Re: Is this ISA server setup right or wrong?

From: Phillip Windell (_at_.)
Date: 07/06/04


Date: Tue, 6 Jul 2004 12:05:55 -0500


"Devante" <anonymous@discussions.microsoft.com> wrote in message
news:25e8701c4616c$fa58c3a0$a501280a@phx.gbl...
> I am planning on implementing an ISA firewall at our
> company HQ. We have two other branch offices that access
> the HQ network via citrix. At all sites we have a cisco
> pix 501 and a vpn between the sites. The cisco pix at
> each site connects directly to the internet, so each
> office has their own access to the internet. The plan is
> to implement an ISA server behind the pix firewall at the
> main office.
> I'm wondering if the following setup will work ...

No. The ISA must be "side-by-side" with the Pix with each representing a
separate and distinct way out to the Net. The remote VPN subnets (private IP
ranges) must be added to the ISA's LAT.

                  --PIX/VPN--
                 /           \
Users--> --->Router           -->Internet
                 \           /
                  ----ISA----

> Will the users have to have the second NIC's address of
> the ISA firewall as their gateway to the internet?

No. That could never happen because a DFG must always be in the same subnet
as the sending client,...the ISA external nic obviously isn't. Besides that,
the Layer3 Routing Scheme only needs to route the VPN traffic to the PIX and
the "unspecified" traffic (the Internet) to whatever device you want to use
for *unauthenticated* Internet usage.

The Users will use the ISA based on either the Web Browser's "proxy settings"
(the Web Proxy Service) or by having the Firewall Client installed (the
Firewall [Winsock] Service). Only the ISA's SecureNAT Service uses Layer3
Routing to function and you don't have to even use it.

In our system the "humans" go out via the ISA using the Web and Firewall
Services. The SecureNAT Service isn't used. Servers and other "utility"
machines that "don't have humans" use the hardware-based firewall. The VPN
also runs out the hardware based firewall and is a proprietary setup between
identical firewalls on the other end.

Layer3 Routing is done with a separate LAN Router and it is the DFG of all
machines on the LAN. The LAN Router's own DFG is the firewall device. The
firewall device rejects all outbound Internet requests except for the
Servers and the "utility" machines to prevent Users from using it to bypass
the ISA.

If you don't have a LAN Router then the DFG of all machines (except ISA)
will be the PIX. The PIX should reject all outbound Internet requests except
for special situations (this won't affect the VPN). The users will access
the ISA by the Browser's settings or by the Firewall Client being installed
on the machine. The remote VPN subnets (private IP ranges) must be added to
the ISA's LAT. The ISA will then have a Static Route added so that the
proper VPN traffic gets sent to the PIX as a "safety" in case some VPN
traffic incorrectly gets sent to the ISA or if the ISA itself needs to use
the VPN.

A second option is to make the ISA the DFG of all machines and reject all
Internet requests at the PIX which relegates the PIX to only doing the VPN.
The remote VPN subnets (private IP ranges) must be added to the ISA's LAT.
The ISA will then have a Static Route added so that the proper VPN traffic
gets sent to the PIX.

As you see,...things can get complex and there is more than one way to do
it.

-- 
Phillip Windell [MCP, MVP, CCNA]
www.wandtv.com
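Added example, not part of the thread: a small Python model of the "side-by-side" layout the post describes, so the routing decisions can be checked before touching real devices. All addresses (10.1.0.0/16 for the HQ LAN, 10.2.0.0/16 and 10.3.0.0/16 for the branch VPN subnets, the server allow-list, 203.0.113.10 as an Internet host) are constructed sample values; the device names and the next-hop labels are assumptions for illustration. It implements longest-prefix-match lookup for the LAN router and the ISA, the LAT check the Web Proxy / Firewall Client performs, the PIX outbound policy (VPN passes, Internet only for listed servers), and the ISA's "safety" static routes for the VPN subnets.

```python
"""Trace egress decisions for a side-by-side PIX / ISA layout.

Every address, host name and device label here is a constructed sample
value chosen for the example; none of it comes from the newsgroup post.
"""
import ipaddress

# --- constructed addressing plan (assumptions) ---
LAN_SUBNET = ipaddress.ip_network("10.1.0.0/16")            # HQ LAN
REMOTE_VPN_SUBNETS = [ipaddress.ip_network("10.2.0.0/16"),  # branch office A
                      ipaddress.ip_network("10.3.0.0/16")]  # branch office B
SERVER_ALLOWLIST = [ipaddress.ip_address("10.1.0.50"),      # "utility" machines
                    ipaddress.ip_address("10.1.0.51")]      # the PIX lets out

# ISA's LAT: the local LAN plus the remote VPN subnets. A Firewall Client or
# proxy-configured browser reaches LAT addresses directly; everything else
# is handed to the ISA.
LAT = [LAN_SUBNET] + REMOTE_VPN_SUBNETS

# Routing tables as (prefix, next_hop) pairs, resolved by longest-prefix match.
LAN_ROUTER_TABLE = [(net, "PIX") for net in REMOTE_VPN_SUBNETS] + [
    (LAN_SUBNET, "directly connected"),
    (ipaddress.ip_network("0.0.0.0/0"), "PIX"),     # LAN router's own DFG is the PIX
]
ISA_TABLE = [(net, "PIX") for net in REMOTE_VPN_SUBNETS] + [  # "safety" static routes
    (LAN_SUBNET, "internal NIC"),
    (ipaddress.ip_network("0.0.0.0/0"), "external NIC"),
]


def next_hop(table, dst):
    """Return the next hop for dst using longest-prefix match over table."""
    addr = ipaddress.ip_address(dst)
    best = None
    for net, hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def in_lat(dst):
    """True if the Firewall/Web Proxy client would reach dst directly."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net for net in LAT)


def pix_outbound(src, dst):
    """PIX policy from the post: VPN traffic always passes; other outbound
    Internet traffic is allowed only from allow-listed servers."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if any(d in net for net in REMOTE_VPN_SUBNETS):
        return "VPN tunnel"
    if s in SERVER_ALLOWLIST:
        return "Internet"
    return "REJECTED"


def trace(src, dst, isa_client=False):
    """Path a packet from LAN host src takes to dst.

    isa_client=True means the host has browser proxy settings or the
    Firewall Client installed, so non-LAT destinations go to the ISA at the
    application layer instead of being routed via the default gateway.
    """
    path = [f"host {src}"]
    if isa_client and not in_lat(dst):
        path.append("ISA (Web Proxy / Firewall Service)")
        path.append(f"ISA {next_hop(ISA_TABLE, dst)}")
        return path
    if ipaddress.ip_address(dst) in LAN_SUBNET:
        path.append("same subnet, delivered directly")
        return path
    # Plain Layer-3 routing: the hosts' DFG is the LAN router.
    hop = next_hop(LAN_ROUTER_TABLE, dst)
    path.append(f"LAN router -> {hop}")
    if hop == "PIX":
        path.append(f"PIX -> {pix_outbound(src, dst)}")
    return path


def isa_self_route(dst):
    """Where the ISA sends its own traffic, or stray VPN traffic it receives."""
    return next_hop(ISA_TABLE, dst)


if __name__ == "__main__":
    for args in [("10.1.5.10", "203.0.113.10", True),   # user, via proxy
                 ("10.1.5.10", "10.2.1.5", True),       # user to branch, in LAT
                 ("10.1.5.10", "203.0.113.10", False),  # user bypassing the ISA
                 ("10.1.0.50", "203.0.113.10", False)]: # allow-listed server
        print(" -> ".join(trace(*args)))
    print("ISA itself to branch:", isa_self_route("10.2.1.5"))
```

The third trace is the case the post's PIX policy exists for: a user who removes the proxy settings is routed to the PIX and rejected there, so the hardware firewall cannot be used to bypass the ISA. The last lookup shows the static route doing its job: traffic for a branch subnet leaving the ISA goes back to the PIX rather than out the external NIC.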

