I want to implement "The ISA Firewall in a PIX DMZ Configuration", but I was wondering: if I had to deploy it on the LAN with no NICs in the DMZ, what features would not be available?
Would I still be able to do application layer filtering?
In this case, you could use the back-to-back firewall config; that would enable the ISA firewall to be inline and protect you from the exploits that pass easily through the PIX.
Thanks for your response. We have 2 ISA servers in an NLB cluster and they both have 2 NICs.
This is my network configuration:
Internet
   |
PIX (no NAT)
   |
DMZ (public addresses)
   |
PIX (NAT enabled)
   |
LAN (which is where ISA sits)
The ISA servers have 2 NICs in them, but they are both on the corporate LAN. One NIC is using NLB and that's where the clients connect; the other NIC is where the default gateway is, so that's where the clients route out of the ISA server.
They are configured as follows:
      LAN
       |
   NLB NICs
    /     \
 ISA1     ISA2
  |         |
 NIC       NIC   (without NAT enabled)
    \     /
      LAN
So I do have 2 NICs; my only concern is that in ISA both NICs are defined as internal.
Am I going to lose any functionality with both NICs in the LAT table and routing to our internal NATted PIX firewall, versus leaving one NIC on the LAN and putting 1 NIC in the DMZ?
I would prefer to put 1 NIC in the DMZ and one on the LAN but if I am not going to gain any functionality I can't justify it.
Putting the ISA firewall array in the DMZ between the PIXes would be a good combination, because you can put it in the path between the users and the Internet. The drawback is that users can potentially change their gateway addresses and bypass ISA firewall security by going through the back-end PIX.
RE: Discussion about article on using ISA to protect fr... - 1.Jul.2005 8:43:00 AM
Guest
Dear Dr. Shinder,
I have a question regarding using PIX and ISA Server 2004 in a back-to-back configuration.
I have ISA Server 2004 set up in a 3-leg configuration. The DMZ hosts the DNS servers/SMTP relay and the internal network hosts Exchange. To the external adapter of the ISA are bound 3 IPs: two for the DNS servers and the other for OWA. This configuration works well and I have no problems with it.
I would like to add a PIX in front of the ISA Server so the external adapter of the ISA and the internal interface of the PIX are on a network segment that uses private IPs. How do I get my configuration described above to work with the PIX? Could you please give me some direction or point me to where I can find more information?
I just read your article on Following the Path to Exchange in an ISA Firewall in PIX DMZ Environment. I also have your book on ISA Server 2004. I just wanted to know if you had a page for me to reference for the configuration? I will be using a private IP address in my DMZ.
I ran across this article "Playing nicely with others" and it seems to best describe our implementation, as we added the ISAs into an already existing (and paid for) PIX environment. I have read most of your other articles on implementing ISA and know this is not the ideal configuration, but as you mention, there is some convincing of traditional network engineers and CIO/CFOs to be done that a Microsoft product is capable on its own.
My question is this: should I have a default gateway installed on both interfaces? I currently have the PIX LAN interface for the DMZ subnet installed as the DG on the external interface, but I also have a DG installed on the internal interface, as not all of the servers the ISA is publishing are on the same subnet as the internal interface itself. Does this sound correct? I am getting occasional proxy chain loop errors and am trying to determine if the two different DGs installed might be the fault here.
When used behind a PIX, should the external I/F use the PIX address as the DG?
I have an ISA Enterprise environment with 2 array members and it seems to work for a while this way, and then one of the array members will start getting the 0xc004002d fwx_unreachable_address errors, at which time if I run an IPCONFIG /all on each machine I will see that the DG on the external I/F has disappeared on one of the array members.
If I reset the DG I am fine for a while, but it seems to be recurring.
Am I completely off here by setting a DG on both the internal and external I/Fs if I'm forced to operate behind a PIX and host content on another internal subnet?
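A multihomed Windows host should carry a single default gateway, on the Internet-facing NIC, and reach the other internal subnets through persistent static routes on the internal NIC. The Python below is an added example, not from this thread or from ISA: it parses a constructed `route print` listing (addresses borrowed from the 10.9/10.10 layout described later in the thread), flags when more than one interface carries a default route, and emits the `route -p add` commands that replace the internal DG; the 10.20.0.0/16 subnet in the usage is an assumed example of "another internal subnet".

```python
import ipaddress
import re

# Constructed stand-in for Windows "route print" output on a dual-NIC ISA host
# (external NIC 10.9.1.50 on the PIX segment, internal NIC 10.10.1.5), with a
# default gateway on *both* interfaces. Not a real capture.
SAMPLE_ROUTE_PRINT = """\
IPv4 Route Table
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0         10.9.1.1      10.9.1.50      20
          0.0.0.0          0.0.0.0        10.10.1.1      10.10.1.5      20
         10.9.1.0    255.255.255.0          On-link      10.9.1.50     276
        10.10.1.0    255.255.255.0          On-link      10.10.1.5     276
===========================================================================
"""

# dest, netmask, gateway, interface, metric; the header row fails on the numeric metric
ROUTE_RE = re.compile(r"^\s*(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s*$")


def parse_routes(text):
    """Return a list of (destination, netmask, gateway, interface, metric) tuples."""
    routes = []
    for line in text.splitlines():
        m = ROUTE_RE.match(line)
        if m:
            dest, mask, gw, iface, metric = m.groups()
            routes.append((dest, mask, gw, iface, int(metric)))
    return routes


def default_gateways(routes):
    """Map interface -> default gateway. More than one key means two DGs, the misconfiguration."""
    return {iface: gw for dest, mask, gw, iface, _ in routes
            if dest == "0.0.0.0" and mask == "0.0.0.0"}


def static_route_commands(gateways, external_iface, internal_subnets):
    """Persistent 'route -p add' commands that replace every non-external default
    gateway with explicit routes to the internal subnets it must still reach."""
    cmds = []
    for iface, gw in sorted(gateways.items()):
        if iface == external_iface:
            continue  # the Internet-facing NIC keeps the only default gateway
        for subnet in internal_subnets:
            net = ipaddress.ip_network(subnet)
            cmds.append(f"route -p add {net.network_address} mask {net.netmask} {gw}")
    return cmds
```

Run `default_gateways(parse_routes(SAMPLE_ROUTE_PRINT))` to see both interfaces listed, then `static_route_commands(..., "10.9.1.50", ["10.20.0.0/16"])` for the replacement route; after applying it, delete the internal NIC's default gateway so only the external one remains.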
I am having trouble routing between the PIX and ISA in a back-to-back setup like you are discussing.
I have the PIX on the Internet and on the private address of 10.9.1.1.
The ISA is on the 10.10 network and the 10.9 network, using the PIX as the gateway.
The internal network uses the ISA as a gateway.
So basically it looks like this:
VPN client (192.168.1.x) --> Internet --> PIX --> ISA --> internal network.
I set up a subnet rule in ISA, along with a network rule to route to the 192.168.1 subnet that the PIX gives to VPN clients. There are also 2 firewall rules to allow traffic back and forth.
Internal for the ISA is defined as 10.10.0.0 to 10.10.255.255
The subnet is defined as 192.168.1.0 with a mask of 255.255.255.0
I can, however, only ping from the internal network to the subnet. I can't ping from the subnet back inside. The ISA server shows "denied connection".
Any ideas?
< Message edited by jhood -- 6.Jun.2006 11:48:24 PM >
Really odd: after adding the local host to the "subnet to internal" firewall rule, I can ping the 10.10 side of the ISA, but that's it. ISA gives a denied connection to anything else.
The ISA has 2 NICs and I can ping as far as the 10.10.1.1 gateway and that's it.
Any idea what rule I need to add to make it all the way? Again, I can ping internally to the VPN client no problem. Maybe I need another subnet for the 10.9.x.x network defined and give it access in the firewall rules?
My first post on these forums. I was led here by the "playing well with others" article, which is proving very useful, but at the same time it has confused me somewhat. Here's the situation:
We currently have no DMZ, PIX firewall or ISA box, but due to a recent takeover and their security policies we are required to buy a PIX and have a DMZ set up. I've been searching around for ways we can set this up effectively and securely, whilst using ISA Server and SurfControl as the inner firewall and Internet proxy for end users. The thing that confuses me is the difference between the back-to-back setup and the ISA in a PIX DMZ setups. We will be using VoIP between sites; its server is located on this site. We will also need to allow webmail access to users off-site, as well as access to the Exchange server via VPN from the other sites, who will be using our ISA box as their web proxy/filter.
The only advantage I can see from your article is that VoIP is better supported using the third setup. Is there no way of getting VoIP to work through the ISA firewall?
Sorry if these questions seem a little daft. ISA is not my strong point, so I'm hoping this project will be a chance to gain some better knowledge on this kind of thing.
OK, kind of answering my own question maybe, but perhaps someone can at least nod and smile so I know I'm getting something right (IF I'm getting something right). My idea is a combination of the 2 configurations mentioned in the above article. Since the link from the PIX to the corporate network is only for specialist servers that are not going to work easily through an ISA server, how about creating a separate DMZ for just those servers, i.e.:
         Internet
            |
           PIX
          /   \
       VoIP    Web servers/FTP servers/etc.
                        |
                       ISA
                        |
          Corporate LAN inc. Exchange server
At least this way the PIX is not in direct contact with the LAN, and this should remove the problem of VoIP and ISA. I suppose the big question is: can the VoIP server talk to devices that are in the corporate LAN? Or will all the phones need to be in the VoIP DMZ?
Hi everybody, I am looking for feedback and advice on a new setup. Keep in mind we are Exchange and ISA newbies here so be gentle (but very detailed) with us.
We have just installed our new Exchange 2003 system and have the Front-End and Back-End servers located on our internal LAN, which is protected by a traditional firewall (Checkpoint, I believe). Because we were under a time crunch to get Exchange up and running, we implemented Exchange without having an ISA server in place to make it available to our external users. So what we have done is opened up the required ports on our firewall to allow access to our Exchange front-end from the outside world for the standard ports (IMAP, SSL, SMTP, etc.).
Now we are trying to go back and take care of the things that were not done prior to going live with our new system, and getting an ISA server in place is one of these tasks. We want to use ISA Server 2004 Enterprise Edition so we can take advantage of ISA's NLB capabilities. Our network administrator wants every machine that has access from the outside world to live in the DMZ off of our firewall. He also wants us to use a single network card configuration, as he will not allow a machine in the DMZ to have direct access back to the internal LAN. So my plan is to have the ISA CSS server live on our internal LAN while the NLB array lives out in the DMZ. I would like all machines to be members of our Server 2003 AD domain. One other thing to keep in mind with our setup is that there will be no NAT in use; all machines in the DMZ and on the internal LAN have "real" IP addresses.
As far as I understand it, here is what we WILL be able to do in this configuration:
- Standard Outlook Web Access features such as sending and receiving e-mail, calendars, and other features
- Exchange Outlook Mobile Access, ActiveSync, and Outlook RPC over HTTP
- Forms-based authentication
- HTTP and HTTPS
What I WILL NOT be able to do:
- Server publishing - This would mean that we would have to leave IMAP and SMTP (and possibly other ports) open through our traditional firewall to our Exchange front-end servers on the internal LAN, correct?
The only traffic that we want going through the ISA server is Exchange related traffic. At this point, all our internal clients should not be going through the ISA box for general internet traffic.
I believe that about covers off our scenario. Can anybody point out any flaws in the layout or anything I may have missed?
Is it best to have all the ISA machines be domain members, even in the DMZ?
If our ISA servers in the DMZ are going to be domain members, what ports are going to have to be opened up on our Checkpoint firewall to allow them to be domain members? I would assume that I would have to also add rules to the ISA servers to allow domain communications, correct? What about DNS on the DMZ machines? We have a split DNS situation here with all the DMZ machines using the external DNS, and our AD Domain is using our Internal DNS. Will the hosts file be enough to get around this issue?
I think that about covers it. As I said before, we are new to both Exchange and ISA here so we are learning as we go. Any comments, help, or suggestions are much appreciated. Thanks everyone!
I have a question this time.
I don't have Visio at the moment, so I used Paint for the time being.
This is the network layout of the company I work in.
I have 2 MAIN networks. In short, the PIX (2 PIXes with the failover option enabled) on LAN 2 is ONLY used for VPN from support companies (Sony, Omnibus, ...).
Now, we need to allow some machines on LAN 2 VLANs to surf the Internet. I DO NOT want to use the PIX for this; that's why I am thinking of adding the red connection as shown above, so that users in LAN 2 will be able to surf the Internet using ISA 2004.
Note that each LAN has its own domain, with no relation between each other at all!
On PIX:
Allow > HTTP > From LAN 2 > To ISA_DMZ
then on ISA :
Allow > HTTP > From ISA_DMZ > to Selected_Websites > LAN2_Group
LAN 2 clients will be Firewall clients only (will be set manually) and will be authenticated by the DC on LAN 1.
Will that work?
< Message edited by elmajdal -- 20.Oct.2006 3:22:53 PM >
Hi, my first post here also, but a few searches have brought me as close to our issue as this one.
We have recently moved from PIX only to Internet > PIX > ISA > Private LAN, much as you describe. One difference is that, for a migratory approach, we configured the ISA External and DMZ as the same interface connected to the DMZ interface of the PIX (questionable, I'm hearing, but this was with MS Consulting assistance about a year ago). We eventually will shut down the PIX 'inside' interface, with all Internet external and DMZ traffic going through the PIX DMZ to Outside.
We recently moved our IE browsing to the ISA server by configuring it to run WPAD services and setting our customers' IE clients to use this setting via AD policy. We then set our network default route to the ISA server.
Since the default route change we are having difficulty with FTP going through the ISA (command line). We have an internal FTP server that moves files around internally OK and stages files on an FTP server on the DMZ OK (both MS Win2K Advanced Servers with SP4). The DMZ server can FTP to the Internet OK. The problem is when we FTP from ISA Internal to the Internet (i.e. through both firewalls, both NAT'ing), where we get mixed results. Your article refers to issues with certain protocols, and specifically FTP, when dual NAT'ing or with the FTP filter in the PIX. Do you have any information on configuring for FTP specifically in this scenario?
Hi All,
I have implemented a setup combining a PIX as a back-end firewall and ISA Server as a front-end firewall.
The PIX has got a static public IP address on its public interface from the ISP. The PIX's internal network is 192.168.1.0, and the internal interface is assigned 192.168.1.1. No access rules are defined in the PIX, which means everything is allowed from the network behind the PIX.
ISA has got two interfaces, External and Internal.
The External interface has an IP address on the PIX firewall's internal network, 192.168.1.50. The Internal interface has an IP address on the corporate network, 128.104.30.12.
All internal clients have 128.104.30.12 as the default gateway.
Internet is working fine, but the DNS is configured on the External interface of the ISA Server, "which results in a wrong setup of ISA Server".
All DNS queries out to the Internet should be done via the DNS server located in the corporate network on 128.104.30.40, and this DNS server is configured to forward DNS queries to the ISP DNS servers.
The Internal interface of the ISA Server is configured with the corporate network DNS server 128.104.30.40; it can nslookup, but when I query another external DNS server from any client it won't work. Also, from the DNS server itself, an nslookup of an external domain doesn't work.
I have the same setup Back-to-Back Firewall, with two ISA Servers and everything works great.
What is the problem with the pix Firewall then?
Any help or input is welcome.
< Message edited by habibalby -- 10.Mar.2008 12:25:07 AM >
Hi folks. We are running into a weird problem and wanted to ask for help. We have the following setup for our e-mail system: MX Logic -> Our ISP -> Our PIX -> DMZ -> ISA -> Exchange! We published Exchange and internal tests show that SMTP traffic is allowed from our ISP to the Exchange server. MX Logic, however, requires a banner response in order to direct our mail to us, and connectivity tests fail. We are stuck and would greatly appreciate any help.
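The banner MX Logic is waiting for is the SMTP greeting: the receiving server must answer a new connection with a 220 reply before any relay will hand mail over, so a probe run from outside the PIX that sees no greeting (or a non-220 one) locates the break in the PIX -> DMZ -> ISA -> Exchange path. The Python below is an added example, not from this thread and not MX Logic's tooling: `read_smtp_banner` connects and reads the greeting, handling multi-line 220- replies and a peer that closes without greeting, and `serve_greeting_once` is a constructed loopback stand-in for the published Exchange server so the check can be exercised offline.

```python
import socket
import threading


def read_smtp_banner(host, port, timeout=5.0):
    """Connect and read the server greeting. Returns (code, lines): code is the
    3-digit reply code as a string, or None if the peer closed without greeting."""
    lines = []
    with socket.create_connection((host, port), timeout=timeout) as conn:
        reader = conn.makefile("rb")
        while True:
            raw = reader.readline()
            if not raw:
                break  # peer closed (or sent nothing): no greeting at all
            line = raw.decode("ascii", "replace").rstrip("\r\n")
            lines.append(line)
            # RFC 5321: "220-text" continues a multi-line reply, "220 text" ends it
            if len(line) < 4 or line[3] != "-":
                break
    if lines and len(lines[0]) >= 3 and lines[0][:3].isdigit():
        return lines[0][:3], lines
    return None, lines


def banner_ok(code):
    """Only a 220 greeting lets a relay proceed; 554 or no reply means the path is broken."""
    return code == "220"


def serve_greeting_once(greeting):
    """Constructed stand-in for the published Exchange server: listen on a loopback
    port, send `greeting` (bytes, possibly empty) to the first client, then close.
    Returns the port so the caller can probe it."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        client, _ = srv.accept()
        with client:
            if greeting:
                client.sendall(greeting)
        srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port
```

Against the real path, call `read_smtp_banner("<published MX host>", 25)` from a host outside the PIX; a result of `(None, [])` from outside while the same call from inside the DMZ returns 220 narrows the fault to the outer hop.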