Need to setup DMZ to segment our web servers

Need to setup DMZ to segment our web servers - 11.Nov.2009 3:36:29 PM   
inlining

 

Posts: 36
Joined: 23.Aug.2005
Status: offline
I need to create and configure a DMZ segment on my ISA2K4 Firewall machine and place 1 existing web server and 1 new web server in this DMZ for security reasons.

My ISA server currently has 2 NICs - an inside and an outside so I think I have to install a 3rd NIC for the DMZ. Once installed, what IP, subnet and GW will I assign to this NIC?

The ISA box is currently config'd as an edge firewall that is a domain member and has 4 static IPs bound to the external NIC -
one for our Exchange email and VPN connections (SSL cert on Exchange server for webmail)
one for the web site (SSL cert on this web server)
one for our sharepoint server (not currently used and will be used for the new web server)
one for an application server

The ISA server is not running DNS server services.

The external NIC is configured as follows: (which is connected to our modem/router)
IP: 10.1.1.y
Sub: 255.255.255.xxx
GW: 10.1.1.x

The internal NIC is configured as follows:
IP: 192.168.x.x
Sub: 255.255.255.0
GW: None


If possible I would like to segment only the 2 web servers in the DMZ and leave our exchange server and sharepoint server as is.
What I need to know is which rules I need to create and what needs to be configured accordingly to make this config work the way I intend.

If anyone is able to help I would greatly appreciate it.
Post #: 1
RE: Need to setup DMZ to segment our web servers - 12.Nov.2009 9:59:36 AM   
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
Hi,

quote:

My ISA server currently has 2 NICs - an inside and an outside so I think I have to install a 3rd NIC for the DMZ. Once installed, what IP, subnet and GW will I assign to this NIC?

You should configure it like this:
IP: 172.16.1.1 (or another range you want)
Mask: 255.255.255.0 (or another one you want)
Gw: none
DNS: internal DNS server (as configured on internal NIC)

After that, you can place only the servers that you want. It doesn't have to be all servers.

Create a Network Relationship between Perimeter and External, and between Internal and Perimeter Networks.

Create publishing/access rules accordingly.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to inlining)
Post #: 2
RE: Need to setup DMZ to segment our web servers - 12.Nov.2009 12:09:38 PM   
inlining

 

Posts: 36
Joined: 23.Aug.2005
Status: offline
Thank you Paulo, I really appreciate your prompt response. Based on your response I have a few follow-up questions:

First, do I have to change the config of the ISA server from Edge to Perimeter? If so, is there a way to do this that limits downtime to my users and web apps? I'll of course backup the current config before proceeding.

Second, I've looked for an article on this site for creating the publishing and access rules needed in a DMZ and have not found any. Are you aware of any?

Thanks,

(in reply to paulo.oliveira)
Post #: 3
RE: Need to setup DMZ to segment our web servers - 12.Nov.2009 12:40:43 PM   
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
Forget the templates.  ISA is still an "Edge",...it is just now an Edge with a Tri-homed DMZ hanging off the side of it,...so don't worry about it.

Access Rules and Publishing Rules work the same way.  The Source and Destination in the Rule just have to be correct.

_____________________________

Phillip Windell

(in reply to inlining)
Post #: 4
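
An added example, not part of any post in this thread: a Python check of the tri-homed addressing plan from Paulo's reply (default gateway on the external NIC only, non-overlapping subnets) and of Phillip's point that a rule's Source and Destination must match where the hosts actually sit. The External and Internal addresses, the host addresses and the rule dictionary format are constructed placeholders, and the code does not read or change ISA Server configuration.

```python
import ipaddress

# Constructed plan: the thread elides the real External/Internal values, so
# those two entries are placeholders. Perimeter uses the values from the reply.
NICS = {
    "External":  {"ip": "10.1.1.2",     "mask": "255.255.255.248", "gw": "10.1.1.1"},
    "Internal":  {"ip": "192.168.10.1", "mask": "255.255.255.0",   "gw": None},
    "Perimeter": {"ip": "172.16.1.1",   "mask": "255.255.255.0",   "gw": None},
}

def subnet(nic):
    """Network a NIC is attached to, from its IP and dotted mask."""
    return ipaddress.ip_interface(f"{nic['ip']}/{nic['mask']}").network

def check_plan(nics):
    """Return a list of problems with a multi-homed addressing plan."""
    problems = []
    with_gw = [name for name, n in nics.items() if n["gw"]]
    if with_gw != ["External"]:
        problems.append(f"default gateway must be on External only, found on: {with_gw}")
    names = list(nics)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            if subnet(nics[a]).overlaps(subnet(nics[b])):
                problems.append(f"{a} and {b} subnets overlap")
    for name, n in nics.items():
        if n["gw"] and ipaddress.ip_address(n["gw"]) not in subnet(n):
            problems.append(f"{name} gateway is outside its own subnet")
    return problems

def network_of(host, nics):
    """Name the network a host sits behind; anything not local is External."""
    addr = ipaddress.ip_address(host)
    for name in ("Internal", "Perimeter"):
        if addr in subnet(nics[name]):
            return name
    return "External"

def check_rule(rule, nics):
    """Compare a rule's declared Source/Destination with its hosts' networks."""
    problems = []
    for side in ("source", "destination"):
        actual = network_of(rule[side + "_host"], nics)
        if actual != rule[side]:
            problems.append(
                f"{rule['name']}: {side} host is on {actual}, rule says {rule[side]}")
    return problems

if __name__ == "__main__":
    print(check_plan(NICS) or "addressing plan OK")
```
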
RE: Need to setup DMZ to segment our web servers - 19.May.2010 3:28:15 PM
inlining

 

Posts: 36
Joined: 23.Aug.2005
Status: offline
Phillip,
Thanks for adding your comments to this post. Can you tell me if the above description by Paulo creates a DMZ? I need to segment the 2 servers mentioned to be separate from the rest of the network for PCI compliance reasons and I need to configure a DMZ.

Thank you. 

(in reply to pwindell)
Post #: 5
RE: Need to setup DMZ to segment our web servers - 19.May.2010 3:45:48 PM
pwindell

 

Posts: 2244
Joined: 12.Apr.2004
From: Taylorville, IL
Status: offline
I believe Paulo and I are saying the same thing.

_____________________________

Phillip Windell

(in reply to inlining)
Post #: 6
RE: Need to setup DMZ to segment our web servers - 19.May.2010 4:14:14 PM
paulo.oliveira

 

Posts: 3472
Joined: 3.Jan.2008
From: Amazon, Brazil
Status: offline
quote:

ORIGINAL: pwindell

I believe Paulo and I are saying the same thing

Agreed.

Regards,
Paulo Oliveira.

_____________________________

Microsoft Premier Field Engineer (PFE)
Blog: http://poliveirasilva.wordpress.com/
Twitter: https://twitter.com/poliveirasilva

(in reply to pwindell)
Post #: 7
