Welcome to ISAserver.org


Trihomed ISA, WLAN and published servers

Trihomed ISA, WLAN and published servers - 20.Feb.2007 2:46:45 PM   
Ben79

 

I have a trihomed ISA 2006 std server.
I will publish an FTP server with PASV mode on the DMZ.

However, can I use Tom Shinder's guide on how to use DMZ and WLAN together and let the clients from the wireless/DMZ network VPN in to our SBS 2003 server? http://www.isaserver.org/articles/2004wirelessdmzpart2.html

Or should I use 4 NICs on my ISA and let the 4th NIC "become" a second DMZ for my untrusted WLAN clients?

And since I'm using an SBS server as my Exchange server, can I still publish my SBS server as a port-published server?
Post #: 1
RE: Trihomed ISA, WLAN and published servers - 5.Mar.2007 12:42:26 PM   
tshinder

 

Hi Ben,

Is the SBS box behind the ISA Firewall?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.
Sr. Consultant/Technical Writer
Prowess Consulting http://www.prowessconsulting.com/
Blog: http://blogs.isaserver.org/shinder/

GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8

(in reply to Ben79)
Post #: 2
RE: Trihomed ISA, WLAN and published servers - 7.Mar.2007 6:23:11 PM   
Ben79

 

I'll post this VSD file to show my current setup.

http://www.uperload.com/viewer.php?image=http://uperload.com/uploads/20070307/company5856.jpg

Thanks for your post Tom.

/Ben

(in reply to tshinder)
Post #: 3
RE: Trihomed ISA, WLAN and published servers - 8.Mar.2007 12:17:47 PM   
tshinder

 

Hi Ben,

OK, got it. The ISA Firewall is in front of the SBS box, as it should be, and the SBS is a single NIC server, as it should be. You must have been in this business for quite a while to get this stuff all right!

Your question is a good one. I'd formulate it like this -- are the clients connecting to my WLAN in the same security zone as the clients that will connect to the FTP server's DMZ?

It's an interesting question because one can argue that while there are millions of potential attackers that could go after the FTP server over the Internet, there are only a handful of attackers that will connect to the WLAN.

However, on the other hand, the WLAN attackers have full network access to the FTP server, using any protocol they want! I'd argue that these hosts are more dangerous, since the Internet users are allowed only FTP access and the ISA Firewall provides worm and flood protection.

So, what would I do? Create a fourth ISA Firewall NIC by putting in another NIC for the WLAN users.

HTH,
Tom


(in reply to Ben79)
Post #: 4
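
Added example, not part of the original thread: a small reachability model of the zone argument in the post above, comparing which protocols each host can use against the FTP server when the WLAN shares the DMZ segment versus when it sits behind a fourth NIC. The segment names, host names and rule sets are assumptions constructed for illustration and are not ISA Server configuration.

```python
# Added example: a toy reachability model, not ISA Server configuration.
# All segment names, host names and rules below are constructed.
ANY = "any"

def exposure(segments, rules, src_host, dst_host):
    """Protocols src_host can use against dst_host.

    segments: {segment: {hosts}}; rules: {(src_segment, dst_segment, protocol)}.
    Hosts sharing a segment talk directly, so the firewall never inspects
    their traffic and every protocol is available.
    """
    seg_of = {h: s for s, hosts in segments.items() for h in hosts}
    src, dst = seg_of[src_host], seg_of[dst_host]
    if src == dst:
        return {ANY}
    return {p for (s, d, p) in rules if (s, d) == (src, dst)}

def audit(segments, rules, dst_host):
    """Map every other host to its exposure against dst_host."""
    hosts = sorted(h for hs in segments.values() for h in hs if h != dst_host)
    return {h: exposure(segments, rules, h, dst_host) for h in hosts}

# Three legs: WLAN clients share the DMZ segment with the FTP server.
TRIHOMED = {
    "external": {"internet-user"},
    "internal": {"sbs"},
    "dmz": {"ftp-server", "wlan-client"},
}
TRIHOMED_RULES = {("external", "dmz", "ftp"), ("dmz", "internal", "vpn")}

# Four legs: the WLAN gets its own NIC and segment.
FOUR_LEG = {
    "external": {"internet-user"},
    "internal": {"sbs"},
    "dmz": {"ftp-server"},
    "wlan": {"wlan-client"},
}
FOUR_LEG_RULES = {("external", "dmz", "ftp"), ("wlan", "internal", "vpn")}

if __name__ == "__main__":
    for name, segs, rules in (("trihomed", TRIHOMED, TRIHOMED_RULES),
                              ("four-leg", FOUR_LEG, FOUR_LEG_RULES)):
        print(name, audit(segs, rules, "ftp-server"))
```
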
RE: Trihomed ISA, WLAN and published servers - 14.Mar.2007 8:22:45 PM   
Ben79

 

Hi Tom and thank you for your post!

Well, I have been spending my time reading your excellent book as well as this forum. I spent about 100 hours reading before I dared to try to install ISA on my company's network.
But as most of us in the business know, networks change over time. (Or is it me who wants new challenges? )

I have a few more questions about "Perimeter Networks".

As you can see in my attached pic:
http://www.pixilive.com/viewer.php?image=http://www.pixilive.com/uploads/20070314/ISA_4NIC.jpg
I have changed the layout a bit, now with 4 NICs.

I will use two DMZs instead of one. And use the VPN "feature" for my untrusted WLAN network.

However, the thing I am most uncertain about is the configuration of the FTP server's NIC/NICs.

Atm I only use one NIC for the FTP, is this correct or should I use two?

And should I use the guide:
http://www.isaserver.org/articles/2004perimeterdomain.html
for my internal clients who want to use \\server\ftp-share\ to access our customers' uploaded files on the FTP server?

/Benjamin

(in reply to tshinder)
Post #: 5
RE: Trihomed ISA, WLAN and published servers - 19.Mar.2007 10:26:52 AM   
tshinder

 

Hi Benjamin,

The FTP server only needs a single NIC.

Also, all published servers should be configured as SecureNAT clients.

HTH,
Tom


(in reply to Ben79)
Post #: 6
RE: Trihomed ISA, WLAN and published servers - 25.Mar.2007 4:48:18 PM   
Ben79

 

Thank you for your post.

However, I'm not sure about how to configure this DMZ the "correct" way. So I'm reading your book and posts here, and hopefully I'll make it.

Ben

(in reply to tshinder)
Post #: 7
RE: Trihomed ISA, WLAN and published servers - 26.Mar.2007 11:18:06 AM   
tshinder

 

Hi Ben,

Let me know if you have any questions.

Thanks!
Tom


(in reply to Ben79)
Post #: 8
