Configuring Multiple DMZs on the ISA Firewall (2004) – Part 2: Installing the ISA Firewall and Creating the DMZ Networks

Configuring Multiple DMZs on the ISA Firewall (2004)
Part 2: Installing the ISA Firewall and Creating the DMZ Networks

By Thomas W Shinder MD

In the first part of this series on DMZ networking with ISA firewalls (ISA 2004), we discussed the DMZ concept and the differences between a typical DMZ segment and a perimeter network segment. Included in the discussion was a description of a four NIC setup on the ISA firewall, where one NIC was attached to an external network, the second NIC was attached to the Internal network, the third NIC was attached to a DMZ segment and the fourth NIC was attached to a perimeter network segment. If you haven’t read that article yet, you can catch it here: http://isaserver.org/articles/2004multidmzp1.html

In this article we will look at the details of creating and configuring the DMZ and perimeter network segments. The general procedures are:

• Install the ISA firewall software and define the Internal Network
• Create the Anonymous Access DMZ
• Create the Network (routing) Rule between the Anonymous Access DMZ and the Internal Network
• Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network
• Create the Authenticated Access Perimeter Network Segment
• Create the Network (routing) Rule between the Authenticate Access Perimeter Network segment and the Internal Network
• Create the Network (routing) Rule Between the Authenticated Access Perimeter Network segment and the External Network

We need to start with the installation of the ISA firewall software because the Internal network is defined during installation.

Install the ISA firewall software and define the Internal Network

The first step is to install the ISA firewall software. During the setup process you will be asked to define your Internal network. In contrast to ISA Server 2000 firewalls, the ISA 2004 firewall (ISA firewall) sees the Internal network as a special network and this network does not implicitly trust all hosts on the Internal network.

Instead, the ISA firewall’s assumption is that key infrastructure servers are located on the Internal network. These include DHCP, DNS, Active Directory, Certificate, IAS (RADIUS), Management, SMS and other similar servers are located on the Internal network. The Internal network is defined during installation so that the default System Policy can allow the ISA firewall to communicate with these servers and these servers can communicate with the ISA firewall, during and immediately after installation.

The machine on which we’ll install the ISA firewall software is running Windows Server 2003. No extraneous services are installed on this machine and the machine is not yet a member of the Internal network domain. In a later article on this series, we’ll join this machine to the domain to demonstrate how this is done after the ISA firewall software is already installed.

Perform the following steps on the ISA firewall machine:

1. Put the ISA firewall CD into the CD tray and let it autorun. If it does not autorun or if you’re installing form a share, then open the ISAAutorun.exe file.
2. In the autorun menu, click the Install ISA Server 2004 link.
3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
4. Select the I accept the terms in the license agreement option on the License Agreement page. Click Next.
5. Enter the User Name, Organization and Product Serial Number on the Customer Information page. Click Next.
6. On the Setup Type page, select the Typical option and click Next.
7. On the Internal Network page, click the Add button.
8. On the Internal network address page, click the Select Network Adapter button.
9. On the Select Network Adapter page, remove the checkmark from the Add the following private ranges checkbox. I recommend this configuration because it’s likely that you want to use subnets of the standard private ranges. If you were to leave this checkbox selected, you would imply that you are using all of these address ranges behind a single network interface on the ISA firewall. That isn’t true in this example, and it’s not true in any production situation that I’m familiar with. A much better solution is to select the Add address ranges based on the Windows Routing Table entry. Then put a checkmark in the checkbox next to the network adapter connected to the Internal network. In this example, we’ve renamed the network interfaces to make them easier to work with, so the Internal network interface is named LAN. Click OK to after choosing the Internal network’s adapter.

10. A Setup Message dialog box appears informing you about how the routing table on the ISA firewall must be configured correctly for this selection to work correctly. Always make sure that the ISA firewall’s routing table is correctly configured before installing the ISA firewall software. Click OK.
11. Click OK in the Internal network address range dialog box.

12. Click Next on the Internal Network page.

13. On the Firewall Client Connection Settings page, put a checkmark in the Allow computers running earlier version of Firewall Client software to connect checkbox only if you plan on running older versions of the Firewall client. If you plan to use only the new version of the Firewall client included with the ISA firewall, then leave the checkbox empty. The new version of the Firewall client encrypts connections between itself and the ISA firewall. This protects user credentials and other information moving between the Firewall client machine and the internal interface of the ISA firewall. We will leave the checkbox unchecked in this example and click Next.

14. Click Next on the Services page.
15. Click Install on the Ready to Install the Program page.
16. Click Finish on the Installation Wizard Completed page.
17. Click Yes on the Microsoft ISA Server dialog box informing you that a restart is required.
18. Log on as Administrator after the ISA firewall restarts.

