Welcome to ISAserver.org
Sharepoint portal server 2003
Sharepoint portal server 2003 - 19.Jun.2006 8:40:42 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline

I have received help already from many posts and articles about using ISA server with an existing firewall. Thank you very much. I am in a similar situation. We have an existing 3-legged PIX (External, DMZ, Internal) with other servers handling proxy and content filtering for outbound traffic to the Internet. I am working on deploying Sharepoint and need to allow users to access it from the Internet. I agree that ISA 2004 is the way to do this. Initially the ISA 2004 would be used just for this, though later I would like to use it to publish Exchange to the Internet. For starters one person recommended using the ISA 2004 box with one NIC, and I envisioned placing this in the DMZ. I do not want it as an outbound proxy, just to handle HTTPS and HTTP traffic to Sharepoint, which is inside on the domain. Do you recommend the 1 NIC scenario or perhaps in parallel to the PIX between the DMZ and the Internal network? Thanks.

RE: Sharepoint portal server 2003 - 19.Jun.2006 10:12:41 PM
tonygauderman
Posts: 107
Joined: 6.Feb.2006
Status: offline

With a PIX that has at least 3 interfaces, you can certainly hook up your ISA in this manner, though in the long run you would probably be best off ending up with the PIX just being a traffic filter, letting only traffic through on specified ports and letting the ISA do its stateful packet and application layer inspection. In your case, I would probably put in 3 interfaces, but certainly at least 2. 3 lets you replicate the "DMZ" scenario you currently have onto your ISA server (eventually I think you will want to just push the PIX to the edge... I started out thinking I was going to do the same thing you are trying to do and decided to really leverage the advantages of the ISA server over the PIX).

Setting up the ISA server between the DMZ of your PIX and the same network as the internal interface of your PIX makes a migration to ISA relatively easy. First, you can obviously set up your static translation on the PIX from your outside interface to an address on the ISA server in your DMZ on ports 80 and/or 443 and publish the Sharepoint server as a web server on the ISA server. Because the default gateway of your Sharepoint server is likely a device that points to the PIX as its gateway of last resort, you are going to have to set up the rule on ISA to "Requests appear to come from the ISA Server computer".

When you publish Exchange, you will need to do the same thing, but very carefully. If your Exchange server is configured to allow relay from an IP range that includes the IP address of your ISA server (i.e. internal servers for alert notification), this will turn your Exchange server into an open relay. If you are uncomfortable with the relay configuration, you are probably best waiting on the Exchange traffic until the next step in your migration, which is changing the gateway of last resort on your network from the PIX to the ISA server.

You are going to want to perform some testing before making this transition, as you may break applications that are currently working on your network and need to come up with a fix (the only application I found the ISA server broke was FTP uploads, which was easily fixed by unchecking "Read Only" on the FTP protocol policy for the outbound traffic rule). Once you change the ISA server to be the gateway of last resort, you can go into any early rules you had and change "Requests appear to come from the ISA Server computer" to "Requests appear to come from the original client". If you have traffic that the ISA server will not support (i.e. SIP), you can route that traffic to the inside interface of your PIX rather than the ISA server, or you can disable the inside interface of your PIX and route everything through ISA. In your case, with other servers handling the proxying, you could route that traffic to the inside interface, assuming that you aren't initiating the filtering from the PIX to N2H2 or WebSense. In my case, I moved from a WebSense/PIX integration to a WebSense/ISA integration.

RE: Sharepoint portal server 2003 - 20.Jun.2006 3:13:06 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline

Thank you very much for the detailed explanation! We would like to test the ISA server in parallel with the PIX between the DMZ and internal network to secure some new web apps we are deploying. This leads to a few questions.
1. Can I do this and still have the PIX the default gateway on the internal network?
2. I do have an existing proxy/content filter infrastructure in place that I do not want to change or break, hence question 1. I want outbound traffic to continue on the current PIX and proxy setup.
3. So will the ISA server be a member of the domain on the internal network?
I am trying to use ISA server to allow Internet users access to selected web/sharepoint resources on the internal network, which seems to be one of the reasons for it, but I do not want to break or replace my existing outbound infrastructure at this point. Thanks! Mark

RE: Sharepoint portal server 2003 - 20.Jun.2006 3:51:08 PM
tonygauderman
Posts: 107
Joined: 6.Feb.2006
Status: offline

1. Absolutely, though I would probably not do the Exchange services that way unless you are comfortable making sure that you aren't a relay per my last post. When you publish the web services, just make sure that you select "Requests appear to come from the ISA Server computer"; that way the ISA server "proxies" the session with its own IP address and you won't have to worry about your gateway of last resort routing the traffic through the PIX. You could use this method to publish OWA as well... setting static translations on your PIX specific to the port... sending 25 through the inside interface of the PIX to your mail server, 80 & 443 to the DMZ to the ISA server. The only drawback to doing this is that I would expect that if you are planning on using reporting statistics on visitors to your web sites, they probably won't be accurate... they will reflect a lot of visits from your ISA server!

2. This will work fine, though there are a couple of scenarios... if your browsers are configured to use a proxy, changing their gateway of last resort to the ISA server won't affect them using the existing proxy/content filter... if the PIX is directing traffic to the proxy, obviously you can't change the gateway of last resort...

3. I would definitely have the ISA server be a domain member... refer to Tom's post from today: http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

If your current proxy/content filter setup uses the PIX to initiate the session, you are stuck leaving the PIX as your gateway of last resort as long as you want to keep your existing cache/content filtering setup the way it is... Prior to ISA, I had been using Websense on its own box, with the PIX redirecting traffic to Websense... since putting in ISA, I decided to install WebSense on the ISA server (we are a small site, less than 50 Internet users and a T1 to the Internet less than 25% utilized... in a larger scenario I would suggest putting WebSense on another box).
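The open-relay risk Tony raises in both of his replies comes from combining two settings: the publishing rule "Requests appear to come from the ISA Server computer" (source NAT, so the mail server sees every Internet client as the ISA address) and a mail server that relays for an internal IP range containing that address. The following is an added illustration written for this page, not code from the thread or from ISA Server. It models the relay ACL as a list of CIDR ranges and checks, before the rule goes live, whether the ISA address falls inside it. The ranges, the ISA address and the client addresses are constructed sample values, and the carve-out function is one mitigation added here; the thread's own mitigation is to switch the rule to "Requests appear to come from the original client" once ISA is the gateway of last resort, which the `appear_from_proxy=False` path models.

```python
import ipaddress

# Constructed sample values (not from the thread): the mail server relays for
# two internal ranges, and the ISA server's internal-side address happens to
# fall inside the first one.
RELAY_ALLOWED_RANGES = ["10.0.1.0/24", "192.168.50.0/24"]
ISA_INTERNAL_IP = "10.0.1.50"
INTERNET_CLIENT_IP = "203.0.113.7"   # an Internet sender reaching the published SMTP listener
INTERNAL_ALERT_HOST = "10.0.1.20"    # a legitimate internal server that must keep relaying


def effective_source(client_ip, proxy_ip, appear_from_proxy):
    """Address the back-end sees for a proxied connection.

    appear_from_proxy=True models the ISA rule 'Requests appear to come from
    the ISA Server computer' (source NAT); False models 'Requests appear to
    come from the original client'.
    """
    return proxy_ip if appear_from_proxy else client_ip


def relay_allowed(allowed_ranges, source_ip):
    """True if the mail server's relay ACL matches source_ip."""
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(r) for r in allowed_ranges)


def proxied_relay_allowed(allowed_ranges, client_ip, proxy_ip, appear_from_proxy):
    """Relay decision for a client that reaches the mail server via the proxy."""
    source = effective_source(client_ip, proxy_ip, appear_from_proxy)
    return relay_allowed(allowed_ranges, source)


def audit_publishing_rule(allowed_ranges, proxy_ip):
    """Ranges in the relay ACL that contain the proxy's own address.

    A non-empty result means that publishing SMTP with source NAT would give
    every Internet client the relay rights of the proxy itself.
    """
    proxy = ipaddress.ip_address(proxy_ip)
    return [r for r in allowed_ranges if proxy in ipaddress.ip_network(r)]


def carve_out(allowed_ranges, proxy_ip):
    """Return the ACL with the proxy's single address removed from every range.

    One mitigation (added here, not from the thread): internal hosts keep
    relaying, but a connection that appears to come from the proxy no longer
    matches any allowed range.
    """
    proxy = ipaddress.ip_address(proxy_ip)
    proxy_net = ipaddress.ip_network(f"{proxy}/{proxy.max_prefixlen}")
    result = []
    for r in allowed_ranges:
        net = ipaddress.ip_network(r)
        if proxy in net:
            # address_exclude yields the subnets of net that do not contain proxy_net
            result.extend(str(n) for n in net.address_exclude(proxy_net))
        else:
            result.append(r)
    return result


if __name__ == "__main__":
    hits = audit_publishing_rule(RELAY_ALLOWED_RANGES, ISA_INTERNAL_IP)
    print("relay ranges containing the ISA address:", hits)
    print("Internet client relays via source-NAT rule:",
          proxied_relay_allowed(RELAY_ALLOWED_RANGES, INTERNET_CLIENT_IP, ISA_INTERNAL_IP, True))
    print("Internet client relays via original-client rule:",
          proxied_relay_allowed(RELAY_ALLOWED_RANGES, INTERNET_CLIENT_IP, ISA_INTERNAL_IP, False))
    hardened = carve_out(RELAY_ALLOWED_RANGES, ISA_INTERNAL_IP)
    print("hardened ACL:", hardened)
    print("Internet client relays after carve-out:",
          proxied_relay_allowed(hardened, INTERNET_CLIENT_IP, ISA_INTERNAL_IP, True))
    print("internal alert host still relays:", relay_allowed(hardened, INTERNAL_ALERT_HOST))
```

Run it as-is to see the audit flag the overlapping range, the source-NAT path granting relay to the Internet client, and both mitigations closing it while the internal alert host keeps its relay permission. In a real deployment the ACL would be read from the mail server's relay configuration and the proxy address from the publishing rule, but the decision logic is the same.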

RE: Sharepoint portal server 2003 - 20.Jun.2006 3:59:25 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline

Tony, thank you for your excellent help. I had just read Tom's article about ISA being a domain member. Hopefully in a couple of days I will be testing the scenario we are discussing. Thanks again, Mark

RE: Sharepoint portal server 2003 - 20.Jun.2006 5:36:03 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline

One more question. Can I have 3 NICs in the ISA box? The purpose would be for testing in 2 environments. I would want HTTP requests to come in on NIC1 on the DMZ and, depending on the requested IP, connect out NIC2 or NIC3. Basically it would be a reverse proxy for different Sharepoint servers on 2 subnetworks on NICs 2 and 3, with user requests coming in from the Internet on NIC1. From what I have read, this is a no-brainer, but I wanted to be sure. Regards, Mark

RE: Sharepoint portal server 2003 - 20.Jun.2006 9:38:52 PM
tonygauderman
Posts: 107
Joined: 6.Feb.2006
Status: offline

What you want to do will work fine.

RE: Sharepoint portal server 2003 - 20.Jun.2006 11:01:20 PM
mjgraves@tisecurity.
Posts: 41
Joined: 19.Jun.2006
Status: offline

Thanks again. Regards, Mark