Multiple Configuration Storage Servers (Full Version)



Quee -> Multiple Configuration Storage Servers (11.Mar.2008 5:28:01 PM)

Hello,

I am deploying ISA 2006 with configuration storage servers in multiple sites, and was wondering if anyone knows if the only way you can use multiple Configuration Storage Servers is in a primary/backup scenario, where you would redirect the ISA array members to an alternate Configuration Storage Server in the event of a breakdown of the primary.

So is there no other way to use multiple Configuration Storage Servers associated with one array of ISA servers?  I'm concerned because if I'm truly limited to one Configuration Storage Server per site, then the only thing I can do as far as increasing the performance of that server will be to increase its processor (primarily) and hope for the best, right?  I can throw a bunch of RAM at it but that's really not going to help much if at all, because all of the queries to ADAM from the array members will consume the processor.

If anyone has deployed this in an enterprise scenario and has advice it would be most welcome.

Thank you.




tshinder -> RE: Multiple Configuration Storage Servers (15.Mar.2008 11:37:50 AM)

Multiple CSSs are used for backup. There isn't much traffic between the array and the CSS unless there are many changes being made to the Firewall Array configuration.

HTH,
Tom




Quee -> RE: Multiple Configuration Storage Servers (18.Mar.2008 10:57:33 PM)

Thank you Tom,

It does help.  I understand that there's only one CSS per array, but I wasn't so clear before.  In a situation where you have sites of around 40,000 users (connecting to OWA for example), does this really scale?  Is there a better way of managing this so that the CSS server and/or the array isn't hit brutally every weekday at 8:00 in the morning?  Maybe multiple arrays, although how would you distribute traffic across arrays if the traffic (and corresponding URL) is the same?

Maybe I'm over-estimating the performance hit the CSS will take, but it seems a bit much for one lonely server doing (lightweight yes) front-line authentication.

Thank you,

Quee




tshinder -> RE: Multiple Configuration Storage Servers (19.Mar.2008 9:56:21 AM)

Hi Quee,

The CSS doesn't authenticate the users, so it doesn't take a hit during high usage of the ISA Firewall array. The Firewall array members do the authentication.

However, if your arrays are getting hammered, you can create multiple arrays, esp if it is an inbound only array.

HTH,
Tom




Jason Jones -> RE: Multiple Configuration Storage Servers (19.Mar.2008 10:49:39 AM)

quote:

ORIGINAL: Quee

Thank you Tom,

It does help.  I understand that there's only one CSS per array, but I wasn't so clear before.  In a situation where you have sites of around 40,000 users (connecting to OWA for example), does this really scale?  Is there a better way of managing this so that the CSS server and/or the array isn't hit brutally every weekday at 8:00 in the morning?  Maybe multiple arrays, although how would you distribute traffic across arrays if the traffic (and corresponding URL) is the same?

Maybe I'm over-estimating the performance hit the CSS will take, but it seems a bit much for one lonely server doing (lightweight yes) front-line authentication.

Thank you,

Quee


Why do you think you can only have one CSS? Are your CSS and ISA Servers not domain members then?

If you are not using workgroup mode (best avoided IMHO) you should be able to define a primary and alternate CSS locations per array. In your scenario, you can then define the primary as a local CSS and the alternate as a central (head office) CSS server.

Sounds like you need to do a bit of background reading on what the CSS does and doesn't do as you seem a bit confused...have a look here:

http://www.microsoft.com/technet/isa/2004/deploy/dgisaserver.mspx

Please Note: This doc still applies for ISA2k6 too.

Once you have the CSS element sorted, you can then think about the arrays using ISA Enterprise edition and integrated NLB. I don't see why you couldn't just scale out (add more servers) a single array in the first instance...it depends on what you are doing, but I have seen a 4 node array handle these sorts of user levels and that was for all types of Exchange traffic, not just OWA.

Cheers

JJ




Quee -> RE: Multiple Configuration Storage Servers (19.Mar.2008 2:36:03 PM)

Hi Jason

Thank you for your response.  So I've left out a bit that will probably help explain the design decision here - the ISA servers are being located in a DMZ.  This is an Exchange proxy server solution, and along with the ISA servers there will be an Exchange Edge server in the DMZ as well.  Because of this we decided to go with putting the ISA servers in a workgroup instead of in the domain to reduce security exposure of the domain credential store (and the domain itself). 

The ISA CSS will have an ADAM store where it will do 1st-line authentication in the DMZ before allowing client traffic to be passed on to the Exchange back-end resources (CAS servers then on to the Exchange mailboxes).

That's the source of my concern for the Config Storage Server, and with 40,000+ users per site, I wonder if it'll scale.  Can't seem to find any comparable case studies or scenarios with this many users.

Also I've been asked if we can add traffic for SharePoint and OCS to run through this ISA array.  At this point my answer is 'no' because the scalability of the model is still unproven.  Am I way off base being concerned about performance?

