Using IPsec with ISA 2004 on DMZ

Using IPsec with ISA 2004 on DMZ - 28.Jul.2004 5:48:00 PM   
davebrez

Posts: 1
Joined: 28.Jul.2004
Status: offline
I'm planning to implement ISA server 2004 on our DMZ network and set up a FE/BE server configuration for OWA and as an SMTP relay and Exchange. The OWA and SMTP relay will be on the front-end box and the exchange server is on the back-end box. I will be using SSL encryption between the client and the ISA through to the FE box using SSL bridging. We also have a couple of clients who use IMAP4 to read mail from their Outlook client. I would like to use secure IMAP4 for them for added security.

I'm confused about what I've read both from isaserver.org and other sites (mostly Microsoft). I've read both that it's a crime to make the ISA server part of the Intranet domain but also that the only way to use IPsec encryption is that the ISA server would have to be part of the domain in order to provide the needed IPsec encryption. I will be providing IPsec between the front-end and the back-end because they'll be part of the same domain inside the Intranet.

Is it possible to provide IPsec encryption w/out adding the ISA server to the domain? Also, would it be a crime to add it to the domain and require secure communications between it and the front-end server? The front-end server would be set up to require secure communications already.

Thank you for your help!
Post #: 1
RE: Using IPsec with ISA 2004 on DMZ - 29.Jul.2004 7:57:00 AM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi David,

Who said it was a crime to make the ISA firewall a member of the domain? Let me know and I'll arrest him for 'criminal misinformation'!

Honestly, there is nothing wrong with making the ISA firewall a member of the domain if that's what's required for your design goals. If you configure the ISA firewall correctly, no one is ever going to own the box, so IMO, unless you're running a meth lab or the NSA, this configuration is just fine.

HTH,
Tom

(in reply to davebrez)
Post #: 2
RE: Using IPsec with ISA 2004 on DMZ - 29.Jul.2004 9:53:00 AM   
paulbaldwin

Posts: 139
Joined: 2.Apr.2004
From: Lancashire, UK
Status: offline
Couple of helpers for your situation:

If you are going to use IPSec with ISA Server make sure IP Routing is DISABLED (Configuration, General, Define IP Preferences). IP Routing causes packets to skip IPSec in the TCP/IP stack in certain circumstances which doesn't go down well with your firewall clients!

You can provide IPSec to non-domain servers but you must use certificates (not Kerberos) and have the PKI to support them. This takes a bit of work with the certificates and fiddling with IPSec policies. You could also use shared secrets if you're not being serious!

The new RADIUS authentication method in ISA 2004 allows non-domain ISA Servers to authenticate domain users. Very handy; I use it even on domain member ISA Servers just 'cos I can!

The 'security in depth' ethic might suggest you don't make the ISA Server a domain member, but if your ISA Server is compromised you're in it up to your neck either way! Follow Tom's advice. An ISA Server for Intranet access should be a domain member unless you want to make your life very difficult. For ISA dealing with only public access there is no reason for ISA to be a domain member.

Cheers

(in reply to davebrez)
Post #: 3
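Paul's second point (IPsec to a non-domain box means certificate authentication rather than Kerberos) is the part people usually get stuck on, so here is what it looks like as a local IPsec policy on Windows Server 2003, which is what an ISA 2004 firewall runs on. This is an added example, not something posted by Paul or Tom: the addresses, policy names and the root CA distinguished name are constructed for illustration, and it assumes both the ISA firewall and the front-end server already hold a machine certificate issued under that root CA. It uses the `netsh ipsec static` context to build the four pieces of a policy (policy, filter list, filter action, rule) and assigns it.

```batch
@echo off
rem Added example: local IPsec policy on a NON-domain ISA 2004 firewall (Windows Server 2003)
rem that requires ESP to the Exchange front-end and authenticates with machine certificates.
rem Every name and address below is made up for illustration.

rem --- assumed values (not from the thread) ---
set ISA_DMZ_IP=10.10.1.2
set FE_IP=10.10.1.20
set ROOT_CA=C=US,O=Example Corp,CN=Example Corp Root CA

rem 1. Policy container. Main mode 3DES/SHA1 with DH group 2 is the strongest the
rem    Windows Server 2003 stack offers (AES only arrived with later releases).
netsh ipsec static add policy name="ISA-FE Required IPsec" ^
    description="Require ESP between the ISA firewall and the Exchange front-end" ^
    mmsecmethods="3DES-SHA1-2" assign=no

rem 2. Filter list: all traffic between the two hosts. mirrored=yes also matches the
rem    reverse direction, so the same list works when this script runs on the front-end.
netsh ipsec static add filterlist name="ISA to FE" description="All traffic ISA firewall <-> FE"
netsh ipsec static add filter filterlist="ISA to FE" ^
    srcaddr=%ISA_DMZ_IP% dstaddr=%FE_IP% protocol=ANY mirrored=yes

rem 3. Filter action: negotiate ESP only. inpass=no rejects unsecured inbound packets and
rem    soft=no refuses to fall back to cleartext if IKE fails: "require", not "request".
netsh ipsec static add filteraction name="Require ESP 3DES-SHA1" ^
    action=negotiate inpass=no soft=no qmpfs=no qmsecmethods="ESP[3DES,SHA1]"

rem 4. Rule tying the pieces together. kerberos=no because the ISA box is not a domain
rem    member; rootca= names the CA that issued both machines' certificates
rem    (certmap:no means no mapping of the certificate to a domain account).
netsh ipsec static add rule name="ISA to FE rule" policy="ISA-FE Required IPsec" ^
    filterlist="ISA to FE" filteraction="Require ESP 3DES-SHA1" ^
    kerberos=no rootca="%ROOT_CA% certmap:no excludecaname:no"

rem The "not serious" alternative Paul mentions is a pre-shared key on the rule instead of
rem rootca=, e.g.   ... kerberos=no psk="ChangeMeLongRandomSecret"
rem The PSK sits readable in the local policy store, so keep that to a lab.

rem 5. Assign the policy (only one local policy can be active at a time) and review it.
netsh ipsec static set policy name="ISA-FE Required IPsec" assign=yes
netsh ipsec static show policy name="ISA-FE Required IPsec" level=verbose
```

Run the same script on the front-end server; because the filter is mirrored it needs no src/dst swap. Two things bite in practice: the ISA firewall policy itself has to permit IKE (UDP 500) and ESP (IP protocol 50) between the two addresses, since ISA filters its own host traffic as well, and the `rootca` name must match the issuing root in both machines' certificate stores exactly or IKE main mode fails with an authentication error rather than anything that mentions certificates.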
RE: Using IPsec with ISA 2004 on DMZ - 29.Jul.2004 3:07:00 PM   
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Paul,

Good advice! One thing, you can only use RADIUS with Web Proxy authentication. I've been begging the ISA team to allow RADIUS auth with the Firewall client. Then you would never need to make the ISA firewall a member of the domain. But because the Firewall client is a key security piece for outbound access control, I prefer to take the theoretical risk of making the ISA firewall a member of the domain, rather than allow non-authenticated access for non-Web Proxy client protocols.

Thanks!
Tom

(in reply to davebrez)
Post #: 4