Create the Anonymous Access DMZ

The ISA firewall now needs to learn about the networks to which its attached. One way to do this is to use a Network Template. The Network Templates automate some of the work of creating Networks the ISA firewall uses in its access control rules. One major problem with the Network Templates is that, while they were designed to make things easier for you, they really only make it easier if you already have a good understanding of how the ISA firewall works and how the Network Templates work.

I prefer to create the Networks and Network Relationships manually, and then create Access Rules after the Networks have been defined. This gives you a better knowledge of exactly what’s going on in your configuration and gives you insight into how the ISA firewall works. Later, after you have a better understanding of how the ISA firewall works, you might want to try out some of the Network Templates.

The first network we’ll create is the anonymous access DMZ network. This network comprises the network ID 172.16.0.0/16. This networks interface on the ISA firewall has the IP address 172.16.0.1.

Perform the following steps to create the anonymous access DMZ network:

1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Expand the Configuration node and then click the Networks node.
2. Click the Networks tab in the Details pane of the console. Click the Tasks tab in the Task Pane and then click the Create a New Network link.
3. On the Welcome to the New Network Wizard page, enter a name for the network in the Network name text box. In this example, we’ll name the network DMZ. Click Next.
4. On the Network Type page, select the Perimeter network option. Click Next.

5. On the Address Ranges page, click the Add Adapter button.
6. In the Select Network Adapter dialog box, put a checkmark in the checkbox next to the DMZ interface. In this example, we have renamed the interface using the name DMZ. We will put a checkmark into that checkbox. Note the Network Interfaces Information that appears in the lower part of the dialog box. Click OK.

7. Click Next on the Network Addresses page.

8. Click Finish on the Completing the New Network Wizard page.
9. The new Network appears in the list of Networks on the Networks tab.

Create the Network (routing) Rule between the Anonymous Access DMZ and the Internal Network

Unlike ISA Server 2000, the ISA firewall now supports the ability to choose between a NAT or ROUTE relationship between any two networks. A route relationship means that the ISA firewall routes between the two networks and that the firewall does not replace the source address of the host making the outgoing connection request. A NAT relationship hides the IP address of the host behind the NATed network by replacing the original host’s IP address with an IP address bound to the interface of the ISA firewall that the connection exits.

ISA Server 2000 did not give you this level of control over the routing relationship between any two networks. The only options you had we’re to NAT between LAT and non-LAT hosts, and route between LAT hosts.

In our current example, we want to NAT between the Internal network and the DMZ network. This allows us to hide the IP addresses of the hosts on the Internal network. When an Internal network host connects to a host on the DMZ network, the ISA firewall replaces the source IP address of the requesting host on the Internal network with the IP address bound to the interface on the DMZ network. NAT provides a modicum of security via its ability to hide the original source address of hosts behind the NATed network.

The ISA firewall uses Network Rules to control this routing relationship. Perform the following steps to create the NAT relationship between the Internal and DMZ networks:

1. While still on the Networks node, click the Network Rules tab in the Details pane.
2. Click the Tasks tab in the Task Pane and click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter name for the Network Rule in the Network rule name text box. In this example we will name the rule Internal -> DMZ. Click Next.
4. On the Network Traffic Sources page, click the Add button.
5. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal entry. Click Close.

6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click the Add button.
8. In the Add Network Entities dialog box, click the Networks folder and double click the DMZ entry. Click Close.
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Network Address Translation option. Click Next.

11. Click Finish on the Completing the New Network Rule Wizard page.
12. Your Network Rule should look like the one in the figure below.

The Source and Destination network entries in the NAT type Network Rule is critical. In our example, hosts on the Internal network have their connections NATed by the ISA firewall. That means the source IP address for outgoing connections from the Internal network to the DMZ network will have the source IP address of the connection replaced with the IP address on the DMZ interface.

NAT relationships do not work both ways.

When a host on the DMZ segment initiates a connection to a host on the Internal network, that connection will only be allowed if there is either a Web Publishing Rule or a Server Publishing Rule allowing the connection. The source address on the incoming connection is determined not by the Network Rule for these incoming connections from the DMZ network into the Internal network.

Instead, the source IP address that the destination host on the Internal network sees is determined by how you configure the Server Publishing Rule or the Web Publishing Rule. You can choose to preserve the original source IP address, or replace the source IP address with the IP address on the ISA firewall’s interface that connects to the Destination network. In this example, it would be the interface connecting to the Internal network.

Keep the above in mind when creating your Network Rules and troubleshooting connectivity issues between networks. I’ve already seen a number of people who have had problems with DMZ and VPN site to site networks because they did not understand exactly how the NAT Network Rule works and how it effects the flow of traffic between networks.

Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network

The servers on the DMZ network also need to accept incoming connections from hosts on the External network and initiate new outbound connections to hosts on the External network.

The ISA firewall’s concept of External network is an interesting one. The default External network is defined as a Network that isn’t included in the address ranges defined by any other network on the ISA firewall. The default External network doesn’t have to mean the Internet. In the back to back ISA firewall configuration we’re working with in this scenario, the DMZ segment between the front-end ISA firewall and the back-end ISA firewall is consider as part of the default External network for the back-end ISA firewall.

You could, if you wanted to, define the DMZ segment between the back-end and front-end ISA firewalls as a custom external network. In this case, you could use this custom external network to get more granular access control between that DMZ segment and any of the ISA firewall’s protected networks.

The ISA firewall considers all networks that are not external networks to be protected networks. I’ll do articles in the future on how to leverage different types of external networks, but that subject fits into advanced DMZ networking techniques. This article series is aimed at getting you introduced to basic ISA firewall DMZ networking.

We will let the DMZ segment between the front-end and back-end ISA firewalls remain as part of the default External network. At this point, if a host on the DMZ network tried to access anything on the DMZ segment, or on the Internet, the connection would fail because there is not network relationship defined for connections made from DMZ hosts to hosts on the External network.

Our current example is also interesting because we are using private addresses on both the DMZ network and the DMZ network between the ISA firewalls. Since the back-end ISA firewall has “knowledge” of both these networks (that is to say, its routing table is complete for both of these networks), we could choose either a NAT or a route relationship. In our current scenario, we will consider the DMZ between the ISA firewalls as part of the back-end ISA firewall’s default External network. We’ll use a NAT relationship so that we can hide the IP addresses of the hosts on the DMZ network.

Perform the following steps to create the NAT relationship between the DMZ network and the External network:

1. While still on the Networks node, click the Network Rules tab in the Details pane.
2. Click the Tasks tab in the Task Pane and click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter name for the Network Rule in the Network rule name text box. In this example we will name the rule DMZ -> External. Click Next.
4. On the Network Traffic Sources page, click the Add button.
5. In the Add Network Entities dialog box, click the Networks folder and then double click the DMZ entry. Click Close.
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click the Add button.
8. In the Add Network Entities dialog box, click the Networks folder and double click the External entry. Click Close.
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Network Address Translation option. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
12. Your Network Rule should look like the one in the figure below.

Create the Authenticated Access Perimeter Network Segment

Now that you have experience creating networks, we can get to the task of creating the Authenticated Access Perimeter network. As we discussed in the first article in this series, the Authenticated Access Perimeter network allows only authenticated connections. Exactly where the authentication takes place is an important consideration. You have the following options with the ISA firewall:

is responsible for authenticating users. The ISA firewall can authenticate the user with an authentication server. The authentication server can be an Active Directory domain controller, or some other directory server. If you use RADIUS authentication, the ISA firewall can authenticate with any RADIUS compliant directory, including the Active Directory. However, RADIUS authentication only works with Web Proxy mediated connections.

are responsible for authenticating the users. In this case, the ISA firewall passes the connection request to the servers on the perimeter network and the servers on the perimeter network are responsible for authenticating users. If you use this option, the servers will need to be domain members if you want them to authenticate against the Active Directory.

In this case, the ISA firewall does not authenticate the user, but it freezes the connection until the servers confirm the credentials of the user. The ISA firewall forwards the credentials to the servers on the perimeter network and the servers on the perimeter network send the credentials to the authentication servers, such as the Active Directory domain controllers on the internal network.

Which option is the most secure? When possible, I prefer that the ISA firewall freeze the connection at the firewall and forward the credentials to the servers on the perimeter network. This is what we call delegation of basic authentication. When used together with the ISA firewall’s unique SSL to SSL bridging, this provides what I consider one of the best security postures you can create for your organization. Note that the ISA firewall does not need to be a member of the domain to leverage the delegation of authentication feature.

We have the best of all possible worlds because the back-end ISA firewall is a member of the domain in the scenario we’re working with here: we can have the ISA firewall authenticate incoming connections, or we can have the servers on the perimeter network authenticate the connection.

The Authenticated Access Perimeter Network is on network ID 192.168.10.0/24 and the address on the ISA firewall connecting to this network is 192.168.10.1.

Perform the following steps to create the Authenticated Access Perimeter network:

1. Open the Microsoft Internet Security and Acceleration Server 2004 management console and expand the server name. Expand the Configuration node and then click the Networks node.
2. Click the Networks tab in the Details pane of the console. Click the Tasks tab in the Task Pane and then click the Create a New Network link.
3. On the Welcome to the New Network Wizard page, enter a name for the network in the Network name text box. In this example, we’ll name the network Perimeter. Click Next.
4. On the Network Type page, select the Perimeter network option. Click Next.

