Problem ISA as a back-end server?

Oh man! Ad-blocking software has been detected! :'(

This website is run by the community, for the community... and it needs advertisements in order to keep running. Blocking our ads means your killing our stats!
Please disable your ad-block, or become a premium member to hide all advertisements and this notice.

I’ve been looking at improving the security on some customer networks I already look after today. One customer in particular has several servers on the LAN that are published along with other servers in the DMZ (mail filter etc.)

Anyways when I was looking through the firewall rules I realised that more resources on the LAN are published in comparison to the DMZ which is a concern.

I’ve been looking at putting an ISA server in to add a extra layer of protection for the published LAN resources however Im trying to get my head around the basic setup of the server.

For example I take it the ISA server is configured with an IP address on the LAN and then all the firewall rules are forwarded to the ISA server and then forwarded onto the required server. Is that all that’s needed or is there more to it?

Any pointers appreciated!

 

Hee hee!

This particular customer is getting a security audit soon (the info they hold is mega sensitive), so I’ve already added security services to the front end firewall (intrusion prevention etc.) and also installed a SSL VPN for remote users. They used to have TS open to any external IP!

Any ISA gurus about? I have installed ISA a few times as the only firewall on the network or as a web proxy but never as a backend server. Supposedly this is the best deployment for ISA server. :hhhmmm

 

Already forked out the wonga on the front end firewall which is working fine just now. I just need another physical box to add another layer of protection to the published LAN resources.

Need to start looking at the Cisco stuff again as the last box I worked on was PIX and that was ages ago.

 

Have a little look at this mate and the ISA gear further down. I'm quite chocka but I'll see if I can find you some info tomorrow. I'm quite sure we have every MS product there is

**Edit: I failed the ISA 06 exam . . . just! From what I remember ISA is handy at the backend providing not only application level protection but more importantly if its used in an auditing context, it provides unrivaled management information and general cr@p to keep managers happy

 

Nice one mate, I`ll have a read through the link.

Just an example of what I’m trying to do here. I have a front end firewall setup with multiple interfaces (LAN, WAN, and DMZ) and everything is working ok.

LAN – 192.168.1.x
DMZ – 192.168.2.x

So if I want to install an ISA server to protect the resources on the LAN do I give the ISA server a LAN IP and then forward all the required ports to the ISA server from the front end firewall. Then the ISA forwards the traffic onto the required servers so it is kinda acting like a proxy.

This is probably a straight forward thing to setup but I’ve not got access to my lab just now.

 

....another reason to install it. Look at the reports!!

 

Cheers for the input Zeb.

Just another question if I may. In regards to configuring IP addressing the clients on the LAN use the front end firewall as their default gateway just now (192.168.1.1).

I need to keep things this way as the firewall has a AD connector configured for web filtering and if a user doesn’t have a AD account then LDAP is used which is handy for guest users etc.

In regard to ISA how would I configure the public and private interfaces on the server? As the server is sitting on the LAN then I guess the private interface is a LAN IP but what about the public interface?

I was considering patching the public interface into the DMZ switch so I could forward the required ports from the front end firewall to there. I haven’t found any documentation to support this kinda config as yet ...

 

Yes, things do take time to get the all clear in IT from management. Just installed this today.

The server is now installed with a single NIC deployment in the DMZ so I have forwarded all published ports that were going to the LAN resources onto the ISA server and they are in turn forwarded from there.

Apart from configuring SSL for Exchange there wasn’t too many problems.

Anyways, now looking at other ways to deploy ISA but I guess I should really be having a look at Forefront Threat Management Gateway 2010, never ending this IT jazz!