I have recently purchased the migration pack for SBS2000 so that I now have Backoffice 2000. I have moved Exchange onto a backend server and the ISA Server is now running on its own server.
For virus + spam checking, we use a 3rd party company, who provide us with a range of IP addresses to allow through the firewall on port 25. When I had the old SBS2000 setup, I simply set up packet filters to allow only those addresses through, and it worked a treat. No other machine could get onto port 25 via my main internet connection.
But now, with Exchange moving to a back-end server, I am unsure of how to make it secure. To get it working, it is currently set up like this.
A server publishing rule routes any requests to port 25 through to the internal IP of my Exchange server, and this works great, email is coming in fine. But how do I tie it down so that only a given set of IP ranges can utilize that port? I cannot use client address sets as this only does IP ranges, not subnets, which packet filtering does do. But whatever packet filters I put in to block/deny certain addresses, it just lets everything through via port 25.
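Added example, not from this thread: the complaint above is that client address sets take IP ranges while the provider hands out subnets. The script below (written for this page, using Python's standard `ipaddress` module) converts CIDR blocks into inclusive first/last address ranges that can be typed into a range-based allowlist, and then runs a constructed list of inbound port-25 connection records against that allowlist to show which sources would be accepted and which denied. The subnets and log entries are made-up sample values, not the provider's real addresses.

```python
import ipaddress

# Constructed sample allowlist: CIDR blocks a hypothetical mail-filtering
# provider might publish. These are documentation/test prefixes, not real ones.
ALLOWED_SUBNETS = ["203.0.113.0/24", "198.51.100.128/26"]

# Constructed sample of inbound connection records: "<source_ip> <dest_port>".
SAMPLE_LOG = [
    "203.0.113.7 25",       # inside 203.0.113.0/24 -> allowed
    "198.51.100.150 25",    # inside 198.51.100.128/26 -> allowed
    "198.51.100.200 25",    # outside the /26 (ends at .191) -> denied
    "192.0.2.44 25",        # not in any allowed block -> denied
    "203.0.113.7 443",      # not port 25, so not evaluated by this rule
]


def subnets_to_ranges(subnets):
    """Turn CIDR blocks into (first_address, last_address) strings.

    strict=True makes ip_network() raise ValueError if host bits are set
    (e.g. "203.0.113.5/24"), which catches a mistyped subnet before it is
    silently widened into the wrong range.
    """
    ranges = []
    for cidr in subnets:
        net = ipaddress.ip_network(cidr, strict=True)
        ranges.append((str(net.network_address), str(net.broadcast_address)))
    return ranges


def is_allowed(src_ip, subnets=ALLOWED_SUBNETS):
    """True if src_ip falls inside any of the allowed CIDR blocks."""
    addr = ipaddress.ip_address(src_ip)
    return any(addr in ipaddress.ip_network(cidr, strict=True) for cidr in subnets)


def evaluate_log(lines, subnets=ALLOWED_SUBNETS, port=25):
    """Split port-25 connection records into (allowed, denied) source lists.

    Records for other ports are ignored, mirroring a rule scoped to SMTP.
    """
    allowed, denied = [], []
    for line in lines:
        src_ip, dst_port = line.split()
        if int(dst_port) != port:
            continue
        (allowed if is_allowed(src_ip, subnets) else denied).append(src_ip)
    return allowed, denied


if __name__ == "__main__":
    for first, last in subnets_to_ranges(ALLOWED_SUBNETS):
        print(f"range {first} - {last}")
    ok, bad = evaluate_log(SAMPLE_LOG)
    print("allowed:", ok)
    print("denied: ", bad)
```

A source-address allowlist like this only narrows who can reach the published port; as the later replies in the thread point out, it is no substitute for authentication on the service itself.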
That has worked a treat, thanks. But 1 more thing. That rule works all well and good if you have a range of IP addresses to use, but what happens if I want to run a web server/FTP server on the perimeter network via a server publishing rule? Where do I specify the users who are allowed to connect to it? Can access only be restricted using the different types of authentication for the web site? Because isn't the port then still open to the world, as the firewall will simply route through any requests?
You said "That rule works all well and good if you have a range of IP addresses to use, but what happens if I want to run a web server/FTP server on the perimeter network via a server publishing rule?". I'm not sure I understand your question well because you are talking about a perimeter network. Can you make a little network diagram to make things clear?
Sorry Stefaan, maybe my terminology was a little out. I now have a Windows 2000 member server, running only ISA Server. My internet connection comes in via this machine. All email requests are routed through to a back-end server via the server publishing rule we've been discussing.
So let's use another example. I want to publish a terminal server so that my users can work from home. I've created a server publishing rule and set it up to forward on to the correct server that is hosting Terminal Services. How do I make this secure? Because I can't use client address sets as I don't know which IP my users will be logging on from; it could be anywhere in the world, in fact. Should I be using a Web Publishing Rule in this case?
In general it is quite useless to implement source IP address checking in publishing rules. The reason for it is that IP addresses are easily faked or spoofed. So, they are far from being reliable from an authentication point of view. Therefore, a better strategy is to require some form of user authentication. How that is best implemented depends on the service you want to publish.
In the example of the Terminal Server, you can only use the built-in authentication scheme. Moreover, to protect the login and password in transit, it is highly recommended you enforce high encryption in the RDP properties of the Terminal Service. So, for non-Web based services it is the service you want to publish that determines what is possible.
On the other hand, for Web based services, ISA FP1 has some built-in extensions to enforce strong user authentication at the ISA Web Proxy service level, that is, even before the request hits the published Web server.
It should be clear that enforcing strong user authentication is the key to securely publish internal services.