Network reconfiguration ISA server 1 Nic -> 2 NICs

Users viewing this topic: none

Logged in as: Guest
  Printable Version
All Forums >> [ISA Server 2004 Firewall] >> Network Infrastructure >> Network reconfiguration ISA server 1 Nic -> 2 NICs Page: [1]
Login
Message << Older Topic   Newer Topic >>
Network reconfiguration ISA server 1 Nic -> 2 NICs - 13.Jul.2007 6:41:26 AM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
I'm currently in a situation where I look after a network that I'm quite unhappy with, so I'm looking to propose some changes to the infrastructure.

Our ISA server is a single-network-card machine doing proxy stuff only, and to put it frankly our internet performance is garbage and always has been: failed page loads and general misery. I'm almost certain that the problems are a mixture of bad rules and the layout.

What I want to do is start making better use of the ISA server, but I'm not sure that it is required. Here is a picture of our current situation:

http://img.photobucket.com/albums/v227/c@tfish/networkdilemma-1.jpg

Now my problem is, if I were to use the ISA server in a firewall situation, I'm not sure where exactly I would put it; the network is complicated (for me) slightly by the MPLS connection.

At the moment our hardware firewall is a tri-homed solution, so the DMZ is handled by it; I'm not sure there is a need for a back-end firewall as well.

However, our ISA is currently doing network access rules using the EXTERNAL network in the 'to' section of the firewall policy. While I understand this shouldn't be the case in a single-NIC config, I have tried changing it to Internal and all internet communication ceases to function. I wonder if this is because the 'internal' networks are specified by IP range? Should I remove these entries specifying our internal network (since everything is the internal network) or add an 'internal' entry for our externally provided upstream firewall?

We also have DNS issues, which I detailed in this thread:
http://forums.isaserver.org/External_DNS_name_resolution_concerns%25/m_2002047759/tm.htm
but I'm unsure what should be addressed first, or if they even relate to each other at all.

Oh, and tshinder, if you read this: the DNS situation I want to set up is similar to what you detail in your 4th DNS article.

Cheers
Post #: 1
RE: Network reconfiguration ISA server 1 Nic -> 2 NICs - 13.Jul.2007 9:20:13 AM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
Hi,

For starters, in this and your previous postings, you have raised administrative/managerial issues, i.e. what you desire versus what your boss wants. The 1st step to me is to understand your own idea and sell it as a comprehensive one, identifying any vulnerabilities that your config may bring (security is very relative in people's perception!).

Two, you need to approach the issues of ISA and Name Resolution separately, because they are fairly independent.

Once you understand what kind of security your company is looking for (through) your boss, then you should be able to give your boss a proposal that incorporates it but includes the configuration changes that you need.

With regard to DNS, I think you should have an Internal DNS service, but I am not sure (based on necessity, resource requirement & security concerns) that you need a public DNS. Your explanation of your current implementation isn't clear.

If you are agreeable, then that would allow you to set up an Internal DNS service with forwarders, whereby all traffic meant for the internet is forwarded to your ISP's DNS servers.

As far as ISA is concerned, I'd go for a dual-homed ISA (add 1 NIC, or even more). This would allow ISA to bring to bear its firewall capabilities.

By the way, you are talking about configuring access rules - ISA will not control access in this single-card mode, so note that the rules are not useful.

You also need to depart from the change-no-change formula that is applied by IT people - they want to add new capabilities without changing their current configurations, and they are therefore forced to compromise the new capabilities so much that they become useless. Review the network entirely to see where ISA fits and in what role. That's why you need your boss on board, and also a mastery of DNS and ISA!

Thanks

(in reply to catfish)
Post #: 2
RE: Network reconfiguration ISA server 1 Nic -> 2 NICs - 13.Jul.2007 9:44:34 AM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
Thanks for the reply hantahipi, some clarification.

Management basically agrees that there are some issues but wants a very secure solution; that is the prime concern.

My main issue stems from the fact that I think our ISA server is basically hopelessly misconfigured. We have a single network card using a firewall policy and trying to pass traffic from the internal network to the external network. I can tell you for a fact that this certainly does work to an extent, in that it blocks some traffic, assumes some traffic is 'anonymous' when we are trying to authenticate to websites, and generally behaves unpredictably. So it does control access, in a way, but in an unpredictable and unusable way. This is a long-standing problem that I think has been ignored and labelled 'that's the way it is', which I basically want to repair.

The trouble with making the ISA server dual-homed is that, because of the MPLS connection, I'm not sure where the server should actually sit; I mean there isn't another segment to connect the other network card to currently.

I hope I'm putting this across clearly; it's a lot more difficult to type than to point at a drawing!

I'm starting to get the feeling that, because we have a tri-homed hardware firewall and an offsite externally provided virus/message scanning solution, our ISA server is just needlessly overcomplicating the network and should be reduced to proxying only, without attempting to allow/block traffic at all.

(in reply to hantahipi)
Post #: 3
RE: Network reconfiguration ISA server 1 Nic -> 2 NICs - 16.Jul.2007 1:16:13 AM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
quote:

ORIGINAL: catfish

The trouble with making the ISA server dual-homed is that, because of the MPLS connection, I'm not sure where the server should actually sit; I mean there isn't another segment to connect the other network card to currently.

That part isn't clear - what other network card?

Important to mention, though, is that you have two options: implement ISA as a proxy and enjoy that, or implement ISA as firewall/proxy and enjoy that too. As long as you are happy with the roles you get, i.e. you do not have rules (or the need for rules) that will not work.

The way I see it, you can always have a multi-homed (read tri-homed) ISA. Traffic from your Other Network can come in on the third card, either fully trusted as an internal network (if you trust the traffic or your other firewall) or filtered - that is, if traffic from this network is incoming and not outgoing.

(in reply to catfish)
Post #: 4
RE: Network reconfiguration ISA server 1 Nic -> 2 NICs - 16.Jul.2007 3:45:57 AM   
catfish

 

Posts: 13
Joined: 22.Jun.2007
Status: offline
quote:

ORIGINAL: hantahipi

That part isn't clear - what other network card?

Well, our server has 2 network cards; however, 1 is disabled and the ISA is in a unihomed config.

Can you expand a bit on what exactly you mean by 'access rules are not useful' in a unihomed config? I mean, I can start generating internet traffic and look at the ISA server's logs in real time and see that it is blocking requests based on rules that are set up on the box.

I do, however, feel that it isn't working correctly, and my understanding was that if it is unihomed then it's a proxy server, nothing more; HOWEVER, I can see that it is actually actively denying traffic.

That's my whole confusion with this ISA server: I've inherited a unihomed server with a bunch of access rules, and they appear to be working sometimes, not all the time, and rather unpredictably.

If I run an ISA Best Practices server scan, I can see the message

"the external adapter is used in a single network card scenario, When the ISA server computer has 1 network adapter all non local network addresses are included in the internal network. Policy rules should allow or deny traffic from internal to internal network"

This tells me that in a unihomed scenario, access rules do work, with the caveat that things requiring application level filters will not work.

(in reply to hantahipi)
Post #: 5
RE: Network reconfiguration ISA server 1 Nic -> 2 NICs - 16.Jul.2007 5:47:33 AM   
hantahipi

 

Posts: 84
Joined: 26.Jan.2006
From: Kenya
Status: offline
quote:

When you install ISA Server on a computer with a single network adapter, ISA Server is only aware of two networks: the Local Host network that represents the ISA Server computer itself, and the Internal network, which includes all unicast Internet Protocol (IP) addresses that are not part of the Local Host network. In this configuration, when an internal client browses the Internet, ISA Server sees the source and destination addresses of the Web request as belonging to the Internal network.

I am pulling this from http://www.microsoft.com/technet/isa/2004/plan/single_adapter.mspx

From the same page you will learn that multi-network policies will not work - like the access rule you referred to with a destination of External! These are the access rules I was indicating that will not work.

Again, to emphasize, the supported scenarios are:
  • Forward web proxy and caching
  • OWA and Web publishing

On the basis of this, you should be able to exclude all other rules that show up on your ISA as doing anything other than the above; they are not very useful.

(in reply to catfish)
Post #: 6
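The exchange above turns on one point: a single-adapter ISA classifies every non-Local-Host unicast address as Internal, so a rule whose destination is External can never match, while the Best Practices Analyzer message catfish quoted says rules should be written Internal-to-Internal instead. The following is an added example, not code from the thread or from ISA Server, that models that classification and audits a constructed rule set against it. The topology objects, rule records and addresses are all constructed for illustration; the only real behaviour modelled is the one the quoted TechNet text describes.

```python
"""Model ISA Server 2004 network classification in single- vs dual-adapter
deployments and audit which access rules can ever match.

Added example (not ISA code).  Topologies, rules and addresses below are
constructed for illustration; the classification logic follows the TechNet
text quoted in the thread: with one adapter, ISA knows only Local Host and
Internal, and every non-Local-Host unicast address counts as Internal.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Topology:
    local_host: frozenset          # the ISA computer's own IP addresses
    internal_ranges: tuple         # ip_network objects defined as Internal
    single_adapter: bool           # True = unihomed ISA


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                    # "allow" or "deny"
    sources: frozenset             # ISA network names the rule matches from
    destinations: frozenset        # ISA network names the rule matches to


def classify(addr: str, topo: Topology) -> str:
    """Return the ISA network name an address falls into for this topology."""
    ip = ipaddress.ip_address(addr)
    if str(ip) in topo.local_host:
        return "Local Host"
    if ip.is_multicast:
        return "Unclassified"      # only unicast addresses are placed in networks
    if topo.single_adapter:
        # Single adapter: no External network exists; everything else is Internal.
        return "Internal"
    if any(ip in net for net in topo.internal_ranges):
        return "Internal"
    return "External"


def known_networks(topo: Topology) -> set:
    """Networks that actually exist in the topology (what rules can refer to)."""
    base = {"Local Host", "Internal"}
    return base if topo.single_adapter else base | {"External"}


def dead_rules(rules, topo: Topology) -> list:
    """Names of rules referencing a network the topology does not have.

    Such a rule can never match, so it neither allows nor denies anything;
    this is the BPA-style check for 'External' rules on a unihomed ISA.
    """
    known = known_networks(topo)
    return [r.name for r in rules
            if not (r.sources & known) or not (r.destinations & known)]


def evaluate(rules, src: str, dst: str, topo: Topology):
    """First-match rule evaluation; ISA's implicit default is deny."""
    s, d = classify(src, topo), classify(dst, topo)
    for r in rules:
        if s in r.sources and d in r.destinations:
            return r.action, r.name
    return "deny", None


# Constructed sample data: ISA at 10.0.0.5, LAN 10.0.0.0/8, web server 203.0.113.10.
ISA_SINGLE = Topology(frozenset({"10.0.0.5"}),
                      (ipaddress.ip_network("10.0.0.0/8"),), single_adapter=True)
ISA_DUAL = Topology(frozenset({"10.0.0.5", "198.51.100.2"}),
                    (ipaddress.ip_network("10.0.0.0/8"),), single_adapter=False)

# Rule set as inherited: written for a multi-homed ISA.
LEGACY_RULES = [
    AccessRule("Internet access", "allow", frozenset({"Internal"}), frozenset({"External"})),
]
# Rule set rewritten the way the BPA message says a unihomed ISA needs it.
FIXED_RULES = [
    AccessRule("Internet access (single NIC)", "allow",
               frozenset({"Internal"}), frozenset({"Internal"})),
]

if __name__ == "__main__":
    for label, topo in (("single adapter", ISA_SINGLE), ("dual adapter", ISA_DUAL)):
        print(label, "dead rules:", dead_rules(LEGACY_RULES, topo))
        print(label, "client -> web:", evaluate(LEGACY_RULES, "10.0.1.20", "203.0.113.10", topo))
    print("single adapter, fixed rules:",
          evaluate(FIXED_RULES, "10.0.1.20", "203.0.113.10", ISA_SINGLE))
```

Running it shows the behaviour the thread describes: on the single-adapter topology the inherited Internal-to-External rule is reported as dead and the client's web request falls through to the implicit deny, whereas the same rule matches once a second adapter gives ISA a real External network, and the Internal-to-Internal rewrite matches on the unihomed box. The audit function is the defender's check worth keeping: run the rule list through it before relying on any allow or deny on a single-NIC ISA.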