I'm planning to implement ISA Server 2004 on our DMZ network and to set up an FE/BE server configuration for OWA, an SMTP relay and Exchange. The OWA and SMTP relay will be on the front-end box and the Exchange server is on the back-end box. I will be using SSL encryption between the client and the ISA through to the FE box using SSL bridging. We also have a couple of clients who use IMAP4 to read mail from their Outlook client. I would like to use secure IMAP4 for them for added security.
I'm confused about what I've read both from isaserver.org and other sites (mostly Microsoft). I've read both that it's a crime to make the ISA server part of the Intranet domain, but also that the only way to use IPsec encryption is for the ISA server to be part of the domain in order to provide the needed IPsec encryption. I will be providing IPsec between the front-end and the back-end because they'll be part of the same domain inside the Intranet.
Is it possible to provide IPsec encryption without adding the ISA server to the domain? Also, would it be a crime to add it to the domain and require secure communications between it and the front-end server? The front-end server would be set up to require secure communications already.
Who said it was a crime to make the ISA firewall a member of the domain? Let me know and I'll arrest him for 'criminal misinformation'!
Honestly, there is nothing wrong with making the ISA firewall a member of the domain if that's what's required for your design goals. If you configure the ISA firewall correctly, no one is ever going to own the box, so IMO, unless you're running a meth lab or the NSA, this configuration is just fine.
Couple of helpers for your situation:
If you are going to use IPSec with ISA Server make sure IP Routing is DISABLED (Configuration, General, Define IP Preferences). IP Routing causes packets to skip IPSec in the TCP/IP stack in certain circumstances which doesn't go down well with your firewall clients!
You can provide IPSec to non-domain servers but you must use certificates (not Kerberos) and have the PKI to support them. This takes a bit of work with the certificates and fiddling with IPSec policies. You could also use shared secrets if you're not being serious!
The new RADIUS authentication method in ISA 2004 allows non-domain ISA Servers to authenticate domain users. Very handy; I use it even on domain member ISA Servers just 'cos I can!
The 'security in depth' ethic might suggest you don't make the ISA Server a domain member, but if your ISA Server is compromised you're in it up to your neck either way! Follow Tom's advice. An ISA Server for Intranet access should be a domain member unless you want to make your life very difficult. For ISA dealing with only public access there is no reason for ISA to be a domain member.
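As an added illustration of the certificate-based IPSec setup described in the post above (this is not part of the original post or from the poster), the following netsh commands build and assign a local IPSec policy on Windows Server 2003 that requires ESP between a front-end and a back-end host and authenticates the peers with certificates chained to a named root CA rather than Kerberos, so the ISA box can stay out of the domain. The host addresses, policy/filter/action names and the CA distinguished name are placeholders invented for the example, and the exact rootca= quoting (DN followed by the certmap/excludecaname flags inside one quoted string) is my reading of the Windows Server 2003 netsh syntax; confirm it with `netsh ipsec static add rule /?` on the box before relying on it.

```batch
@echo off
rem Added example (not from the original thread): require ESP between FE and BE with
rem certificate authentication instead of Kerberos. All names/addresses are placeholders.
set FE=10.0.1.10
set BE=10.0.2.10
set POL=FE-BE Require ESP
set FL=FE-BE traffic
set FA=Require ESP cert

rem 1. Policy container; leave it unassigned until the rule exists
netsh ipsec static add policy name="%POL%" description="Require ESP FE<->BE, certificate auth" assign=no

rem 2. Filter list: all IP traffic between the two hosts, mirrored so replies match too
netsh ipsec static add filterlist name="%FL%"
netsh ipsec static add filter filterlist="%FL%" srcaddr=%FE% dstaddr=%BE% protocol=ANY mirrored=yes

rem 3. Filter action: negotiate security, no fallback to clear text (soft=no),
rem    no unsecured inbound traffic accepted (inpass=no). 3DES/SHA1 is what 2003-era
rem    IPSec offers; it is not a modern cipher recommendation.
netsh ipsec static add filteraction name="%FA%" action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]:100000k/3600s"

rem 4. Rule: tie list and action together, disable Kerberos, authenticate with certs
rem    issued under the placeholder root CA (DN and flag quoting assumed, see lead-in)
netsh ipsec static add rule name="FE-BE rule" policy="%POL%" filterlist="%FL%" filteraction="%FA%" kerberos=no rootca="C=US,O=Example,CN=Example Root CA certmap:no excludecaname:no"

rem 5. Assign the policy (only one local policy is active at a time) and show the result
netsh ipsec static set policy name="%POL%" assign=y
netsh ipsec static show policy name="%POL%" level=verbose
```

Run the same script on the other host with FE and BE swapped (the mirrored filter makes the policy symmetric), make sure both machines hold a machine certificate from that root CA, and, as the post notes, keep IP Routing disabled on the ISA Server or traffic may bypass the IPSec driver. With soft=no, a host whose certificate is missing or expired is simply cut off rather than silently falling back to clear text, so test the policy in a maintenance window.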
Good advice! One thing: you can only use RADIUS with Web Proxy authentication. I've been begging the ISA team to allow RADIUS auth with the Firewall client. Then you would never need to make the ISA firewall a member of the domain. But because the Firewall client is a key security piece for outbound access control, I prefer to take the theoretical risk of making the ISA firewall a member of the domain, rather than allow non-authenticated access for non-Web Proxy client protocols.