Getting Started Right with ISA Firewalls (v1.01)
by Thomas W Shinder MD, MVP
Working with new software can be a frustrating experience. People well-versed in a particular software package often forget what it's like to be a newbie with that software. I was in this position not long ago when testing Small Business Server Service Pack 1.
I thought I knew what I was doing, since I’ve been setting up Windows Servers in enterprise environments since Windows NT 4.0 hit the streets. However, just because I thought I knew what I was doing didn’t mean I did. Like most newbs, I didn’t read the manual, and I made some critical mistakes which gave me the false impression that SBS SP1 wasn’t worth the bits it was printed on.
I frequently see the same thing happen with the ISA firewall. If you take care of a handful of issues in advance, you'll bypass potentially frustrating and perplexing problems with your initial ISA firewall setup and be off to a good start. If you take these ISA firewall best practices into account, your life with the ISA firewall will go more smoothly, you'll end up less frustrated and disappointed, and you'll come away with a good impression of the ISA firewall instead of a negative one.
The key ISA firewall configuration issues that will give you a good install and configuration experience are the following:
Set up supporting network services before standing up the ISA firewall
The ISA firewall is a core piece of network gear. While it uses Windows Server 2003 as its base operating system, the ISA firewall is part of the network infrastructure; it's not a server. For this reason, you need to plan ahead the same way you would when introducing any other core piece of network infrastructure.
The ISA firewall can work together with a number of other network infrastructure components; these include but aren’t limited to:
DHCP servers The ISA firewall can use a DHCP server to assign IP addressing information to VPN clients. You can use the DHCP server on the corporate network to assign basic IP addressing information to VPN clients, or you can install a DHCP relay agent on an ISA firewall that has ISA Server 2004 Service Pack 1 installed to assign DHCP options to VPN clients.
DNS servers The ISA firewall uses internal network DNS servers for a number of purposes. Web proxy and Firewall clients rely on the ISA firewall to perform DNS host name resolution on their behalf, and the ISA firewall can perform reverse DNS lookups to make sure users are not violating network use policy by using IP addresses instead of FQDNs to reach forbidden resources. The ISA firewall can also hand the DNS server address(es) configured on its network interface(s) to VPN clients.
WINS servers The ISA firewall can use an internal network WINS server to aid VPN clients access to internal network resources using a single label, NetBIOS name.
Certificate servers Certificate servers issue machine and user certificates. The ISA firewall can use a machine certificate to impersonate a Web server when doing SSL to SSL bridging, and it can accept user certificates for user authentication on an ISA firewall Web listener.
IAS (RADIUS) servers The ISA firewall can use RADIUS to authenticate users for both inbound and outbound access, via the ISA firewall’s Web proxy filter. The Web proxy filter can listen for outbound requests and authenticate users via RADIUS and the Web proxy filter can also authenticate users requesting inbound connections through the ISA firewall.
Active Directory domain controllers When joined to an Active Directory domain, the ISA firewall can authenticate all TCP and UDP communications passing through it. Users then transparently send their credentials to the ISA firewall to authenticate. This gives the ISA firewall administrator very fine-grained control over which users or groups can access specific resources through the ISA firewall. In addition, the ISA firewall logs the user names, protocols, resources and more that are accessed through it, which supports regulatory compliance reporting in a way that address-only hardware firewalls cannot (and lacking that user-level audit trail can expose you to fines for non-compliance).
Network routers and switches The ISA firewall is an access control device that can be used to segment the network into security zones. If you want to do this, the ISA firewall needs to be integrated with your routing infrastructure. Sometimes you might need to renumber network segments, or you might need to create routing table entries on network routers and layer 3 "switches" to support the ISA firewall's network segmentation scheme.
Existing firewalls Most organizations will have an existing firewall infrastructure that they’ll want to integrate with the ISA firewall deployment. In most cases, you can leave your existing firewall infrastructure in place and make minor configuration changes on the existing firewalls to support the enhanced security provided by the ISA firewall.
Make sure all these supporting network services are in place and working correctly before deploying the ISA firewall. Not every scenario requires every one of these services, but having them in place in advance and confirming that they work will greatly simplify your ISA firewall deployment options and reduce the amount of "just in time" work you might have to do later.
Install at least two NICs on the ISA firewall
The ISA firewall is a firewall. Although its family tree goes back to Proxy Server 1.0, the Web proxy gene in the ISA firewall's DNA is only a small remnant of that past. The Web proxy component is now merely an application filter, and that Web proxy application filter is an extension of the ISA firewall's firewall service. There is no separate Web proxy service. The firewall service statefully examines all traffic moving through the firewall, including connections that are handed directly to the Web proxy filter.
This means the ISA firewall is always a firewall. You can't "un-firewall" the ISA firewall. This is a good thing, as the entire point of a stateful packet and application layer inspection firewall is to ensure strong access control and network security for all traffic moving to and through the firewall.
To deploy the ISA firewall so that it provides full firewall protection, you need to install two or more network interfaces: one or more on the internal network and one or more on non-internal networks. You can put as many NICs in your ISA firewall as you like, or you can use 802.1q VLAN tagging, in which case the ISA firewall works with the NIC driver's virtual interfaces. The figure below shows an ISA firewall with multiple NICs installed, although only three are in use at this time.
Put a router in front of the ISA firewall if you don’t have a dedicated IP address
The problem with DHCP is that to obtain an address, the requesting host broadcasts its initial request and then accepts the first lease offer it receives. This means people with less than good intentions could take advantage of your ISA firewall by standing up a rogue DHCP server and handing your ISA firewall IP addressing information (address, default gateway, DNS servers) that serves the intruder's needs rather than yours.
To mitigate this issue to a certain extent, the ISA firewall sports a DHCP spoof detection mechanism. However, because of how some cable operators and other ISPs work, you might find that your ISA firewall's external interface can't obtain an IP address from the ISP's DHCP server. This has caused a legion of ISA firewall admins more pain than they really needed to experience.
You can easily solve this problem by putting a router in front of the ISA firewall. If you have a PPPoE-based DSL connection, a cable connection, or any other connection that depends on DHCP address assignment for the public interface, put a router in front of the ISA firewall. This completely eliminates the DHCP issue and also avoids DSL-related MTU problems, since the router terminates the PPPoE session.
The figure below shows a simple setup where there is a DSL router using PPPoE to connect to the ISP and Internet. The LAN interface of the DSL router is 10.0.0.1 and the external interface of the ISA firewall is 10.0.0.2. The key take-away here is that the LAN address of the DSL router (or cable router) needs to be on the same network ID as the external interface of the ISA firewall. The external interface of the ISA firewall must use the LAN address of the DSL router as its default gateway.
NOTE: In the figure above the default gateway on the ISA firewall is erroneously listed as 10.0.0.2. The default gateway on the ISA firewall should be 10.0.0.1
Configure the ISA firewall to use an internal DNS server and configure the internal interface of the ISA firewall to use this DNS server
This is one of the most important issues related to ISA firewall performance. I can't tell you how many times someone has told me that everything got much slower after introducing the ISA firewall into the network. The problem was invariably DNS and adapter configuration.
First, you need a DNS server on the corporate network that can resolve Internet host names. Second, you need to configure the internal interface of the ISA firewall to use this internal DNS server as its primary DNS server. Last, you need to make the internal interface the top-listed connection in the Advanced Settings dialog box of the Network Connections window.
You can reach the Advanced Settings dialog box by right clicking the My Network Places icon on the desktop and clicking Properties. In the Network Connections window, click the Advanced menu and click Advanced Settings. In the Advanced Settings dialog box, move the internal interface of the ISA firewall to the top of the list, as seen in the figure below.
The DNS server address or addresses on the internal interface should be the ONLY DNS servers configured on the ISA firewall’s interfaces. You should NEVER configure the ISA firewall to use an external DNS server if you have a domain-based network environment.
In the figure below, you see the Internet Protocol (TCP/IP) dialog box for the internal interface of a correctly configured ISA firewall. You'll see an IP address and subnet mask entered, and two DNS server entries. If you only have one DNS server on the corporate network, enter a single address. If you have more than two DNS servers and want the ISA firewall to use more than two, click the Advanced button and then the DNS tab to enter additional DNS servers.
The figure below shows the external interface of a correctly configured ISA firewall. The external interface of this ISA firewall is on a private address segment behind an upstream FiOS (15Mbps) line. The LAN interface of the FiOS router is 192.168.123.100, so the ISA firewall's external interface uses that IP address as its default gateway.
Last but not least, you need to create an Access Rule allowing the internal DNS server outbound access to the DNS protocol, so it can resolve Internet host names through the ISA firewall.
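The rules in the router-in-front and DNS sections above can be checked on the ISA firewall itself. The following PowerShell script is an added example, not code from the original article or from Microsoft: it reads the adapter settings through WMI (so it runs on the PowerShell 1.0 that was available for Windows Server 2003) and reports any setting that contradicts the article. The connection names "Internal" and "External" and the DNS server addresses 10.0.0.10 and 10.0.0.11 are constructed values; change them to match your network.

```powershell
# Added example: audit an ISA firewall's adapters against this article's rules.
# Assumed (hypothetical) values: connection names and internal DNS servers.
$InternalName = 'Internal'
$ExternalName = 'External'
$InternalDns  = @('10.0.0.10', '10.0.0.11')

# Dotted-quad -> UInt32 so two addresses can be compared under a subnet mask.
function ConvertTo-UInt32([string]$Ip) {
    $b = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()
    [Array]::Reverse($b)
    [BitConverter]::ToUInt32($b, 0)
}
function Test-SameNetwork([string]$IpA, [string]$IpB, [string]$Mask) {
    $m = ConvertTo-UInt32 $Mask
    ((ConvertTo-UInt32 $IpA) -band $m) -eq ((ConvertTo-UInt32 $IpB) -band $m)
}

$problems = @()

# Friendly connection names live on Win32_NetworkAdapter; IP settings live on
# Win32_NetworkAdapterConfiguration. Both classes share the Index value.
$names = @{}
Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.NetConnectionID } |
    ForEach-Object { $names[$_.Index] = $_.NetConnectionID }
$configs = @{}
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=True' |
    Where-Object { $names.ContainsKey($_.Index) } |
    ForEach-Object { $configs[$names[$_.Index]] = $_ }

$int = $configs[$InternalName]
$ext = $configs[$ExternalName]
if (-not $int) { throw "No IP-enabled adapter named '$InternalName'" }
if (-not $ext) { throw "No IP-enabled adapter named '$ExternalName'" }

# Rule: two or more NICs.
if ($configs.Count -lt 2) { $problems += 'The ISA firewall needs two or more NICs' }

# Rule: the internal interface uses ONLY internal DNS servers; the external
# interface has no DNS servers at all.
$intDns = @($int.DNSServerSearchOrder)
if ($intDns.Count -eq 0) { $problems += "'$InternalName' has no DNS server configured" }
foreach ($d in $intDns) {
    if ($InternalDns -notcontains $d) { $problems += "'$InternalName' uses non-internal DNS server $d" }
}
if (@($ext.DNSServerSearchOrder).Count -gt 0) {
    $problems += "'$ExternalName' has DNS servers configured; remove them"
}

# Rule: the internal interface is first in the binding order. Windows stores
# the Advanced Settings connection order in Tcpip\Linkage\Bind as
# \Device\{GUID} entries; the GUID equals the configuration's SettingID.
$bind = @((Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage').Bind)
$ordered = @(foreach ($entry in $bind) {
    foreach ($c in $configs.Values) { if ($entry -like "*$($c.SettingID)") { $c } }
})
if ($ordered.Count -gt 0 -and $ordered[0].SettingID -ne $int.SettingID) {
    $problems += "'$InternalName' is not first in the binding order (Advanced Settings)"
}

# Rule: the external interface's default gateway (the router's LAN address)
# sits on the same network ID as the external interface itself.
$gw = @($ext.DefaultIPGateway)
if ($gw.Count -eq 0) {
    $problems += "'$ExternalName' has no default gateway (should be the router's LAN address)"
} elseif (-not (Test-SameNetwork $ext.IPAddress[0] $gw[0] $ext.IPSubnet[0])) {
    $problems += "'$ExternalName' gateway $($gw[0]) is not on the same network as $($ext.IPAddress[0])"
}

if ($problems.Count -eq 0) { 'Adapter configuration matches the recommended settings.' }
else { $problems | ForEach-Object { "PROBLEM: $_" } }
```

Run it in an elevated PowerShell session on the ISA firewall. The script only inspects the adapters; it does not create the DNS Access Rule, which you still add in the ISA firewall console.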
If you set up your supporting network services first, put a router in front of any ISA firewall whose external interface would otherwise use dynamic addressing, install two or more NICs, configure an internal DNS server on the internal interface and never put external DNS servers on any of the ISA firewall's interfaces, your setup will go much more smoothly and you'll have a great experience with your ISA firewall.