Discussion about part 2 of article series on creating a wireless DMZ
Discussion about part 2 of article series on creating ... - 17.Apr.2005 2:08:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
This thread is for discussing part 2 of the article series on creating an untrusted wireless DMZ segment at http://isaserver.org/articles/2004wirelessdmzpart2.html

HTH,
Tom

[ April 17, 2005, 02:17 PM: Message edited by: tshinder ]
Post #: 1
RE: Discussion about part 2 of article series on creat... - 18.Apr.2005 12:17:00 AM   
Zapata

 

Posts: 28
Joined: 25.May2003
Status: offline
Great article Tom!

Is there a way to let the DMZ (wireless) users access the DHCP server on the internal network for IP addresses?

(in reply to tshinder)
Post #: 2
RE: Discussion about part 2 of article series on creat... - 18.Apr.2005 6:50:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Zapata,

Thanks! Might be able to do that with the DHCP relay agent, haven't tried it yet, though.

What would be the rationale for using an internal DHCP instead of the WAP's DHCP server?

Thanks!
Tom

(in reply to tshinder)
Post #: 3
RE: Discussion about part 2 of article series on creat... - 19.Apr.2005 12:00:00 PM   
Zapata

 

Posts: 28
Joined: 25.May2003
Status: offline
Hi Tom

My crappy access point does not have a built-in DHCP server.

Thanks
/Z

(in reply to tshinder)
Post #: 4
RE: Discussion about part 2 of article series on creat... - 19.Apr.2005 12:33:00 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Zapata,

OK, that's a good reason [Smile]

Thanks!
Tom

(in reply to tshinder)
Post #: 5
RE: Discussion about part 2 of article series on creat... - 21.Apr.2005 5:44:00 PM   
Zapata

 

Posts: 28
Joined: 25.May2003
Status: offline
BTW how do you enable the DHCP relay agent on ISA 2004?

Thanks!

(in reply to tshinder)
Post #: 6
RE: Discussion about part 2 of article series on creat... - 22.Apr.2005 4:57:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Zapata,

First, you need to install ISA 2004 SP1, else it won't work. That's why there isn't an article on it yet. Good topic though. I'll move that to the top of the article list for near-term release.

Thanks!
Tom

(in reply to tshinder)
Post #: 7
RE: Discussion about part 2 of article series on creat... - 22.Apr.2005 11:19:00 AM   
Zapata

 

Posts: 28
Joined: 25.May2003
Status: offline
Great stuff, looking forward to it!

/Z

(in reply to tshinder)
Post #: 8
RE: Discussion about part 2 of article series on creat... - 8.Jul.2005 8:31:00 AM   
jayr149

 

Posts: 1
Joined: 6.Jul.2005
From: Tampa, FL
Status: offline
I followed your instructions and made minor modifications since I have Small Business Server 2003 Premium SP1.

Problem is VPN connects and can see workstations but can not see the Server.

Firewall logs show Denied Connection messages and IP Spoofing.

I disabled the IP Spoofing feature according to some instructions found on Microsoft's website but am still getting Denied Connections due to Network rules.

Think my problem is that I can not go entirely to your Split DNS.

Do you know if any additional modifications are necessary to fix this problem for SBS2003?

Jay

(in reply to tshinder)
Post #: 9
RE: Discussion about part 2 of article series on creat... - 9.Sep.2005 9:39:00 AM   
iraq it

 

Posts: 297
Joined: 1.Jul.2005
From: Iraq
Status: offline
Hi Tom,

Will the DMZ interface IP be the DNS for DMZ clients? i.e. put it in the DHCP WAP options?

If we allow encrypted communications, such as SSL and VPN connections from untrusted users and computers to the Internet, those communications will be hidden from the ISA firewall and stateful application layer inspection is impossible. WHY?

Thanks,
Al-Taee

(in reply to tshinder)
Post #: 10
RE: Discussion about part 2 of article series on creat... - 12.Sep.2005 9:42:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Jay Ruyle:
I followed your instructions and made minor modifications since I have Small Business Server 2003 Premium SP1.

Problem is VPN connects and can see workstations but can not see the Server.

Firewall logs show Denied Connection messages and IP Spoofing.

I disabled the IP Spoofing feature according to some instructions found on Microsoft's website but am still getting Denied Connections due to Network rules.

Think my problem is that I can not go entirely to your Split DNS.

Do you know if any additional modifications are necessary to fix this problem for SBS2003?

Jay

Hi Jay,

You'll need to configure Access Rules and System Policy to allow the required connections to the ISA firewall's Local Host Network.

HTH,
Tom

(in reply to tshinder)
Post #: 11
RE: Discussion about part 2 of article series on creat... - 12.Sep.2005 9:45:00 AM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:
Originally posted by Al-Taee:
Hi Tom,

Will the DMZ interface IP be the DNS for DMZ clients? i.e. put it in the DHCP WAP options?

If we allow encrypted communications, such as SSL and VPN connections from untrusted users and computers to the Internet, those communications will be hidden from the ISA firewall and stateful application layer inspection is impossible. WHY?

Thanks,
Al-Taee

Hi Al,
You should configure the WAP to provide the untrusted users with your ISP's DNS servers. They should not be able to communicate with your internal production servers.

Outbound SSL (in contrast to inbound SSL to SSL bridging) and outbound VPN connections encrypt the communications and hide the contents from the firewall. This is true for all firewalls and the reason why I never allow untrusted hosts outbound SSL and VPN access.

HTH,
Tom

(in reply to tshinder)
Post #: 12
RE: Discussion about part 2 of article series on creat... - 22.Sep.2005 7:23:00 AM   
romquick

 

Posts: 1
Joined: 12.Feb.2004
Status: offline
Hi Tom

Your article has got me thinking that it might fit my client's requirements quite nicely.

They have an untrusted, unencrypted wireless network they want to keep for visitors to use, but some trusted domain clients will need access to the internal network. Unfortunately the building doesn't allow us to run Cat5 to their desks, and installing a second secured wireless network is problematic.

Is VPN into the internal network the only option, or can we automate it some way, maybe by using machine certificates?

Neville

(in reply to tshinder)
Post #: 13
RE: Discussion about part 2 of article series on creat... - 4.Oct.2005 10:49:00 PM   
thetoolman

 

Posts: 1
Joined: 4.Oct.2005
Status: offline
Excellent article.

I was wondering if there's a way to do this exercise securely using a DSL router that is also your wireless access point? i.e. using only 2 NICs...

regards
the toolman

(in reply to tshinder)
Post #: 14
RE: Discussion about part 2 of article series on creat... - 3.Nov.2005 8:30:00 AM   
DKompe

 

Posts: 4
Joined: 14.Feb.2005
From: Germany
Status: offline
Hi!
Thanks for the article. One problem occurs in my installation. VPN clients in the DMZ can only connect over PPTP; L2TP (certificate or PSK) connections fail with error code 678. L2TP connections from External work fine.
Does anyone have an idea?
Thanks, Daniel

(in reply to tshinder)
Post #: 15
RE: Discussion about part 2 of article series on creat... - 6.Dec.2005 8:56:42 PM   
Marck

 

Posts: 5
Joined: 21.Oct.2004
From: The Netherlands, Rotterdam
Status: offline
Next weekend I would like to implement a wireless DMZ at one of our locations. I have the same problem as Zapata: our access points don't have a DHCP function built in. So, should I install DHCP on ISA 2004 SP1 and let it listen only on the wireless network NIC, or would it be better to use the internal DHCP via the relay agent?


Thanks

Marck

(in reply to DKompe)
Post #: 16
RE: Discussion about part 2 of article series on creat... - 8.Dec.2005 5:07:26 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: romquick

Hi Tom

Your article has got me thinking that it might fit my client's requirements quite nicely.

They have an untrusted, unencrypted wireless network they want to keep for visitors to use, but some trusted domain clients will need access to the internal network. Unfortunately the building doesn't allow us to run Cat5 to their desks, and installing a second secured wireless network is problematic.

Is VPN into the internal network the only option, or can we automate it some way, maybe by using machine certificates?

Neville


Hi Neville,

VPN is the only way in such a scenario. Once the users get used to logging in via dial-up networking, they won't even realize they're on a VPN. And you can use the CMAK to create the VPN connectoid for them.

HTH,
Tom

_____________________________

Thomas W Shinder, M.D.

(in reply to romquick)
Post #: 17
RE: Discussion about part 2 of article series on creat... - 8.Dec.2005 6:45:36 PM   
tshinder

 

Posts: 50013
Joined: 10.Jan.2001
From: Texas
Status: offline
quote:

ORIGINAL: thetoolman

Excellent article.

I was wondering if there's a way to do this exercise securely using a DSL router that is also your wireless access point? i.e. using only 2 NICs...

regards
the toolman


Hi Toolman,

I'm not sure what the goal would be here. Since the wireless NAT device in front of the firewall is already in an untrusted network, and in fact is a DMZ between the ISA firewall's external interface and the LAN interface of the wireless NAT device, the wireless DMZ is there by default. You can then enable the ISA firewall's VPN server component to allow trusted computers access to the internal network.

Maybe I'm missing something here. Let me know and I'll work up a procedure.

Thanks!
Tom 

_____________________________

Thomas W Shinder, M.D.

(in reply to thetoolman)
Post #: 18
RE: Discussion about part 2 of article series on creat... - 3.Apr.2006 8:29:50 PM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
I'm also having a DHCP issue. I need to put more than one WAP in the building, so I need a central DHCP server to hand out addresses for all the WAPs. I can't seem to find a WAP with DHCP that will hand out addresses through its physical network connection. They all seem to only hand addresses out over the wireless connection, which doesn't do me any good.

So what is the best setup to get DHCP on the anonymous WAP network to hand out addresses through multiple WAPs? I don't really want another box sitting there just to hand out addresses. Is it best to just configure a DHCP server on the ISA server and limit it to the anonymous WAP network interface? Any suggestions would be appreciated.

< Message edited by PCC -- 3.Apr.2006 10:03:46 PM >

(in reply to tshinder)
Post #: 19
RE: Discussion about part 2 of article series on creat... - 4.Apr.2006 3:36:02 AM   
PCC

 

Posts: 199
Joined: 13.Nov.2001
From: Michigan
Status: offline
I went ahead and added a DHCP server on my ISA box and limited it to the anonymous WAP network interface IP address.  I then added a firewall rule allowing DHCP requests from the anonymous WAP network to localhost and added a rule to allow localhost to respond.  But I'm not getting an address on my wireless client.  It fails every time.  Any idea what I might be missing?

I also tried to set up the DNS so that the clients look at my ISP's DNS servers, but it doesn't work. I can only get DNS to work by pointing to my internal DNS servers. I know that isn't a good idea, but I can't install DNS on my ISA server now, so I have to wait until I build my new server next month to set that up. Could my DHCP problem be because it wasn't set up on the server before ISA server was installed?

Thanks.

(in reply to PCC)
Post #: 20
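A model of the access policy this thread converges on, covering post #12 (DMZ clients resolve only against the ISP's DNS, never internal servers, and outbound SSL/VPN from untrusted hosts is denied because the firewall cannot inspect it) and post #20 (DHCP served from the ISA box to the anonymous WAP network). This is an added Python example, not code from the thread or from ISA Server; the network ranges, rule names and sample flows are constructed placeholders. One assumption the model adds is that a DHCP DISCOVER carries source 0.0.0.0, which lies in no address-defined network, so only a rule whose source is Anywhere can match it.

```python
import ipaddress

# Constructed address plan (placeholders, not values from the thread).
# LocalHost is listed first so the ISA NIC address wins over its enclosing DMZ range.
NETWORKS = {
    "LocalHost": ipaddress.ip_network("192.168.50.1/32"),    # ISA's DMZ-facing NIC
    "WirelessDMZ": ipaddress.ip_network("192.168.50.0/24"),  # anonymous WAP segment
    "Internal": ipaddress.ip_network("10.0.0.0/24"),
    "ISP_DNS": ipaddress.ip_network("198.51.100.53/32"),
}

def network_of(ip):
    """Map an address to a named network; anything undefined is External."""
    addr = ipaddress.ip_address(ip)
    if addr == ipaddress.ip_address("255.255.255.255"):  # assumption: a limited
        return "LocalHost"                               # broadcast hits the firewall's own NIC
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"

# Ordered rules, first match wins: (action, sources, destinations, protocols).
# "Anywhere" matches every source, including the 0.0.0.0 of a lease-less DHCP DISCOVER.
ENCRYPTED_OUTBOUND = {"HTTPS", "PPTP", "IKE", "NAT-T"}   # opaque to inspection
RULES = [
    ("allow", {"Anywhere"},    {"LocalHost"}, {"DHCP"}),
    ("allow", {"WirelessDMZ"}, {"ISP_DNS"},   {"DNS"}),   # never the internal DNS
    ("deny",  {"WirelessDMZ"}, {"External"},  ENCRYPTED_OUTBOUND),
    ("allow", {"WirelessDMZ"}, {"External"},  {"HTTP"}),
]

def evaluate(rules, src_ip, dst_ip, proto):
    """Return (action, rule index); no match is the default deny, index None."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    for i, (action, sources, dests, protos) in enumerate(rules):
        if proto in protos and dst in dests and (src in sources or "Anywhere" in sources):
            return action, i
    return "deny", None

# Constructed sample flows from a client on the untrusted wireless segment.
FLOWS = [
    ("0.0.0.0", "255.255.255.255", "DHCP"),        # DISCOVER, no lease yet
    ("192.168.50.20", "198.51.100.53", "DNS"),     # ISP resolver: allowed
    ("192.168.50.20", "10.0.0.10", "DNS"),         # internal resolver: blocked
    ("192.168.50.20", "203.0.113.80", "HTTP"),     # inspectable web traffic
    ("192.168.50.20", "203.0.113.80", "HTTPS"),    # encrypted: denied
    ("192.168.50.20", "203.0.113.9", "PPTP"),      # outbound VPN: denied
]

if __name__ == "__main__":
    for src, dst, proto in FLOWS:
        print(f"{src:>14} -> {dst:<15} {proto:<6} {evaluate(RULES, src, dst, proto)}")
```

Swapping the first rule's source for {"WirelessDMZ"} makes the DISCOVER fall through to the default deny, which is the behaviour a rule scoped to the DMZ address range alone produces in this model.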