Questions Around Network Configuration
Questions Around Network Configuration - 24.Mar.2008 11:34:11 AM
shannonharvey
Posts: 56
Joined: 8.Feb.2002
From: Massachusetts
Status: offline
Hello All,

I am looking to create/enhance (learn) what I believe to be a fairly complex network infrastructure (maybe not, which is why I'm reaching out to you guys). The physical layer consists of the following:

1. A cable modem (Comcast)
2. Two Linksys wireless routers (WRT350N and WRT300N)
3. A VMware ESX 3.5 host with 3 NICs
4. 2 Gigabit switches (with one integrated into the WRT350N; all physical hosts are attached to one of these switches)

What I have been doing is this (please keep in mind that I am a visual learner), and I hope that some of you might be able to provide some insight on the existing configuration and how to possibly enhance it using some of the articles I've found on this site. Before I begin let me state that this configuration speaks mostly to a Windows 2003/8 infrastructure. With all of that out of the way, let me see if I can explain this in a way that makes sense.

My cable modem is attached to the Linksys WRT350N; from it I am attached to a physical NIC that ISA 2006 Standard Edition is using as an uplink to the world via a virtual NIC. On the ISA server I have two additional NICs, one for internal communication, the other for (private address) DMZ traffic. The network is set up as such: external 172.16.0.0/26, the internal network 10.0.0.0/26, the DMZ segment 192.168.0.0/26.

Excluding any and all communication via ISA, the WRT350N is being used for my wife to communicate to the outside world via her laptop (not sure if any of you have experienced the wrath of a woman not being able to get on the web because you've attached her to a segment that is down due to you engaging in proof of concept testing and such... not pretty). The WRT300N (which is currently hanging off of the WRT350N) I'm using almost as a wireless gateway to the internal production LAN, or if you will an access point.

I know this isn't a forum for ESX but I want to mention (for anyone familiar with it) that communication between virtual hosts (machines) on the ESX server is being done by way of virtual switches: the ISA server is attached to one virtual switch that is bound to a physical NIC that is attached to the WRT350N; another virtual switch has been created for all production LAN traffic, which is attached to the remaining two physical NICs on the VMware ESX 3.5 host. And finally I have created another virtual switch that isn't attached to any physical NICs but rather bound to the virtual NIC that represents the perimeter network on the virtual machine that is being used for ISA server.

Given the setup that I've defined here, I need to ask the question: based on experience, is this sound and secure? Is there anything else I should be doing to make certain that this is in fact that way?

Now with all being said, this is what I'm looking to do. I've seen a tutorial that speaks to "Configuring an Untrusted Wireless DMZ on the ISA Firewall: Parts 1 and 2: Defining the Infrastructure and Setting Up the Split DNS". First things first, can someone here explain to me the term "Untrusted" (not sure I get that piece)? Also, I use ZoneEdit as a means for "Split DNS"; is this adequate for use in resolving external names that speak to the same domain name both internal and external? If not, can someone explain to me how I should be setting up a "Split DNS" environment?

In short, what do I need to do with my existing configuration to allow for this scenario to work? Do I need to bind another physical NIC to the ISA server and attach it to the WRT300N and route traffic between it and the production LAN via network rules, or do I continue to do as I am doing in terms of hanging it off of the WRT350N? (My guess is no... but I'm confused.)

I've also seen the article "Publishing a Windows Server 2008 SSL VPN Server Using ISA 2006 Firewalls"; however, I am a bit confused on the setup, or if you will placement, of the second NIC. Should the external NIC be placed in the perimeter network and termination take place there, or do both NICs sit in the production segment? The article also makes mention of creating a custom CDP (CRL Distribution Point) to prevent an organization from having to expose the private name of your CA in their public DNS. However, the following KB http://support.microsoft.com/kb/313234 speaks to components that aren't or otherwise are no longer available in Windows 2008 (unless of course I'm missing something or I've selected and installed the wrong type of CA... I believe I selected and installed an enterprise root CA, but I could be wrong). Either way, can someone tell me what I'm missing here?

Thank you all for your time in reading and responding to this.

Shannon
RE: Questions Around Network Configuration - 24.Mar.2008 5:36:14 PM
pwindell
Posts: 782
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Throw out the second Linksys box. It is pointless for it to be there and it over-complicates an otherwise very simple network. If you need wireless functionality then buy a Wireless Access Point (WAP) and plug it into one of the switches just as if it was a PC.

On the remaining Linksys box (between ISA and the Comcast line) set it back to "factory defaults". Then configure the LAN side of it to what is compatible with the ISA's external NIC. Completely disable the wireless functionality of that box if it happens to be a wireless "router".

Keep in mind that Comcast will "force" you to use one of their "NAT Boxes" if you ask them for a static IP#. In this case you would throw out the remaining Linksys and would use only the Comcast box between the ISA and the Internet. You would configure the ISA with a public IP that Comcast assigns and the Comcast box (they call it a Comcast Business Gateway) would "pass-through" that IP# from the outside to the ISA. Comcast has a really "odd-ball" setup concerning static IP#s and you are stuck doing things "their way".

Your "virtual environment" in VMware has nothing to do with and has no effect on the physical LAN's design or topology. You just have to make sure the LAN's design is "clean" and "correct". At that point it is totally up to you to correctly build your virtual environment to "fit" in with the physical design of the LAN. I cannot help with VMware... have never used it, never even seen it... I always use Virtual PC.
_____________________________
Phillip Windell www.wandtv.com
RE: Questions Around Network Configuration - 24.Mar.2008 11:39:40 PM
gbarnas
Posts: 147
Joined: 27.Apr.2005
From: New Jersey
Status: offline
I've got ESX running here at home, with 16 virtualized hosts. The NIC on the VM host is unconfigured at the ESX OS level, and connected to the ISA VM only internally. There's no Linksys router either; the "external" NIC is connected directly to the cable modem. ISA gets its external address via DHCP.

I hung my wireless router on a perimeter subnet from ISA, setting the Linksys unit in Router mode rather than Gateway. It provides DHCP for the wireless and wired guest network. No wireless connection to the internal network except via VPN, but free access to the Internet. Great when friends drop by with a laptop (or the wife wants to surf without grief).

I've got 6 Gigabit NICs on the ESX host: admin, External, Internal, Wireless, and Perimeter. The 6th is for external iSCSI SAN connections, testing a VM-based iSCSI target. That and the admin interface are the only ones that aren't under control of the ISA VM. The iSCSI is on a dedicated switch, and the admin interface is reachable from the Internal network only.

As for security (ISA in a VM), I used tools and procedures similar to those used at secure financial sites to perform a penetration test, and was unable to circumvent the security of this configuration. Won't say the same for other virtual systems, but ESX (and MS Virtual Server) handle the network interfaces differently than the "free" systems.

I think using the Linksys routers as anything other than dedicated WLAN access points will unnecessarily complicate your environment. I've also got some concerns about you using all 3 private network ranges. Pick one and segment it properly; it will force you to solidify your subnetting and routing skills, too. Most enterprise environments I've worked with use either 10, or 172.16-31, but don't mix them. If you want to learn about more complex networking, allocate a block for your DMZ, another for wireless, and several for internal. Segment your servers from workstations, and maybe even your "qa" from "production" servers.

I've got a new ESX server going up in the next few weeks. If you want to chat offline about ESX configs, drop me a PM.

Glenn
RE: Questions Around Network Configuration - 25.Mar.2008 12:54:45 PM
shannonharvey
Posts: 56
Joined: 8.Feb.2002
From: Massachusetts
Status: offline
Hi Glenn,

Thanks for the insight. Some of the items you speak of definitely tweak my interest, but for the sake of clarity I wonder if I can ask a question or two of you and at the same time speak of some of the limitations that I have in place regarding my hardware configuration.

My ESX server is a "white box" configuration (unsupported I know, but for home lab use it works... and well) running for the most part 10 VMs (absolutely love the product... working towards my cert, having of course taken the prerequisite course offered by HP). Due to my configuration of this white box I can (unfortunately) only put in place 3 physical NICs.

One of the questions that I have here is based around your configuration, which I might add I like (a lot), where you place your router into gateway mode and place it in the DMZ segment. But with that let me ask this: what are you doing, if anything, to ensure that your wife can always get on the web? Based on what I'm reading it sounds as though your router (or wireless gateway) is dependent on ISA for external network connectivity via the DMZ segment of your network layout, and if you're anything like me you're always trying new things, which can in turn (at least in this scenario) cause concern when your wife can't get on the web... as if the ISA server is down then her web, and anyone else's for that matter, is down. Or am I misunderstanding something here? If I'm not, I guess it could be said that this is why I was looking to put in place a 2nd wireless router/gateway/access point, but again perhaps I am missing something here. I want to make certain that this network setup is simple, yet challenging enough to allow for me to learn more about the product(s), but I don't want my wife to fall victim (if you will) to something that I may be doing to prove a concept.

With that, would you have any suggestions that could speak to this while at the same time offering all of the functionality that you speak of and that I've outlined below, based of course on your reply? You also make mention of having concern around my using all three private network ranges (which I admit is going a little overboard). With that let me present the following and ask if this makes a little more sense.

1. External Network Configuration - 24.X.X.X (provided by ISP)
2. Perimeter Network Configuration - 10.0.0.1/28 (statically assigned; correct me if I am wrong, but I would need to use one of the three NICs and bind it to the perimeter network, correct?). DHCP range assigned via Linksys router 10.0.0.4 - 10.0.0.14, gateway 10.0.0.1, DNS 10.0.0.5
3. Internal Network Configuration - 10.1.1.0/26 (static range for VMs including ESX host 10.1.1.2 - 10.1.1.15; DHCP range 10.1.1.20 - 10.0.1.63 assigned via MS DHCP)

I will have two hosts (VMs) sitting in the perimeter network, one being a domain member (SSL VPN via the following tutorial "Publishing a Windows Server 2008 SSL VPN Server Using ISA 2006 Firewalls"), the other a non-domain member (Exchange 2007 Edge Server). Communication will take place via the following network and firewall policy rules.

1. Network Rules - "Internal to Perimeter - Route" / "External to Perimeter - NAT"
2. Windows 2008 Domain Membership Firewall Policy Rule(s) - "Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), RPC (All Interfaces), NTP (UDP), and Ping" from domain member to Windows 2008 DC (both directions)
3. Exchange 2007 Edge Server Policy Rule(s) - SMTP (TCP/25 from Edge to External), SMTP (TCP/25 from Edge to Hub Transport), LDAP (TCP 50389 and 50636 from Edge to Hub Transport), RDP (TCP 3389, optional, from specific host to Edge)

One other thing that I'm hoping you can shed some light on. The following article "Publishing a Windows Server 2008 SSL VPN Server Using ISA 2006 Firewalls" makes mention of creating a custom CDP (CRL Distribution Point) to prevent an organization from having to expose the private name of your CA in their public DNS. However, the following KB http://support.microsoft.com/kb/313234 speaks to components that aren't or are otherwise not available in Windows 2008 (unless of course I'm missing something or I've selected and installed the wrong type of CA... I believe I selected and installed an enterprise root CA, but I could be wrong). Would you happen to know anything regarding this setup as well?
< Message edited by shannonharvey -- 25.Mar.2008 1:02:54 PM >
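Glenn's advice to pick one private block and segment it properly, and the revised address plan in the reply above, are the kind of thing worth checking mechanically before touching the ISA network definitions. The script below is an added example, not code from either poster: it encodes the original three-range layout and the proposed perimeter/internal plan as data (the perimeter "10.0.0.1/28" is read as the /28 that contains it, with .1 as the gateway) and checks that every gateway, static range, DHCP pool and named host lies inside its own subnet, that pools and static ranges do not overlap, that segments do not overlap each other, and how many RFC 1918 blocks the plan touches. Run against the posted values it reports that the DNS server 10.0.0.5 sits inside the Linksys DHCP pool (so it needs a reservation or a move) and that the internal DHCP range as written ends at 10.0.1.63, which is outside 10.1.1.0/26.

```python
"""Sanity checks for a segmented lab address plan (added example, not from the thread)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Set, Tuple

Range = Tuple[IPv4Address, IPv4Address]

RFC1918 = {
    "10.0.0.0/8": ip_network("10.0.0.0/8"),
    "172.16.0.0/12": ip_network("172.16.0.0/12"),
    "192.168.0.0/16": ip_network("192.168.0.0/16"),
}


def rng(lo: str, hi: str) -> Range:
    return ip_address(lo), ip_address(hi)


@dataclass
class Segment:
    name: str
    network: IPv4Network
    gateway: Optional[IPv4Address] = None
    static_range: Optional[Range] = None
    dhcp_range: Optional[Range] = None
    reserved: Dict[str, IPv4Address] = field(default_factory=dict)  # named fixed hosts


def _inside(r: Range, net: IPv4Network) -> bool:
    # A range is valid only if it is ordered and both ends sit in the subnet.
    return r[0] <= r[1] and r[0] in net and r[1] in net


def _in_range(addr: IPv4Address, r: Range) -> bool:
    return r[0] <= addr <= r[1]


def check_plan(segments: List[Segment]) -> List[str]:
    """Return human-readable problems; an empty list means the plan is consistent."""
    problems: List[str] = []
    for s in segments:
        if s.gateway is not None and s.gateway not in s.network:
            problems.append(f"{s.name}: gateway {s.gateway} is outside {s.network}")
        for label, r in (("static", s.static_range), ("dhcp", s.dhcp_range)):
            if r is None:
                continue
            if not _inside(r, s.network):
                problems.append(f"{s.name}: {label} range {r[0]}-{r[1]} is not inside {s.network}")
            elif s.gateway is not None and _in_range(s.gateway, r):
                problems.append(f"{s.name}: gateway {s.gateway} lies inside the {label} range")
        if (s.static_range and s.dhcp_range
                and s.static_range[0] <= s.dhcp_range[1]
                and s.dhcp_range[0] <= s.static_range[1]):
            problems.append(f"{s.name}: static and dhcp ranges overlap")
        for host, addr in s.reserved.items():
            if addr not in s.network:
                problems.append(f"{s.name}: {host} {addr} is outside {s.network}")
            elif s.dhcp_range and _in_range(addr, s.dhcp_range):
                problems.append(f"{s.name}: {host} {addr} lies inside the dhcp pool "
                                f"{s.dhcp_range[0]}-{s.dhcp_range[1]}; reserve it or move it")
    # Segments must not overlap one another, or routing between them is ambiguous.
    for i, a in enumerate(segments):
        for b in segments[i + 1:]:
            if a.network.overlaps(b.network):
                problems.append(f"{a.name} {a.network} overlaps {b.name} {b.network}")
    return problems


def private_blocks_used(segments: List[Segment]) -> Set[str]:
    """Which RFC 1918 blocks the plan draws from (Glenn's 'pick one' advice)."""
    return {label for label, block in RFC1918.items()
            if any(s.network.subnet_of(block) for s in segments)}


# The original layout from the first post: one /26 out of each RFC 1918 block.
ORIGINAL = [
    Segment("external", ip_network("172.16.0.0/26")),
    Segment("internal", ip_network("10.0.0.0/26")),
    Segment("dmz", ip_network("192.168.0.0/26")),
]

# The revised plan from the later reply, copied as posted (the external 24.x.x.x
# ISP range is left out because its exact value is not given).
PROPOSED = [
    Segment("perimeter", ip_network("10.0.0.0/28"), gateway=ip_address("10.0.0.1"),
            dhcp_range=rng("10.0.0.4", "10.0.0.14"),
            reserved={"dns": ip_address("10.0.0.5")}),
    Segment("internal", ip_network("10.1.1.0/26"),
            static_range=rng("10.1.1.2", "10.1.1.15"),
            dhcp_range=rng("10.1.1.20", "10.0.1.63")),  # end address as posted
]

if __name__ == "__main__":
    print("original plan draws from:", sorted(private_blocks_used(ORIGINAL)))
    print("proposed plan draws from:", sorted(private_blocks_used(PROPOSED)))
    for p in check_plan(PROPOSED):
        print(" -", p)
```

Adding a segment is one more `Segment(...)` entry; the checks are the same ones you would repeat by hand every time a range is carved out of the block for a new wireless or QA segment, which is why it pays to keep the plan as data.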
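The network rules and firewall policy rules listed in the reply above are two separate stages in ISA: a network rule (Route or NAT) must first define a relationship between the source and destination networks, and only then does the ordered access-rule list decide, first match wins, with the built-in default rule denying everything else. The model below is an added example, not the poster's configuration or any ISA API: it encodes the posted perimeter and internal subnets plus a hypothetical Wireless segment, hypothetical host addresses inside those subnets (DC, Hub Transport, admin PC, SSL VPN server, Edge server), and the posted access rules, then evaluates sample flows. It assumes ISA's documented behaviour that a Route relationship applies in both directions while a NAT relationship applies only from its source network to its destination, so the perimeter-to-External NAT rule is written in that direction. Inbound SMTP from the Internet to the Edge would be handled by a server publishing rule, which this sketch deliberately does not model; "RPC (All Interfaces)" is reduced to the endpoint mapper port and the Local Host network and system policy are left out.

```python
"""ISA-style two-stage policy check: network rule, then access rules (added example)."""
from dataclasses import dataclass
from ipaddress import IPv4Address, ip_address, ip_network
from typing import FrozenSet, List, Tuple

# ISA networks from the address plan posted above, plus a hypothetical Wireless
# segment (constructed for this example). Anything not listed falls into External.
NETWORKS = {
    "Internal": ip_network("10.1.1.0/26"),
    "Perimeter": ip_network("10.0.0.0/28"),
    "Wireless": ip_network("10.0.1.0/28"),  # hypothetical guest WLAN
}

# Hypothetical host addresses chosen inside the posted subnets.
DC, HUB, ADMIN_PC = "10.1.1.3", "10.1.1.5", "10.1.1.10"
VPN_SERVER, EDGE = "10.0.0.7", "10.0.0.6"

Proto = Tuple[str, int]  # (protocol, port); port 0 means "any port"


@dataclass(frozen=True)
class NetworkRule:
    src: str
    dst: str
    relation: str  # "Route" applies in both directions, "NAT" only src -> dst


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                  # "allow" or "deny"
    protocols: FrozenSet[Proto]
    src: str                     # network name, single host address, or "All"
    dst: str


NETWORK_RULES: List[NetworkRule] = [
    NetworkRule("Internal", "Perimeter", "Route"),
    NetworkRule("Perimeter", "External", "NAT"),  # perimeter hosts hide behind ISA's external IP
    NetworkRule("Internal", "External", "NAT"),   # ISA's default "Internet Access" rule
]

# Domain-membership protocol set from the post (RPC modelled as the endpoint mapper only).
DOMAIN_MEMBER: FrozenSet[Proto] = frozenset({
    ("udp", 749), ("tcp", 88), ("udp", 88), ("tcp", 389), ("udp", 389),
    ("tcp", 3268), ("tcp", 135), ("udp", 123), ("icmp", 0),
})

ACCESS_RULES: List[AccessRule] = [  # ordered; evaluated top down, first match wins
    AccessRule("Domain membership", "allow", DOMAIN_MEMBER, VPN_SERVER, DC),
    AccessRule("Domain membership (reverse)", "allow", DOMAIN_MEMBER, DC, VPN_SERVER),
    AccessRule("Edge SMTP out", "allow", frozenset({("tcp", 25)}), EDGE, "External"),
    AccessRule("Edge to Hub", "allow",
               frozenset({("tcp", 25), ("tcp", 50389), ("tcp", 50636)}), EDGE, HUB),
    AccessRule("RDP to Edge", "allow", frozenset({("tcp", 3389)}), ADMIN_PC, EDGE),
    AccessRule("Default rule", "deny", frozenset({("any", 0)}), "All", "All"),
]


def network_of(addr: IPv4Address) -> str:
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"


def has_relationship(src_net: str, dst_net: str) -> bool:
    """Stage 1: is there a network rule connecting the two networks in this direction?"""
    for r in NETWORK_RULES:
        if (r.src, r.dst) == (src_net, dst_net):
            return True
        if r.relation == "Route" and (r.dst, r.src) == (src_net, dst_net):
            return True
    return False


def _endpoint_matches(spec: str, addr: IPv4Address) -> bool:
    if spec == "All":
        return True
    if spec in NETWORKS or spec == "External":
        return network_of(addr) == spec
    return addr == ip_address(spec)


def _protocol_matches(protos: FrozenSet[Proto], proto: str, port: int) -> bool:
    return ("any", 0) in protos or (proto, port) in protos or (proto, 0) in protos


def evaluate(src: str, dst: str, proto: str, port: int) -> Tuple[str, str]:
    """Return (decision, reason) for a connection initiated from src to dst."""
    s, d = ip_address(src), ip_address(dst)
    sn, dn = network_of(s), network_of(d)
    if sn == dn:
        return "bypass", f"both hosts are in {sn}; traffic never crosses the firewall"
    if not has_relationship(sn, dn):
        return "deny", f"no network rule defines {sn} -> {dn}"
    for rule in ACCESS_RULES:  # stage 2: first matching access rule decides
        if (_endpoint_matches(rule.src, s) and _endpoint_matches(rule.dst, d)
                and _protocol_matches(rule.protocols, proto, port)):
            return rule.action, rule.name
    return "deny", "no matching rule"


if __name__ == "__main__":
    for flow in [(EDGE, HUB, "tcp", 50389), (EDGE, "198.51.100.25", "tcp", 25),
                 ("10.1.1.30", EDGE, "tcp", 3389), ("10.0.1.5", DC, "tcp", 389),
                 ("198.51.100.25", EDGE, "tcp", 25)]:
        print(flow, "->", evaluate(*flow))
```

The two failure modes worth noticing in the sample flows are the ones that bite in practice: a guest on the hypothetical Wireless segment is dropped before the access rules are even consulted because no network rule joins Wireless to Internal, and a workstation other than the designated admin host falls through to the default rule when it tries RDP to the Edge server, which is exactly the "from specific host" restriction the post asks for.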