Welcome to ISAserver.org
RE: Discussion about article on making the ISA firewall a domain member
RE: Discussion about article on making the ISA firewall... - 25.Jun.2006 6:16:24 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

You bet!
Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ChrisP)
Post #: 21
RE: Discussion about article on making the ISA firewall... - 27.Jun.2006 7:09:02 PM   
th.maier

 

Posts: 8
Joined: 22.Jul.2005
From: Germany
Status: offline
Thanks for the great article.
It actually dispelled my last doubts about the matter.

Is there anything I have to consider when joining an active server?
My understanding is that, besides adding some new admins, there is nothing to edit within the firewall configuration.

Update:
From what I've learned, the only thing I should take care of is properly defined DNS settings.
I guess I'll give it a try tomorrow.

< Message edited by th.maier -- 28.Jun.2006 9:42:27 PM >

(in reply to tshinder)
Post #: 22
RE: Discussion about article on making the ISA firewall... - 29.Jun.2006 7:03:34 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

You bet!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ChrisP)
Post #: 23
RE: Discussion about article on making the ISA firewall... - 28.Jul.2006 4:28:52 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Chris,

You bet!

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to ChrisP)
Post #: 24
RE: Discussion about article on making the ISA firewall... - 4.Oct.2006 4:25:00 PM   
mamo

 

Posts: 23
Joined: 22.Sep.2006
Status: offline
Hi Tom,

In your book on page 775 about RADIUS you write "We prefer not to join the front-end firewall to the user domain".
Is this "old school", or do your arguments in this article distinguish between front-end and back-end ISA servers?

Thanks for a good site!!!

/Marten


(in reply to tshinder)
Post #: 25
RE: Discussion about article on making the ISA firewall... - 5.Oct.2006 6:37:42 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Marten,

No, I still don't see any reason to join the front-end ISA Firewall to the domain, since I'm using it for mostly stateful packet inspection and some app layer inspection, but not using it for pre-authentication.

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to mamo)
Post #: 26
RE: Discussion about article on making the ISA firewall... - 19.Dec.2006 10:55:21 PM   
Nexus6

 

Posts: 4
Joined: 14.Dec.2001
Status: offline
Hi, I just read the article. I have ISA running as a workgroup member (in my domain). Are there any issues I have to consider before I add the ISA server to the domain? ISA is very basically configured (HTTP out, SMTP in/out for Exchange). Thanks Thomas

(in reply to tshinder)
Post #: 27
RE: Discussion about article on making the ISA firewall... - 20.Dec.2006 10:24:09 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Nexus,

Not sure what you mean by saying your ISA firewalls are workgroup members in your domain. Are they domain members or in a workgroup?

Thanks!
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Nexus6)
Post #: 28
RE: Discussion about article on making the ISA firewall... - 20.Dec.2006 11:11:35 PM   
Nexus6

 

Posts: 4
Joined: 14.Dec.2001
Status: offline
Sorry, I see, it was not very clear: ISA is in WORKGROUP. 3 Computers in Domain A, 1 Server in Domain A. Internet traffic: Workstation / Server (in Domain A) to ISA Firewall (in WORKGROUP) to ADSL Modem/Firewall. Thanks and sorry again...

(in reply to tshinder)
Post #: 29
RE: Discussion about article on making the ISA firewall... - 26.Dec.2006 2:00:40 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Nexus,

The only thing to watch out for is the possible effects of domain Group Policy. You might want to create your own OU for the ISA Firewall and prevent the default domain GPO and any other GPOs from being applied to the ISA Firewall's OU, then create a custom GPO for the ISA Firewall's OU.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to Nexus6)
Post #: 30
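Tom's advice above (a dedicated OU, inheritance blocked, a custom GPO) as an added PowerShell example; this is not code from the thread or from ISA Server itself. It assumes the RSAT ActiveDirectory and GroupPolicy modules and an account permitted to create OUs and GPOs; the OU, GPO and computer names are placeholders.

```powershell
# Added example: isolate a domain-joined ISA/TMG firewall in its own OU so that
# no workstation/server GPO reaches it, then link one firewall-specific GPO.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$DomainDN   = (Get-ADDomain).DistinguishedName
$OuName     = 'Edge Firewalls'            # placeholder OU name
$OuDN       = "OU=$OuName,$DomainDN"
$FirewallCn = 'ISA01'                     # placeholder computer account name
$GpoName    = 'Edge Firewall Baseline'    # placeholder GPO name

# 1. Dedicated OU (create only if it does not exist yet).
$existing = Get-ADOrganizationalUnit -Filter "Name -eq '$OuName'" `
               -SearchBase $DomainDN -SearchScope OneLevel
if (-not $existing) {
    New-ADOrganizationalUnit -Name $OuName -Path $DomainDN -ProtectedFromAccidentalDeletion $true
}

# 2. Block inheritance: Default Domain Policy and anything linked above the OU
#    stops applying here. Caveat: links marked Enforced still win over blocking.
Set-GPInheritance -Target $OuDN -IsBlocked Yes | Out-Null

# 3. One GPO that carries only the firewall's own settings, linked to this OU.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Settings for domain-joined ISA/TMG firewalls only'
}
$linked = (Get-GPInheritance -Target $OuDN).GpoLinks |
          Where-Object { $_.DisplayName -eq $GpoName }
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $OuDN -LinkEnabled Yes -Enforced No | Out-Null
}

# 4. Move the firewall's computer object into the OU.
$computer = Get-ADComputer -Identity $FirewallCn
Move-ADObject -Identity $computer.DistinguishedName -TargetPath $OuDN

# 5. Verify: the effective link list should contain only our GPO (plus any
#    Enforced GPOs from above, which is exactly what you want to review).
$inh = Get-GPInheritance -Target $OuDN
"Inheritance blocked: $($inh.GpoInheritanceBlocked)"
$inh.InheritedGpoLinks | ForEach-Object {
    "Applies: $($_.DisplayName) (enforced=$($_.Enforced), enabled=$($_.Enabled))"
}
```

After the move, run gpupdate /force on the firewall and compare the result of gpresult /r against the list printed in step 5.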
RE: Discussion about article on making the ISA firewall... - 27.Jan.2007 10:17:56 AM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Hi Tom,
    In my network I have only one firewall (ISA). I don't have front-end and back-end firewalls. The only firewall I have is a domain member.

Is it secure the way it's configured?
or
Should I make my ISA a workgroup member?

Do I have to change anything on my ISA Firewall rules etc. if I bring my ISA into a workgroup?

What are your suggestions?

My network:

ISA (domain member)--------

DMZ-----------
Web Server (not a domain member)

Internal Network:
Exchange
SQL
File Server
Workstation

(in reply to tshinder)
Post #: 31
RE: Discussion about article on making the ISA firewall... - 27.Jan.2007 11:54:06 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
In a single ISA Firewall environment, ALWAYS make the ISA Firewall a domain member. This is the most secure configuration.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)
Post #: 32
RE: Discussion about article on making the ISA firewall... - 27.Jan.2007 8:51:00 PM   
bhavin78

 

Posts: 433
Joined: 18.Jul.2005
From: USA
Status: offline
Thanks for the quick reply Tom. I need to work on this server tomorrow, so please help clear up the questions below.

As of right now my ISA is a domain member (ISA 2004 EE). I want to make it ISA 2004 SE or ISA 2006 SE.

1) In a single ISA Firewall environment, ALWAYS make the ISA Firewall a domain member. This is the most secure configuration.
What's the article I need to follow to harden the ISA box?
I have already followed the instructions from your book which talk about TCP/IP properties. What else do I need to do?

2) Can I back up the configuration, uninstall ISA 2004 EE, then re-install ISA 2004 SE or 2006 SE and import the configuration?

(in reply to tshinder)
Post #: 33
RE: Discussion about article on making the ISA firewall... - 28.Jan.2007 11:52:15 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi B,

1) In a single ISA Firewall environment, ALWAYS make the ISA Firewall a domain member. This is the most secure configuration.
What's the article I need to follow to harden the ISA box?
I have already followed the instructions from your book which talk about TCP/IP properties. What else do I need to do?
TOM: There are really only two things required: first, run the Security Configuration Wizard on the ISA Firewall, and second, closely review the System Policy and lock it down based on your own network requirements.

2) Can I back up the configuration, uninstall ISA 2004 EE, then re-install ISA 2004 SE or 2006 SE and import the configuration?
TOM: No. There is no cross pollination between ISA SE and EE policies.
 
HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to bhavin78)
Post #: 34
RE: Discussion about article on making the ISA firewall... - 25.Jul.2007 11:29:09 AM   
aek033

 

Posts: 42
Joined: 19.Sep.2006
Status: offline
OK, I'm sold on putting the ISA server in the domain.  Now since it is a firewall, what ports will I need to open to allow connection to group policy, DC's and the global catalog?

(in reply to tshinder)
Post #: 35
RE: Discussion about article on making the ISA firewall... - 25.Jul.2007 11:45:47 AM   
elmajdal

 

Posts: 6022
Joined: 16.Sep.2004
From: Lebanese in Kuwait
Status: offline
They are enabled by default, check your system policy:

http://www.isaserver.org/tutorials/Editing-ISA-2004-system-policy-Part1.html

http://www.isaserver.org/tutorials/Editing-ISA-2004-system-policy-Part2.html

_____________________________

Tarek Majdalani

Windows Expert - IT Pro MVP
Facebook : https://www.facebook.com/ElMajdal.Net

(in reply to aek033)
Post #: 36
RE: Discussion about article on making the ISA firewall... - 6.Sep.2007 4:34:08 PM   
andresm53

 

Posts: 1
Joined: 6.Sep.2007
Status: offline
Tom, I am confused. I agree 100% about making ISA a member of a domain in a forward proxy scenario. But what about a reverse proxy (web publishing scenario)? According to this article: "Keeping your ISA Server computers in a workgroup configuration reduces the attack surface and simplifies the deployment of ISA Server".
Secure Application Publishing
http://www.microsoft.com/technet/isa/2006/secure_web_publishing.mspx
Should I have at least 2 ISA Servers? One as a forward proxy (domain member) and the other as a reverse proxy (workgroup, in a DMZ)? And maybe a third ISA as a firewall (edge)?
What do you think? Thanks.

(in reply to tshinder)
Post #: 37
RE: Discussion about article on making the ISA firewall... - 7.Sep.2007 9:41:21 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Andre,

I disagree wholeheartedly with that statement in the article you pointed out, and some of the most sophisticated ISA Firewall consultants and devs and security engineers at MS disagree with it too.

You lose out on many security features of the ISA Firewall when you don't make it a domain member, so I almost always join my ISA Firewalls to the domain, both for inbound and outbound access control.

The only time I don't make the ISA Firewall a domain member is in a back-to-back ISA Firewall config. In this scenario, the edge ISA Firewall is performing only stateful packet inspection, like a PIX or Check Point. No authentication is taking place, so domain membership isn't an issue. Then the back-end ISA Firewall is configured as a domain member, so that I can take full advantage of all the ISA Firewall's security features.

It is true that separating the outbound and inbound access control to different ISA firewalls is a best practice, but I always make them domain members whenever authentication is required (either for inbound or outbound access control).

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to andresm53)
Post #: 38
RE: Discussion about article on making the ISA firewall... - 23.Sep.2010 9:24:21 AM   
Data1701

 

Posts: 4
Joined: 23.Sep.2010
Status: offline
Hello,

Old thread, but the subject is still up to date..

Tom... I read your article; you wrote about knowing no "security hole" in inside DC communication..
But that is not the problem.

If I put TMG into the DMZ I need to open high ports for communication with the inside world; if that world is secured e.g. by an ASA, that is not real fun.

Those high ports are the reason for my headache, because the TMG will not trigger one specific DC in the inside world when it needs GPO updates or AD information at all; it will trigger all DCs, at least in the AD site the TMG is hosted in.

That means high ports from TMG to all inside DCs... ARGH. That mass of "connection possibilities" from DMZ to inside is THE problem for me.

A fine feature would be an AUTO VPN for TMG. TMG should use IPSec to tunnel all AD requests; then it would only be necessary to open "ONE" port for the TMG, and you can be sure I would be the first to implement it. If you build up IPSec manually in a large environment you go mad, or do you have a good ToDo?

Something like a TMG Authentication Gateway could handle that, too.

Ideas over ideas from me....

Regards Timo

_____________________________

90 % of all computer-related problems are sitting 60 cm in front of the screen.

(in reply to ChrisP)
Post #: 39
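The "high ports to every DC" problem Timo describes has a documented mitigation that the thread does not mention: pin the RPC endpoints a DC exposes to fixed ports, so the DMZ-to-inside rule can name those ports instead of the whole dynamic range. Added PowerShell example, not code from the thread or from TMG; it is run on each DC, the port numbers are placeholders, and the registry values are the documented NTDS "TCP/IP Port" and Netlogon "DCTcpipPort" settings.

```powershell
# Added example: fix the RPC ports used for AD replication/LSA (NTDS) and for the
# Netlogon secure channel on a domain controller, then print the resulting rule set
# a DMZ firewall such as TMG needs toward this DC. Requires a reboot to take effect.
$NtdsPort     = 49152   # placeholder: fixed port for NTDS RPC
$NetlogonPort = 49153   # placeholder: fixed port for Netlogon RPC

$ntdsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NTDS\Parameters'
$nlKey   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

# Write (or overwrite) the two DWORD values. -Force replaces an existing value.
New-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port' -PropertyType DWord -Value $NtdsPort -Force | Out-Null
New-ItemProperty -Path $nlKey   -Name 'DCTcpipPort' -PropertyType DWord -Value $NetlogonPort -Force | Out-Null

# Read back what is actually configured, so a typo does not go unnoticed.
$ntdsSet = (Get-ItemProperty -Path $ntdsKey -Name 'TCP/IP Port').'TCP/IP Port'
$nlSet   = (Get-ItemProperty -Path $nlKey   -Name 'DCTcpipPort').DCTcpipPort
"NTDS RPC port:     $ntdsSet"
"Netlogon RPC port: $nlSet"

# Ports a domain-joined firewall in the DMZ still needs toward this DC once the
# dynamic range is no longer required. 135 stays open: clients ask the endpoint
# mapper there and are then redirected to the two pinned ports.
$ruleSet = @(
    @{ Proto = 'TCP'    ; Port = 135      ; Use = 'RPC endpoint mapper' },
    @{ Proto = 'TCP'    ; Port = $ntdsSet ; Use = 'NTDS RPC (pinned)' },
    @{ Proto = 'TCP'    ; Port = $nlSet   ; Use = 'Netlogon RPC (pinned)' },
    @{ Proto = 'TCP/UDP'; Port = 88       ; Use = 'Kerberos' },
    @{ Proto = 'TCP/UDP'; Port = 389      ; Use = 'LDAP' },
    @{ Proto = 'TCP'    ; Port = 636      ; Use = 'LDAPS' },
    @{ Proto = 'TCP'    ; Port = 3268     ; Use = 'Global Catalog' },
    @{ Proto = 'TCP'    ; Port = 445      ; Use = 'SMB (SYSVOL, GPO download)' },
    @{ Proto = 'TCP/UDP'; Port = 53       ; Use = 'DNS' }
)
$ruleSet | ForEach-Object { '{0,-8} {1,-6} {2}' -f $_.Proto, $_.Port, $_.Use }
```

This narrows the port range, not the set of DCs: the firewall will still locate any DC in its AD site via DNS, so either apply the same pinned ports on every DC in that site or place the DMZ firewall in its own AD site whose site links point only at the DCs you intend to expose.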