Configuring Sites for Direct Access:
Part 2 – Configuring Direct Access for Firewall Clients and Publishing Scenarios
By Thomas W Shinder MD, MVP
Got Questions? Go to:
http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000938 and ask!
In the first part of this two-part series on configuring the ISA firewall to support Direct Access, we discussed how to configure the ISA firewall to support Direct Access for Web Proxy clients so that Web Proxy clients could access problematic Web sites. If you missed that article, check it out at http://isaserver.org/articles/2004directaccessp1.html
In this, part 2 of the series, we’ll talk about Direct Access for Firewall clients and we’ll also discuss how Direct Access is important in Web and Server Publishing scenarios. As a review, Direct Access works a bit differently based on the type of ISA client using the Direct Access configuration and the scenario you’re working with:
Let’s take a look at some examples to help illustrate these issues.
In the figure below we have a server on the ISA firewall's default Internal Network, and we've published that server using a Web or Server Publishing Rule. An external client connects to the published server via an IP address on the external interface of the ISA firewall, and the ISA firewall then forwards the connection to the published server on the Internal Network. There are no problems here and Direct Access isn't an issue.
In the next figure we see an example of a loop back condition. We always want to avoid looping back through the ISA firewall to access resources on the same ISA firewall Network as the host making the request.
In this example, the Firewall client computer on the default Internal Network makes a request to connect to the published Web server www.domain.com. The Firewall client resolves this name to the IP address on the external interface of the ISA firewall and attempts to loop back through the ISA firewall to access resources situated on the same ISA firewall Network as the client making the request (in this example, both the Firewall client making the request and the server are located on the default Internal Network).
Problems with this configuration are:
Looping back through the ISA firewall to connect to resources on the same ISA firewall Network should be avoided at all costs. Jim Harrison refers to this condition as "isotropic bounce" (http://www.isaserver.org/articles/14120_Errors_Discussion_and_Solution.html). Isotropy implies directional independence, which clearly isn't the case when dealing with IP networking and firewalls: the packets leave the Internal Network, hit the external interface, and have to be routed back in, and the firewall sees a source and a destination on the same Network.
The figure below shows how Direct Access solves the isotropic bounce problem. The Firewall client (and the Web Proxy client) is configured to use Direct Access to connect to resources on the same ISA firewall Network. The requesting client resolves the name to the actual IP address of the host on the default Internal Network and bypasses its Web Proxy and Firewall client configuration to connect directly to that resource, completely avoiding the ISA firewall.
This configuration requires that we have a split DNS in place so that external and internal clients resolve the same name differently. When we have a split DNS in place, the external client resolves the name of the published resource, www.domain.com to the IP address on the external interface of the ISA firewall used to publish the server. Internal clients use the internal side of the split DNS to resolve the same name, www.domain.com, to the server’s internal IP address. This allows the Firewall and Web Proxy clients to leverage the Direct Access configuration to bypass the ISA firewall when connecting to resources located on the same ISA firewall Network.
Note that for Direct Access to work, the Firewall and Web Proxy clients must have a DNS server address configured in their TCP/IP interface configuration, because the client itself has to resolve the name before it can decide to bypass the firewall. In non-Direct Access scenarios this is not required, because the ISA firewall can perform "proxy" DNS services on behalf of Firewall and Web Proxy clients. However, the scenario where the Firewall and Web Proxy clients are not configured for Direct Access and not configured with an internal DNS server is limited to only the smallest of organizations that do not use Active Directory domains and do not host their own DNS services.
I’ve done articles on the split DNS before, and I’ll do more in the future. If you want to see some of the previous work I’ve done with split DNS, check out http://www.isaserver.org/tutorials/You_Need_to_Create_a_Split_DNS.html I think I might have gone into too much detail in that article, so the next article I do on this subject will focus more on the small/medium sized business user.
The key concept with Direct Access is that you bypass either the Web Proxy service or the entire ISA firewall itself based on the client’s requirements.
Configuring Direct Access for Firewall Clients
The Direct Access configuration for Firewall clients is done in the Properties of the Network from which the Firewall client connects to the ISA firewall. In this example, the Firewall clients and the resources are both connected to the default Internal Network. In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name and then expand the Configuration node. Click on the Networks node. While on the Networks node, click the Networks tab in the details pane and then double click on the Internal Network.
In the Internal Properties dialog box, click the Domains tab. On the Domains tab, click the Add button. In the Domain Properties dialog box, enter the domain name or the FQDN of the resource that you want to enable for Direct Access. In this example, we want connections to all servers in domain.com to be made via Direct Access. We use a wildcard at the beginning of the domain name (*.domain.com) to include all servers in the domain, as seen in the figure below. Click OK.
The list of domains should include all domains for which you want Firewall clients to use Direct Access when connecting to servers in those domains. You should also always include all your internal-only domains (Active Directory domains) in the list of Domain Names, so that Firewall clients bypass their Firewall client configuration when connecting to resources in the same domain. Note that this can become a bit tricky when you span your Active Directory domain across multiple ISA firewall Networks. This is a special case and we discuss it in our book Configuring ISA Server 2004.
You should also include all domains for which you have a split DNS configured. For example, if you have configured a split DNS for domain.com, mydomain.com, and newdomain.com, then make sure that Firewall clients on the same Network as those servers use Direct Access to reach them, so that they bypass their Firewall client configuration rather than looping back through the ISA firewall.
You can also leverage this list of domains configured on the Domains tab to enable Web Proxy clients to use Direct Access for these domains. Click on the Web Browser tab. On the Web Browser tab, put a checkmark in the Directly access computers specified in the Domains tab checkbox. Click Apply and then click OK. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.
Remember to refresh the Firewall client and Web Proxy client configuration so that the changes take effect; otherwise, it can take up to six hours. Another important consideration when configuring Direct Access for Web Proxy clients is that they need to be configured to use the autoconfiguration script. The easiest way to do this is during installation of the Firewall client, but there are many other ways to automatically provision the Web Proxy client to use the autoconfiguration script. We spend a lot of time on this subject in Configuring ISA Server 2004, so check out chapter 5 for everything you want to know about ISA client provisioning and configuration.
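To make the two mechanisms concrete, here is an added example, written for this page in JavaScript (the language autoconfiguration scripts are written in). It is not ISA Server's generated script and not code from the original article. FindProxyForURL shows how a Web Proxy client applies the Domains tab list and the Internal Network address ranges to decide between DIRECT and PROXY; classifyInternalClient then shows why the split DNS described earlier is required: with the internal DNS answer the client goes straight to the server, while with the public answer the very same Direct Access entry sends it to the ISA firewall's external address, which is the loopback. The same name-resolution dependency applies to a Firewall client using the same Domains list. Everything in the block is constructed for the example: the domain list, the Internal Network ranges (10.0.0.0/8 and 192.168.0.0/16), the proxy name isa.corp.local:8080, the external address 203.0.113.10 and the two DNS answer tables. The helper functions shExpMatch, isInNet and dnsResolve are normally supplied by the browser's PAC runtime and are reimplemented here so the script also runs under Node.

```javascript
// Added example (not ISA's own generated script): a PAC-style autoconfiguration
// script implementing "Directly access computers specified in the Domains tab",
// plus a small constructed split-DNS model showing why Direct Access needs a
// split DNS to avoid looping back through the ISA firewall.

// Entries as typed on the Domains tab of the Internal network (constructed).
// "*.domain.com" covers every host in domain.com; "*.corp.local" stands in for
// an internal-only Active Directory domain (assumed name).
const DirectNames = ["*.domain.com", "*.corp.local"];

// Address ranges of the default Internal network (constructed: network, mask).
const DirectAddrs = [
  ["10.0.0.0", "255.0.0.0"],
  ["192.168.0.0", "255.255.0.0"],
];

// Web Proxy listener used when a request is not Direct Access (assumed name/port).
const ProxyString = "PROXY isa.corp.local:8080";

// External address the publishing rule listens on (constructed, RFC 5737 range).
const ISA_EXTERNAL_IP = "203.0.113.10";

// Constructed split DNS: the same names answered differently by the internal
// and the external DNS servers.
const DNS_VIEWS = {
  internal: { "www.domain.com": "10.0.0.20", "mail.domain.com": "10.0.0.25" },
  external: { "www.domain.com": ISA_EXTERNAL_IP, "mail.domain.com": ISA_EXTERNAL_IP },
};

// Which DNS server the client is configured with. "external" models a client
// with no internal DNS server, which therefore receives the public answer.
let activeDnsView = "internal";

// --- Helpers the browser's PAC runtime normally provides; implemented here so
// --- the script runs under Node as well.
function shExpMatch(str, shexp) {
  const re = "^" + shexp
    .replace(/[.+^${}()|[\]\\]/g, "\\$&") // escape regex metacharacters
    .replace(/\*/g, ".*")                  // shell "*" matches any run
    .replace(/\?/g, ".") + "$";            // shell "?" matches one character
  return new RegExp(re, "i").test(str);     // host names are case-insensitive
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ip, net, mask) {
  const m = ipToInt(mask);
  return ((ipToInt(ip) & m) >>> 0) === ((ipToInt(net) & m) >>> 0);
}

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host; // already an IPv4 literal
  return DNS_VIEWS[activeDnsView][host] || null;
}

// --- PAC entry point. A name listed on the Domains tab, or an address inside
// --- the client's own ISA Network, is reached without the Web Proxy.
function FindProxyForURL(url, host) {
  for (const pattern of DirectNames) {
    if (shExpMatch(host, pattern)) return "DIRECT";
  }
  const ip = dnsResolve(host);
  if (ip !== null) {
    for (const [net, mask] of DirectAddrs) {
      if (isInNet(ip, net, mask)) return "DIRECT";
    }
  }
  return ProxyString;
}

// --- Audit helper: where does an Internal-network client's connection to
// --- `host` land, given the DNS server it is configured to use?
//   "direct"   - bypasses the ISA firewall and reaches the server's internal IP
//   "loopback" - the name resolved to the ISA external address, so the request
//                re-enters the firewall from the inside (the "isotropic bounce")
//   "proxy"    - sent through the Web Proxy listener (a remote site, as intended)
function classifyInternalClient(host, dnsView) {
  const saved = activeDnsView;
  activeDnsView = dnsView;
  try {
    const decision = FindProxyForURL("http://" + host + "/", host);
    const ip = dnsResolve(host);
    if (ip === ISA_EXTERNAL_IP) return "loopback";
    return decision === "DIRECT" ? "direct" : "proxy";
  } finally {
    activeDnsView = saved;
  }
}

// Stand-alone run: the split-DNS case versus a client that only has public DNS.
for (const view of ["internal", "external"]) {
  console.log(`client DNS view = ${view}:`,
    "www.domain.com ->", classifyInternalClient("www.domain.com", view),
    "| www.example.net ->", classifyInternalClient("www.example.net", view));
}
```

In production you do not hand-edit a script: the ISA firewall generates the autoconfiguration script from the Domains tab and Web Browser tab settings, and the browser fetches it from the firewall. The value of the model is that it lets you reason about the decision for a given name before touching a client, and it makes the important case visible: a Direct Access entry on its own does not prevent the loopback, only a DNS answer that points at the server's internal address does.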
In this article we discussed how to use Direct Access to enable Firewall clients to bypass their Firewall client configuration when accessing resources located on the same ISA firewall Network as the Firewall client computer. Direct Access for Firewall clients allows Firewall client computers to connect directly to servers located on the same Network and prevents them from looping back through the ISA firewall to connect to local resources. We also discussed the implications of Direct Access in Web and Server Publishing scenarios and how Direct Access can be paired with a split DNS to create a high-performance solution that allows hosts to bypass the firewall when connecting to local resources.
I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=20;t=000938 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom