Re: ISA 3-Leg Config Question



"Kurt Loy" <KurtLoy@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:5EA79164-53A9-4045-8C2A-EE61A8A0FB49@xxxxxxxxxxxxxxxx
1. The relationship is currently setup as a route. Perimeter, source and
Internal destination. My understanding is that source and destination don't
matter in a route since it is a two-way street. Why do they ask you that?

Why...
NAT is one-way
Routed is two-way
Think about what can't work if it was set to NATed.

2. a.) All outbound traffic is allowed from the Perimeter to the All
Networks network set.
b.) All outbound traffic is allowed from Local Host to the All Networks
network set.
c.) All outbound traffic is allowed from the Internal network, and VPN
clients to the All Networks network set.
d.) All outbound traffic is allowed from VPN clients to the Internal
Network
------------------------------------------------------------------------------------

Stop using "All Networks". Be specific with the Rules.

The Perimeter Rule.......
a) Source: Internal, Perimeter
Destin: Internal, Perimeter
Protocol: <whatever> Be specific here
Users: either All Users for "anonymous" or use a specific User Set
Be specific with the Protocol and possibly the Users. What good is a
Perimeter Network if it is "wide open" in both directions between it and the
Internal?,...that is pointless. It just becomes a second "internal" Network
in that case.

The LocalHost Rule.......
b) LocalHost does not need a Rule. System Policy covers the requirements.
Your firewall (ISA) is not supposed to be "wide open" to all networks. If
you have a "situation" requiring an Access Rule for LocalHost to the LAN,
then follow this pattern:
Source: Internal, LocalHost
Destin: Internal, LocalHost
Protocol: <whatever> I recommend you be specific here
Users: either All Users for "anonymous" or use a specific User Set

The VPN Clients Rule.......
c) Source: Internal, VPN Clients
Destin: Internal, VPN Clients
Protocol: <whatever>
Users: either All Users for "anonymous" or use a specific User Set

The Internal to External Rules.....
d) Source: Internal (maybe also VPN Clients, maybe also LocalHost but only if
required)
Destin: External
Protocol: <whatever>
Users: either All Users for "anonymous" or use a specific User Set

--------------------------------------------------------------------------------------
Followed by the Default deny rule, in that order.
3. a.) The Perimeter is defined as the entire 10.0.0.0 through
10.255.255.255 range. No domains are defined nor are Web Proxy or the
Firewall Client used. Web access is set to access directly in the event ISA
is down. The adapter for this network is located at 10.1.0.1 with a
255.255.0.0 subnet. This address is set as the gateway for the Perimeter
clients.

A subnet containing Hosts should not be allowed to get larger than 250-300
Hosts. Use a 24-bit mask (255.255.255.0) or higher. Set the Range to match
what the mask establishes,...like 10.0.0.0--10.0.0.255

I can't imagine anyone having more than 254 Hosts in a DMZ Segment

b.) The Internal network is defined as the entire 192.168.0.0 through
192.168.255.255 range with the same options as the Perimeter. Its adapter is
configured with 192.168.1.105 with a 255.255.255.0 subnet. This address is
set as the gateway for the Internal clients.

That's fine.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
Understanding the ISA 2004 Access Rule Processing
http://www.isaserver.org/articles/ISA2004_AccessRules.html

Troubleshooting Client Authentication on Access Rules in ISA Server 2004
http://download.microsoft.com/download/9/1/8/918ed2d3-71d0-40ed-8e6d-fd6eeb6cfa07/ts_rules.doc

Microsoft Internet Security & Acceleration Server: Partners
http://www.microsoft.com/isaserver/partners/default.mspx

Microsoft ISA Server Partners: Partner Hardware Solutions
http://www.microsoft.com/forefront/edgesecurity/partners/hardwarepartners.mspx
-----------------------------------------------------
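An added example, not code from the thread and not an ISA Server API: a small Python script that applies the checks Phillip's reply makes to the configuration Kurt described (range vs. adapter mask, segment size, "All Networks" and all-protocol allow rules, Perimeter/Internal wide open to each other, a LocalHost rule, and a closing default deny). The dataclasses, the network names, the "All Networks" expansion, the specific protocols in the corrected rule set and treating 254 hosts as a hard limit are assumptions made for illustration; the sample data is constructed from the question.

```python
"""Lint an ISA Server 3-leg configuration against the advice in the reply.

Added example, not code from the thread or from ISA Server. It does not talk
to ISA; the dataclasses, network names and the 254-host threshold as a hard
limit are assumptions. The sample data is constructed from the question.
"""
import ipaddress
from dataclasses import dataclass

# Networks a 3-leg ISA box knows about (assumed set; "All Networks" expands to these)
KNOWN_NETWORKS = {"Internal", "Perimeter", "External", "Local Host", "VPN Clients"}
MAX_HOSTS = 254  # the reply's bound for a host segment: a 24-bit mask or longer


@dataclass
class NetworkDef:
    name: str
    range_first: str   # first address of the range declared in the ISA network object
    range_last: str    # last address of that range
    adapter_ip: str    # IP of the ISA NIC attached to this network
    adapter_mask: str  # dotted mask on that NIC


@dataclass
class AccessRule:
    name: str
    action: str        # "allow" or "deny"
    sources: list
    destinations: list
    protocols: list    # ["*"] stands for "all outbound traffic"


def check_network(net: NetworkDef) -> list:
    """Findings for one network object: declared range vs. adapter mask, and size."""
    findings = []
    subnet = ipaddress.ip_network(f"{net.adapter_ip}/{net.adapter_mask}", strict=False)
    first = ipaddress.ip_address(net.range_first)
    last = ipaddress.ip_address(net.range_last)
    if (first, last) != (subnet.network_address, subnet.broadcast_address):
        findings.append(f"{net.name}: declared range {first}-{last} does not match adapter subnet "
                        f"{subnet}; set it to {subnet.network_address}-{subnet.broadcast_address}")
    hosts = int(last) - int(first) - 1  # exclude network and broadcast addresses
    if hosts > MAX_HOSTS:
        findings.append(f"{net.name}: declared range holds {hosts} hosts; use a 24-bit mask or longer")
    if subnet.prefixlen < 24:
        findings.append(f"{net.name}: adapter mask /{subnet.prefixlen} is shorter than /24")
    return findings


def _expand(nets: list) -> set:
    """Treat 'All Networks' as every network the firewall knows about."""
    return set(KNOWN_NETWORKS) if "All Networks" in nets else set(nets)


def check_rules(rules: list) -> list:
    """Findings for an ordered rule set: vague allow rules, and the closing default deny."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        if "All Networks" in r.sources or "All Networks" in r.destinations:
            findings.append(f"{r.name}: uses 'All Networks'; name the networks explicitly")
        if r.protocols == ["*"]:
            findings.append(f"{r.name}: allows all protocols; be specific")
        if "Local Host" in r.sources:
            findings.append(f"{r.name}: Local Host needs no access rule; System Policy covers it")
        src, dst = _expand(r.sources), _expand(r.destinations)
        crosses = ("Perimeter" in src and "Internal" in dst) or ("Internal" in src and "Perimeter" in dst)
        if crosses and r.protocols == ["*"]:
            findings.append(f"{r.name}: Perimeter and Internal are wide open to each other; "
                            "the perimeter is then just a second internal network")
    if not rules or rules[-1].action != "deny":
        findings.append("rule set does not end with a default deny rule")
    return findings


def lint(networks: list, rules: list) -> list:
    out = []
    for n in networks:
        out.extend(check_network(n))
    out.extend(check_rules(rules))
    return out


# Constructed from the question: both network objects and rules a)-d), plus the default rule.
PERIMETER = NetworkDef("Perimeter", "10.0.0.0", "10.255.255.255", "10.1.0.1", "255.255.0.0")
INTERNAL = NetworkDef("Internal", "192.168.0.0", "192.168.255.255", "192.168.1.105", "255.255.255.0")
ORIGINAL_RULES = [
    AccessRule("a) Perimeter out", "allow", ["Perimeter"], ["All Networks"], ["*"]),
    AccessRule("b) Local Host out", "allow", ["Local Host"], ["All Networks"], ["*"]),
    AccessRule("c) Internal out", "allow", ["Internal", "VPN Clients"], ["All Networks"], ["*"]),
    AccessRule("d) VPN to Internal", "allow", ["VPN Clients"], ["Internal"], ["*"]),
    AccessRule("Default rule", "deny", ["All Networks"], ["All Networks"], ["*"]),
]

# The same site reworked along the lines of the reply (protocols are assumed).
FIXED_PERIMETER = NetworkDef("Perimeter", "10.0.0.0", "10.0.0.255", "10.0.0.1", "255.255.255.0")
FIXED_RULES = [
    AccessRule("Perimeter rule", "allow", ["Internal", "Perimeter"], ["Internal", "Perimeter"], ["HTTP", "DNS"]),
    AccessRule("VPN Clients rule", "allow", ["Internal", "VPN Clients"], ["Internal", "VPN Clients"], ["HTTP", "SMB"]),
    AccessRule("Internal to External", "allow", ["Internal"], ["External"], ["HTTP", "HTTPS"]),
    AccessRule("Default rule", "deny", ["All Networks"], ["All Networks"], ["*"]),
]

if __name__ == "__main__":
    for f in lint([PERIMETER, INTERNAL], ORIGINAL_RULES):
        print("-", f)
```

Running it on the configuration from the question prints ten rule findings and five network findings; the reworked perimeter object and rule set produce none. Note that the range-versus-mask check also flags the Internal object (192.168.0.0-192.168.255.255 against a 255.255.255.0 adapter), because the checker applies the reply's "set the Range to match what the mask establishes" to every network object, not only to the perimeter.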