would, since TMG is nearing release).

Cisco also has constant ongoing subscription costs that go on and on forever.

ISA Environment? I would put ISA on the network edge against the Internet and then just "use it" the way it was designed to be used.  The rest of the details I already said at the end of the first post.

If you want to make it more complex and spend more money, then buy the extra Cisco and place it between the ISA and the Internet,..I'm not telling you that you can't,...I'm just saying that I wouldn't waste my money on doing that.

quote:

The MPLS router should be configured only to forward traffic intended for the other subnet and drop everything else. We don't want unnecessary traffic eating bandwidth. I could amend the rule so that, rather than dropping the packets, it forwards them to the local ISA.

You won't have to do any filtering at those devices. Traffic on a multi-subnet LAN does not just "wander around" everywhere,...it only goes where it is supposed to go.  Traffic only crosses routers when the Routing Tables specify that it has to go over the router to get to the destination.  Often when Admins try to filter traffic across LAN Segments they end up causing more problems and breaking more things than they ever end up really protecting anything.  But you can do what you want there.

_____________________________

Phillip Windell
www.wandtv.com

(in reply to bunj)
Post #: 5
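To make the routing sketch at the end of Phillip's first reply, and the filtering question in the last two posts, concrete, here is an added example that is not part of the thread: a small forwarding simulator that follows a packet hop by hop across the devices described (a LAN host, the two MPLS routers, the two ISA servers, the ADSL gateways). The site subnets 10.41.1.0/24 and 10.41.2.0/24 come from the original post; the device names, the ADSL links 198.51.100.0/30 and 198.51.100.4/30 and the Internet destination 203.0.113.0/24 (documentation ranges) are assumptions. It shows why the static route on the ISA box matters: without it, a packet ISA sends to a site B address follows ISA's default route out of the ADSL link instead of back over the MPLS, and the ISA-side spoof check shows why both subnets must be in the Internal network definition.

```javascript
// Added example (not from the thread): hop-by-hop forwarding simulator for
// the two-site layout. 10.41.1.0/24 and 10.41.2.0/24 are the site subnets
// from the original post; device names, the ADSL links and the Internet
// destination 203.0.113.0/24 are assumptions.

function ipToInt(ip) {
  return ip.split(".").reduce(function (n, o) { return n * 256 + Number(o); }, 0);
}

// True when ip falls inside "a.b.c.d/len"; len 0 is the default route.
function inPrefix(ip, prefix) {
  var parts = prefix.split("/");
  var len = Number(parts[1]);
  if (len === 0) return true;
  var mask = (0xffffffff << (32 - len)) >>> 0;
  return ((ipToInt(ip) & mask) >>> 0) === ((ipToInt(parts[0]) & mask) >>> 0);
}

// Each device lists the subnets it is directly attached to and a routing
// table of {prefix, via} entries naming the next-hop device. withStatic
// controls whether each ISA carries the static route to the other site.
function buildTopology(withStatic) {
  function isa(site, other, mpls, adslDev, link) {
    var routes = withStatic ? [{ prefix: other, via: mpls }] : [];
    routes.push({ prefix: "0.0.0.0/0", via: adslDev });        // default: the ADSL link
    return { connected: [site, link], routes: routes };
  }
  return {
    hostA: { connected: ["10.41.1.0/24"],
             routes: [{ prefix: "0.0.0.0/0", via: "mplsA" }] },  // LAN default gateway
    mplsA: { connected: ["10.41.1.0/24"],
             routes: [{ prefix: "10.41.2.0/24", via: "mplsB" },  // learned over the MPLS cloud
                      { prefix: "0.0.0.0/0", via: "isaA" }] },   // everything else: local ISA
    mplsB: { connected: ["10.41.2.0/24"],
             routes: [{ prefix: "10.41.1.0/24", via: "mplsA" },
                      { prefix: "0.0.0.0/0", via: "isaB" }] },
    isaA: isa("10.41.1.0/24", "10.41.2.0/24", "mplsA", "adslA", "198.51.100.0/30"),
    isaB: isa("10.41.2.0/24", "10.41.1.0/24", "mplsB", "adslB", "198.51.100.4/30"),
    adslA: { connected: ["198.51.100.0/30"], routes: [{ prefix: "0.0.0.0/0", via: "internet" }] },
    adslB: { connected: ["198.51.100.4/30"], routes: [{ prefix: "0.0.0.0/0", via: "internet" }] },
    // The ISP has no route back into 10.41.0.0/16, so private destinations die here.
    internet: { connected: ["203.0.113.0/24"], routes: [] }
  };
}

// Next-hop lookup: "local" when dst is on a connected subnet, the next-hop
// device from the longest matching prefix, or null when nothing matches.
function nextHop(device, dst) {
  var i;
  for (i = 0; i < device.connected.length; i++) {
    if (inPrefix(dst, device.connected[i])) return "local";
  }
  var best = null, bestLen = -1;
  for (i = 0; i < device.routes.length; i++) {
    var len = Number(device.routes[i].prefix.split("/")[1]);
    if (len > bestLen && inPrefix(dst, device.routes[i].prefix)) {
      best = device.routes[i].via;
      bestLen = len;
    }
  }
  return best;
}

// Follow a packet from device `start` toward dst: the devices it passed
// through and whether it was delivered, dropped, or caught in a loop.
function trace(topology, start, dst) {
  var path = [start];
  var node = start;
  for (var hops = 0; hops < 16; hops++) {        // no sane path here is that long
    var hop = nextHop(topology[node], dst);
    if (hop === "local") return { path: path, result: "delivered" };
    if (hop === null) return { path: path, result: "dropped" };
    node = hop;
    path.push(node);
  }
  return { path: path, result: "loop" };
}

// ISA's spoof detection: a packet on the internal NIC whose source is outside
// the Internal network definition is logged as spoofed and dropped.
function spoofCheck(internalDefinition, srcIp) {
  for (var i = 0; i < internalDefinition.length; i++) {
    if (inPrefix(srcIp, internalDefinition[i])) return "accepted";
  }
  return "spoofed";
}

// Stand-alone run of the cases discussed in the thread.
function demo() {
  var withRoute = buildTopology(true), withoutRoute = buildTopology(false);
  var cases = [
    ["host A to a site B server", trace(withRoute, "hostA", "10.41.2.20")],
    ["host A to the Internet", trace(withRoute, "hostA", "203.0.113.10")],
    ["host A to a neighbour on its own subnet", trace(withRoute, "hostA", "10.41.1.60")],
    ["ISA A to site B, static route present", trace(withRoute, "isaA", "10.41.2.20")],
    ["ISA A to site B, static route missing", trace(withoutRoute, "isaA", "10.41.2.20")]
  ];
  for (var i = 0; i < cases.length; i++) {
    console.log(cases[i][0] + ": " + cases[i][1].path.join(" > ") + " => " + cases[i][1].result);
  }
  console.log("site B client at ISA A, both subnets Internal: " + spoofCheck(["10.41.1.0/24", "10.41.2.0/24"], "10.41.2.20"));
  console.log("site B client at ISA A, local subnet only: " + spoofCheck(["10.41.1.0/24"], "10.41.2.20"));
}
demo();
```

On the ISA box the static route corresponds to `route -p add 10.41.2.0 mask 255.255.255.0 10.41.1.254` (10.41.1.254 is an assumed LAN address for site A's MPLS router; -p makes the route persistent across reboots), and spoofCheck mirrors ISA's own behaviour: a packet arriving on the internal NIC from an address outside the Internal network definition is logged as spoofed and dropped, which is why both subnets must appear in the definition on both ISA servers, or site B clients could never reach the site A proxy. The trace from hostA to 10.41.1.60 never leaves the host's own segment, which is the point of the last reply: same-subnet traffic does not cross the MPLS router, so a filter there has nothing to save.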
