Welcome to ISAserver.org


RE: Discussion about part 1 of the SBS install series

RE: Discussion about part 1 of the SBS install series - 7.Sep.2005 10:06:00 PM   
tshinder

 

Posts: 46971
Joined: 10.Jan.2001
From: Texas
Status: offline
Hi Kevin,

This article might give you a better idea of how to work with, and segment, security zones:

http://www.isaserver.org/articles/2004multidmzp1.html

Yes, the DMZ between the front-end device and the SBS/ISA firewall computer is a security zone.

The problem is that DCs/SQL servers/Web servers, etc., belong to different security zones, all of which should be demarcated by security perimeters, which is what the ISA firewall can provide, using multiple ISA firewalls, or a single ISA firewall with multiple NICs.

I have already created three series of articles on using multihomed ISA firewalls and multiple ISA firewalls to create these security zones. They'll be posted over time on www.isaserver.org.

Thanks!
Tom

(in reply to tshinder)
Post #: 21
RE: Discussion about part 1 of the SBS install series - 29.Sep.2005 12:38:00 PM   
Tyler

 

Posts: 24
Joined: 18.Dec.2002
From: Tampa, FL
Status: offline
quote:
Originally posted by tshinder:
quote:
Originally posted by Tyler White:
New question (RE: Scenario 3):

Here's my existing network config:

SBS 2k > ISA 2k (separate Win2k Server box)

ISA 2k has 2 NICs, one to cable modem, one to LAN.

I'm getting ready to replace the SBS 2k with an entirely new box, so the config will be:

SBS 2k3 Premium > ISA 2k (no change from above).

Here's the question/situation: I would like to implement Scenario 3 since I have all of the building blocks, but is there an issue with the SBS 2k3 running ISA 2004 on the inside and having ISA 2k on the outside?

Thanks!

Hi Tyler,

That's a great question!

This would be the back to back ISA firewall configuration, with a twist [Big Grin]

There are many ways you could approach this configuration:

1. Make the SBS 2003 SP1 box a Web proxy client of the front-end ISA2k firewall

2. Make the SBS 2003 SP1 box a Firewall client of the front-end ISA2k firewall

3. Make the SBS 2003 SP1 box a SecureNAT client of the front-end ISA2k firewall

4. Some combination of the above

I would do all three. However, there is a bug in ISA 2004 that doesn't allow authentication when doing Firewall Chaining (Web Proxy chaining auth works fine). So, don't require auth for non-Web protocols.

Ok... I now have a twist that I would like somebody (Tom...please?) to comment on/respond to.

Once I saw ISA 2004 on the SBS and its relative ease-of-use when compared to ISA 2000, I realized I *must* upgrade to ISA 2004.

Here's the question: any specific areas of concern with Scenario 3 now that I'm going to have SBS2k3 w/ ISA2004 on the "inside" and ISA 2004 on the outside?

Thanks,

Tyler

(in reply to tshinder)
Post #: 22
RE: Discussion about part 1 of the SBS install series - 1.Oct.2005 5:47:00 AM   
Dredd123

 

Posts: 5
Joined: 12.May.2003
From: UK
Status: offline
quote:
Do you think it would be worthwhile to show how to do it with a clean ISA2k install? The reason I ask is because the upgrade conversations are pretty whacky. But now that I say that, it would be an interesting exercise.

OK! You got it! Once I finish the clean install article, let's work together on an upgrade install article series.

Hi Tom,

I'd be interested to know the results of this compared to an off the bat installation of SBS2003 SP1. Media with SP1 slipstreamed has only recently started filtering through in the channel, and there are plenty of people with SBS 2003 non SP media. What happens if a server has to be rebuilt and the customer has non SP media?
Between SBS2003 SP1 becoming available for download and the slipstreamed media becoming available, I did a few SBS2003 SP1 installs which consisted of installing SBS non SP in its entirety including premium components (i.e. ISA 2000), then installing the SP1 components on top.
It would be interesting to compare the differences by going this route with installing from native SP1 media.

(in reply to tshinder)
Post #: 23
RE: Discussion about part 1 of the SBS install series - 24.Nov.2005 9:08:59 PM   
terribleted

 

Posts: 4
Joined: 24.Nov.2005
Status: offline
Tom,

First off, thanks for such a wonderful asset. I found you from an obscure link on techsoup.org. I am in the process of reading every article about ISA on your site that covers our plans. Security is of main concern as is fending off garbage traffic.
-----

I have both Server 2003 (web and mail) and SBS 2003 in configuration stages. The web server is up and running but with only a minimal, and I mean MINIMAL, firewall in place.

The SBS box will eventually be running only the DC, DNS, and ISA configurations with SQL put off on another box.

We are currently set up with Scenario 1 in place (sort of). Scenario 2 looks like the most promising for our budget.

Question revolves around the NAT appliance in Scenario 2:

We have an Efficient 5800 with 16 IPs. No NAT enabled nor hardware Firewall. We run NPF for the clients.

The 5800 can be changed to NAT and firewall. The firewall in that device is rudimentary and our ISP discourages using it as a front line for any firewall scheme.

Q: Would the 5800 with NAT enabled qualify as the device in your schematic?

If so, I guess the next question is regarding the ISA NIC configuration for the SBS/ISA external NIC. Guide me to any of your articles that are pertinent. I do have your Network Configuration articles downloaded.

I will post my other question regarding Mail Servers later.





(in reply to tshinder)
Post #: 24
RE: Discussion about part 1 of the SBS install series - 9.Jul.2007 3:52:04 AM   
marcus.naraidoo@blue

 

Posts: 1
Joined: 9.Jul.2007
Status: offline
Hello Tom,

The article on ISA Server 2004 SP1 with SBS 2003 is very interesting.

I was wondering whether there was a newer version which covers ISA Server SP 3 and SBS 2003 R2?

I specifically would like to know whether there are any major differences between what's in this article for scenario 2 and what would be written about the newer software release configuration.

Thanks for any pointers.

Marcus

(in reply to tshinder)
Post #: 25
RE: Discussion about part 1 of the SBS install series - 11.Apr.2008 11:11:02 AM   
mikemike2

 

Posts: 1
Joined: 11.Apr.2008
Status: offline
What about tri-homed DMZ with SBS? I see you are avoiding the subject. Is it supported, and should we consider it?

(in reply to tshinder)
Post #: 26