Thank you,

Aquelah




Jason Jones -> RE: Multiple Configuration Storage Servers (20.Mar.2008 6:06:32 AM)

Yes, and you still don't seem to understand the role of the CSS - did you read the documents I linked you to? The CSS has ABSOLUTELY no involvement in user authentication or firewall traffic flow...it merely provides a configuration storage point for the ISA data.

Are you getting confused and assuming you can use the ADAM instance for user credential storage? If so, you can't. The ADAM instance that is installed as part of ISA is a customised version of ADAM specifically for ISA Server. It is not just a generic ADAM instance that can be used for other things.

No offence, but I don't think your proposed design is ideal. Using ISA Server in workgroup mode is not the best security model and has some serious implications, a single CSS being one you have already found. I assume you are also planning on using ISA Server in unihomed (single NIC) mode? Personally, I never understood the idea of placing an application-layer (layer7) firewall between network-level firewalls (layer3) as ultimately the layer3 back firewall often just becomes Swiss cheese with open ports in order for the layer7 firewall to provide full value - you could also question the front firewall as in most cases all it does is pass encrypted traffic to ISA, not exactly adding a lot of value. Always place the most intelligent firewall closest to your data...in this case, place ISA server closest to Exchange, not stuck in the DMZ.

If you have to go with this DMZ model, you should be looking at using ISA Server LDAP(S) authentication from ISA Server to your internal domain controllers. This is a good compromise if you are not willing to place ISA in the domain, and allows for pre-authentication and delegation for Exchange. Another issue you may not be aware of is that if ISA is not a domain member, you cannot use a feature called Kerberos Constrained Delegation (KCD) which provides an awful lot of benefit if you are looking at new applications like Exchange 2007.

You may want to review the following article, as fear of placing ISA Server in the domain is a common misconception:

http://www.isaserver.org/tutorials/Debunking-Myth-that-ISA-Firewall-Should-Not-Domain-Member.html

Personally I would look at making ISA server a domain member with at least three network interfaces (external, internal and intra-array). You can then either place ISA as a back firewall behind your existing edge firewall, or if this is not possible, place it in bridging mode between your DMZ and the LAN. You can then start with at least two CSS servers to provide fault tolerance. In this model, ISA Server would be a member of the domain and the CSS servers would also be domain members.

I have a customer with approx 35k users where ISA is acting as an internal/external firewall for all Exchange applications and is a very busy array, this includes OWA, Outlook Anywhere, POP3, IMAP, Outlook MAPI. The array consists of 4 members using reasonable standard server hardware (dual cpu, 2GB RAM, RAID1 disks etc).

I would start by using the ISA Server capacity planner here: http://www.microsoft.com/isaserver/capacityplanner.swf

If you scale it properly, I see no reason why the array couldn't also support SPS/OCS. Why don't you start with OWA, baseline the servers, see how they are coping and then start adding additional web publishing for SPS, then OCS. If you need to, you can always scale out the array dynamically by just adding new array members. This can be done pretty quickly and involves little downtime.

Cheers

JJ




tshinder -> RE: Multiple Configuration Storage Servers (20.Mar.2008 2:01:16 PM)

Hi Jason,

Excellent post on clarifying the role of the CSS!

Thanks!
Tom




ducsta -> RE: Multiple Configuration Storage Servers (28.Mar.2008 2:49:05 AM)

Hi Jason,

I'm currently designing an internet gateway solution for a customer. My customer wants to employ security in depth practice where they want to have an ISA array on the internal network (part of the corp domain, 2 servers both running the role of ISA CSS and ISA Server (NLB) for fault tolerance and high availability of both CSS and ISA servers). Then they want another ISA array in their DMZ (2 servers only running ISA servers (NLB)).

The internal array will authenticate users etc, and forward web requests to the DMZ array (upstream array) in a web chaining scenario.

My question .. is it possible to add the DMZ ISA array to the CSS on the internal network? Do ports 2171 and 2173 only need to be opened on the firewall separating the DMZ network and the internal network?  I want to do this so we can manage the 2 ISA arrays from the central internal CSS.

Please help!! ;) any suggestions would help....

Ducsta!





Jason Jones -> RE: Multiple Configuration Storage Servers (28.Mar.2008 5:13:59 AM)

This is possible, but be aware that the CSS server will require Kerberos authentication from the DMZ ISA Servers to communicate. Subsequently these servers will also need to be part of the domain (or a trusted domain) and you would need to allow the appropriate protocols for this in addition to the normal CSS communications ports.

Why do they need another array in the DMZ? I am confused as to the value this provides?

Is the internal array for internal firewalling or is it a back firewall behind the front firewall that defines the DMZ you mention?

A diagram of the topology you are planning (to show where ISA interfaces connect) would be handy...

Cheers

JJ




ducsta -> RE: Multiple Configuration Storage Servers (28.Mar.2008 6:14:55 AM)

Hi JJ,

You're right, I don't see the value of having a DMZ ISA Array (Upstream), but they want it in place because it's logically further away from the internet. Go figure ;)

I have drawn up a quick logical diagram, how do I upload it? ;)

The ISA Array will not be performing any firewall functions, only PROXYing..

