Discussion about part 2 of article series on creating a wireless DMZ

Discussion about part 2 of article series on creating a wireless DMZ (Full Version)

All Forums >> [ISA Server 2004 Firewall] >> DMZ

Message

tshinder -> Discussion about part 2 of article series on creating a wireless DMZ (17.Apr.2005 2:08:00 PM)
This thread is for discussing part 2 of the article series on creating an untrusted wireless DMZ segment at http://isaserver.org/articles/2004wirelessdmzpart2.html HTH, Tom [ April 17, 2005, 02:17 PM: Message edited by: tshinder ]

Zapata -> RE: Discussion about part 2 of article series on creating a wireless DMZ (18.Apr.2005 12:17:00 AM)
Great article Tom! Is there a way to let the DMZ (wireless) users access the DHCP server on the internal network for IP adresses?

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (18.Apr.2005 6:50:00 PM)
Hi Zapata, Thanks! Might be able to do that with the DHCP relay agent, haven't tried it yet, though. What would be the rationale for using an internal DHCP instead of the WAPs DHCP server? Thanks! Tom

Zapata -> RE: Discussion about part 2 of article series on creating a wireless DMZ (19.Apr.2005 12:00:00 PM)
Hi Tom My crappy AccessPoint does not have a built in DHCP Server. Thanks /Z

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (19.Apr.2005 12:33:00 PM)
Hi Zapata, OK, that's a good reason Thanks! Tom

Zapata -> RE: Discussion about part 2 of article series on creating a wireless DMZ (21.Apr.2005 5:44:00 PM)
BTW how do you enable the DHCP relay agent on ISA 2004? Thanks!

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (22.Apr.2005 4:57:00 AM)
Hi Zapata, First, you need to install ISA 2004 SP1, else it won't work. That's why there isn't an article on it yet. Good topic though. I'll move that to the top of the article list for near-term release. Thanks! Tom

Zapata -> RE: Discussion about part 2 of article series on creating a wireless DMZ (22.Apr.2005 11:19:00 AM)
Great stuff, looking forward to it! /Z

jayr149 -> RE: Discussion about part 2 of article series on creating a wireless DMZ (8.Jul.2005 8:31:00 AM)
I followed your instructions and made minor modifications since I have Small Business Server 2003 Premium SP1. Problem is VPN connects and can see workstations but can not see the Server. Firewall logs show Denied Connection messages and IP Spoofing. I disabled the IP Spoofing feature according to some instructions found on Microsofts website but still getting Denied Connections due to Network rules. Think my problem is that I can not go entirely to your Split DNS. Do you know if any additional modifications are neccessary to fix this problem for SBS2003? Jay

iraq it -> RE: Discussion about part 2 of article series on creating a wireless DMZ (9.Sep.2005 9:39:00 AM)
Hi Tom, Is the DMZ Interface IP will be the DNS for DMZ clients? i.e put it in the DHCP WAP options? If we allow encrypted communications, such as SSL and VPN connections from untrusted users and computers to the Internet, those communications will be hidden from the ISA firewall and stateful application layer inspection is impossible. WHY? Thanks, Al-Taee

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (12.Sep.2005 9:42:00 AM)
quote: Originally posted by Jay Ruyle: I followed your instructions and made minor modifications since I have Small Business Server 2003 Premium SP1. Problem is VPN connects and can see workstations but can not see the Server. Firewall logs show Denied Connection messages and IP Spoofing. I disabled the IP Spoofing feature according to some instructions found on Microsofts website but still getting Denied Connections due to Network rules. Think my problem is that I can not go entirely to your Split DNS. Do you know if any additional modifications are neccessary to fix this problem for SBS2003? Jay Hi Jay, You'll need to configure Access Rules and System Policy to allow the required connections to the ISA firewall's Local Host Network. HTH, Tom

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (12.Sep.2005 9:45:00 AM)
quote: Originally posted by Al-Taee: Hi Tom, Is the DMZ Interface IP will be the DNS for DMZ clients? i.e put it in the DHCP WAP options? If we allow encrypted communications, such as SSL and VPN connections from untrusted users and computers to the Internet, those communications will be hidden from the ISA firewall and stateful application layer inspection is impossible. WHY? Thanks, Al-Taee Hi Al, You should configure the WAP to provide the untrusted users with your ISP's DNS servers. They should not be able to communicate with your internal production servers. Outbound SSL (in contrast to inbound SSL to SSL bridging) and outbound VPN connections encrypt the communciations and hide the contents from the firewall. This is true for all firewalls and the reason why I never allow untrusted hosts outbound SSL and VPN access. HTH, Tom

