Of all the mysteries confronted by the ISA Server administrator, perhaps the most difficult one to solve is how to configure intradomain communications across the ISA Server. For over a year, the consensus opinion has been that intradomain communications could not take place across an ISA Server because of problems with dynamic protocol/port assignments, Kerberos, and a variety of other "hand-waving" explanations. I admit to being part of this hand-waving crowd, because I didn't know precisely what caused intradomain communications to fail across an ISA Server. This article seeks to correct that omission. There is a way to allow intradomain communications across an ISA Server, and because it is possible, you can make a server on a DMZ segment a member of the internal network domain. While I certainly do not recommend this configuration for security reasons, many ISA Server administrators have sought out the solution to this problem to meet corporate requirements, in spite of the high security risks of doing so. In this article we'll cover the following subjects:
Configuring ISA Server 2000: Building Firewalls for Windows 2000
By Deb and Tom Shinder
After you have completed this article and performed the steps in this lab, you will be able to install and configure a DMZ host and join that DMZ host to the internal network domain without having to move the server into the internal network first. Note: This article provides an example of the type of content you will get in the ISA Server Lab Series. If you find this kind of content helpful, check out the lab series information and consider buying the entire lab series. You'll be the smartest ISA Server admin on the block!
Installing and Configuring the Internal Network Domain Controller
Installing and configuring the internal network domain controller is relatively straightforward. The only special changes you have to make are a couple of registry entries on the domain controller and the DNS configuration. In this section we will cover the following topics:
Installing the Server
The first step is configuring the domain controller. When you install Windows 2000 on the domain controller, include the following services:
You will want the WWW service available in case you wish to run things like the Certificate Services Web enrollment pages. The DHCP server is not required, but you might find it handy if you want to experiment with WPAD settings or assign IP addresses to VPN clients. We won't cover these topics in this lab, but will do so in future labs.

When configuring the NIC on the domain controller, use the following settings:
IP address: a valid IP address on your internal subnet
Subnet mask: the subnet mask for your internal subnet
Default gateway: the internal IP address of the ISA Server
DNS server: the IP address of the domain controller's own interface
WINS server: the IP address of the domain controller's own interface

In this lab, the domain controller has the following IP address settings:
IP address: 10.0.0.2
Subnet mask: 255.255.255.0
Default gateway: 10.0.0.1
DNS server: 10.0.0.2
WINS server: 10.0.0.2

Note: It is important that you configure the domain controller's interface to register with DNS. You can configure this in the Advanced tab of the TCP/IP Properties of the interface. The machine should use itself as its preferred DNS server and WINS server. This ensures that all the appropriate IP address information is entered into the DNS and WINS databases, and it is required to make the promotion of the machine to a domain controller go as smoothly as possible.
Configuring DNS
DNS configuration is critical both for proper communications with the DMZ host and for the successful promotion of this machine to a domain controller. Perform the following steps to configure DNS on the domain controller:
Running the Active Directory Wizard
Now that DNS is configured, we can run the dcpromo application to promote the machine to a domain controller:
It'll take a while for the computer to restart, as the machine adds the Active Directory related records to the dynamic DNS server and then attempts to find and configure itself based on those records. After the machine restarts, log in again as an Administrator.
Configure the Registry Entries
The DMZ host will need to use RPC to communicate with the internal network DC. RPC is less than friendly to most firewalls: a client first asks the endpoint mapper on TCP 135 where a service is listening and is handed back a dynamically assigned port, so the firewall cannot know in advance which ports to open. To get around this we make some registry changes on the DC that confine those dynamic RPC ports to a fixed range that the ISA Server can publish. You need to create the following registry entries:
Key: HKLM\SOFTWARE\Microsoft\RPC\Internet
Named Value: Ports
Named Value: PortsInternetAvailable
Named Value: UseInternetPorts
You will need to create the key and then create the value entries within it. We'll create the first value to show how it's done:
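As an added example (not part of the original article, whose screenshots show the same values being entered in regedit), the following PowerShell script creates the three RPC\Internet values on the DC and reads them back. The key and value names and the "Y" flag values are the ones Microsoft documents for restricting RPC dynamic port allocation; the port range 5001-5100 is an assumption chosen to sit above Windows 2000's default ephemeral range (1025-5000), and the article's own lab range is not shown here. Windows 2000 itself did not ship PowerShell, so treat this as a modern restatement of the regedit steps rather than something you would run on the lab DC.

```powershell
# Added example, not from the article: confine the DC's dynamic RPC endpoints
# to a fixed range so the ISA Server only has to publish TCP 135 plus that range.
# Key/value names come from Microsoft's RPC documentation; the range is assumed.
$RpcKey   = 'HKLM:\SOFTWARE\Microsoft\Rpc\Internet'
$RpcRange = '5001-5100'   # assumption: any range above the 1025-5000 ephemeral range works

function Set-RpcInternetPorts {
    param([string]$Range = $RpcRange)
    if (-not (Test-Path $RpcKey)) {
        New-Item -Path $RpcKey -Force | Out-Null
    }
    # Ports is REG_MULTI_SZ: one range (or single port) per string.
    New-ItemProperty -Path $RpcKey -Name 'Ports' -PropertyType MultiString `
        -Value @($Range) -Force | Out-Null
    # Both flags are REG_SZ and must be 'Y' before the Ports list is honoured.
    New-ItemProperty -Path $RpcKey -Name 'PortsInternetAvailable' -PropertyType String `
        -Value 'Y' -Force | Out-Null
    New-ItemProperty -Path $RpcKey -Name 'UseInternetPorts' -PropertyType String `
        -Value 'Y' -Force | Out-Null
}

function Test-RpcInternetPorts {
    # Returns $true only when all three values exist and are consistent with each other.
    if (-not (Test-Path $RpcKey)) { return $false }
    $p = Get-ItemProperty -Path $RpcKey
    return [bool]($p.Ports -and $p.PortsInternetAvailable -eq 'Y' -and $p.UseInternetPorts -eq 'Y')
}

Set-RpcInternetPorts
if (Test-RpcInternetPorts) {
    "RPC endpoints will be allocated from $RpcRange after the next restart."
    "Publish TCP 135 plus TCP $RpcRange on the ISA Server; the Protocol Definition must match this range exactly."
}
```

Two caveats worth keeping in mind: the setting only takes effect after the restart the article calls for, and it applies to every RPC server on the DC, not just the Active Directory services, so size the range for everything that machine runs.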
After the registry changes have been added, restart the server.
Installing and Configuring ISA Server
Installation and configuration of the ISA Server will keep you a bit busier, mostly because you have a number of Protocol Definitions and Server Publishing Rules to create. There are a few other tweaks you have to make to the ISA Server in order to open up the port for Direct Hosting. In this section, we'll go over the following subjects:
Note: This is not a complete installation and configuration guide for ISA Server. The installation and configuration presented in this section addresses only the issue of allowing intradomain communications through the ISA Server from the DMZ host.
Installing the Server
When installing the server, keep the following facts in mind:
Always remember that you do not want to make your ISA Server a general purpose File/Print/Whatever server. That means this ISA Server will not be a domain controller, a DNS server, a WINS server, a DHCP server, a Quake server, an Exchange server, a SQL Server, or any other kind of server. This ISA Server will be your firewall and Web caching server only.

Internal interface configuration on the ISA Server:
IP address: a valid IP address on your internal subnet
Subnet mask: the subnet mask for your internal subnet
Default gateway: EMPTY
DNS server: the IP address of the domain controller's interface
WINS server: the IP address of the domain controller's interface

In this lab, the ISA Server internal interface has the following IP address settings:
IP address: 10.0.0.1
Subnet mask: 255.255.255.0
Default gateway: EMPTY
DNS server: 10.0.0.2
WINS server: 10.0.0.2

External interface configuration on the ISA Server:
IP address: a valid IP address on your DMZ
Subnet mask: the subnet mask for your DMZ
Default gateway: the internal interface of the external ISA Server, the LAN interface of your router, or the internal interface of your third-party firewall
DNS server: the IP address of the internal network domain controller, or empty
WINS server: EMPTY

In this lab, the ISA Server external interface has the following IP address settings:
IP address: 192.168.1.220
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.7
DNS server: EMPTY
WINS server: EMPTY

Install ISA Server
The ISA Server installation does not require any special considerations. In this lab, we'll configure the ISA Server in integrated mode.
Now that ISA Server is installed, we can begin entering the new Protocol Definitions required to create the Server Publishing Rules we need to allow intradomain communications through the ISA Server. Create new Protocol Definitions based on the entries in the following table:
In case you don't know how to create a Protocol Definition, just expand your server name, and then expand the Policy Elements node. Right click the Protocol Definitions node, point to New and click Definition. After creating the Protocol Definitions, create the Server Publishing Rules included in the following table:
In case you don't know how to create a Server Publishing Rule, just expand your server name, and then expand the Publishing node. Right click the Server Publishing Rules node, point to New and click Rule. When you're done, you'll have the rules shown in the figure below. Packet filtering is enabled by default, so you don't need to enable it manually. You can run the netstat -na command on the ISA Server to confirm that the ports opened by the Server Publishing Rules are indeed listening.
Disabling the Services
In order to get the Direct Hosting Server Publishing Rule to work correctly, you need to prevent NetBIOS over TCP/IP (NetBT) from binding to port 445; as long as nbt.sys owns that port, the ISA Server cannot publish it. Unfortunately, on Windows 2000 the only way to do this is to disable nbt.sys. One side effect of disabling nbt.sys is that you won't be able to run File and Printer Sharing on the ISA Server. While this is generally considered a good thing, it prevents clients from installing the Firewall Client software from a share on the ISA Server. You'll have to move the installation files to another machine and manually configure the mspclnt.ini file in the shared folder. Once the Firewall Client has been configured through autodetection, it obtains subsequent changes to the file directly from the ISA Server. Perform the following steps to disable nbt.sys and related services:
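The netstat check above is worth doing systematically rather than by eye, because a firewall that is listening on anything beyond the published ports is exposing extra attack surface to the DMZ. The following PowerShell script is an added example, not part of the article: it parses netstat -an output, keeps only TCP sockets in the LISTENING state and all UDP sockets, and reports what is missing from and what is extra beyond an expected list. The expected list is the standard set of ports a Windows 2000 domain member needs to reach its DC (DNS, Kerberos, RPC endpoint mapper, LDAP, SMB direct hosting, time), not a transcript of the article's Protocol Definition table, which is not reproduced here; the RPC range 5001-5100 is an assumption and must match whatever you put in the DC's registry. The sample output is constructed, not captured from the lab.

```powershell
# Added example, not from the article: compare the ISA Server's actual listeners
# against the ports the Server Publishing Rules should have opened.
# Expected set = standard Windows 2000 domain-member traffic to a DC (assumption,
# not the article's table). RPC range is assumed and must match the DC registry.
$Expected = @(
    'TCP/53',  'UDP/53',       # DNS
    'TCP/88',  'UDP/88',       # Kerberos
    'TCP/135',                 # RPC endpoint mapper
    'TCP/389', 'UDP/389',      # LDAP
    'TCP/445',                 # SMB direct hosting (only publishable once nbt.sys is disabled)
    'UDP/123'                  # W32Time
)
$RpcLow  = 5001
$RpcHigh = 5100

function Get-ListeningPorts {
    param([string[]]$NetstatLines)   # output of: netstat -an
    $ports = New-Object 'System.Collections.Generic.HashSet[string]'
    foreach ($line in $NetstatLines) {
        $f = $line.Trim() -split '\s+'
        if ($f.Count -lt 2) { continue }
        $proto = $f[0].ToUpper()
        if ($proto -ne 'TCP' -and $proto -ne 'UDP') { continue }
        # TCP sockets only count when LISTENING; UDP sockets carry no state column.
        if ($proto -eq 'TCP' -and ($f.Count -lt 4 -or $f[3] -ne 'LISTENING')) { continue }
        $port = ($f[1] -split ':')[-1]          # last field survives IPv6 [::]:port too
        [void]$ports.Add("$proto/$port")
    }
    return $ports
}

function Compare-Listeners {
    param([string[]]$NetstatLines, [string[]]$Wanted, [int]$Low, [int]$High)
    $actual     = Get-ListeningPorts $NetstatLines
    $missing    = @($Wanted | Where-Object { -not $actual.Contains($_) })
    $unexpected = @($actual | Where-Object {
        $proto, $port = $_ -split '/'
        $inRpcRange = ($proto -eq 'TCP' -and [int]$port -ge $Low -and [int]$port -le $High)
        -not ($Wanted -contains $_) -and -not $inRpcRange
    })
    [pscustomobject]@{ Missing = $missing; Unexpected = $unexpected }
}

# Constructed sample (not a lab capture). TCP 389 is absent, so the LDAP rule is not
# publishing; TCP 139 is present, so nbt.sys is still bound and 445 may not be ISA's.
$Sample = @'
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:53             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5003           0.0.0.0:0              LISTENING
  TCP    192.168.1.220:8080     192.168.1.225:1034     ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:88             *:*
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:389            *:*
'@ -split "`r?`n"

$result = Compare-Listeners -NetstatLines $Sample -Wanted $Expected -Low $RpcLow -High $RpcHigh
'Missing (rule not publishing):     ' + ($result.Missing -join ', ')
'Unexpected (extra attack surface): ' + ($result.Unexpected -join ', ')

# On the ISA Server itself, feed it live output instead of the sample:
# Compare-Listeners -NetstatLines (netstat -an) -Wanted $Expected -Low $RpcLow -High $RpcHigh
```

With the constructed sample the script reports TCP/389 as missing and TCP/139 as unexpected; on a real ISA Server, anything in the unexpected column that is not the Web Proxy listener on the internal interface deserves an explanation before the DMZ host is joined to the domain.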
After making the changes, restart the ISA Server computer.
Installing and Configuring the DMZ Host
We're almost done! All we have to do now is install the DMZ host computer and then join that computer to the domain across the ISA Server. Topics we'll cover here include:
The DMZ host computer can run any service you want it to run, and it should run all the services you want available for public access. Always remember that the DMZ host is your sacrificial lamb: you expect this machine to be compromised at some time. Whenever services are made available to the public, you risk that they will be compromised. That's why you put them on a DMZ host.
Installing the Server
When installing the DMZ host machine, keep the following considerations in mind:
Interface configuration on the DMZ host:
IP address: a valid IP address on your DMZ
Subnet mask: the subnet mask for your DMZ
Default gateway: the internal interface of the external ISA Server, the LAN interface of your router, or the internal interface of your third-party firewall
DNS server: the IP address of the external interface of the ISA Server
WINS server: EMPTY

In this lab, the DMZ host has the following IP address settings:
IP address: 192.168.1.225
Subnet mask: 255.255.255.0
Default gateway: 192.168.1.7
DNS server: 192.168.1.220
WINS server: EMPTY

You should also disable File and Printer Sharing. However, if you need to access shared folders on the DMZ host, you will need to leave File and Printer Sharing enabled. Be aware that this isn't the optimal security configuration; but then, since you're joining the DMZ host to the internal network domain, optimal security configuration isn't your foremost concern.
Configuring DNS
What we need to do now is make the DMZ host a secondary DNS server for the internal network's zone. Keep in mind what this means: a zone transfer copies the entire internal Active Directory zone, including the SRV and host records that map out your internal infrastructure, onto a machine you expect to be compromised. It is one more reason this configuration is not recommended. Perform the following steps to accomplish this task:
Now let’s create the forward lookup zone:
Now for the moment of truth! Let’s join the DMZ host to the internal network domain.
After the computer restarts, log on as Administrator in the internal network domain. Want to have some fun? Try this:
How about some more fun? Create a Protocol Rule that allows outbound access to Direct Hosting. Do this:
After creating the Protocol Definition for the Direct Hosting Outbound protocol, create a Protocol Rule that allows internal network access to the protocol. After creating the Protocol Rule, open the Run command on an internal network computer and type \\DMZHOST. (Note that this will NOT work on the ISA Server itself, since nbt.sys has been disabled there.) You'll be treated to the shared folders on the DMZ host, as seen below.
Conclusion
As you can see after performing the steps described in this article, it is indeed possible to join a server in a DMZ to the internal network domain. There are security concerns, some of which can be addressed after joining the machine to the domain. If you don't need File and Printer Sharing on the DMZ host, disable that feature; this disables the Server service on the machine. The Direct Hosting Server Publishing Rule is also somewhat concerning. However, you can create access controls that mitigate, to a certain extent, what can be accessed from the external network. Another thing to consider is limiting the Server Publishing Rules so that only the DMZ host(s) can reach them, rather than any address on the external network. No matter how you cut it, you violate the DMZ security zone when you join a DMZ host to the internal network domain. But I've seen a lot of people ask for this functionality, so I'm delivering the info. Please let me know how this works for you, and how you handle the security implications of this configuration. This article discussed advanced ISA Server concepts. If you are new to ISA Server, or need some help with the ISA Server "big picture" and want to know how and why this stuff works, check out the Learning Zone and, as always, you must buy the book!