EBS 2008, TMG and external firewall. Don't want double NAT
- From: Freaky <wontsay@xxxxxxxxxx>
- Date: Wed, 30 Dec 2009 16:26:46 +0100
Hi there,
This is actually somewhat of a double post, as the topic has shifted to
TMG instead of e-mail issues (see my thread on EBS 2008 and e-mail issues).
If I reset the firewall rules to default, SMTP is published to
the internal interface of the security server. It is then
accessible through the external IP (while NAT is still turned on, as is
default on medium-high security).
If I turn off NAT, however, it stops working (on the external IP, that is;
if I forward from the firewall to the internal interface it works, as the
external firewall knows the route. Apparently this does use the publishing
rule for acceptance of the traffic but not for the NAT part: removing the
publishing rule removes access to SMTP on the internal IP as well). My guess
would be that this is because the NAT setting is turned off and publishing
requires some form of NAT (DNAT). If I forward to the Exchange server (yes,
I know I'm not supposed to do this, it's just for testing) a publishing rule
works fine. This leads me to conclude that DNAT on its own interfaces (i.e.
within the same box) won't work with NAT turned off, which actually makes
sense. I shouldn't need publishing in routing mode in the first place,
unless I want to point to the security server IP and forward it internally
(which thus leads to double DNAT), but I could just create an access rule
and DNAT it from the external firewall to the internal one. This works as
well.
Something nice to point out: if you just change the setting to NAT and
then change it back to routing, so one would assume nothing has changed,
rerunning the change security level wizard is not possible. Apparently
upon changing NAT/routing mode it changes some other things and the
wizard cannot handle this. It will advise resetting the rule set to default.
Need some advice now, as I'm not really familiar with ISA/TMG. The
customer here wants to exclude some users from the internet. Our external
firewall can only do this on an IP basis (well, I could work with FSAE,
which needs to be installed, and then allow AD traffic from the external
firewall to the internal one, but this has issues with terminal users and
opens holes in the TMG/middle firewall I'd rather not have). Unfortunately
we can't do it that simply here, as users roam across workstations, so some
form of authentication is required.
I do NOT like double NAT. In fact I hate it :). It makes the logs in my
external firewall nearly useless, as everything passing it appears to
come from the security server. And I've seen in the past that some
applications don't work (well) with double NAT, although theory states
it should not be an issue (all applications that don't NAT well due to
random ports etc.).
As I must run ISA/TMG, it might as well do something. So I figured
I'd take the easy route: set the security level to medium-high, ISA/TMG
will then filter etc., and just turn off NAT, and voila. So this doesn't
work.
Setting the security level to low allows SMTP on the external interface.
All rules except the first one are made useless, as the
first rule states:
"From anywhere, to anywhere, any protocol, accept."
This will obviously remove any firewalling on the external interface and
thus opens 25 (in fact it reduces ISA to a basic router with a caching
proxy). The publishing rule which remains further down doesn't do
anything any more. All other features are disabled: no authentication,
no packet filtering, no virus scanning, nothing but web caching, according
to the manual.
I'm thinking about doing the following now:
- Set the security level to medium-high.
- Change to route mode.
- Remove the default SMTP publishing rule.
- Create an access rule (not a publishing rule, that is) for SMTP to the security server.
- Go through the other rules and see what I can trash.
- Add a rule to allow all traffic out (for authenticated users and some
static IPs).
While TMG isn't my favorite firewall, not using any of its features if
I must run it would be a shame. It might as well provide an additional
level of defense and be used to block the internet for users that aren't
allowed (still have to figure out how to do this, but other issues come
first now... like the rest of the migration :D).
Would this be a setup you'd recommend, or am I better off with security
level low and adding all the features myself? Does anyone foresee any
problems with the proposed setup? There are several rules in the TMG that
seem to act like a reverse proxy rewriting URLs, mainly the rules
allowing access to OWA, RWW, companyweb etc. Not sure what these
will do.
TIA :)
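The post above works out by trial which network rules are NAT versus Route and which policy rules are publishing rules (dependent on a NAT relationship) versus access rules. The following PowerShell script is an added, read-only audit example and is not code from the original post, from Freaky, or from Microsoft; it walks the TMG array configuration through the TMG management COM object (ProgID `FPC.Root`, `GetContainingArray()`, `NetworkConfiguration.NetworkRules`, `ArrayPolicy.PolicyRules`) and reports, in rule order, the network relationship of each network rule and the type/action of each firewall policy rule, so that a "from anywhere, to anywhere, any protocol, accept" rule at the top of the list, or a publishing rule that a route-mode network rule has silently broken, shows up before the change security level wizard is re-run. The numeric enumeration values for `NetworkRuleType`, `Type`, `Action` and `ProtocolSelectionMethod`, and the `AccessProperties.DestinationSelectionIPs` path, are assumptions taken from memory of the ISA/TMG SDK and must be checked against the SDK reference on the box before the flags are trusted; the script never calls `Save()` and changes nothing.

```powershell
# Added example, not from the original post. Read-only audit of a TMG array:
# lists network rules (NAT vs Route) and firewall policy rules (access vs
# publishing, allow vs deny) so the relationships discussed above can be
# checked from the console. Run on the TMG server (or a host with the TMG
# management tools installed) as a user who may read the configuration.

# ASSUMPTION: enumeration values as remembered from the ISA/TMG SDK
# (FpcNetworkRuleType, FpcPolicyRuleTypes, FpcPolicyRuleActions,
# FpcProtocolSelectionType). Verify against the SDK before relying on them.
$NetworkRuleMode = @{ 0 = 'Route'; 1 = 'NAT' }
$PolicyRuleType  = @{ 0 = 'Access'; 1 = 'WebPublishing'; 2 = 'ServerPublishing' }
$PolicyAction    = @{ 0 = 'Allow';  1 = 'Deny' }
$AllIpTraffic    = 0   # assumed fpcSelectAllIPTraffic

function Get-NetworkNames($selection) {
    # FPCSelectionIPs exposes the selected networks as a .Networks collection.
    ($selection.Networks | ForEach-Object { $_.Name }) -join ', '
}

$fpc   = New-Object -ComObject FPC.Root
$array = $fpc.GetContainingArray()

Write-Host "== Network rules (array: $($array.Name)) =="
$netRules = @()
foreach ($nr in $array.NetworkConfiguration.NetworkRules) {
    $mode = $NetworkRuleMode[[int]$nr.NetworkRuleType]
    $row = [pscustomobject]@{
        Order       = $nr.Order
        Name        = $nr.Name
        Mode        = $mode
        Source      = Get-NetworkNames $nr.SourceSelectionIPs
        Destination = Get-NetworkNames $nr.DestinationSelectionIPs
    }
    $netRules += $row
}
$netRules | Sort-Object Order | Format-Table -AutoSize

# A publishing rule only makes sense where the listener network and the
# published server's network have a NAT relationship, which is exactly what
# the post observed when switching the External<->Internal rule to Route.
$natPairs = $netRules | Where-Object { $_.Mode -eq 'NAT' }
if (-not $natPairs) {
    Write-Warning "No NAT network rules: publishing rules below will not NAT and need replacing with access rules plus DNAT on the upstream firewall."
}

Write-Host "== Firewall policy rules =="
$policyRows = @()
foreach ($pr in $array.ArrayPolicy.PolicyRules) {
    $type   = $PolicyRuleType[[int]$pr.Type]
    $action = $PolicyAction[[int]$pr.Action]
    $flags  = @()

    if ($type -in 'WebPublishing', 'ServerPublishing' -and -not $natPairs) {
        $flags += 'publishing-without-NAT'
    }

    # ASSUMPTION: access rules carry their protocol selection and destination
    # under AccessProperties. A first, enabled, allow, all-protocol access rule
    # is the "anywhere to anywhere, any protocol, accept" rule the post describes.
    if ($type -eq 'Access' -and $pr.Enabled -and $action -eq 'Allow') {
        $proto = $pr.AccessProperties.ProtocolSelectionMethod
        if ([int]$proto -eq $AllIpTraffic) { $flags += 'allow-all-protocols' }
        if ($pr.Order -eq 1 -and [int]$proto -eq $AllIpTraffic) { $flags += 'CATCH-ALL-FIRST' }
    }

    $dest = if ($type -eq 'Access') {
        Get-NetworkNames $pr.AccessProperties.DestinationSelectionIPs
    } else { '(published server)' }

    $policyRows += [pscustomobject]@{
        Order   = $pr.Order
        Enabled = $pr.Enabled
        Name    = $pr.Name
        Type    = $type
        Action  = $action
        Source  = Get-NetworkNames $pr.SourceSelectionIPs
        Dest    = $dest
        Flags   = ($flags -join ',')
    }
}
$policyRows | Sort-Object Order | Format-Table -AutoSize
```

Running this before and after toggling the network rule between NAT and Route shows which policy rules are affected without touching the rule set; the `CATCH-ALL-FIRST` flag is the condition the post describes for security level low, where the first rule makes every rule below it dead.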
- Follow-Ups:
- Re: EBS 2008, TMG and external firewall. Don't want double NAT
- From: Cliff Galiher
- Re: EBS 2008, TMG and external firewall. Don't want double NAT