romquick -> RE: Discussion about part 2 of article series on creating a wireless DMZ (22.Sep.2005 7:23:00 AM)
Hi Tom Your article has got me thinking that it might fit my client's requirements quite nicely. They have a untrusted unencrypted wireless network they want to keep for visitors to use but some trusted domain clients will need access to the internal network. Unfortunately the building doesn't allow us to Cat5 to their desks and installing a second secured wireless network is problematic. Is VPN into the internal network the only option or can we automate it some way, maybe by using machine certificates. Neville

thetoolman -> RE: Discussion about part 2 of article series on creating a wireless DMZ (4.Oct.2005 10:49:00 PM)
Excellent aticle. I was wondering if there's a way to do this exercise securely using a dsl router that is also your wireless accespoint? ie using only 2 nics... regards the toolman

DKompe -> RE: Discussion about part 2 of article series on creating a wireless DMZ (3.Nov.2005 8:30:00 AM)
Hi! Thanks for the article. One problem occurs in my installation. VPN-Clients in the DMZ can only connect over PPTP, L2TP (certificate or psk) connections fail with error code 678. L2tp connections from External work fine. Has anyone an idea? Thanks Daniel

Marck -> RE: Discussion about part 2 of article series on creating a wireless DMZ (6.Dec.2005 8:56:42 PM)
Next weekend I would like to implement a wireless DMZ at one of our locations. I have the same problem as Zapata, our access points don't have a DHCP function built in. So, should I install DHCP on isa 2004 sp1, and let it listen only on the wireless network NIC, or should I better use the internal DHCP via the relay agent. Thanks Marck

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (8.Dec.2005 5:07:26 PM)
quote: ORIGINAL: romquick Hi Tom Your article has got me thinking that it might fit my client's requirements quite nicely. They have a untrusted unencrypted wireless network they want to keep for visitors to use but some trusted domain clients will need access to the internal network. Unfortunately the building doesn't allow us to Cat5 to their desks and installing a second secured wireless network is problematic. Is VPN into the internal network the only option or can we automate it some way, maybe by using machine certificates. Neville Hi Neville, VPN is the only way in such a scenario. Once the users get used to logging in via dial-up networking, they won't even realize they're on a VPN. And you can use the CMAK to create the VPN connectoid for them. HTH, Tom

tshinder -> RE: Discussion about part 2 of article series on creating a wireless DMZ (8.Dec.2005 6:45:36 PM)
quote: ORIGINAL: thetoolman Excellent aticle. I was wondering if there's a way to do this exercise securely using a dsl router that is also your wireless accespoint? ie using only 2 nics... regards the toolman Hi Toolman, I'm not sure what the goal would be here. Since the wireless NAT device in front of the firewall is already in an untrusted network, and in fact is a DMZ between the ISA firewall's external interface and the LAN interface of the wireless NAT device, the wireless DMZ is there by default. You can then enable the ISA firewall's VPN server component to allow trusted computers access to the internal network. Maybe I'm missing something here. Let me know and I'll work up procedure. Thanks! Tom

PCC -> RE: Discussion about part 2 of article series on creating a wireless DMZ (3.Apr.2006 8:29:50 PM)
I'm also having a DHCP issue. I need to put more than one WAP in the building so I need a central DHCP server to hand out addresses for all the WAP's. I can't seem to find a WAP with DHCP that will hand out address through it's physical network connection. They all seem to only had addresses out over the wireless connection which doesn't do me any good. So What is the best setup to get DHCP on the anonymous WAP network to hand out address through multiple WAP's? I don't really want another box sitting there just to hand out addresses. Is it best to just configure a DHCP server on the ISA server and limit it to the anonymous WAP network interface? Any suggestions would be appreciated.

PCC -> RE: Discussion about part 2 of article series on creating a wireless DMZ (4.Apr.2006 3:36:02 AM)
I went ahead and added a DHCP server on my ISA box and limited it to the anonymous WAP network interface IP address. I then added a firewall rule allowing DHCP requests from the anonymous WAP network to localhost and added a rule to allow localhost to respond. But I'm not getting an address on my wireless client. It fails every time. Any idea what I might be missing? I also tried to set up the DNS so that the clients look at my ISP's DNS servers but it doesn't work. I can only get DNS to work by pointing to my internal DNS servers. I know that isn't a good idea but I can't install DNS on my ISA server now so I have to wait until I build my new server next month to set that up. Could my DHCP problem be because it wasn't setup on the server before ISA server was installed? Thanks.

Page: [1] 2 3 next > >>