Discussion about article on placing unihomed ISA firewall in P*X DMZ

Discussion about article on placing unihomed ISA firewa... - 10.Aug.2004 6:19:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing the article on how to place a unihomed ISA firewall on a "hardware" firewall's DMZ segment to publish an OWA site at XXX.

Here are the answers to the questions in the article:

1. Most "hardware" firewalls provide only stateful filtering. In order to get both stateful filtering and advanced stateful application layer inspection, you need to use a firewall that moves beyond simple stateful filtering -- the ISA firewall provides the added protection required to secure against modern attacks at the application layer.

2. FALSE. The ISA firewall is an ideal perimeter firewall that can be placed at the edge of the network or in-line with fast, simple stateful filtering firewalls.

3. FALSE. The ISA firewall, unlike the ISA Server 2000 firewall, does not have a dedicated caching-only installation mode. However, you can replicate the ISA Server 2000 configuration on the ISA firewall by installing the ISA firewall software on a single NIC machine.

4. The unihomed ISA firewall on the DMZ segment requires a default gateway if the packet filtering firewall in front of the ISA firewall preserves the source IP address of the external client making the incoming request for OWA resources. If the packet filter firewall in front of the unihomed ISA firewall replaces the source IP address with its own, then a default gateway is not required on the unihomed ISA firewall.

5. The HOSTS file entry on the unihomed ISA firewall allows the ISA firewall to correctly resolve the name of the OWA site to the appropriate IP address. If you have a route relationship between the Internal network and the DMZ, then the HOSTS file entry includes the actual IP address of the OWA site. If you have a NAT relationship between the Internal network and the DMZ, then you would include the IP address on the packet filter firewall's DMZ interface and publish (reverse NAT) that address so that the connection is forwarded to the OWA server on the Internal network.

6. FALSE. You do NOT need to create an access rule to allow outbound HTTP or SSL connections from the ISA firewall to the OWA site on the Internal network. The Web Publishing Rule does the heavy lifting. The unihomed ISA firewall creates dynamic packet filters using its stateful filtering mechanisms and allows the appropriate ports to be opened and closed in a secure manner.

7. All IP addresses are considered internal when using the unihomed ISA firewall configuration.

8. You should always use the same name from end to end. If the external user uses the URL http://owa.domain.com/exchange to reach the OWA site, then the redirect should be to the FQDN owa.domain.com. You can get the proper name resolution by using a HOSTS file on the unihomed ISA firewall.

[ August 10, 2004, 06:21 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about article on placing unihomed ISA fi... - 11.Aug.2004 6:16:00 AM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
Tom,

Excellent as usual. I can literally say that I can use this information right now!

Anyways, I think I can return the favor. You can indeed run ISA2004 in an enterprise environment that requires SIP compliance. Since enterprise networks never put the firewall in the same subnet as the users, there is a very simple solution to the SIP dilemma.

Most of these networks have a core layer 3 switch that acts as the default gateway for all of the users. Using this layer 3 switch, you can have 2 paths from the core L3 switch to the edge SPF firewall. One is a direct connection and one is through a multi-homed ISA server. The core L3 switch has a default static route (with metric 100) to the Internet directly to the edge SPF firewall. However, the ISA server could advertise the default route to the core L3 switch via OSPF, which would automatically override the core switch's default static route. In the event that the ISA server should go down, the core switch would automatically revert to the static route, bypassing the ISA server. This would be a very simple yet effective failover mechanism which would permit you to down the ISA server for maintenance or patching yet not disrupt access to the Internet.

Now what about our little SIP problem? With a little feature called policy based routing, SIP traffic destined for the ISA server (via the OSPF route) could be forced to go to the edge SIP-compliant SPF firewall directly. This would work in either scenario, whether the ISA server was up or down. No more show stopper!

I think this would make a good article wouldn't you say?

George Ou
Network Systems Architect
www.LANArchitect.net

(in reply to tshinder)
Post #: 2
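The failover and SIP-bypass design George describes above, written out as an added example configuration for the core L3 switch. This is not configuration from the thread or from any of its participants: it assumes Cisco IOS syntax (the post names no vendor), constructed transit addresses, and that the ISA host is actually originating a default route over OSPF. One practical detail: on IOS a static route is preferred over OSPF unless its administrative distance is higher than OSPF's default of 110, so the floating static below uses 200.

```cisco
! Core L3 switch -- Cisco IOS syntax assumed; all addresses are constructed.
!
! Transit link to the edge stateful packet filter (SPF) firewall
interface Vlan10
 description Direct path to edge SPF firewall (10.0.10.2)
 ip address 10.0.10.1 255.255.255.252
!
! Transit link to the internal NIC of the multi-homed ISA firewall
interface Vlan20
 description Path via ISA firewall (10.0.20.2)
 ip address 10.0.20.1 255.255.255.252
!
! User VLAN: the switch is the users' default gateway, so the
! policy route-map is applied on this ingress interface
interface Vlan100
 description Users
 ip address 10.0.100.1 255.255.255.0
 ip policy route-map SIP-BYPASS-ISA
!
! Floating static default route to the edge firewall.
! Distance 200 > OSPF's 110, so the default learned from ISA wins while
! the ISA adjacency is up; when it drops, this route is installed.
ip route 0.0.0.0 0.0.0.0 10.0.10.2 200
!
! OSPF adjacency only on the ISA transit link; everything else stays passive
router ospf 1
 router-id 10.0.0.1
 passive-interface default
 no passive-interface Vlan20
 network 10.0.20.0 0.0.0.3 area 0
 network 10.0.100.0 0.0.0.255 area 0
!
! SIP signalling (UDP and TCP 5060) from the user VLAN
ip access-list extended SIP-TRAFFIC
 permit udp 10.0.100.0 0.0.0.255 any eq 5060
 permit tcp 10.0.100.0 0.0.0.255 any eq 5060
!
! Policy-based routing: SIP goes straight to the edge firewall regardless of
! which default route is active; unmatched traffic follows the routing table
route-map SIP-BYPASS-ISA permit 10
 match ip address SIP-TRAFFIC
 set ip next-hop 10.0.10.2
```

Packets that match no route-map entry are forwarded by the normal routing table, so no catch-all entry is needed. Note that the access list matches only SIP signalling; the RTP media streams that SIP negotiates use dynamically assigned ports and would need their own policy entry if they too must bypass ISA.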
RE: Discussion about article on placing unihomed ISA fi... - 11.Aug.2004 11:25:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,

Great! As always, you've provided some key fixes here.

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about article on placing unihomed ISA fi... - 11.Aug.2004 8:07:00 PM   
George_Ou

 

Posts: 31
Joined: 20.Jun.2004
From: Sunnyvale
Status: offline
Do you think you can rekindle that cancelled project now using this technique?

(in reply to tshinder)
Post #: 4
RE: Discussion about article on placing unihomed ISA fi... - 12.Aug.2004 2:32:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi George,

We just might. I'll let you know what happens.

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about article on placing unihomed ISA fi... - 17.Aug.2004 1:21:00 AM   
jbone

 

Posts: 1
Joined: 17.Aug.2004
From: Hungary
Status: offline
Hi,
I need to use the unihomed schematic ISA2004 in the DMZ of a "packet filter hw firewall", just as you described in the article.
I want to use ISA for publishing of the webservers (not OWA) that are also in the DMZ, with HTTP filtering.

The DMZ is a public IP range (of which we have plenty of free addresses), no NAT.

The webservers in the DMZ are currently published with primitive packet filtering by the hw fw.
I want to migrate step by step, one webserver each time.
What do you suggest for the following approach?

I bind the original IP address of a webserver to the ISA NIC (and a new listener), and then give the webserver a new address (in the same range, not published through the hw fw). Then I create a web publishing rule that references this new address...
Would this work?

(in reply to tshinder)
Post #: 6
RE: Discussion about article on placing unihomed ISA fi... - 5.Jan.2005 8:16:00 PM   
chi

 

Posts: 1
Joined: 5.Jan.2005
From: Sunnyvale
Status: offline
Hi Tom,

I'm trying to test this ISA2004 server on a production network in a single-homed configuration as a simple WEB Proxy server for an Outlook 2003 portal. I followed the instructions on your tutorial and I'm not having any luck. I already had the ISA2004 software installed so I couldn't follow it exactly so I used the wizard to put ISA in single-homed mode. Here is what the configuration looks like.

I've also exported the Network configuration XML so you may be able to see if I did something wrong in there. For the firewall configuration, I followed your tutorial verbatim. I've also exported the Firewall configuration XML for you to see.

I also set up the hosts file and DNS records to point to the physical server and the ISA interface respectively.

My set up is a little different than the tutorial but it should be simpler, I'm not even trying to test it through a firewall or a NAT. I just want to see the Web proxy work on an internal network before I can move it in to the DMZ and cause an outage. Here is what the topology looks like.

All I want to test is to access webmail.fjcs.net from the workstation through the ISA2004 server in Web Proxy mode. The workstation resolves to the IP address of the ISA2004 server "SV-ISA2004" via DNS and the ISA2004 server resolves to the physical exchange server "SV-EXCHANGE" via HOSTS file. For some reason, I can't get this to work. The strange thing is, I can't even get to webmail.fjcs.net from the ISA2004 server itself using a browser even though I can open TCP 80 to it. I'm not using any kind of HTTPS for testing purposes.

Help [Frown]

(in reply to tshinder)
Post #: 7
RE: Discussion about article on placing unihomed ISA fi... - 16.Jan.2005 3:55:00 PM   
patmhkwan

 

Posts: 1
Joined: 16.Jan.2005
Status: offline
Tom,

I've read through your article; it was a very good reference which matches my case exactly. Thanks.

And I've some questions about this configuration that need your help to clarify:

1. Can I also enable RPC over HTTP AND publish OWA at the same time using this config? If yes, is there any doc that I can reference to configure RPC over HTTP using ISA 2004 with this configuration?

2. Does the ISA 2004 server need to join the Windows domain controller which is behind the traditional firewall (Checkpoint)?

Thanks a lot.

Pat

(in reply to tshinder)
Post #: 8
RE: Discussion about article on placing unihomed ISA fi... - 4.Aug.2005 7:11:00 PM   
jrosen

 

Posts: 1
Joined: 4.Aug.2005
Status: offline
Should the unihomed ISA server be a member server or part of an (AD) domain?

What are the benefits/drawbacks of doing this?

(in reply to tshinder)
Post #: 9
RE: Discussion about article on placing unihomed ISA fi... - 7.Feb.2006 10:16:17 AM   
rogerroger

 

Posts: 22
Joined: 17.Dec.2004
From: Indianapolis
Status: offline
Tom, or anyone else with knowledge. In the article you stated I can use this configuration to publish OWA, OMA, and RPC over HTTP sites. I understand the OWA, but how do I get ActiveSync (OMA) and RPC over HTTP to work as well? My ISA server is in "proxy" mode and not a member of the domain. What direction do I need to go? Thanks anyone!

-Jason

(in reply to jrosen)
Post #: 10
RE: Discussion about article on placing unihomed ISA fi... - 7.Feb.2006 3:51:04 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: jbone

Hi,
I need to use the unihomed schematic ISA2004 in the DMZ of a "packet filter hw firewall", just as you described in the article.
I want to use ISA for publishing of the webservers (not OWA) that are also in the DMZ, with HTTP filtering.

The DMZ is a public IP range (of which we have plenty of free addresses), no NAT.

The webservers in the DMZ are currently published with primitive packet filtering by the hw fw.
I want to migrate step by step, one webserver each time.
What do you suggest for the following approach?

I bind the original IP address of a webserver to the ISA NIC (and a new listener), and then give the webserver a new address (in the same range, not published through the hw fw). Then I create a web publishing rule that references this new address...
Would this work?


Not a good design. You should use at least two NICs in the ISA firewall in order to get the best security.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jbone)
Post #: 11
RE: Discussion about article on placing unihomed ISA fi... - 7.Feb.2006 3:52:52 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: patmhkwan

Tom,

I've read through your article; it was a very good reference which matches my case exactly. Thanks.

And I've some questions about this configuration that need your help to clarify:

1. Can I also enable RPC over HTTP AND publish OWA at the same time using this config? If yes, is there any doc that I can reference to configure RPC over HTTP using ISA 2004 with this configuration?

2. Does the ISA 2004 server need to join the Windows domain controller which is behind the traditional firewall (Checkpoint)?

Thanks a lot.

Pat


Hi Pat,

Yes, as long as you deploy the ISA firewall as a firewall (two or more NICs) you'll have no problems. The single NIC "hork mode" config creates many problems and is not a security solution, IMHO.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to patmhkwan)
Post #: 12
RE: Discussion about article on placing unihomed ISA fi... - 7.Feb.2006 3:53:47 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: jrosen

Should the unihomed ISA server be a member server or part of an (AD) domain?

What are the benefits/drawbacks of doing this?


Hi J,

Bag the unihomed config and fully deploy the ISA firewall. You paid for a network firewall so you should use it.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to jrosen)
Post #: 13
RE: Discussion about article on placing unihomed ISA fi... - 7.Feb.2006 3:54:46 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: rogerroger

Tom, or anyone else with knowledge. In the article you stated I can use this configuration to publish OWA, OMA, and RPC over HTTP sites. I understand the OWA, but how do I get ActiveSync (OMA) and RPC over HTTP to work as well? My ISA server is in "proxy" mode and not a member of the domain. What direction do I need to go? Thanks anyone!

-Jason


Hi Roger,

Have you fully deployed the ISA firewall? I mean, with two or more NICs? That's the only way you'll get full functionality.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to rogerroger)
Post #: 14