Will ISA Do this?
Will ISA Do this? - 2.Jan.2006 11:25:25 PM
marvinmiller
Posts: 51
Joined: 2.Jan.2006
Status: offline
Hi Folks; I'm new to the world of ISA but was very fluent in Proxy 2.0 a few years ago. I've also taken a few years off from networking, so I was hoping that someone could go over my design and see if ISA will do what I've come up with and if I've made any mistakes along the way! :-) I made a cheesy network diagram to better explain what I'm after.....

So, basically what I'm after is a firewall, caching and server publishing. Of main concern to me right now are two areas:

- I plan on assigning two static IP's to the external NIC and I need to route traffic based on external requests to those NIC's. For instance, I need two DNS servers on the internal network and need ISA to route requests accordingly. I also plan on having at least two web sites in place on the internal network and need ISA to route accordingly.

- The next thing I am very concerned about is DNS. I would prefer to have two DNS servers on the Internal network composed of reserved IP's. Will ISA be able to service external DNS requests properly in this case?

- The last thing I am wondering about is internal users. I really don't need/require any accounts/monitoring etc. of internal users. My preference would be that all internal users have full access to anything on the Internet all the time. Caching their requests and the common requests made from the web server would be ideal though.

Is anyone out there able to definitively give me a yes or no on this scenario? It's very important to me as I can still choose another solution at this point. I'm actually faced with one more issue, but before getting into that I'd like to hear first if this design will work from people in the know :-)
< Message edited by marvinmiller -- 6.Feb.2008 9:47:39 PM >
_____________________________
Best & thanks; Marvin http://www.asksomeone.net
RE: Will ISA Do this? - 3.Jan.2006 3:15:28 PM
KyleKartan
Posts: 47
Joined: 21.Oct.2003
From: New Hampshire
Status: offline
I'll do my best here :)

Yes, ISA can have multiple external IP's so that you can publish multiple servers with different IP's. ISA does NOT support multiple internet connections to do traffic balancing.

If I understand your question correctly, then yes, your internal DNS servers can handle both internal queries as well as resolving external addresses. You'll probably want to set up DNS forwarding on the DNS server to point to your ISP's servers for external resolution.

ISA has an "all users" option as well as an "all protocols" option which allows everyone (valid logon or not) access to anything on the external interface.

Good luck!
RE: Will ISA Do this? - 3.Jan.2006 3:29:04 PM
LLigetfa
Posts: 2184
Joined: 10.Aug.2004
From: fort frances.on.ca
Status: offline
Multiple external IPs are only supported inbound. Outbound will always be on the primary IP. "All Protocols" does not really mean "ALL", only those that ISA knows about.
_____________________________
The School of Hard Knocks is a mean teacher. She gives the exam before the lesson.
RE: Will ISA Do this? - 3.Jan.2006 4:14:35 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Marvin,

- I plan on assigning two static IP's to the external NIC and I need to route traffic based on external requests to those NIC's. For instance, I need two DNS servers on the internal network and need ISA to route requests accordingly. I also plan on having at least two web sites in place on the internal network and need ISA to route accordingly.

TOM: No problem with that. Just bind two IP addresses to the external interface and create two Server Publishing Rules.

- The next thing I am very concerned about is DNS. I would prefer to have two DNS servers on the Internal network composed of reserved IP's. Will ISA be able to service external DNS requests properly in this case?

TOM: Yes, no problem with that. DNS servers, by definition, need static addresses :)

- The last thing I am wondering about is internal users. I really don't need/require any accounts/monitoring etc. of internal users. My preference would be that all internal users have full access to anything on the Internet all the time. Caching their requests and the common requests made from the web server would be ideal though.

TOM: Not very secure, and doesn't take advantage of the major security advantage the ISA firewall has over most other firewalls, but yes, you can certainly configure things that way.

Is anyone out there able to definitively give me a yes or no on this scenario? It's very important to me as I can still choose another solution at this point. I'm actually faced with one more issue, but before getting into that I'd like to hear first if this design will work from people in the know :-)

TOM: OK, what's the last issue?

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Will ISA Do this? - 4.Jan.2006 5:04:09 AM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Marvin,

Ha! That's great! Thanks for getting the book! :))

Yes, it's fine to use the ISA firewall as a DHCP server. There's information in the book on how to do that. While I prefer a strictly pristine ISA firewall configuration, I do make allowances for the IIS SMTP service (so that you can use the ISA firewall as an inbound and/or outbound SMTP relay) and DHCP.

Allowing all traffic isn't a best security configuration, but if you deploy the Firewall client and Web proxy client configurations on your computer, your mom's computer and your neighbor's computer, at least you'll have comprehensive logging of who did what when, and then you might choose to lock down firewall policy in the future. Don't install the Firewall client on the Web server, though. That can make bad things happen.

You can set up the ISA firewall offline, but make sure each interface is connected to a hub or switch, so that the ISA firewall software sees that the NICs are "alive". Since this is a non-domain environment, you won't have any problems at all. It'll be drop in, plug in, and turn on.

Please feel free to post early and often about any questions you have about what you read in the book. It's sitting next to me on my desk, as I use it too, since I can't possibly remember all of the information I put in the book :)

Thanks!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Will ISA Do this? - 4.Jan.2006 5:34:53 AM
marvinmiller
Posts: 51
Joined: 2.Jan.2006
Status: offline
Hi Tom;

Thanks for the tips :-) You mentioned, "Since this is a non-domain environment, you won't have any problems at all" - actually, I guess I didn't mention this is a domain environment :-) I have an Active Directory services computer set up on the internal network and the ISA is actually already a member of it. Does that make it more complex, or easier in that it's already a member of the domain?

PS: Your book moved from being behind the salt shaker and under the Proliant manuals to on my desk now! :-)
_____________________________
Best & thanks; Marvin http://www.asksomeone.net
RE: Will ISA Do this? - 4.Jan.2006 5:55:32 AM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Marvin,

Ha! That's some positive movement :)

Actually, making the ISA firewall a domain member gives you a lot more security and flexibility. It won't make things more complex, and can make things a lot less complex, as you are likely to want to do more cool things with the firewall as you get to know it and read about all the neat things it can do.

When the ISA firewall is a domain member, you can use the Firewall client to transparently authenticate users that are domain members. But even if users are not domain members, you can mirror their accounts on the ISA firewall itself -- so you have strong user/group authentication available to you for domain members and non-domain members. Nice, eh? :)

In addition, making the ISA firewall a domain member will greatly simplify Web publishing, where you want the ISA firewall to authenticate users before they reach your published Web sites. This makes for a very secure configuration, as no anonymous connections are allowed to the Web server when you have the ISA firewall pre-authenticate those users.

Have fun with the book!
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Will ISA Do this? - 14.Feb.2006 10:35:02 PM
marvinmiller
Posts: 51
Joined: 2.Jan.2006
Status: offline
Hi Tom!

Thanks for the reply. What I mean is that the entire internal network is using non-routable addresses. So my DNS machines use a 192.168.1.* address and contain internal machine names with 192.168.1.* addresses. What I'm doing is simply running a website with mail etc. So my web server is 192.168.1.50 and its entry in the DNS server is 192.168.1.50.

Basically what I'm after is running my existing site/servers behind ISA using reserved IP's - including the DNS servers - without putting a DNS server outside the protected network or using my ISP as a DNS server. I'm interested in keeping all machines behind the firewall running on the 192.168.1.* address set. So I need confirmation that ISA will do this, as each time I look into DNS with ISA I only seem to find information on using a split DNS setup.

Does that make sense or clear it up? Thanks for taking the time to review this issue with me :-)
RE: Will ISA Do this? - 16.Feb.2006 4:12:17 AM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Marvin,

OK, you're referring to private IP addresses (which are indeed routable, you just can't use them as public IP addresses). The same DNS server cannot provide both public and private name resolution for a split DNS, because each zone needs to be on a different DNS server. However, you can configure one DNS server to resolve internal names and Internet host names, and the other DNS server can host your external zone.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
RE: Will ISA Do this? - 16.Feb.2006 4:23:55 AM
marvinmiller
Posts: 51
Joined: 2.Jan.2006
Status: offline
Hi Tom;

That's correct, as mentioned earlier, I'm using reserved class C IP addressing on my network (including the DNS servers). OK, so I can't use reserved IP's on the DNS servers to service external requests. How would I properly implement DNS then if I want all my servers located behind the proxy? I really didn't want to use an external DNS server and so I laid out the network according to your response earlier:

- The next thing I am very concerned about is DNS. I would prefer to have two DNS servers on the Internal network composed of reserved IP's. Will ISA be able to service external DNS requests properly in this case?

TOM: Yes, no problem with that. DNS servers, by definition, need static addresses :)

I also asked about this in the msnews forums prior to adopting ISA and I had the same response - there was no problem with internal DNS servers comprised of reserved IP's.

What's the answer to the DNS issue? Is there no way to run DNS entirely behind the ISA server without using publicly routable IP's?
RE: Will ISA Do this? - 20.Feb.2006 3:34:50 PM
tshinder
Posts: 47669
Joined: 10.Jan.2001
From: Texas
Status: online
Hi Marvin,

Inline...

That's correct, as mentioned earlier, I'm using reserved class C IP addressing on my network (including the DNS servers). OK, so I can't use reserved IP's on the DNS servers to service external requests. How would I properly implement DNS then if I want all my servers located behind the proxy? I really didn't want to use an external DNS server and so I laid out the network according to your response earlier:

TOM: You can publish DNS servers that are using private IP addresses. So, putting your public DNS server on a private network is possible and what I almost always do. But you can't put it behind a proxy, you'll need to put it behind the ISA firewall, unless you have a DNS proxy device. The ISA firewall doesn't do DNS proxy.

- The next thing I am very concerned about is DNS. I would prefer to have two DNS servers on the Internal network composed of reserved IP's. Will ISA be able to service external DNS requests properly in this case?

TOM: Yes, no problem with that. DNS servers, by definition, need static addresses :)

TOM2: Yes, no problem with that. You can put the public and private DNS servers on the same network, but I wouldn't do that, because you're putting Internet facing servers in the same zone as non-Internet facing servers, which isn't the best security policy.

I also asked about this in the msnews forums prior to adopting ISA and I had the same response - there was no problem with internal DNS servers comprised of reserved IP's.

What's the answer to the DNS issue? Is there no way to run DNS entirely behind the ISA server without using publicly routable IP's?

TOM: Both the msnews answers and mine are correct. Just don't put the public and private zones on the SAME DNS server.

HTH,
Tom
_____________________________
Thomas W Shinder, M.D. Sr. Consultant/Technical Writer Prowess Consulting http://www.prowessconsulting.com/ Blog: http://blogs.isaserver.org/shinder/ GET THE NEW ISA 2006 Book!: http://tinyurl.com/2gpoo8
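Added example, not part of this thread and not ISA Server code: the two replies above (16.Feb and 20.Feb) say the public zone and the private zone must live on different DNS servers, and that the Internet-facing server can still sit on a private address behind the firewall. A practical way to check that the split actually holds is to audit the two zone files: the public zone must never hand out RFC 1918 addresses, and names that exist in both zones are expected to resolve differently (public address outside, private address inside). The script below does that audit over constructed sample zones in a simplified "owner TTL IN A address" format; the host names, addresses and the zone-file subset are assumptions for the example.

```python
"""Split-DNS hygiene check over two zone files (added example, constructed data).

Checks the property the thread recommends: the public zone must not leak
RFC 1918 addresses, and a name published in both zones should answer with
a different (public vs. private) address in each.
"""
import ipaddress

# RFC 1918 ranges, i.e. what the thread calls "reserved IP's".
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample zones (placeholder names; not from the thread).
PUBLIC_ZONE = """\
$ORIGIN example.test.
@        3600 IN A  203.0.113.10
www      3600 IN A  203.0.113.10
mail     3600 IN A  203.0.113.11
; mistake on purpose: an internal record copied into the public zone
intranet 3600 IN A  192.168.1.50
"""

INTERNAL_ZONE = """\
$ORIGIN example.test.
www      3600 IN A  192.168.1.50
mail     3600 IN A  192.168.1.60
dc1      3600 IN A  192.168.1.10
"""


def is_rfc1918(addr):
    """True if the IPv4 address falls in one of the RFC 1918 private ranges."""
    return any(addr in net for net in RFC1918)


def parse_a_records(zone_text):
    """Return (fqdn, IPv4Address) pairs for the A records of a tiny zone-file subset.

    Supports $ORIGIN, '@' as the zone apex, ';' comments, and 'owner TTL IN A addr'.
    Everything else (SOA, NS, MX, ...) is skipped; only A records matter here.
    """
    origin = "."
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if len(fields) < 5 or fields[2] != "IN" or fields[3] != "A":
            continue
        owner = origin if fields[0] == "@" else f"{fields[0]}.{origin}"
        records.append((owner, ipaddress.ip_address(fields[4])))
    return records


def private_records(zone_text):
    """List (fqdn, address) for every A record that points at an RFC 1918 address."""
    return [(owner, str(addr)) for owner, addr in parse_a_records(zone_text) if is_rfc1918(addr)]


def split_dns_report(public_zone, internal_zone):
    """Audit a split-DNS pair.

    leaks:       private addresses served by the public zone (must be empty)
    split_names: names in both zones answering with different addresses (expected)
    same_answer: names in both zones answering identically (suspicious for a split)
    """
    public = dict(parse_a_records(public_zone))
    internal = dict(parse_a_records(internal_zone))
    leaks = [(owner, str(addr)) for owner, addr in public.items() if is_rfc1918(addr)]
    shared = [owner for owner in public if owner in internal]
    split_names = sorted(o for o in shared if public[o] != internal[o])
    same_answer = sorted(o for o in shared if public[o] == internal[o])
    return {"leaks": leaks, "split_names": split_names, "same_answer": same_answer}


if __name__ == "__main__":
    report = split_dns_report(PUBLIC_ZONE, INTERNAL_ZONE)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Run against the sample data, the audit flags intranet.example.test. as a private address leaking from the public zone, and lists www and mail as correctly split names. Feeding it real zone exports before they go live catches exactly the mix-up Tom warns about (public and private records ending up on the same server), without touching the servers themselves.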