1. This site uses cookies. By continuing to use this site, you are agreeing to our use of cookies. Learn More.

Problem ISA as a back-end server?

Discussion in 'Networks' started by Sparky, Mar 25, 2010.

  1. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    I’ve been looking at improving the security on some customer networks I already look after today. One customer in particular has several servers on the LAN that are published along with other servers in the DMZ (mail filter etc.)

    Anyways when I was looking through the firewall rules I realised that more resources on the LAN are published in comparison to the DMZ which is a concern.

    I’ve been looking at putting an ISA server in to add a extra layer of protection for the published LAN resources however Im trying to get my head around the basic setup of the server.

    For example I take it the ISA server is configured with an IP address on the LAN and then all the firewall rules are forwarded to the ISA server and then forwarded onto the required server. Is that all that’s needed or is there more to it?

    Any pointers appreciated! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  2. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Whats going on mate, you have time to think?

    They need to work you harder :D

    Seriously though, we have only one client using an ISA Server out of over 600, so I haven't had a play with them.
     
    Last edited: Mar 25, 2010
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  3. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Hee hee!

    This particular customer is getting a security audit soon (the info they hold is mega sensitive), so I’ve already added security services to the front end firewall (intrusion prevention etc.) and also installed a SSL VPN for remote users. They used to have TS open to any external IP!

    Any ISA gurus about? I have installed ISA a few times as the only firewall on the network or as a web proxy but never as a backend server. Supposedly this is the best deployment for ISA server. :hhhmmm
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  4. craigie

    craigie Terabyte Poster

    3,020
    173
    155
    Would the client consider spending some wonga and changing stuff around to some Cisco ASA's in an Active/Passive Failover.

    Have them manage the SSL VPN's, and also the DMZ.
     
    Certifications: CCA | CCENT | CCNA | CCNA:S | HP APC | HP ASE | ITILv3 | MCP | MCDST | MCITP: EA | MCTS:Vista | MCTS:Exch '07 | MCSA 2003 | MCSA:M 2003 | MCSA 2008 | MCSE | VCP5-DT | VCP4-DCV | VCP5-DCV | VCAP5-DCA | VCAP5-DCD | VMTSP | VTSP 4 | VTSP 5
  5. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Already forked out the wonga on the front end firewall which is working fine just now. I just need another physical box to add another layer of protection to the published LAN resources.

    Need to start looking at the Cisco stuff again as the last box I worked on was PIX and that was ages ago.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  6. jk2447

    jk2447 Petabyte Poster Moderator

    5,483
    354
    249
    Have a little look at this mate and the ISA gear further down. I'm quite chocka but I'll see if I can find you some info tomorrow. I'm quite sure we have every MS product there is

    **Edit: I failed the ISA 06 exam . . . just! From what I remember ISA is handy at the backend providing not only application level protection but more importantly if its used in an auditing context, it provides unrivaled management information and general cr@p to keep managers happy :)
     
    Last edited: Mar 25, 2010
    Certifications: BSc (Hons), HND IT, HND Computing, ITIL-F, MBCS CITP, MCP (270,290,291,293,294,298,299,410,411,412) MCTS (401,620,624,652) MCSA:Security, MCSE: Security, Security+, CPTS, VCP4, CCA (XenApp6.5), MCSA 2012, VCP5, VCP6-NV
  7. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Nice one mate, I`ll have a read through the link.

    Just an example of what I’m trying to do here. I have a front end firewall setup with multiple interfaces (LAN, WAN, and DMZ) and everything is working ok.

    LAN – 192.168.1.x
    DMZ – 192.168.2.x

    So if I want to install an ISA server to protect the resources on the LAN do I give the ISA server a LAN IP and then forward all the required ports to the ISA server from the front end firewall. Then the ISA forwards the traffic onto the required servers so it is kinda acting like a proxy.

    This is probably a straight forward thing to setup but I’ve not got access to my lab just now.
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  8. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    ....another reason to install it. Look at the reports!! :biggrin
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  9. zebulebu

    zebulebu Terabyte Poster

    3,748
    330
    187
    Yep, pretty much. I generally tend to see ISA deployed as a reverse proxy for Outlook Web Access, Sharepoint & stuff like that. People are still reluctant to chuck it right out there as an edge firewall which, although it's perfectly capable of doing this, is the right approach, as far as I'm concerned. ISA really shines as a layer 7 ALG rather than as a 'dumb' packet filter - the content inspection available in, for instance, HTTP, is second to none - and reporting (as you;ve already seen) is awesome.

    The main trouble I see with ISA is that it can get a bit spiteful when dealing with websites that serve active HTTP content (i.e. stuff buried inside links like Excel reports) because the http-inspect by default sees anything being delivered back from a website other than 'regular' content as suspicious. We suffer from this in my company because the report-delivery features of the subscriber-based products we sell are heavily used by clients - and lots of them have had consultants chuck an ISA box in (usually as part of a 1U appliance) and set the http-inspect features on, left them as default, pocketed the dough and pi55ed off - leaving the local IT (ahem) 'support' on the client site utterly clueless as to why content is being delivered - and, since this content is inline, leaving the client with no feedback as to why it's not working. :biggrin

    Be prepared to put some legwork in to get it configured the way the client wants (things like online Payroll Processing & Contracts Management software that is outsourced seem to be a particular pain in the ass). Of course, you could just implement it as a traditional web proxy, funnel OWA through it as well and leave it at that - which will probably be enough to please the client (especially as they can go through weblogs to their heart's content and see the EXACT requests their employees have been making to websites)
     
    Certifications: A few
    WIP: None - f*** 'em
  10. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Cheers for the input Zeb.

    Just another question if I may. In regards to configuring IP addressing the clients on the LAN use the front end firewall as their default gateway just now (192.168.1.1).

    I need to keep things this way as the firewall has a AD connector configured for web filtering and if a user doesn’t have a AD account then LDAP is used which is handy for guest users etc.

    In regard to ISA how would I configure the public and private interfaces on the server? As the server is sitting on the LAN then I guess the private interface is a LAN IP but what about the public interface?

    I was considering patching the public interface into the DMZ switch so I could forward the required ports from the front end firewall to there. I haven’t found any documentation to support this kinda config as yet ...
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  11. Sparky
    Highly Decorated Member Award

    Sparky Zettabyte Poster Moderator

    10,190
    296
    319
    Yes, things do take time to get the all clear in IT from management. Just installed this today.

    The server is now installed with a single NIC deployment in the DMZ so I have forwarded all published ports that were going to the LAN resources onto the ISA server and they are in turn forwarded from there.

    Apart from configuring SSL for Exchange there wasn’t too many problems.

    Anyways, now looking at other ways to deploy ISA but I guess I should really be having a look at Forefront Threat Management Gateway 2010, never ending this IT jazz!
     
    Certifications: MSc MCSE MCSA:M MCSA:S MCITP:EA MCTS(x5) Security+ Network+ A+
    WIP: Exchange 2007\2010
  12. Theprof

    Theprof Petabyte Poster Forum Leader

    4,570
    68
    196
    LOL nice one! Things do take forever to get done when money is involved, been there dude. To be quite honest, I would of done it the same way, in fact it's how we have our ISA server setup, simple yet effective!
     
    Certifications: A+ | CCA | CCAA | Network+ | MCDST | MCSA | MCP (270, 271, 272, 290, 291) | MCTS (70-662, 70-663) | MCITP:EMA | VCA-DCV/Cloud/WM | VTSP | VCP5-DT | VCP5-DCV
    WIP: VCAP5-DCA/DCD | EMCCA

Share This Page

Loading...