Where to put my ISA with Netscreen??? (Full Version)



kenisswell -> Where to put my ISA with Netscreen??? (10.Jan.2006 9:22:49 AM)

I am trying to determine the best way for me to install my ISA 2004 server. I own and have read Tom's book. I have read many articles including "Playing well with others. Configuring the ISA...PIX DMZ...", and other articles here that cover DMZ concepts, but I still don't know the best place to place my ISA server. I need to decide between the following methods for deploying my ISA and I need some help.
  1. The back to back firewall setup
  2. The parallel firewall setup
  3. The ISA firewall in a DMZ setup
    • The Back to Back Private Address DMZ
    • The Back to Back Public Address DMZ

Currently I use Netscreen/Juniper as firewalls at all eight of my offices. The Netscreens are also being used for the VPN architecture so I am not really inclined to remove the Netscreens. Also all internet bound traffic travels across the VPN (from remote offices) to the central office so it can be filtered before going to the internet. I am not sure where to place the ISA server mainly because of the existing VPN.
The main functions I would like to use ISA for are:
  • Web/URL filtering (using Smartfilter)
  • Web caching
  • OWA publishing (with FBA and Radius/2-factor auth)
  • Exchange RPC (with radius/2-factor auth)

I am inclined to use a parallel firewall set up but I can't figure out the issue of having split gateways (in particular for the VPN traffic). If I connected both my Netscreen and my ISA to my LAN, and I set ISA as the default gateway for all my internal hosts, how does traffic bound for a remote office (VPN traffic) know to use the gateway of the Netscreen (i.e. how does ISA redirect it to the Netscreen's inside IP)? Can I put hard routes on the ISA server?

If I used a back to back set up with ISA in back, a) How do I allow VPN traffic inbound into the LAN (i.e. how would ISA forward that traffic to my LAN)? b) How would I force internet bound traffic from remote offices (VPN traffic) to go through the ISA server (since the Netscreen is in front of the ISA)?

I know there are other options like using a DMZ but again I seem to run into similar questions. Could anyone give me some constructive ideas and reasons?
Thanks
Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (10.Jan.2006 4:01:06 PM)

Hi Ken,

It's an interesting question that actually got me to pull out some graph paper to draw out the diagrams. I'll try to get them on Visio sometime today and then do the POC in the VM lab. However, there are a few flaws in the design that I won't include in my POC:

1. The ISA firewall should be a domain member to get the highest level of security the ISA firewall can provide, so the POC will have the ISA firewall as a member of the user domain

2. RADIUS is a kludge solution for ISA authentication. I realize why MS included this option, but if someone doesn't have a gun to your head or a knife in your back, then avoid RADIUS and use integrated Windows authentication. Again, it's more secure and more flexible

3. For Secure Exchange RPC Publishing, there is no pre-authentication at the ISA firewall. However, the ISA firewall's Secure Exchange RPC filter will scrub the RPC/MAPI communications to make sure they're not worm traffic and are legitimate Exchange/Outlook connections

4. I highly recommend using the Firewall client. The Firewall client is one of the core security technologies that makes the ISA firewall several orders of magnitude more secure than just about any firewall in the market today. Give the Firewall client very serious consideration, as the network you save could be yours :)

I'll get the diagram up later, but essentially the setup is a parallel config, with the ISA firewall and the other one having three NICs. Clients use the netscreen server as their default gateway, and the netscreen server has routing table entries for the remote site network, and the gateway of last resort will be the DMZ interface of the ISA firewall, which is connected to the same switch/hub as the DMZ interface of the netscreen server. Seems to work fine and doesn't require changing the default gateway config on any servers or clients and will also support the publishing scenarios.

HTH,
Tom





tshinder -> RE: Where to put my ISA with Netscreen??? (11.Jan.2006 5:52:58 AM)

Hi Ken,

Here are the diagrams for the design. I'll try to get the article written up tomorrow.

Nice problem! Glad you brought it up, as it will allow me to explain many of the ISA firewall's networking features and components.

Thanks!
Tom




kenisswell -> RE: Where to put my ISA with Netscreen??? (11.Jan.2006 6:34:33 AM)

Tom,
 
quote:

1. The ISA firewall should be a domain member to get the highest level of security the ISA firewall can provide, so the POC will have the ISA firewall as a member of the user domain

I agree and I hope that I can make it a domain member and still do what I want securely. Will there be any issues with making it a domain member in a DMZ? Also are there any issues using RADIUS (or RSA) when ISA is a domain member?

quote:

2. RADIUS is a kludge solution for ISA authentication. I realize why MS included this option, but if someone doesn't have a gun to your head or a knife in your back, then avoid RADIUS and use integrated Windows authentication. Again, it's more secure and more flexible

My reason for using RADIUS is out of my company's security policy which requires two-factor authentication for remote users (i.e. OWA, software-based VPN clients, Citrix or other applications over a VPN). I am still trying to decide between RSA Secure ID and Secureword from Secure Computing. Seems like RADIUS had some minor advantages over the integrated RSA Secure ID but I can't recall what it was at this point.

quote:

3. For Secure Exchange RPC Publishing, there is no pre-authentication at the ISA firewall. However, the ISA firewall's Secure Exchange RPC filter will scrub the RPC/MAPI communications to make sure they're not worm traffic and are legitimate Exchange/Outlook connections
I want to be able to offer RPC over HTTP to my clients, but I may not be able to unless I can find a mechanism to add another layer of authentication. Perhaps a VPN will be the solution. (And I do know that RPC over HTTP is in itself an SSL tunnel "VPN" but I still have to require two-factor authentication.) I am open to ideas.

quote:

4. I highly recommend using the Firewall client. The Firewall client is one of the core security technologies that makes the ISA firewall several orders of magnitude more secure than just about any firewall in the market today. Give the Firewall client very serious consideration, as the network you save could be yours :)
I am thinking about continuing to use the Netscreens for the Site-to-Site VPNs. But I may be willing to replace my Netscreen-remote (software VPN) with the integrated ISA VPN for my traveling folks. I am looking for a good VPN system that can use IPSec and require two-factor authentication (both company requirements). Would ISA be able to do that?

quote:

... but essentially the setup is a parallel config, with the ISA firewall and the other one have three NICs. Clients use the netscreen server as their default gateway, and the netscreen server has routing table entries for the remote site network, and the gateway of last resort will be the DMZ interface of the ISA firewall, which is connected to the same switch/hub as the DMZ interface of the netscreen server. Seems to work fine and doesn't require changing the default gateway config on any servers or clients and will also support the publishing scenarios.
That is interesting. Much more sophisticated than I first thought. It is sort of a hybrid parallel/DMZ method. A couple of questions though...
a) Did you mean that my ISA server would have three interfaces or just two (only the Netscreen would have three interfaces)?
b) So the Netscreen would require static routes for all the IPs of VPN endpoints? Right? I think this is so the Netscreen sends VPN bound traffic direct to the internet using its external interface (as opposed to the DMZ interface). Otherwise it would use the ISA server as its DG.
c) Also, in the DMZ should I use private or public IPs?


Also, thank you for your response and your great input. I have been trying to wrap my head around this and have been white-boarding it but with little success.

Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (11.Jan.2006 2:33:23 PM)

Hi Ken,

I forgot to post the link to the diagrams.

http://www.msfirewall.org/isa2004/2004isanetscreen.zip

HTH,
Tom




tshinder -> RE: Where to put my ISA with Netscreen??? (11.Jan.2006 3:09:20 PM)

Hi Ken,

Inline...



quote:

1. The ISA firewall should be a domain member to get the highest level of security the ISA firewall can provide, so the POC will have the ISA firewall as a member of the user domain


I agree and I hope that I can make it a domain member and still do what I want securely. Will there be any issues with making it a domain member in a DMZ? Also are there any issues using RADIUS (or RSA) when ISA is a domain member?
TOM: Of course, domain member ISA firewalls are 9 times out of 10 more secure than non-domain members. It's a hard thing for clipboard based "security guys" who don't understand how things work, but you'll find that if you can get them off your back, you'll end up with a much more secure ISA firewall solution.

quote:

2. RADIUS is a kludge solution for ISA authentication. I realize why MS included this option, but if someone doesn't have a gun to your head or a knife in your back, then avoid RADIUS and use integrated Windows authentication. Again, it's more secure and more flexible


My reason for using RADIUS is out of my company's security policy which requires two-factor authentication for remote users (i.e. OWA, software-based VPN clients, Citrix or other applications over a VPN). I am still trying to decide between RSA Secure ID and Secureword from Secure Computing. Seems like RADIUS had some minor advantages over the integrated RSA Secure ID but I can't recall what it was at this point.
TOM: OK, I didn't take into account the two-factor auth issue. It might be that RADIUS auth would be more simple to implement.

quote:

3. For Secure Exchange RPC Publishing, there is no pre-authentication at the ISA firewall. However, the ISA firewall's Secure Exchange RPC filter will scrub the RPC/MAPI communications to make sure they're not worm traffic and are legitimate Exchange/Outlook connections

I want to be able to offer RPC over HTTP to my clients, but I may not be able to unless I can find a mechanism to add another layer of authentication. Perhaps a VPN will be the solution. (And I do know that RPC over HTTP is in itself an SSL tunnel "VPN" but I still have to require two-factor authentication.) I am open to ideas.
TOM: I wasn't talking about RPC/HTTP, I was thinking of Secure Exchange RPC. In both cases, you won't be able to implement two-factor authentication. However, if you're using a VPN connection to allow the Outlook clients, you don't even need to mess with RPC/HTTP and you can use the native MAPI/RPC connection to the Exchange Server.

quote:

4. I highly recommend using the Firewall client. The Firewall client is one of the core security technologies that makes the ISA firewall several orders of magnitude more secure than just about any firewall in the market today. Give the Firewall client very serious consideration, as the network you save could be yours :)

I am thinking about continuing to use the Netscreens for the Site-to-Site VPNs. But I may be willing to replace my Netscreen-remote (software VPN) with the integrated ISA VPN for my traveling folks. I am looking for a good VPN system that can use IPSec and require two-factor authentication (both company requirements). Would ISA be able to do that?
TOM: The solution I put together doesn't require you to change your site to site VPN configuration and it doesn't require that you change any of the host's default gateways.

quote:

... but essentially the setup is a parallel config, with the ISA firewall and the other one have three NICs. Clients use the netscreen server as their default gateway, and the netscreen server has routing table entries for the remote site network, and the gateway of last resort will be the DMZ interface of the ISA firewall, which is connected to the same switch/hub as the DMZ interface of the netscreen server. Seems to work fine and doesn't require changing the default gateway config on any servers or clients and will also support the publishing scenarios.

That is interesting. Much more sophisticated than I first thought. It is sort of a hybrid parallel/DMZ method. A couple of questions though...
TOM: Yea, unfortunately my initial thoughts won't work. My new solution will work better.

a) Did you mean that my ISA server would have three interfaces or just two (only the Netscreen would have three interfaces)?
TOM: No, in the new design the ISA firewall only has two interfaces.


b) So the Netscreen would require static routes for all the IPs of VPN endpoints? Right? I think this is so the Netscreen sends VPN bound traffic direct to the internet using its external interface (as opposed to the DMZ interface). Otherwise it would use the ISA server as its DG.
TOM: No, in the new solution there are no changes to the routing tables on the netscreen, but there are new entries in the routing table of the ISA firewall.
c) Also, in the DMZ should I use private or public IPs?
TOM: The DMZ between the ISA firewall and the netscreen should use private addresses.
HTH,
Tom




kenisswell -> RE: Where to put my ISA with Netscreen??? (13.Jan.2006 2:27:09 AM)

Tom,

I wanted to say thank you very much for taking all that time and effort. That was very generous.

I have printed out the visio docs and am filling it in with my IPs and routing information so I can work out the details. I am sure to have some questions with regards to the routes in the next few days as I test this out.

Thanks again.
Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (13.Jan.2006 2:28:51 AM)

Hi Ken,

You bet! And thank you for providing clear design goals that enabled me to put the thinking cap on.

I'm writing the article now, and we'll post it next Tuesday.

Thanks!
Tom




tshinder -> RE: Where to put my ISA with Netscreen??? (16.Jan.2006 3:32:07 PM)

The article is complete. Will go up on the site tomorrow and if you want to see it before then, write to me.

Thanks!
Tom




kenisswell -> RE: Where to put my ISA with Netscreen??? (16.Jan.2006 9:12:56 PM)

Thanks Tom, I would like to see it. That may really help.

I spent some time last week trying to get it working but I got stuck. I realized I was not sure where to start. I could not decide on which network template to start with. This configuration sort of matches the front firewall template configuration but not exactly. I could start from scratch, but I don't know if I could ever get it working if I didn't start with a template. I think ISA was set up right (well maybe) but I did not correctly set my back-end firewall (my Netscreen) to route traffic properly via my new DMZ.

Anyway I am eager to see the article with hopes that it will give me some pointers.

Thanks
Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (17.Jan.2006 3:46:12 PM)

Hi Ken,

It's now online!

Let me know if you have any questions about the design, I'll be really glad to answer them and maybe use the information to update the article.

Thanks!
Tom




kenisswell -> RE: Where to put my ISA with Netscreen??? (18.Jan.2006 8:44:03 PM)

Hello Tom,

I have read the article. It was very good. Thanks again for putting so much effort in to this.

I think I am going to try to use your suggested configuration with the DMZ as opposed to the parallel. I am hoping that I do not run into any issues on the Netscreen end.

I have a few notes and questions.

1) One thing to note is that ALL traffic from all the remote sites currently travels over the VPN and uses our HQ as the gateway to and from the internet. The goal is to have all internet bound traffic (with the exception of the VPN traffic itself) travel through the ISA server (even from the remote offices). You had mentioned this scenario as a possibility (in section 7-8 of the article) but I wanted to clear that up and let you know that's how it actually is here currently. I am not certain about using web proxy or firewall clients. I don't think that this will be an issue since my gateway on the Netscreen will change to use the ISA server.


2) What 'Network Template' would you suggest starting out with for ISA. I was thinking of using the Front Firewall template but I was not certain that was the best choice. I guess I will have a perimeter network and a trusted network but I only have two interfaces so I was confused on this point.

3) On a similar note, what networks should my ISA server have defined? Does the ISA server have to have the trusted network defined or will it be blind of the internal trusted network?

4) I am unclear on where it will route and where it will NAT in the scheme of things:
Internal LAN > Netscreen Internal IF > (NAT?) Netscreen DMZ IF >(Route?)> ISA DMZ IF(?)>ISA External IF > (?)> internet.

Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (19.Jan.2006 7:13:16 AM)

Hi Ken,

1) One thing to note is that ALL traffic from all the remote sites currently travels over the VPN and uses our HQ as the gateway to and from the internet. The goal is to have all internet bound traffic (with the exception of the VPN traffic itself) travel through the ISA server (even from the remote offices). You had mentioned this scenario as a possibility (in section 7-8 of the article) but I wanted to clear that up and let you know that's how it actually is here currently. I am not certain about using web proxy or firewall clients. I don't think that this will be an issue since my gateway on the Netscreen will change to use the ISA server.
TOM: The only way you can route the remote network clients through the ISA firewall is to make them Web proxy and/or Firewall clients. I can't think of any other way to do it, since the remote VPN gateway is just a VPN router. If you know of a way to configure the remote gateway to use the ISA firewall as its own default gateway, that would work. If you do get this to work, let me know, as that would be an interesting addition to the article, or the subject of a whole new article based on your design.


2) What 'Network Template' would you suggest starting out with for ISA. I was thinking of using the Front Firewall template but I was not certain that was the best choice. I guess I will have a perimeter network and a trusted network but I only have two interfaces so I was confused on this point.
TOM: Bag the Network Templates. They're more trouble than they are worth. By default, when you install the ISA firewall on a multihomed device, you will have a configuration similar to the Edge Template. The default configuration is fine for your baseline. This sets up the correct routing relationships for you right out of the post-install box. :)  As I said in the article, the ISA firewall is entirely unaware of the DMZ network, and it only sees the corpnet as a remote network ID that is part of the ISA firewall's definition of the default Internal Network.

3) On a similar note, what networks should my ISA server have defined? Does the ISA server have to have the trusted network defined or will it be blind of the internal trusted network?
TOM: The ISA firewall never implicitly trusts any network. All networks are equally untrusted. What you should do is create the routing table entries on the ISA firewall describing all the routes on the corpnet. The gateway address is going to be the DMZ interface of the Netscreen for each of these routing table entries. After you've defined all the routing table entries on the ISA firewall, then install the ISA firewall software and use the internal interface NIC to define your default Internal Network. By doing it this way, it takes care of defining the addresses for the default Internal Network for you.

4) I am unclear on where it will route and where it will NAT in the scheme of things:
Internal LAN > Netscreen Internal IF > (NAT?) Netscreen DMZ IF >(Route?)> ISA DMZ IF(?)>ISA External IF > (?)> internet.
TOM: Check the diagrams again. And then tell me what they say. [:D]
 
HTH,
Tom




kenisswell -> RE: Where to put my ISA with Netscreen??? (19.Jan.2006 8:47:35 AM)

Ken: 1) One thing to note is that ALL traffic from all the remote sites currently travels over the VPN and uses our HQ as the gateway to and from the internet. The goal is to have all internet bound traffic (with the exception of the VPN traffic itself) travel through the ISA server (even from the remote offices). You had mentioned this scenario as a possibility (in section 7-8 of the article) but I wanted to clear that up and let you know that's how it actually is here currently. I am not certain about using web proxy or firewall clients. I don't think that this will be an issue since my gateway on the Netscreen will change to use the ISA server.
TOM: The only way you can route the remote network clients through the ISA firewall is to make them Web proxy and/or Firewall clients. I can't think of any other way to do it, since the remote VPN gateway is just a VPN router. If you know of a way to configure the remote gateway to use the ISA firewall as its own default gateway, that would work. If you do get this to work, let me know, as that would be an interesting addition to the article, or the subject of a whole new article based on your design.

Ken: Here are my thoughts on this particular topic.
I used to have my VPN network set up in the typical hub and spoke fashion where my main office was the hub and all remote offices were the spokes. Each office would route internal bound traffic via the VPN but route all the other internet bound traffic through their own gateway (firewall) to their own ISP.
 
But I changed all that to cooperate with my security requirements. Now all the internet bound traffic, in fact ALL routed traffic (from my remote offices) comes across the VPN to our network (main office) then travels out to the internet using my (main office's) gateway. This way I eliminate all those internet facing points of entry for all traffic. *In actuality each remote office does utilize their own gateway but only for the VPN traffic itself. But of course that traffic is already encapsulated and encrypted then decrypted and de-encapsulated on my end.
 
So I already get all the remote office traffic routed through my Netscreen's DG. I figured that since I am changing the DG of my Netscreen to point to the ISA server, all internet bound traffic, regardless of whether it is my local LAN traffic or traffic from my remote offices, will get routed to my ISA server.
 
I didn't plan on needing to figure out a way to "configure the remote gateway to use the ISA firewall as its own default gateway". Although you're right, that would be an interesting solution. I wonder...
 
My main concern is that once I change the DG of my Netscreen my VPNs will all continue to work. Worst case scenario is that I have to set up a static route for each of my VPNs, so it will use the external interface of the Netscreen (not ISA).
 
Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (20.Jan.2006 4:14:34 PM)

Hi Ken,

Let me know how it works for you. But remember that the Web proxy and Firewall client solutions are the most secure, as you can require authentication for all outbound communications from all branches. Its a very strong solution and the reporting will blow your socks off!

Thanks!
Tom




kenisswell -> RE: Where to put my ISA with Netscreen??? (18.Feb.2006 12:23:04 AM)

I have run into some snags and have some design questions. Currently I have the Netscreen and ISA server set up in the DMZ design as you (Tom) laid out.

Issue 1) When I change my default gateway on my Netscreen to use the ISA server as the default gateway, then the Netscreen tries to route all of the Netscreen (site to site) VPN traffic through the ISA server. This was partially expected but is undesired. I would like the VPN traffic from the Netscreen to travel direct to the ISP router.
As a resolution, I think I could set up a static route for each one of my VPNs but this further complicates things and I'd rather not have to use so many static routes if I can avoid it.


Issue 2) I currently have the Netscreen ROUTING traffic (from my internal network to the DMZ facing interface of the ISA server). While your design indicated using NAT between the "trusted" network and the "DMZ", I ran into the issue where the ISA server was not able to initiate communication with the internal DC (or any host) that was behind NAT. I am not sure how one gets around this issue in general since NAT basically "blinds" the ISA server to what is behind it. Traffic did flow from the "trusted" side to the "DMZ" ok, but not the other way around. Don't I need the ISA server to be able to initiate traffic to the DC, Mail servers etc? If so, how would I use NAT? Looking back I guess I have to MAP IPs from the "DMZ" to the "Trusted" network (just like I do for traffic from the untrusted public IPs to my trusted internal NAT IPs.)

Also, if I use NAT, the ISA server sees all traffic from the trusted network as the same single IP address (the IP of the Netscreen's DMZ interface). This made it very difficult to track what was going on from the ISA logs.

So as a solution, I now route my trusted IP space from my trusted network to my DMZ instead of using NAT. This may be flawed thinking and a poor solution but I am not sure.

Issue 3) One global design change would be to change my overall configuration to that of a parallel firewall configuration. This way I do not have to worry about so many routing and natting issues from my netscreen to my ISA. The major issue which could be difficult is how to handle the default route for everyone. The DG would need to be changed to use the ISA server. In that case, I would have to route traffic -FROM (or -BOUND FOR) my other sites to the Netscreen (acting as a VPN concentrator). I don't know if the ISA server can do that?

Ken




tshinder -> RE: Where to put my ISA with Netscreen??? (18.Feb.2006 6:29:56 PM)

Hi Ken,

Inline...

I have run into some snags and have some design questions. Currently I have the Netscreen and ISA server set up in the DMZ design as you (Tom) laid out.

Issue 1) When I change my default gateway on my Netscreen to use the ISA server as the default gateway, then the Netscreen tries to route all of the Netscreen (site to site) VPN traffic through the ISA server. This was partially expected but is undesired. I would like the VPN traffic from the Netscreen to travel direct to the ISP router.
As a resolution, I think I could set up a static route for each one of my VPNs but this further complicates things and I'd rather not have to use so many static routes if I can avoid it.
TOM: Yes, that was an issue we discussed. You can get around this by deploying the Web proxy and Firewall clients, since they don't depend on default gateway configurations. They just need to reach the internal interface of the ISA firewall.


Issue 2) I currently have the Netscreen ROUTING traffic (from my internal network to the DMZ facing interface of the ISA server). While your design indicated using NAT between the "trusted" network and the "DMZ", I ran into the issue where the ISA server was not able to initiate communication with the internal DC (or any host) that was behind NAT. I am not sure how one gets around this issue in general since NAT basically "blinds" the ISA server to what is behind it. Traffic did flow from the "trusted" side to the "DMZ" ok, but not the other way around. Don't I need the ISA server to be able to initiate traffic to the DC, Mail servers etc? If so, how would I use NAT? Looking back I guess I have to MAP IPs from the "DMZ" to the "Trusted" network (just like I do for traffic from the untrusted public IPs to my trusted internal NAT IPs.)
TOM: Check figure 3. You'll see that there is a ROUTE relationship between the DMZ and the internal network, so the netscreen should be configured to route those connections to the ISA firewall's internal interface. The DMZ and the corpnet are both part of the ISA firewall's default Internal Network in this scenario.

Also, if I use NAT, the ISA server sees all traffic from the trusted network as the same single IP address (the IP of the Netscreen's DMZ interface). This made it very difficult to track what was going on from the ISA logs.

So as a solution, I now route my trusted IP space from my trusted network to my DMZ instead of using NAT. This may be flawed thinking and a poor solution but I am not sure.

Issue 3) One global design change would be to change my overall configuration to that of a parallel firewall configuration. This way I do not have to worry about so many routing and natting issues from my netscreen to my ISA. The major issue which could be difficult is how to handle the default route for everyone. The DG would need to be changed to use the ISA server. In that case, I would have to route traffic -FROM (or -BOUND FOR) my other sites to the Netscreen (acting as a VPN concentrator). I don't know if the ISA server can do that?
TOM: You can use a third interface on the ISA firewall and create routing table entries so that it uses the netscreen's DMZ interface as the gateway to the remote networks.
HTH,
Tom
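The routing behaviour argued over in this thread (the Netscreen's default route moving to the ISA firewall and dragging the site-to-site IPsec traffic with it in Issue 1, the per-peer static routes Ken proposes as a workaround, and the static routes on the ISA firewall toward the Netscreen's DMZ interface that Tom describes) can be checked with a longest-prefix-match simulation. The following Python is an added example, not code from the thread or from the article; all addresses, prefixes and interface names are constructed sample values, not Ken's real ones.

```python
"""Longest-prefix-match simulation of the ISA / Netscreen private-DMZ design.
All addresses and interface names are constructed sample values (RFC 1918 / RFC 5737)."""
from ipaddress import ip_address, ip_network

CORPNET = "10.1.0.0/16"          # trusted LAN on the Netscreen's internal interface
REMOTE_SITE = "10.2.0.0/16"      # one branch LAN, reached through the site-to-site VPN
DMZ = "192.168.100.0/24"         # private DMZ shared by the Netscreen and the ISA firewall
NETSCREEN_DMZ_IF = "192.168.100.1"
ISA_INTERNAL_IF = "192.168.100.2"
NETSCREEN_ISP_ROUTER = "198.51.100.1"   # next hop on the Netscreen's own external link
ISA_ISP_ROUTER = "203.0.113.1"          # next hop on the ISA firewall's external link
REMOTE_VPN_PEER = "192.0.2.50"          # public address of the branch Netscreen (tunnel endpoint)
INTERNET_HOST = "192.0.2.99"            # an ordinary web server somewhere on the Internet


class RoutingTable:
    """Tiny routing table: the longest matching prefix wins; a hop is a gateway IP or a local interface."""

    def __init__(self, routes):
        self.routes = [(ip_network(prefix), hop) for prefix, hop in routes]

    def lookup(self, dst):
        dst = ip_address(dst)
        matches = [(net, hop) for net, hop in self.routes if dst in net]
        if not matches:
            return None
        net, hop = max(matches, key=lambda m: m[0].prefixlen)
        return str(net), hop


def netscreen_table(vpn_peer_routes=False):
    routes = [
        (CORPNET, "ethernet1"),               # directly connected: trust zone
        (DMZ, "ethernet2"),                   # directly connected: DMZ zone
        ("198.51.100.0/24", "ethernet3"),     # directly connected: untrust zone
        (REMOTE_SITE, "tunnel.1"),            # branch LAN behind the IPsec tunnel
        ("0.0.0.0/0", ISA_INTERNAL_IF),       # default gateway moved to the ISA firewall (Ken's change)
    ]
    if vpn_peer_routes:
        # Ken's workaround for Issue 1: one host route per VPN peer toward the Netscreen's ISP router
        routes.append((REMOTE_VPN_PEER + "/32", NETSCREEN_ISP_ROUTER))
    return RoutingTable(routes)


def isa_table(corpnet_routes=True):
    routes = [
        (DMZ, "internal-nic"),
        ("203.0.113.0/24", "external-nic"),
        ("0.0.0.0/0", ISA_ISP_ROUTER),
    ]
    if corpnet_routes:
        # Tom's instruction: every corpnet and branch prefix gets a static route on the ISA
        # firewall whose gateway is the Netscreen's DMZ interface.
        routes += [(CORPNET, NETSCREEN_DMZ_IF), (REMOTE_SITE, NETSCREEN_DMZ_IF)]
    return RoutingTable(routes)


# Which modelled device owns which gateway address, so a trace can hop from one table to the next.
DEVICE_BY_ADDRESS = {ISA_INTERNAL_IF: "isa", NETSCREEN_DMZ_IF: "netscreen"}


def trace(dst, start, tables, max_hops=4):
    """Follow next hops from `start` until the packet leaves on an interface or reaches a router
    we do not model (an ISP router). Returns [(device, matched_prefix, next_hop), ...]."""
    path, device = [], start
    for _ in range(max_hops):
        hit = tables[device].lookup(dst)
        if hit is None:
            path.append((device, None, "no route"))
            break
        prefix, hop = hit
        path.append((device, prefix, hop))
        next_device = DEVICE_BY_ADDRESS.get(hop)
        if next_device is None or next_device == device:
            break
        device = next_device
    return path


def exits_via(path):
    """The final next hop on a path: where the packet leaves the two firewalls."""
    return path[-1][2]


if __name__ == "__main__":
    tables = {"netscreen": netscreen_table(), "isa": isa_table()}
    for dst in (INTERNET_HOST, REMOTE_VPN_PEER):
        print(dst, "from Netscreen:", trace(dst, "netscreen", tables))
    tables["netscreen"] = netscreen_table(vpn_peer_routes=True)
    print(REMOTE_VPN_PEER, "with host route:", trace(REMOTE_VPN_PEER, "netscreen", tables))
    print("10.1.0.10 from ISA:", trace("10.1.0.10", "isa", tables))
```

Running it shows the IPsec packets to the branch peer following the default route into the ISA firewall until the per-peer host route is added, and the ISA firewall's packets for a corpnet host falling through to its Internet default route when the static routes via the Netscreen DMZ interface are missing.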



