Wireless DMZ Setup
Wireless DMZ Setup - 16.Dec.2006 7:04:11 AM
rabjac
Posts: 17
Joined: 10.Jan.2006
Status: offline
I'm stumped. I've been following Tom's ISA Server articles on Wireless DMZ set-up (parts 1 and 2). I've pretty much followed to the letter the layout Tom gives. However, I'm now finding I have problems.

1. I cannot browse the Internet from the Wireless DMZ.
2. I can only browse the Internet from the Production Network if I specify proxy settings within IE Options (this may be by design, in which case great, I've managed to get something working). Just now my Production Network consists of 1 server and nothing else.
3. Should I go with the split DNS as outlined in Tom's articles, or should I go with the DNS configuration as outlined in the Configuring ISA Server 2004 book where it talks about internal DNS servicing Active Directory? In either case this may be where my problem(s) are.

My network outline is exactly that in the 2004wirelessdmzpart1 and 2004wirelessdmzpart2 articles. The only exception being, I don't have an Exchange Server - yet!! Any help, as always, most appreciated. TIA, Robert.
RE: Wireless DMZ Setup - 17.Dec.2006 1:55:31 PM
rabjac
Posts: 17
Joined: 10.Jan.2006
Status: offline
Is there anyone out there who is willing to speak about my ISA wireless DMZ configuration issues? I'm absolutely stuck!
RE: Wireless DMZ Setup - 18.Dec.2006 8:16:55 AM
Guest
Hi Robert, let's take it step by step. First, I don't like having ANY additional services running on my ISA! This includes a DNS server! I guess you are stuck on the DNS issue here. The internal DNS server only resolves for your internal private network and must have DNS forwarders enabled on it (the DNS servers from your ISP, or host your own DNS resolvers in a DMZ which will only cache and resolve for your internal DNS server, non-authoritative for any domain) for resolving public names.

Do you plan to have that Exchange server and access it like specified in those articles?

If yes: you will have to have a DNS server set up just like there (except that it is not located on ISA; if that is not possible then put it on ISA). This is so because the domain is private and the only DNS server which will resolve the Exchange server's name to an IP address is the internal DNS server. This is not a valid option since there is a big security issue in allowing the untrusted DMZ network to talk to the internal DNS server.

If not: does your access point support DNS forwarding? (I suppose it does.) If so, configure this on it with the DNS servers from your ISP (you will need a rule on ISA which will allow DNS from the access point to the External network). This, along with DHCP set on the access point, will solve the problem.

On the internal network (example for HTTP): your clients can be SecureNAT clients, web proxy clients, Firewall Clients or any combination of these three. If you require authentication, your clients must use either the web proxy settings, the FWC or both (SecureNAT clients in this case can't access HTTP).

To check that you don't have a DNS issue you can simply ping www.google.com, copy the IP address returned by your ping and paste it in your browser. If it works, it means that DNS is not set up properly.
< Message edited by adrian_dimcev -- 18.Dec.2006 8:18:02 AM >
RE: Wireless DMZ Setup - 19.Dec.2006 4:02:26 AM
rabjac
Posts: 17
Joined: 10.Jan.2006
Status: offline
Hi Adrian, many thanks for the reply. I've managed to set up a DNS caching-only server on the ISA Server with IP forwarding set to my ISP's DNS servers. I don't know if this was the correct thing to do or not. Currently from my DC (which is the only machine on the internal network), I can browse the web and run nslookup and have site names resolved. In order to browse the Internet I've had to set the IE options for a proxy server. Therefore I'm assuming that internally I'm pretty much set?

Now for the wireless side: I've disabled DHCP on the wireless AP (combined router, switch etc.) because I can't see an option to set the ISP DNS entries. My wireless clients now get DHCP-assigned IP addresses from my DC using DHCP relay as outlined in Tom's book, and this seems to work. Should I be DHCP-assigning a default gateway and DNS servers as well as an IP address? If so, what should the gateway be set to?

I've also got an issue in that I cannot VPN from the wireless DMZ to the internal network (I'll admit though that I don't know what IP address to use in the connectoid). However, one thing at a time!
RE: Wireless DMZ Setup - 19.Dec.2006 5:05:20 AM
Guest
Hi Robert, I guess your clients are untrusted and you are using no encryption on the WLAN, right? If so:

quote:
My wireless clients now get DHCP assigned IP addresses from my DC using DHCP relay

No, no, no! And no! This is a huge security hole!

quote:
I've disabled DHCP on the wireless AP (combined router, switch etc) because I can't see an option to set the ISP DNS entries.

You won't see it. Not on this type of access point. The DNS settings are probably located where you set the "WAN" connection on that access point (or maybe they called this LAN; typically you have at least one RJ-45 port on it) or in some place called DNS forwarding. This AP will set the DNS server address on your clients to point to itself and then it will do DNS forwarding to the DNS server selected by you in those areas above (I don't know exactly where the DNS settings are situated on your AP because I don't know the model), but it will do this only between the WLAN and the "WAN" port (or whatever this port is called, maybe LAN port). Does your AP support bridge mode? If so, put it in bridge mode between "WAN" (or whatever; you should have some instructions in its manual on how to do that) and WLAN, with the "WAN" port connected to ISA. If not: put a separate server on the LAN with DNS and DHCP on it. The last solution is to install DHCP on ISA (but this will add another possible security problem to your configuration).

quote:
In order to browse the internet I've had to set the IE options for a proxy server.

As I have said in my previous post, if you make your server a SecureNAT client (this means setting the default gateway on it to the ISA IP address), as long as your rule is for all users you don't need proxy settings.
< Message edited by adrian_dimcev -- 19.Dec.2006 5:10:58 AM >
RE: Wireless DMZ Setup - 19.Dec.2006 6:12:48 AM
rabjac
Posts: 17
Joined: 10.Jan.2006
Status: offline
My apologies for being a bit on the thick side today! Are you saying that I should strip out the DHCP set-up I have created and go back to the AP (Linksys Compact Wireless-G 54 Mbps WRT54GC) giving out addresses etc. for the wireless clients? Are you also saying that I should dispense with the DNS set-up on the ISA server? I only have 2 servers currently, and getting a 3rd one at the moment is not an option for me.
RE: Wireless DMZ Setup - 19.Dec.2006 7:00:26 AM
Guest
What I'm saying is that due to the untrusted relationship which you have with your wireless clients, they cannot be allowed to access the internal network except with VPN. That internal server can serve only your internal clients (DHCP, Active Directory...).

What I'm saying is that that little dumb Linksys AP with DHCP enabled gives the clients its IP address as their DG, their DNS setting is filled with its IP address (DNS forwarding), and it acts as a bridge between wired LAN and WLAN. This means it will do DNS forwarding and any "routing" only between WAN and LAN (which is a single network which comprises the wired LAN and the WLAN). So you can't use it with the switch ports that your Linksys has (just plugging the cable from ISA into one of those switch ports of the AP).

One option you have is to put a server on the network which will act as DHCP and DNS server, giving the right IP settings to clients. If you cannot put another one (an old box can do the trick), then the other option you have is to put DNS on ISA (which you have done) and install also the DHCP server on ISA to serve only the DMZ clients. Every additional service you install on ISA adds a possible hole (if the DHCP server is insecure it can make your network vulnerable).

Another option you have is to connect the WAN port of your Linksys directly to ISA (I think this can be done with a cross-over cable). The disadvantages of doing this are that you will have 2 different networks: one which connects the ISA interface with the WAN interface of the AP, and one network for your LAN (wired + WLAN), plus the Linksys will do NAT. Now the DHCP settings + DNS (ISP servers) from the AP should work fine (no extra server needed). A solution to this would be to put the WAN and LAN in bridge mode. I think this can be done with one of those hacked images available for WRT54; never tried that though.
< Message edited by adrian_dimcev -- 19.Dec.2006 8:20:02 AM >
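The design rule running through Adrian's replies is that the untrusted Wireless DMZ may reach the External network for DNS and web, and the internal network only as an authenticated VPN client, never directly (no DHCP relay, no DNS, nothing else to the DC). The following is an added example, not from the thread and not Microsoft's ISA tooling: a small Python model of an ISA-style ordered access policy (first matching rule wins, with a trailing "Default rule" that denies) that puts Robert's DHCP-relay design next to the hardened one and audits both. The network names ("Wireless DMZ", "Internal", "External", "Local Host", "VPN Clients"), the rule names and the probe protocol list are assumptions chosen to mirror the thread.

```python
"""Illustrative model of an ISA-style access policy (added example, not ISA code).

Rules are evaluated top to bottom; the first rule whose protocol, source
network and destination network all match decides, and an implicit trailing
"Default rule" denies everything else. Network and rule names are assumptions
chosen to mirror the forum thread, not exported from a real ISA box.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANY = "*"


@dataclass(frozen=True)
class Rule:
    name: str
    action: str              # "allow" or "deny"
    protocols: frozenset     # e.g. {"DNS", "HTTP"}; {ANY} matches every protocol
    sources: frozenset       # network names
    destinations: frozenset  # network names


def rule(name, action, protocols, sources, destinations) -> Rule:
    return Rule(name, action, frozenset(protocols), frozenset(sources),
                frozenset(destinations))


def evaluate(policy: Iterable[Rule], protocol: str, src: str, dst: str) -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the deciding rule)."""
    for r in policy:
        if ((ANY in r.protocols or protocol in r.protocols)
                and src in r.sources and dst in r.destinations):
            return r.action, r.name
    return "deny", "Default rule"


# Protocols worth probing from an untrusted segment towards a domain controller.
PROBES = ("DNS", "DHCP", "HTTP", "HTTPS", "LDAP", "Kerberos", "SMB", "RPC")


def exposed(policy: Iterable[Rule], src: str, dst: str, probes=PROBES) -> List[str]:
    """Protocols src can actually reach on dst once ordering and denies are applied."""
    policy = list(policy)
    return [p for p in probes if evaluate(policy, p, src, dst)[0] == "allow"]


def audit(policy: Iterable[Rule]) -> List[str]:
    """Findings against the thread's design rule: DMZ gets DNS/web to External,
    reaches Internal only via the VPN Clients network, and nothing else."""
    policy = list(policy)
    findings = []
    leaked = exposed(policy, "Wireless DMZ", "Internal")
    if leaked:
        findings.append("Wireless DMZ reaches Internal directly: " + ", ".join(leaked))
    for proto in ("DNS", "HTTP"):
        if evaluate(policy, proto, "Wireless DMZ", "External")[0] != "allow":
            findings.append(f"{proto} from Wireless DMZ to External is blocked")
    if evaluate(policy, "LDAP", "VPN Clients", "Internal")[0] != "allow":
        findings.append("VPN clients cannot reach Internal; the sanctioned path is closed")
    return findings


# Robert's setup as described: DHCP relay and DNS from the DMZ land on the DC.
WEAK_POLICY = [
    rule("DHCP relay to DC", "allow", {"DHCP"}, {"Wireless DMZ"}, {"Internal"}),
    rule("DNS via DC", "allow", {"DNS"}, {"Wireless DMZ"}, {"Internal"}),
    rule("DMZ web out", "allow", {"HTTP", "HTTPS"}, {"Wireless DMZ"}, {"External"}),
    rule("VPN clients in", "allow", {ANY}, {"VPN Clients"}, {"Internal"}),
    rule("Internal web out", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}),
]

# Adrian's design: the AP forwards DNS to the ISP, the DMZ never talks to the DC,
# and an explicit deny sits first so a later careless allow cannot reopen the path.
HARDENED_POLICY = [
    rule("Block DMZ to Internal", "deny", {ANY}, {"Wireless DMZ"}, {"Internal"}),
    rule("DMZ DNS and web out", "allow", {"DNS", "HTTP", "HTTPS"}, {"Wireless DMZ"}, {"External"}),
    rule("VPN clients in", "allow", {ANY}, {"VPN Clients"}, {"Internal"}),
    rule("Internal DNS forwarders", "allow", {"DNS"}, {"Internal", "Local Host"}, {"External"}),
    rule("Internal web out", "allow", {"HTTP", "HTTPS"}, {"Internal"}, {"External"}),
]

if __name__ == "__main__":
    for label, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(label, audit(policy) or ["no findings"])
```

Running it reports two findings for the weak policy (DNS and DHCP from the DMZ reach the DC, and the DMZ has no DNS path to the ISP) and none for the hardened one. The explicit deny at the top is the point worth copying into a real rule set: because evaluation is first-match, a broad "allow all from Wireless DMZ" added later by mistake is shadowed and the DC stays unreachable.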