Welcome to ISAserver.org
Secure web publishing with ISA in DMZ
Secure web publishing with ISA in DMZ - 19.Sep.2008 11:21:53 AM
greyhorsecorp
Posts: 15
Joined: 31.Mar.2008
Status: offline
I have a dilemma that has to be solved. I want ISA 2006 Std. to be capable of publishing multiple secure web (https) sites that are located in a LAN. There is a Sonicwall NSA 5000 series in front of ISA with a Layer 3 firewall only. Swall is facing the internet and ISA is behind it. There is NAT-T between WAN and DMZ, and a ROUTE relationship between DMZ (ISA) and internal LAN. I have talked to Sonicwall and they said that from the Sonicwall side it is enough to set up 1-2-1 NAT from WAN to DMZ (external interface of ISA) and since ISA is publishing those secure sites, it should forward https requests to secure web servers internally. In discussion with a consultant, he says that this is not possible, since ISA's web listener can not have multiple https (with different public certificate names) tunnels established on only one "listening IP", the one that is facing the internal interface of the NAT device in front of it, in this case Sonicwall. In order for this to work, he basically recommends having the FE Firewall (Sonicwall) with multiple public IPs bound to one public interface, but such an option doesn't exist even though Swall has Sonic Enhanced OS with the latest firmware. What he said basically is that in that case, every single https tunnel would be assigned a specific Public IP that is in the back end bound to a specific private IP. So, if we have 3 https tunnels, he says that we should have 3 public IPs and 3 private IPs on ISA, so that the tunnels can work. I was thinking that having Swall open a WAN to DMZ firewall rule (Layer 3 firewall) for all incoming https traffic to ISA would be enough. So, if let's say 3 simultaneous secure web site requests come in from the internet, they would hit the publicly available WAN IP (single IP, since all 3 secure web sites are registered with the same public IP) of the Swall.

Swall as a layer 3 firewall doesn't care about the number of https requests, but just lets them be forwarded to the external interface of ISA (that is btw in a private IP address range, since it is in a NAT-T relationship with Sonicwall, as mentioned earlier). ISA intercepts those 3 requests on its front end IP address, inspects them and forwards them to the internal secure web servers, after which 3 https tunnels are established between web servers and clients. My question is: Is ISA 2006 capable of handling (publishing) 3 simultaneous https tunnels through its own web listener, by having all 3 tunnels coming in to ISA on one IP address (its front end NIC that is facing Swall) and forwarded to secure web servers in a LAN through its second NIC in the back end? Thanks,
RE: Secure web publishing with ISA in DMZ - 24.Sep.2008 10:07:11 AM
greyhorsecorp
Posts: 15
Joined: 31.Mar.2008
Status: offline
Thank you Tom. I have already solved the first part of the puzzle; I have set up Sonicwall properly with NAT-T and have set up two Public IPs for 2 internally published https web sites and it works with no problems. All internal web sites (that are published) are sitting on the same box with 2 different (internal) IPs. Now, the problem came in when I installed ISA 2006 Std. First of all, I want to have a full HTTPS tunnel from the client on the WAN up to the internal Secure web server. If I use https between the WAN client and ISA, and the back end on port 80, all is OK. So, I am aware that I have to use the Bridging option on ISA. I have also added lmhosts entries for those two internal servers on ISA. I have installed local certificates on each web server. I have also created listeners for those web servers on ISA and they have publicly recognized certificates with the web sites' public names. To make a long story short, listeners are listening on the regular 443 port (each) and in the back end, when ISA needs to forward traffic for a specific server in the LAN, I have set one https tunnel to be on 443, the other on port 444. Doesn't work. I have also set up back end tunnels to 443 for both and still the same. I have also set up both web servers to force 128 bit encryption and require Secure SSL. I am getting various errors when I try to access them from outside: Error 500, network logon failed and so on. What am I doing wrong here??? Thanks,
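Both posts above turn on the same two certificate-name constraints: a listener that does not support SNI can present only one certificate per IP:port (the consultant's objection in the first post), and with SSL bridging the proxy validates the back-end server's certificate against the host name it was told to connect to (the failing setup in the second post). The script below is an added illustration written for this thread, not ISA code and not anything the poster or Microsoft published. It assumes ISA 2006-style behaviour (one certificate bound per listener address, no SNI; bridged connections check the back-end certificate name) and uses constructed host names and addresses (`example.test`, `corp.test`, `10.0.1.2`). It checks a proposed layout and lists every place a name would fail to validate, contrasting one listener per site on a single IP with one listener whose certificate carries all three names as SANs.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple


def name_matches(pattern: str, hostname: str) -> bool:
    """Match one certificate name against a host name.

    A wildcard is honoured only as the entire leftmost label ("*.example.test")
    and stands in for exactly one label, which is how browsers treat it.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


@dataclass(frozen=True)
class Certificate:
    """Only the name fields matter here: the subject CN plus any SAN entries."""
    subject_cn: str
    sans: Tuple[str, ...] = ()

    def covers(self, hostname: str) -> bool:
        return any(name_matches(n, hostname) for n in (self.subject_cn, *self.sans))


@dataclass(frozen=True)
class Listener:
    name: str
    ip: str             # address the listener binds (the DMZ-facing NIC here)
    port: int
    cert: Certificate   # the single certificate bound to this ip:port (assumption: no SNI)


@dataclass(frozen=True)
class PublishingRule:
    public_name: str    # name the client connects to; must be on the listener's cert
    listener: str       # listener the rule is attached to
    backend_host: str   # name the proxy uses to reach the internal server
    backend_port: int   # 443 or 444 makes no difference to name validation
    bridge_https: bool  # True = SSL bridging: proxy re-encrypts to the back end


def check_publishing(listeners: List[Listener], rules: List[PublishingRule],
                     backend_certs: Dict[str, Certificate]) -> List[str]:
    """Return the list of name-validation problems; an empty list means the layout is sound."""
    problems: List[str] = []
    by_name = {lst.name: lst for lst in listeners}

    # 1. Without SNI a socket presents one certificate, so two listeners cannot share ip:port.
    bound: Dict[Tuple[str, int], str] = {}
    for lst in listeners:
        key = (lst.ip, lst.port)
        if key in bound:
            problems.append(f"listeners {bound[key]!r} and {lst.name!r} both bind "
                            f"{lst.ip}:{lst.port}; only one certificate per address without SNI")
        bound[key] = lst.name

    for r in rules:
        lst = by_name.get(r.listener)
        if lst is None:
            problems.append(f"{r.public_name}: unknown listener {r.listener!r}")
            continue
        # 2. Front end: the browser checks the listener's certificate against the public name.
        if not lst.cert.covers(r.public_name):
            problems.append(f"{r.public_name}: listener {lst.name!r} certificate "
                            f"({lst.cert.subject_cn}) does not cover this public name")
        # 3. Back end (bridging only): the proxy checks the server's certificate
        #    against the name it was configured to connect to.
        if r.bridge_https:
            cert = backend_certs.get(r.backend_host)
            if cert is None:
                problems.append(f"{r.public_name}: no HTTPS certificate known for {r.backend_host}")
            elif not cert.covers(r.backend_host):
                problems.append(f"{r.public_name}: back-end certificate ({cert.subject_cn}) "
                                f"does not match {r.backend_host}")
    return problems


# --- constructed sample data (hypothetical names, not from the thread) -----------------
ISA_DMZ_IP = "10.0.1.2"   # the one private address the NAT device forwards 443 to

# Layout A: one listener and one single-name certificate per site, all on one IP.
PER_SITE_LISTENERS = [
    Listener("mail", ISA_DMZ_IP, 443, Certificate("mail.example.test")),
    Listener("portal", ISA_DMZ_IP, 443, Certificate("portal.example.test")),
    Listener("crm", ISA_DMZ_IP, 443, Certificate("crm.example.test")),
]
PER_SITE_RULES = [
    PublishingRule("mail.example.test", "mail", "srv1.corp.test", 443, True),
    PublishingRule("portal.example.test", "portal", "srv1.corp.test", 444, True),
    PublishingRule("crm.example.test", "crm", "srv2.corp.test", 443, True),
]
BACKEND_CERTS = {
    "srv1.corp.test": Certificate("srv1.corp.test"),
    "srv2.corp.test": Certificate("srv2"),   # short name only: the bridged hop will not validate
}

# Layout B: a single listener on the same IP whose certificate names every published site.
SAN_LISTENERS = [
    Listener("all-sites", ISA_DMZ_IP, 443,
             Certificate("mail.example.test", sans=("portal.example.test", "crm.example.test"))),
]
SAN_RULES = [PublishingRule(r.public_name, "all-sites", r.backend_host, r.backend_port, True)
             for r in PER_SITE_RULES]
FIXED_BACKEND_CERTS = {**BACKEND_CERTS, "srv2.corp.test": Certificate("srv2.corp.test")}

if __name__ == "__main__":
    for label, args in (("per-site listeners", (PER_SITE_LISTENERS, PER_SITE_RULES, BACKEND_CERTS)),
                        ("SAN listener", (SAN_LISTENERS, SAN_RULES, FIXED_BACKEND_CERTS))):
        found = check_publishing(*args)
        print(f"{label}: {len(found)} problem(s)")
        for p in found:
            print("  -", p)
```

Layout A reports the two listener collisions on 10.0.1.2:443 plus the back-end name mismatch for the server whose certificate carries only a short name; Layout B reports nothing, because one certificate that lists all three public names lets a single listener address serve all three sites, and every bridged hop connects to a name that appears on the back-end certificate. The back-end port is deliberately not checked: bridging to 444 instead of 443 is fine as long as the name validates.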
RE: Secure web publishing with ISA in DMZ - 29.Sep.2008 9:48:55 AM
greyhorsecorp
Posts: 15
Joined: 31.Mar.2008
Status: offline
What...it showed up...COOL. Grey