5. On the Address Ranges page, click the Add Adapter button.
6. In the Select Network Adapter dialog box, put a checkmark in the checkbox next to the Perimeter interface. In this example, we have renamed the interface using the name Perimeter. We will put a checkmark into that checkbox. Note the Network Interfaces Information that appears in the lower part of the dialog box. Click OK.

7. Click Next on the Network Addresses page.

8. Click Finish on the Completing the New Network Wizard page.
9. The new Network appears in the list of Networks on the Networks tab.

Create the Network (routing) Rule between the Authenticate Access Perimeter Network segment and the Internal Network

The servers in the Authenticated Access Perimeter Network need to be domain members so that they can authenticate with the Active Directory. For example, we might want to put a front-end Exchange Server or a secure authenticating SMTP relay in the Authenticated Access Perimeter network.

Because these machines need to communicate with domain controllers on the Internal network, we want to make sure that the communications between the perimeter network and the Internal network are secured. We can do this by using IPSec transport mode connections between the perimeter network servers and the domain controllers on the Internal network. IPSec transport mode requires a routed connections between the networks because NAT breaks IPSec. We will create a route relationship between the Authenticated Access Perimeter Network and the Internal network so that we can use IPSec security.

Perform the following steps to create the Network Rule establishing the route relationship between the perimeter network and the Internal network:

1. While still on the Networks node, click the Network Rules tab in the Details pane.
2. Click the Tasks tab in the Task Pane and click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter name for the Network Rule in the Network rule name text box. In this example we will name the rule Perimeter -> Internal. Click Next.
4. On the Network Traffic Sources page, click the Add button.
5. In the Add Network Entities dialog box, click the Networks folder and then double click the Perimeter entry. Click Close.
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click the Add button.
8. In the Add Network Entities dialog box, click the Networks folder and double click the Internal entry. Click Close.
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Route option. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
12. Your Network Rule should look like the one in the figure below.

Create the Network (routing) Rule between the Authenticated Access Perimeter Network segment and the External Network

Like the situation we had with the DMZ network and the External network, we have the choice of using a route or a NAT relationship between the perimeter network segment and the External network. We will chose a NAT relationship between the perimeter network and the External network because we want to hide the addresses of the servers on the perimeter network segment.

Perform the following steps to create the network rule between the perimeter network and the External network:

1. While still on the Networks node, click the Network Rules tab in the Details pane.
2. Click the Tasks tab in the Task Pane and click Create a New Network Rule.
3. On the Welcome to the New Network Rule Wizard page, enter a name for the Network Rule in the Network rule name text box. In this example we will name the rule Perimeter -> External. Click Next.
4. On the Network Traffic Sources page, click the Add button.
5. In the Add Network Entities dialog box, click the Networks folder and then double click the Perimeter entry. Click Close.
6. Click Next on the Network Traffic Sources page.
7. On the Network Traffic Destinations page, click the Add button.
8. In the Add Network Entities dialog box, click the Networks folder and double click the External entry. Click Close.
9. Click Next on the Network Traffic Destinations page.
10. On the Network Relationship page, select the Network Address Translation (NAT) option. Click Next.
11. Click Finish on the Completing the New Network Rule Wizard page.
12. Your Network Rule should look like the one in the figure below.

13. Click Apply to save the changes and update the firewall policy.
14. Click OK in the Apply New Configuration dialog box.

Test Yourself

If you can answer these questions, you understand the concepts and procedures discussed in this article:

1. When a NAT relationship is defined between the Internal and External Network, what IP address does the destination host see as the source IP address of the connection?
2. If you want to allow IPSec traffic between two networks, should you use a NAT or a Route relationship in the Network Rule for those networks?
3. Does the ISA firewall need to be a member of the domain when you use delegation of basic authentication?
4. What addresses does the ISA firewall include in the default External network?
5. What addresses are part of the ISA firewall’s Protected Network Set?
6. What are the advantages of making the ISA firewall a member of the domain?

Answer these questions and then visit the discussion link for this article over at http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000030.

Summary

In this article we went over the some of the concepts and the procedures required to create the Internal, DMZ and Perimeter networks for our ISA firewall’s DMZ networking scenario. In the next article in this series, we’ll create the Access Rules used to control traffic between the DMZ network and the Internal network. See you then!

I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000030 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom

If you would like us to email you when Tom Shinder releases another article on ISAserver.org, subscribe to our ‘Real-Time Article Update’ by clicking here. Please note that we do NOT sell or rent the email addresses belonging to our subscribers; we respect your privacy.