
Discussion about article on configuring ISA firewall in Netscreen DMZ

All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Discussion about article on configuring ISA firewall in Netscreen DMZ Page: [1]
Discussion about article on configuring ISA firewall in... - 17.Jan.2006 3:22:07 PM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
This thread is for discussing the article on how to configure the ISA firewall in a Netscreen device's DMZ at http://www.isaserver.org/tutorials/Creating-Parallel-ISA-Firewall-Configuration-Netscreen-DMZ.html

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.
Post #: 1
RE: Discussion about article on configuring ISA firewal... - 17.Jan.2006 8:04:28 PM
jrice

Posts: 13
Joined: 17.Jan.2006
Tom

Great article!  I have been planning to do something very similar myself.

I just have one question.  You made these comments:
"There is an important configuration setting that we must enforce on all of our Web and Server Publishing Rules. For each publishing rule, you need to make sure the ISA firewall replaces the source IP address of the external client with its own address.
The reason for this is that the ISA firewall is not the default gateway for the corporate network servers. If we allowed the original external client IP address to remain as it is, the responses from the published servers would be sent to the internal interface of the Netscreen device, and then forwarded from the Netscreen’s external interface IP address to the external client. Since the external client made the request to the external IP address of the ISA firewall, and not the external IP address of the Netscreen firewall, the response will be dropped by the external client as an unsolicited inbound connection."

Is this really necessary?  I know the servers and all the workstations on the internal network need to have the netscreen device as the default gateway, but the netscreen can have a default gateway as well.  Can you make the ISA server the default gateway of the netscreen box?  You can have static routes for the remote branches but have everything else go through the ISA server.  The requirements would imply that only the vpn traffic to the remote sites goes through the external interface of the netscreen box.  Is that a correct assumption?

Thanks.

_____________________________

Rice

(in reply to tshinder)
Post #: 2
RE: Discussion about article on configuring ISA firewal... - 17.Jan.2006 10:56:15 PM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Rice,

You bet! In fact, I thought I would mention that option in the article, but then thought that might confuse things for some people. But you're absolutely right, if you configure a static route to the remote VPN gateway on the Netscreen device, and make the ISA firewall's internal interface the default gateway of the Netscreen, then everything outbound except for that to the remote site network will go through the ISA firewall.

thanks!
Tom



_____________________________

Thomas W Shinder, M.D.

(in reply to jrice)
Post #: 3
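The two remedies the exchange above arrives at, replacing the client's source address in the publishing rule or making the ISA firewall the Netscreen's default gateway, modelled as an added example (not code from the article or the thread); the addresses and the simplified connection-table behaviour of the client are constructed assumptions.

```python
"""Constructed model of the return-path problem: does the external client accept
the reply from a server published through an ISA firewall in a Netscreen DMZ?"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addresses (RFC 5737 / RFC 1918 ranges), not taken from the article.
CLIENT = "203.0.113.10"   # external client on the Internet
ISA_EXT = "198.51.100.5"  # ISA firewall external interface
ISA_INT = "10.0.1.1"      # ISA internal interface, in the Netscreen DMZ
NS_EXT = "198.51.100.1"   # Netscreen external interface
SERVER = "10.0.2.20"      # published server on the corporate network
DMZ, LAN = ip_network("10.0.1.0/24"), ip_network("10.0.2.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def deliver(replace_source: bool, netscreen_gw_is_isa: bool) -> bool:
    """Return True if the client accepts the published server's reply."""
    # 1. Client connects to the ISA external IP; its connection table expects the
    #    reply to come back from that same peer.
    request = Packet(CLIENT, ISA_EXT)
    expected_peer = request.dst

    # 2. Publishing rule forwards to the server, keeping the client's source
    #    address or replacing it with the ISA firewall's own address.
    to_server = Packet(ISA_INT if replace_source else CLIENT, SERVER)
    isa_flows = {(to_server.src, to_server.dst): request}  # ISA tracks the flow

    # 3. Server answers whatever source it saw, via its default gateway (Netscreen).
    reply = Packet(SERVER, to_server.src)

    # 4. Netscreen delivers locally to DMZ/LAN; anything else goes to its default
    #    gateway, which is either the ISA firewall or the Internet.
    if ip_address(reply.dst) in DMZ or ip_address(reply.dst) in LAN:
        at_isa = reply             # DMZ is directly attached: lands on ISA
    elif netscreen_gw_is_isa:
        at_isa = reply             # forwarded to ISA as the default gateway
    else:
        # Out the Netscreen's own external interface, NATed to NS_EXT. The client
        # never talked to NS_EXT, so it drops this as unsolicited.
        return NS_EXT == expected_peer

    # 5. ISA matches the reply to its flow table and answers from its external IP.
    if (at_isa.dst, at_isa.src) not in isa_flows:
        return False
    return ISA_EXT == expected_peer
```

Only the combination of keeping the client source and pointing the Netscreen's default route at the Internet fails; either remedy alone restores a symmetric path.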
RE: Discussion about article on configuring ISA firewal... - 18.Jan.2006 1:48:23 PM
jrice

Posts: 13
Joined: 17.Jan.2006
Thanks Tom

Just to be clear.  This would resolve the issue of the external IP address, wouldn't it?

Thanks again

_____________________________

Rice

(in reply to tshinder)
Post #: 4
RE: Discussion about article on configuring ISA firewal... - 18.Jan.2006 3:35:02 PM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Rice,

That's correct. If you configure the Netscreen to use the ISA firewall as its default gateway, you won't need to replace the external client IP address with the IP address of the ISA firewall.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jrice)
Post #: 5
RE: Discussion about article on configuring ISA firewal... - 18.Jan.2006 4:58:03 PM
jrice

Posts: 13
Joined: 17.Jan.2006
Tom

Thanks for the follow up.

I do have another question. The design I put together was very similar (I had a generic firewall instead of Netscreen).  The one difference was that I had the external NIC of the ISA server connected back into the hardware firewall.  Therefore the hardware firewall would have 4 interfaces: 1 external interface connecting to the Internet, 1 interface connecting to perimeter 1 (external interface of ISA), 1 interface connecting to perimeter 2 (internal interface of ISA) and 1 interface connecting to the internal network.  I guess in the end, I'm not sure exactly why I did that.  I guess I was thinking having only one path to the Internet was a best practice.  I also thought I would have more control over the traffic as well, since I could control the routing among all the interfaces better.  Is this design overly cumbersome or does it have some merit?

Thanks for the input.

_____________________________

Rice

(in reply to tshinder)
Post #: 6
RE: Discussion about article on configuring ISA firewal... - 19.Jan.2006 4:32:53 PM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Rice,

In the scenario discussed in the article, there is really only one path to the Internet, since the Netscreen is only allowing connections to the remote site network, and forwards Internet bound connections to the ISA firewall.

I think your design might be a little more complex than required.

Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jrice)
Post #: 7
RE: Discussion about article on configuring ISA firewal... - 21.Dec.2006 8:47:06 AM
Arcesilaus

Posts: 19
Joined: 21.Dec.2006
Hi!

Thank you very much for your article!
Following Rice's questions, I am considering a setup where it might make sense.

I have a NetScreen 5GT Extended with two DMZ ports, besides the two Trust and one Untrust.

Unfortunately, for now, I have only one public IP available. In that case, I will need the NetScreen's Untrust interface for all outbound traffic to keep the current VPN setup.
In order to avoid the Unihomed 'Hork Mode' I would like to deploy ISA with two cards and benefit from the advanced security features.
The NetScreen supports Dual DMZ, so it must be possible to attach the ISA's internal NIC to DMZ1 and the external to DMZ2. This will allow me to route any outbound traffic as Rice suggested.

It seems to me that by doing so, I create some sort of perimeter network using the two DMZ zones on the Netscreen and thus avoid the need for a direct connection to the Internet for the ISA server.

Am I missing something? Or rather, do you think it will work using only 1 public IP and the Dual DMZ on the Netscreen?

Thank you very much for your support.


_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 8
RE: Discussion about article on configuring ISA firewal... - 26.Dec.2006 1:56:58 PM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Arcesilaus,
 
You could do that. The external interface can be connected to one DMZ and the Internal interface can be connected to the other DMZ. Just make sure the definition of the default Internal Network on the ISA Firewall includes the internal DMZ and all internal addresses behind the Netscreen.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 9
RE: Discussion about article on configuring ISA firewal... - 31.Jul.2008 9:15:48 AM
Arcesilaus

Posts: 19
Joined: 21.Dec.2006
Hi Tom!

Thanks to your encouraging answer, I've worked recently on testing ISA in the DMZ as suggested.
My network layout is displayed in the picture:


I've succeeded in setting up the ISA server as an edge firewall and included the DMZ 2 subnet in the 'Internal network'.
Since NAT is applied on the Netscreen firewall, all network rules on the ISA server are in Route mode.
Web proxying and publishing websites are working without problems.

Now here's my problem: Incoming e-mail is denied by the Enterprise default rule, since it does not match my publishing rule (the published server is my SMTP relay with IP 192.168.200.11, that resides in the DMZ 2).

The logs show that the ISA server sees incoming SMTP traffic as sent to its own external IP (192.168.100.11 in the DMZ 1). Applying NAT to the network rule from the external to the internal network solves the issue, but causes problems with the published websites.
In order to keep it "simple", I would prefer to leave the networking rules on Route for all networks. 

My question therefore is: Is there a way to have the ISA server accept incoming SMTP traffic at its own external IP (192.168.100.11) and direct it to the published e-mail server (192.168.200.11) without applying NAT?

Thank you very much in advance for your help!

_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 10
RE: Discussion about article on configuring ISA firewal... - 5.Aug.2008 10:17:56 AM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Arc,

Is the mail server configured to use the ISA firewall as its default gateway? I think that might solve the problem. I don't see how NAT across the firewall would cause a problem.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 11
RE: Discussion about article on configuring ISA firewal... - 8.Aug.2008 6:26:43 PM
Arcesilaus

Posts: 19
Joined: 21.Dec.2006
Hi Tom!

Incredible how quickly you respond, even to such an old thread!

Well, the e-mail server is not yet configured with the ISA server as its default gateway, since I haven't placed it in production yet.

Would that really solve the issue for incoming traffic? It sounds a bit odd to me, if I am honest. Does it have anything to do with being configured as a SecureNAT client?
If so, I might have to dig into that a bit deeper...

Is there a way to test it before reconfiguring the e-mail server?

(edit: typo - Since I am currently in Nice only speaking French, my English has not really improved )


_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 12
RE: Discussion about article on configuring ISA firewal... - 10.Aug.2008 10:08:34 AM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
That's correct. If the mail server is a SecureNAT client, then it has to have the default gateway be the ISA firewall, or a router that routes the outbound connections to and from the mail server through the ISA firewall.

However, you can change this by configuring the SMTP server publishing rule to change the source IP address to the IP address of the ISA firewall.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 13
RE: Discussion about article on configuring ISA firewal... - 10.Aug.2008 10:51:42 AM
Arcesilaus

Posts: 19
Joined: 21.Dec.2006
Hi

It seems to me I've missed the point: I've changed the publishing rule by making the incoming packets look as if they were originated by the ISA server.

However, I still see the incoming traffic is blocked:
  • the client IP is still the external host (routed to the ISA external port by the Netscreen firewall, leaving the source IP intact)
  • the destination IP is still the external (though not public) IP of the ISA server, and thus the rule is not triggered.

Setting the ISA server's internal NIC as the e-mail server's gateway does not solve the issue.

Probably I am still misunderstanding the implications of using a Route networking rule when publishing a non-web server?


_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 14
RE: Discussion about article on configuring ISA firewal... - 11.Aug.2008 9:15:07 AM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
When using Route, you should target the packet for the actual IP address of the destination. However, the "port stealing" feature of ISA should allow you to use the external address of the ISA firewall -- it's just that you shouldn't need to depend on port stealing and that you should use the actual IP address of the destination server.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 15
RE: Discussion about article on configuring ISA firewal... - 11.Aug.2008 2:33:34 PM
Arcesilaus

Posts: 19
Joined: 21.Dec.2006
Hi Tom

Thanks for the info! I've been thinking it over: a 'simple' Route relationship won't work, since the Netscreen firewall also has access to the DMZ 2, with subnet 192.168.200.0.
A MIP or VIP towards the actual IP of the mail server thus would not be sent to the ISA in DMZ 1, but directly to the mail server in DMZ 2.

That leaves me with three options:

It seemed to me that a Route relationship was preferred since the reverse proxy would take care of the problem for web publishing rules, but that indeed won't work for non-web servers.
Is any of the three solutions above preferred over the others?

For now, I will first have to configure the ISA server a bit further so I can set the mail server as a SecureNAT client while keeping the existing setup working (I've been bypassing the ISA server so far for incoming e-mail) and keep the ability to manage it over RDP.
It will probably have to wait for a while (priorities are set by others), but I'll keep this thread posted!

_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 16
RE: Discussion about article on configuring ISA firewal... - 12.Aug.2008 9:14:45 AM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
I prefer to change the entire relationship to NAT, as it makes it a more simple configuration and perhaps a bit more secure.

You're right that this is not an issue in either case with Web Publishing, since the Web Proxy listener will always intercept the request and you should configure DNS to be the address on the external interface (or the public address on an upstream device that forwards to the external interface).

Let us know how it works out for you!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 17
RE: Discussion about article on configuring ISA firewal... - 14.Aug.2008 8:23:39 AM
Arcesilaus

Posts: 19
Joined: 21.Dec.2006
Hi Tom

Here's the update that you definitely deserve:

I've changed all non-localhost network rules to NAT and re-created the firewall policies.
I've been able to publish Exchange, multiple websites and, finally, the e-mail server.

The e-mail server is still not a SecureNAT client (gateway is still the Netscreen), but by changing the 'to' option on the ISA server to 'appears to come from the ISA server' and adding the ISA server to the DMZ server list of my antispam application, everything works just fine!

It has thus been proved that with a dual DMZ setup of the Netscreen it is possible to implement an ISA 2006 in Edge Mode without having to break the existing IPSEC VPN infrastructure.

Thank you very, very much for your help. I've definitely learnt a lot by trial and error and I am starting to feel comfortable with maintaining the ISA server.

Warm regards,

Arcesilaus

P.s. For playing around with custom HTML forms and publishing Citrix Secure Gateway without breaking the SSL connection, I might need a second public IP after all 

_____________________________

Homo sum: humani nil a me alienum puto (Terence)

(in reply to tshinder)
Post #: 18
RE: Discussion about article on configuring ISA firewal... - 15.Aug.2008 9:00:41 AM
tshinder

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Hi Arcesilaus,

Great! Good to hear you got it working and thanks for the follow up!

I think you're right about using the second IP address for Citrix :)

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Arcesilaus)
Post #: 19
RE: Discussion about article on configuring ISA firewal... - 21.May2013 4:00:53 PM
dglasgow

Posts: 21
Joined: 9.Jun.2003
Tom or Deb, I am struggling with a config very similar to the one laid out in this older article, specifically the diagram 7 proposed.



We have acquired a small firm with 2 branch offices that I need to integrate with our existing Corporate domain. This is a temporary configuration as I migrate the netscreen out of the picture. I want to join all of the client machines from domain 1 to domain 2, and then temporarily share the file server and printer resources from domain 1 to those domain 2 clients while I work on migrating the users/machines at the other branch site the same way. I have the TMG site-to-site working well, but every time I try to connect the TMG to the existing domain 1, it breaks the link to the Internet and thus the site-to-site.

I have three NICs in the TMG server and I have tried it as a DMZ and internal network, but it still breaks the connection. Can you point me to a potential resource or suggest a place to look for help? Thanks DG


(in reply to tshinder)
Post #: 20
