Re: Modeling Remote Subnets as Networks in ISA 2006
- From: "Will" <westes-usc@xxxxxxxxxxxxxx>
- Date: Sat, 26 Apr 2008 19:19:37 -0700
I will answer my own question. Further testing shows that modeling a
disconnected subnet as an ISA "Network" object creates very serious problems
and should be avoided.
I was however able to model remote subnets as either address ranges or
subnet objects and use those objects in Network Rules directly *without any
Network object*, and it was absolutely reliable in carefully shaping the
network routing / NAT behavior.
Unfortunately, going with Network Rules that reference subnets as anything
other than Network objects means the External Network object will overlap
those subnets / address ranges. So you have to be careful about the use of
External.
--
Will
"Will" <westes-usc@xxxxxxxxxxxxxx> wrote in message
news:w_ydnSNIMLvdvY3VnZ2dnUVZ_v6rnZ2d@xxxxxxxxxxxxxxx
There is a small internal contradiction in some of the ISA Server
documentation and tech notes on the Microsoft site concerning use of
Network objects in ISA. Bear with me while I describe the contradiction
then I'll ask the question. For example this site:
http://www.microsoft.com/technet/isa/2006/networks.mspx
has the statement about Network objects that:
"Networks typically correspond to a physical network. A network always
has a network adapter associated with it, and represents one or more IP
address range or ranges that can be reached from the associated network
adapter."
That's certainly the easiest way to think about Networks, and it is what
98% of all people who have studied and used the ISA product would use to
define a Network object.
Other documents such as the Hardening Guide for ISA Server 2004 at:
http://technet.microsoft.com/en-us/library/cc302492.aspx
contain guidance for creating a "disconnected network", which they define
as "...a range of IP addresses that are not physically connected to the
ISA Server computer." Their instructions on how to create such a
network leave no doubt that they do mean Network objects and not an
address range or subnet object. Their use case for example is isolating
infected clients into a Network object that has no Network Rules.
I have used Network objects both ways (restricting them to network
adapters on the ISA Server, and also to describe networks not connected to
ISA), and my use case for "Disconnected Networks" is remote subnets that
are in front of ISA server's external adapter, but behind some other
firewall, or on some partner's protected intranet. I am finding that by
making such ISA-forward subnets "disconnected networks" instead of subnet
or address range objects, you get one fringe benefit, which is that the
network addresses that are disconnected are automatically removed from the
External network object. *If* you want the power of making all of the
Network Rules and Firewall Rules explicit for each disconnected network,
and you do not want to accidentally extend privileges into a disconnected
network by granting access to the External network object, then
disconnected networks appear to work very well. They do provide extra
control for traffic going through ISA to and from sensitive subnets that
are not directly connected to the ISA Server.
The final benefit is that Network Objects can be placed into a reasonably
implemented "Group" concept named Network Groups. ISA subnet and address
ranges have no convenient grouping concept, incredible as that is.
All of this background is to ask the question: can anyone come up with
some reason why remote subnets should never be modeled as ISA Network
Objects? I understand that it is simpler to start out with the ISA
product using External to cover a broad range of addresses in front of
ISA. But assuming you do not mind the extra effort needed to accommodate
the harder approach, is use of a disconnected network going to break
anything?
--
Will
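The External overlap that the reply describes, as an added model that is not ISA code and not the poster's own: a Python sketch assuming ISA treats External as all IPv4 space minus the ranges owned by Network objects, while subnet and address-range objects carve nothing out of it. The object names and the 192.0.2.0/24 partner range are constructed sample values.

```python
from ipaddress import IPv4Address, IPv4Network, collapse_addresses

# Constructed model of ISA's address-set semantics (an assumption, not ISA code):
# a Network object owns its ranges and carves them out of External; a plain
# subnet / address-range object is just a set and carves out nothing.
IPV4_ALL = [IPv4Network("0.0.0.0/0")]

def exclude(space, ranges):
    """Return `space` (list of IPv4Network) minus every network in `ranges`."""
    result = list(space)
    for r in ranges:
        kept = []
        for s in result:
            if s.subnet_of(r):          # s lies entirely inside r: drop it
                continue
            if r.subnet_of(s):          # r lies inside s: punch the hole
                kept.extend(s.address_exclude(r))
            else:                       # disjoint CIDR blocks
                kept.append(s)
        result = kept
    return list(collapse_addresses(result))

def external_space(network_objects):
    """External = all IPv4 space minus every range owned by a Network object."""
    space = IPV4_ALL
    for ranges in network_objects.values():
        space = exclude(space, ranges)
    return space

def rule_reaches(rule_sets, address, network_objects, plain_objects):
    """True if a rule referencing the address sets in `rule_sets` covers `address`."""
    for name in rule_sets:
        if name == "External":
            ranges = external_space(network_objects)
        else:
            ranges = network_objects.get(name) or plain_objects[name]
        if any(address in r for r in ranges):
            return True
    return False

# Constructed sample: Internal behind ISA's LAN adapter; a partner subnet
# (192.0.2.0/24, a documentation range) behind another firewall in front of ISA.
PARTNER = IPv4Address("192.0.2.5")
INTERNAL = {"Internal": [IPv4Network("10.0.0.0/8")]}
# Approach A (the reply's working setup): partner is a subnet object only.
NETWORKS_A, PLAIN_A = INTERNAL, {"Partner": [IPv4Network("192.0.2.0/24")]}
# Approach B: partner is a "disconnected" Network object.
NETWORKS_B, PLAIN_B = {**INTERNAL, "Partner": [IPv4Network("192.0.2.0/24")]}, {}

if __name__ == "__main__":
    print("A: rule to External reaches partner:", rule_reaches(["External"], PARTNER, NETWORKS_A, PLAIN_A))
    print("B: rule to External reaches partner:", rule_reaches(["External"], PARTNER, NETWORKS_B, PLAIN_B))
```

Under approach A a rule granting access to External silently includes the partner subnet, which is the overlap the reply warns about; under approach B the partner addresses leave External and must be granted explicitly.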