The Internal Array is connected to the internal network, which is connected to a CISCO firewall.
The External Array is connected to the DMZ network, which is connected to the same CISCO firewall.
The CISCO firewall is 3-legged. 1 interface to the internet, 1 interface to the internal network and 1 interface to the DMZ.

"Subsequently these servers will also need to be part of the domain (or a trusted domain) and you would need to allow the appropriate protocols for this in addition the normal CSS communications ports"

As the DMZ Servers are in a workgroup, I was going to deploy certificates for connecting to the ISA CSS.

I'll try to get a picture to you soon.

Ducsta 






Jason Jones -> RE: Multiple Configuration Storage Servers (28.Mar.2008 6:41:35 AM)

So the ISA Servers will only have one interface? You can host the picture on an image hosting site or draw it using text characters. The key element is how many interfaces will the ISA servers have, and where will they be connected. Can you also indicate which array will be used for forward proxy, reverse proxy or firewall duties as I am still a little unsure?

I don't think you can configure a CSS to use both Kerberos and Certificate authentication at the same time - it is a one or the other choice at install time. Therefore you will need two Enterprises with separate CSS servers, unless the DMZ array is part of the domain.

Personally, I think I would put the ISA Array in-line behind the CISCO firewall to create a back-to-back firewall topology or deploy ISA in bridging mode between the DMZ and the LAN. ISA should be placed closest to your assets as it provides far more application protection than the Cisco device. No offence and IMHO, but not sure I think the design is that great, I never really agreed with using a L7 application firewall and then limiting it with L3 network firewalls all around it...

Cheers

JJ




ducsta -> RE: Multiple Configuration Storage Servers (28.Mar.2008 7:53:58 AM)

Hi JJ,

Bugger, you're right again... ;) It's either Windows Kerberos OR Certificate... can't be both.

Below is a logical text diagram.

Internet -----------------Firewall--------------------DMZ Network
                                         |                     |
                                         |                     |
                                         |                     |
                                         |            DMZ ISA Array
                                         |   (Customer wants NLB for Redundancy)
                                         |   (Not part of Domain)  
                                         |   (Each Server will have 1 interface connected DMZ)
                                         |   (Each Server will have 1 interface for intra-array)
                                         |
                                         |
            ---------------------------------------------Internal Network
                 |
                 |
                 |
                 |
      Internal ISA Array
(2 Servers, both running CSS and ISA)
(Both servers will have 1 Interface connected to the Internal Network)
(Both servers will have 1 Interface for Intra-Array Comms)
(Array will be NLB integrated for ISA Server Redundancy)
(No firewall functionality, only PROXY. Dictated by customer :( )

Web Request Flow.
1. Web Proxy Client configured to use Internal ISA Array as PROXY
2. Internal ISA Array will be configured to Proxy Web Chain to DMZ ISA Array
3. Internal ISA Array will forward to DMZ Upstream ISA Array
4. DMZ Upstream ISA Array will request information from internet.
5. DMZ Upstream ISA Array returns request to Internal ISA Array
6. Internal ISA Array returns request to Web Proxy

I personally would prefer to get rid of the DMZ ISA Array, but the customer wants it there. I'm finding it hard to convince them.

You're right, I'll need 2 ISA Enterprises.. 1 for Internal and 1 for DMZ, but the DMZ Array will not have CSS Redundancy.........*sigh*

Cheers

Ducsta.







Jason Jones -> RE: Multiple Configuration Storage Servers (28.Mar.2008 8:16:36 AM)

Hi,

Ah right, makes more sense...[;)]

I assume the design is purely for forward proxy then?

If the upstream proxy was doing something clever like AV or other content filtering it may make more sense. I must admit I have seen people use this design before to remove direct connectivity between the LAN and Internet. It is a common solution for things like DNS where you place a caching only DNS forwarding server in the DMZ and configure the internal DNS servers to forward to the DNS server in the DMZ. 

Be aware that running the CSS on the ISA nodes with NLB will mean some custom changes to the CSS FQDNs to allow Kerberos to work. Maybe consider placing the CSS on remote/dedicated servers rather than the actual array members themselves...

Cheers

JJ 




Jason Jones -> RE: Multiple Configuration Storage Servers (28.Mar.2008 8:17:49 AM)

PS I think you should apologise to the OP for stealing his thread! [8D]




ducsta -> RE: Multiple Configuration Storage Servers (28.Mar.2008 8:31:42 AM)

Sorry OP for stealing the thread!!




Boedus -> RE: Multiple Configuration Storage Servers (30.Mar.2008 8:18:48 PM)

Well, my 2 cents here, but using ISA Server as a web cache only is throwing money out of the window, especially the Enterprise Edition which is about 5k USD.
You can use Squid or something for this running on Linux.




tshinder -> RE: Multiple Configuration Storage Servers (1.Apr.2008 11:17:16 PM)

Hi Boedus,

Yes! You are correct. I suspect that the ISA Firewall array is actually a more secure firewall than the existing firewall infrastructure. However, maybe they need the routing functionality in the current firewall setup. In that case, a parallel ISA Firewall array configuration would be more appropriate.

Thanks!
Tom



