Re: SBS R2 ISA2004 Dark Arts



You suggest 'For the purposes of this discussion the front firewall is
merely acting as a front router (as I have disabled all of its firewall
functionality)' which suggests to me that this 'front' firewall is not an
ISA server. Is it?

The use of 'front-end/back-end' ISA configuration is only pertinent where
both the front-end and back-end are ISA.

In a 'classic' ISA on SBS implementation where SBS has only two NICs and a
NAT device sits in front of ISA you have an effective (if not formal) DMZ.

W.X.Y.Z
NAT device (192.168.1.1) -- DMZ 192.168.1.x
|
|
192.168.1.2
ISA on SBS
10.0.0.x (local LAN)

ISA in this configuration can be configured by the SBS CEICW and acts as an
'Edge Firewall'. Additional ISA rules would be built to allow traffic
to/from the DMZ. Minimal control of public to DMZ traffic.

The slightly more formal config would use a firewall device in front of ISA.
(NOTE: This is similar to a setup where a simple router could be used, with no
firewalling of the DMZ-public traffic; not a very nice alternative.)

W.X.Y.z (subnet)
firewall device -- DMZ W.X.Y.b/c/d
|
|
W.X.Y.a
ISA on SBS
local subnet

Again, this only requires a 2-NIC ISA on SBS, and again uses ISA as an 'edge
firewall' from the perspective of the SBS LAN. Again, the CEICW would build
the base ISA configuration and additional rules would establish local-DMZ
traffic control. The 'firewall device' would control traffic from the
internet to the DMZ, which includes the external interface of ISA.

There are also a couple of other alternatives, depending on the complexity of
the 'firewall device', but the main scenario I can think of terminates VPN at
the device, with the device having one interface 'inside' the SBS local LAN.
Curiously enough this can be done with the 2-NIC ISA on SBS, again with ISA
acting as an edge firewall from the perspective of the SBS LAN.

What SBS does not handle automatically is the more formal ISA-controlled DMZ
where ISA has 3 (or more) interfaces:

W.X.Y.Z
ISA (3 legs, not normally SBS) -- DMZ (which may or may not be a private IP range)
local subnet (say 10.0.0.x)

or indeed the ISA front-end/back-end config

W.X.Y.Z
ISAfe
|__possible 'middle net' DMZ
|
ISAbe
local subnet

"Marcus" <Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:6D48C99F-5C94-4758-AF87-5652D68627C1@xxxxxxxxxxxxxxxx
For me it's not that simple. I need the back firewall configuration as, when
I get the simple case I have described to work, I'll then extend this to
include a DMZ in the perimeter network. The aim is to then place some other
servers in the DMZ.

So, I have to get the back firewall configuration to work with the perimeter
network (addresses as specified) in the rules/policies. If it can't work
without the DMZ then the chances of evolving to the DMZ configuration are
slim.

(Oh, I have lots of NICs on the server running SBS 2003 R2. So, specifying
another network should not be a problem.)

I'd happily take further advice, in particular if you have any pointers
(URLs) to sites with template/example policies and rules relevant to SBS and
ISA deployments.

Thanks, Marcus

"Steve" wrote:

All my ISA 2004 installs also have another router in front of them. The ISA
network configuration after running the CEICW is as an Edge Firewall, not a
Back Firewall. All functionality works fine. I suggest you just let the
CEICW do the configuration and set up the proper default ISA rules, and then
see if something still isn't working.

"Marcus" <Marcus@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote in message
news:DC20C4E6-F139-4FBE-9FB3-0064139240E1@xxxxxxxxxxxxxxxx
I'm having problems. I've posted on the ISA TechNet and it's not helped
(perhaps due to an SBS prejudice).

My infrastructure is this.
SBS2003 R2 Premium in the back-end firewall configuration. Internal network
NIC IP is 10.0.32.1 and perimeter (internet facing) NIC IP is 192.168.1.2.
There is a front firewall which has a perimeter (intranet facing) NIC IP of
192.168.1.1. It has an external static (internet facing) NIC IP of W.X.Y.Z.
For the purposes of this discussion the front firewall is merely acting as a
front router (as I have disabled all of its firewall functionality).

I have installed SBS2003 R2 (and all service packs and WSUS updates).
I have configured the (non-ISA) Windows firewall, E-mail and remote working
using CEICW.

So far, so good. Everything works. WSUS is fine. I get web pages (on the
server and clients). E-mail is fine, including embedded images.

I install ISA2004 following the instructions exactly. I also downloaded and
installed all of the service packs and WSUS updates, rebooting between each
when prompted to do so.

It creates a proxy for IE clients. The proxy is also used by WSUS. However,
I can't reach the internet from IE from the localhost or clients. WSUS fails
to sync. E-mail arrives and goes out but I no longer get embedded images.

I look at the ISA Management Console policies and rules. It doesn't reflect
the back-firewall configuration I have, so I run the back-firewall template
granting full access. Still no joy.

I manually set the Computer->Front Firewall to 192.168.1.1 and the perimeter
network to be 192.168.1.0 to 192.168.1.254.

None of the template generated rules includes either the perimeter network
or the front firewall. IE, WSUS and embedded images still don't work.

I bought Tom Shinder's book. It doesn't cover SBS and hints that SBS is a
bad idea (waste of money for me). I went to isaserver.org (following advice
from the ISA Server TechNet) and read all five parts of his series on ISA and
SBS, but I was waiting for parts 6 onwards, which don't exist. Parts 1 to 5
were no help either.

I have visited every blog and site I can find and none tell me how to write
rules or policies to get traffic out and back through the perimeter network
and the front firewall.

I can't be the only person who has encountered this problem. How do I get
out and back? Is there a site with examples of policies and rules which work
in this configuration?

Finally, for clients which use the proxy, how do I ensure that the
experimental changes I make via ISA Server Management Console are actually
employed when I test from a client? Do I have to log off and on each time I
make changes, or is there something else I can do?
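The thread turns on whether the ISA network definitions actually match the topology (internal NIC 10.0.32.1, perimeter NIC 192.168.1.2, front firewall 192.168.1.1, perimeter range 192.168.1.0 to 192.168.1.254). ISA requires every address to belong to exactly one network, with the External network being whatever is not assigned elsewhere, and a rule that names the wrong network for an address silently never matches. The script below is an added example, not code from the thread or from ISA Server: it models that one-network rule and reports overlapping ranges and interfaces that land in an unexpected network. The Internal range 10.0.32.0/24 is an assumption (the post only gives the NIC address), and the public address W.X.Y.Z is stood in for by the documentation address 203.0.113.10.

```python
import ipaddress
from itertools import combinations

# ISA-style address ranges per network (constructed from the thread; the
# Internal range is an assumption, the post only gives the NIC 10.0.32.1).
NETWORKS = {
    "Internal": [("10.0.32.0", "10.0.32.255")],
    "Perimeter": [("192.168.1.0", "192.168.1.254")],
}

# Addresses that must fall into a given network (constructed; W.X.Y.Z is
# replaced by the documentation address 203.0.113.10).
EXPECTED = {
    "SBS internal NIC": ("10.0.32.1", "Internal"),
    "SBS perimeter NIC": ("192.168.1.2", "Perimeter"),
    "front firewall inside address": ("192.168.1.1", "Perimeter"),
    "front firewall public address": ("203.0.113.10", "External"),
}


def _as_ints(ranges):
    """Convert ('lo', 'hi') address strings to inclusive integer bounds."""
    return [(int(ipaddress.IPv4Address(lo)), int(ipaddress.IPv4Address(hi)))
            for lo, hi in ranges]


def overlaps(networks=NETWORKS):
    """Sorted pairs of network names whose address ranges intersect."""
    found = set()
    for a, b in combinations(networks, 2):
        for lo1, hi1 in _as_ints(networks[a]):
            for lo2, hi2 in _as_ints(networks[b]):
                if lo1 <= hi2 and lo2 <= hi1:
                    found.add((a, b))
    return sorted(found)


def classify(ip, networks=NETWORKS):
    """Name of the single network containing ip; 'External' if no range does."""
    n = int(ipaddress.IPv4Address(ip))
    hits = [name for name, ranges in networks.items()
            if any(lo <= n <= hi for lo, hi in _as_ints(ranges))]
    if len(hits) > 1:
        raise ValueError(f"{ip} belongs to more than one network: {hits}")
    return hits[0] if hits else "External"


def check(networks=NETWORKS, expected=EXPECTED):
    """Return a list of problems; an empty list means the definitions are consistent."""
    problems = [f"networks {a} and {b} overlap" for a, b in overlaps(networks)]
    for label, (ip, want) in expected.items():
        try:
            got = classify(ip, networks)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if got != want:
            problems.append(f"{label} {ip} is in {got}, expected {want}")
    return problems


if __name__ == "__main__":
    for line in check() or ["network definitions are consistent"]:
        print(line)
```

Note that 192.168.1.255 is outside the perimeter range as Marcus defined it and would therefore classify as External; with the range ending at .254 that only affects the subnet broadcast address, but the same check catches the far more common mistake of an Internal range that still covers the perimeter subnet after a template is applied.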




