First, you need to install ISA 2004 SP1, else it won't work. That's why there isn't an article on it yet. Good topic though. I'll move that to the top of the article list for near-term release.
I followed your instructions and made minor modifications since I have Small Business Server 2003 Premium SP1.
Problem is VPN connects and can see workstations but can not see the Server.
Firewall logs show Denied Connection messages and IP Spoofing.
I disabled the IP Spoofing feature according to some instructions found on Microsoft's website but still getting Denied Connections due to Network rules.
Think my problem is that I can not go entirely to your Split DNS.
Do you know if any additional modifications are necessary to fix this problem for SBS2003?
quote:Originally posted by Jay Ruyle: I followed your instructions and made minor modifications since I have Small Business Server 2003 Premium SP1.
Problem is VPN connects and can see workstations but can not see the Server.
Firewall logs show Denied Connection messages and IP Spoofing.
I disabled the IP Spoofing feature according to some instructions found on Microsoft's website but still getting Denied Connections due to Network rules.
Think my problem is that I can not go entirely to your Split DNS.
Do you know if any additional modifications are necessary to fix this problem for SBS2003?
Jay
Hi Jay,
You'll need to configure Access Rules and System Policy to allow the required connections to the ISA firewall's Local Host Network.
Will the DMZ interface IP be the DNS for DMZ clients? i.e. put it in the DHCP WAP options?
If we allow encrypted communications, such as SSL and VPN connections from untrusted users and computers to the Internet, those communications will be hidden from the ISA firewall and stateful application layer inspection is impossible. WHY?
Thanks, Al-Taee
Hi Al, You should configure the WAP to provide the untrusted users with your ISP's DNS servers. They should not be able to communicate with your internal production servers.
Outbound SSL (in contrast to inbound SSL to SSL bridging) and outbound VPN connections encrypt the communications and hide the contents from the firewall. This is true for all firewalls and the reason why I never allow untrusted hosts outbound SSL and VPN access.
Hi! Thanks for the article. One problem occurs in my installation. VPN-Clients in the DMZ can only connect over PPTP, L2TP (certificate or psk) connections fail with error code 678. L2tp connections from External work fine. Has anyone an idea? Thanks Daniel
Next weekend I would like to implement a wireless DMZ at one of our locations. I have the same problem as Zapata, our access points don't have a DHCP function built in. So, should I install DHCP on ISA 2004 SP1, and let it listen only on the wireless network NIC, or should I better use the internal DHCP via the relay agent?
Your article has got me thinking that it might fit my client's requirements quite nicely.
They have an untrusted unencrypted wireless network they want to keep for visitors to use but some trusted domain clients will need access to the internal network. Unfortunately the building doesn't allow us to Cat5 to their desks and installing a second secured wireless network is problematic.
Is VPN into the internal network the only option or can we automate it some way, maybe by using machine certificates?
Neville
Hi Neville,
VPN is the only way in such a scenario. Once the users get used to logging in via dial-up networking, they won't even realize they're on a VPN. And you can use the CMAK to create the VPN connectoid for them.
I was wondering if there's a way to do this exercise securely using a DSL router that is also your wireless access point? i.e. using only 2 NICs...
regards the toolman
Hi Toolman,
I'm not sure what the goal would be here. Since the wireless NAT device in front of the firewall is already in an untrusted network, and in fact is a DMZ between the ISA firewall's external interface and the LAN interface of the wireless NAT device, the wireless DMZ is there by default. You can then enable the ISA firewall's VPN server component to allow trusted computers access to the internal network.
Maybe I'm missing something here. Let me know and I'll work up procedure.
I'm also having a DHCP issue. I need to put more than one WAP in the building so I need a central DHCP server to hand out addresses for all the WAPs. I can't seem to find a WAP with DHCP that will hand out addresses through its physical network connection. They all seem to only hand addresses out over the wireless connection which doesn't do me any good.
So what is the best setup to get DHCP on the anonymous WAP network to hand out addresses through multiple WAPs? I don't really want another box sitting there just to hand out addresses. Is it best to just configure a DHCP server on the ISA server and limit it to the anonymous WAP network interface? Any suggestions would be appreciated.
< Message edited by PCC -- 3.Apr.2006 10:03:46 PM >
I went ahead and added a DHCP server on my ISA box and limited it to the anonymous WAP network interface IP address. I then added a firewall rule allowing DHCP requests from the anonymous WAP network to localhost and added a rule to allow localhost to respond. But I'm not getting an address on my wireless client. It fails every time. Any idea what I might be missing?
I also tried to set up the DNS so that the clients look at my ISP's DNS servers but it doesn't work. I can only get DNS to work by pointing to my internal DNS servers. I know that isn't a good idea but I can't install DNS on my ISA server now so I have to wait until I build my new server next month to set that up. Could my DHCP problem be because it wasn't setup on the server before ISA server was installed?
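Two of the problems in this thread come down to the order in which ISA Server 2004 evaluates policy: network rules first (a missing route/NAT relationship gives the "denied due to network rules" message Jay sees), then system policy, then the ordered access rules, then the default deny. Jay's VPN clients reach workstations (Internal network) but not the SBS box itself, because the server's own addresses belong to the Local Host network and need their own allow rule, as Tom points out; PCC's DHCP server on the ISA box likewise needs a request rule into Local Host and a reply rule back out. The following toy evaluator, added here as an illustration and not code from the thread, from the article or from ISA Server itself, models that order. The address plan, the network names other than ISA's built-in ones, the rule names and the protocol labels ("SMB", "DHCP Request", "DHCP Reply") are all constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan (an assumption for this example, not taken from the thread).
# 10.0.0.1 is the SBS/ISA box itself: it belongs to Local Host, not to Internal.
NETWORKS = {
    "Local Host":   ["10.0.0.1/32", "192.168.50.1/32", "203.0.113.10/32"],
    "Internal":     ["10.0.0.0/24"],
    "VPN Clients":  ["10.0.1.0/24"],
    "Wireless DMZ": ["192.168.50.0/24"],
    "External":     ["0.0.0.0/0"],
}

def network_of(ip):
    """Longest-prefix match, so the firewall's own addresses resolve to Local Host."""
    addr = ip_address(ip)
    best = max(((name, ip_network(c).prefixlen) for name, cidrs in NETWORKS.items()
                for c in cidrs if addr in ip_network(c)), key=lambda t: t[1])
    return best[0]

# Network rules: (name, sources, destinations, relationship). Route is symmetric, NAT is one-way.
# These three mirror the ISA 2004 defaults; nothing yet connects Wireless DMZ to External.
NETWORK_RULES = [
    ("Local Host Access", {"Local Host"}, {"*"}, "route"),
    ("VPN Clients to Internal Network", {"VPN Clients"}, {"Internal"}, "route"),
    ("Internet Access", {"Internal", "VPN Clients"}, {"External"}, "nat"),
]

def relationship(src, dst):
    """Return 'route', 'nat' or None when no network rule joins the two networks."""
    for _, sources, dests, rel in NETWORK_RULES:
        fwd = src in sources and ("*" in dests or dst in dests)
        rev = dst in sources and ("*" in dests or src in dests)
        if fwd or (rev and rel == "route"):
            return rel
    return None

@dataclass
class AccessRule:
    name: str
    action: str          # "allow" or "deny"
    protocols: set       # {"*"} means every protocol
    sources: set
    destinations: set

    def matches(self, src, dst, proto):
        return (("*" in self.protocols or proto in self.protocols)
                and src in self.sources and dst in self.destinations)

DEFAULT_RULE = AccessRule("Default rule", "deny", {"*"}, set(NETWORKS), set(NETWORKS))

def evaluate(src_ip, dst_ip, proto, system_policy=(), access_rules=()):
    """(action, reason) in ISA's order: network rules, system policy, access rules, default deny."""
    src, dst = network_of(src_ip), network_of(dst_ip)
    if relationship(src, dst) is None:
        return "deny", f"network rules: no route/NAT relationship between {src} and {dst}"
    for kind, rules in (("system policy", system_policy), ("access rule", access_rules)):
        for rule in rules:                      # first match wins
            if rule.matches(src, dst, proto):
                return rule.action, f"{kind}: {rule.name}"
    return DEFAULT_RULE.action, f"access rule: {DEFAULT_RULE.name}"

# Jay's situation: an allow rule for VPN Clients -> Internal reaches workstations only.
VPN_TO_LAN = AccessRule("VPN Clients to Internal", "allow", {"*"}, {"VPN Clients"}, {"Internal"})
# The fix Tom describes: a rule whose destination is Local Host (the SBS/ISA box itself).
VPN_TO_ISA = AccessRule("VPN Clients to Local Host", "allow", {"SMB"}, {"VPN Clients"}, {"Local Host"})
# PCC's DHCP pair: request in to Local Host, reply back out to the wireless network.
DHCP_IN = AccessRule("DHCP request from Wireless DMZ", "allow", {"DHCP Request"}, {"Wireless DMZ"}, {"Local Host"})
DHCP_OUT = AccessRule("DHCP reply to Wireless DMZ", "allow", {"DHCP Reply"}, {"Local Host"}, {"Wireless DMZ"})

if __name__ == "__main__":
    print(evaluate("10.0.1.5", "10.0.0.20", "SMB", access_rules=[VPN_TO_LAN]))
    print(evaluate("10.0.1.5", "10.0.0.1", "SMB", access_rules=[VPN_TO_LAN]))
    print(evaluate("10.0.1.5", "10.0.0.1", "SMB", system_policy=[VPN_TO_ISA], access_rules=[VPN_TO_LAN]))
    print(evaluate("192.168.50.20", "192.168.50.1", "DHCP Request", access_rules=[DHCP_IN, DHCP_OUT]))
    print(evaluate("192.168.50.1", "192.168.50.20", "DHCP Reply", access_rules=[DHCP_IN, DHCP_OUT]))
    print(evaluate("192.168.50.20", "203.0.113.50", "HTTP"))
```

Running the script shows the two distinct failure modes side by side: the VPN client to 10.0.0.1 is refused by the default rule until a rule naming Local Host is added, while the wireless client to the Internet is refused before any access rule is consulted because no network rule exists between Wireless DMZ and External. When reading the real ISA log, that distinction tells you whether to add a network rule or an access/system policy rule.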