Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 4: Configuring the Edge ISA Firewall

by Thomas W Shinder MD, MVP



Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=29;t=000181

If you missed the other parts of this series please read:

Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 1
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 2
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 3
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 5


In the first three parts of this series on configuring a network services segment behind an ISA firewall, we began by going over concepts and considerations in creating perimeter networks. In part 2, we discussed the initial configuration of the network services perimeter ISA firewall. In part 3 we continued configuring the network services perimeter ISA firewall by adding Web Publishing Rules, Server Publishing Rules and Access Rules.

In this, part 4 of the series, we’ll move our attention to the edge ISA firewall. In this article we’ll perform the following procedures on the edge ISA firewall:

  • Configure the Default Internal Network and Create a Routing Table Entry on the Edge ISA Firewall
  • Join the Front-end ISA Firewall to the Active Directory Domain
  • Create Access Rules on the Edge ISA Firewall Controlling Outbound Access from Corpnet Hosts and Hosts on the Network Services Segment
  • Create Publishing Rules on the Edge ISA Firewall to Allow Inbound Connections to the Exchange Server Mail Services

As a reminder, the figure below provides a high level view of the sample network used in this article series.


Figure A

Configure the Default Internal Network on the Edge ISA Firewall

When the edge ISA firewall was installed, it took its definition of the default Internal Network from the routing table on the edge ISA firewall device. The routing table entries indicated to the ISA firewall installer that the addresses 10.0.1.0-10.0.1.255 should be included in the definition of its default Internal Network. This would be a correct configuration if the only network behind the edge ISA firewall were on network ID 10.0.1.0/24. However, in our scenario this is an incorrect configuration and will cause problems with access controls on connections to and from the network services segment through the edge ISA firewall.

The reason for the problem with the initial settings for the default Internal Network on edge ISA firewall is that there is a Route relationship between the Corpnet ISA firewall Network (which is the edge ISA firewall’s default Internal Network) and the default Internal Network behind the network services segment ISA firewall. Because there is a route relationship, connections from SecureNAT clients located behind the network services perimeter ISA firewall will reach the edge ISA firewall with their original client IP address included as the source address (note that this is not the case with proxied connections by Winsock [Firewall] and Web proxy clients). If we leave the edge ISA firewall’s default Internal Network definition as it is now, then connections from SecureNAT clients located behind the network services perimeter ISA firewall will be detected as spoofed packets.

ISA firewall Networks are used to determine the validity of connections reaching the interface that is the “root” of a particular ISA firewall Network. For the edge ISA firewall, the root of its default Internal Network is the internal interface which is on network ID 10.0.1.0/24. Any connections with a source IP address on that network ID are seen as valid.

However, if a connection with a source IP address that is not part of the edge ISA firewall’s default Internal Network’s definition is made through the interface that is the root of the edge ISA firewall’s default Internal Network (which is the internal interface of the edge ISA firewall), then the connection is dropped as a spoof attempt. The ISA firewall assumes that it’s not possible for an interface to accept a connection from a host on an ISA firewall Network that isn’t the same as that for which the interface is root.

Note:
I’m using the term “root” to represent a point of exit and departure. The term “root” does not imply that the NIC’s IP address or network ID defines what network IDs or subnets can be placed behind a NIC. You can put contiguous or discontinuous network IDs behind any NIC. The only requirements are that all IP addresses located behind any NIC on the ISA firewall must be included in the ISA firewall Network for which that NIC is “root” and that no other ISA firewall Network includes the same addresses.

We can easily solve this problem by adding the IP addresses included in the network services perimeter ISA firewall’s default Internal Network (which is the network services segment) to the definition of the edge ISA firewall’s default Internal Network definition.
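To make the spoof-detection behaviour described above concrete, here is a small model of how an ISA firewall Network definition decides whether a packet arriving on a NIC is valid. This is an added example, not ISA Server code: each NIC is the root of exactly one Network, a packet is valid only if its source address belongs to the Network rooted at the NIC it arrived on, the External Network is implicitly everything not in another Network, and no address may belong to two Networks. The addresses (10.0.1.0/24 for Corpnet, 10.0.0.0/24 for the network services segment, 10.0.1.2 for the back-end firewall’s external interface) are the article’s; the NIC names are assumed labels.

```python
"""How an ISA 2004 firewall decides whether a packet arriving on a NIC is spoofed.

Added example, not ISA Server code. It models the rule the article describes:
each NIC is the "root" of exactly one ISA firewall Network, a packet arriving on a
NIC is valid only if its source address belongs to that NIC's Network, and no
address may belong to two Networks. The External Network is implicit: every
address that is in no other Network.
"""
import ipaddress

EXTERNAL = "External"


def _as_int(ip):
    return int(ipaddress.IPv4Address(ip))


class IsaNetworks:
    """Address ranges per ISA firewall Network, and which NIC is root of which."""

    def __init__(self):
        self.ranges = {}   # network name -> list of (first, last) as ints
        self.root_of = {}  # NIC name (assumed label) -> network name

    def define(self, name, nic, ranges=()):
        if name != EXTERNAL:           # External has no explicit ranges
            self.ranges.setdefault(name, [])
            try:
                for first, last in ranges:
                    self.add_range(name, first, last)
            except ValueError:
                self.ranges.pop(name)  # leave no half-defined Network behind
                raise
        self.root_of[nic] = name

    def add_range(self, name, first, last):
        """Add first-last to Network `name`, refusing overlap with any other Network."""
        lo, hi = _as_int(first), _as_int(last)
        if lo > hi:
            raise ValueError("start address is after end address")
        for other, existing in self.ranges.items():
            if other != name and any(lo <= b and a <= hi for a, b in existing):
                raise ValueError(f"{first}-{last} already belongs to {other}")
        self.ranges[name].append((lo, hi))

    def network_of(self, ip):
        """Explicit Network containing ip, or the implicit External."""
        n = _as_int(ip)
        for name, existing in self.ranges.items():
            if any(a <= n <= b for a, b in existing):
                return name
        return EXTERNAL

    def classify(self, nic, src_ip):
        """'valid' if src_ip belongs to the Network rooted at nic, else 'spoofed'."""
        return "valid" if self.network_of(src_ip) == self.root_of[nic] else "spoofed"


def overlap_rejected(nets, name, nic, first, last):
    """True if defining a new Network with this range is refused as overlapping."""
    try:
        nets.define(name, nic, [(first, last)])
    except ValueError:
        return True
    return False


def source_seen_by_edge(client_ip, relationship, back_end_external_ip="10.0.1.2"):
    """Source address the edge firewall sees for a SecureNAT client behind the
    back-end firewall: unchanged over a Route relationship, the back-end's
    external address (10.0.1.2 in the article) over a NAT relationship."""
    return client_ip if relationship == "Route" else back_end_external_ip


def edge_firewall_before():
    """Edge ISA as installed: Internal = 10.0.1.0-10.0.1.255 only."""
    edge = IsaNetworks()
    edge.define(EXTERNAL, nic="External NIC")
    edge.define("Internal", nic="Internal NIC", ranges=[("10.0.1.0", "10.0.1.255")])
    return edge


def edge_firewall_after():
    """Same firewall after the article's fix: network services segment added."""
    edge = edge_firewall_before()
    edge.add_range("Internal", "10.0.0.0", "10.0.0.255")
    return edge


if __name__ == "__main__":
    # Over the Route relationship the original client address reaches the edge.
    src = source_seen_by_edge("10.0.0.5", "Route")
    for build in (edge_firewall_before, edge_firewall_after):
        print(f"{build.__name__}: {src} on Internal NIC -> "
              f"{build().classify('Internal NIC', src)}")
    print("private source on External NIC ->",
          edge_firewall_after().classify("External NIC", "10.0.1.7"))
```

Running the block shows the two states side by side: with the installed definition a packet from 10.0.0.5 on the internal NIC is classified as spoofed, and after the network services segment range is added it is valid; the same model also rejects an attempt to place 10.0.0.0-10.0.0.255 in a second Network, which is the “no other ISA firewall Network includes the same addresses” requirement from the note above.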

Add IP Addresses of the Network Services Perimeter Segment to the Front-End ISA Firewall’s Default Internal Network

Perform the following steps to add the IP addresses of the network services perimeter ISA firewall’s default Internal Network to the definition of the front-end ISA firewall’s default Internal Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click on the Networks node.
  2. On the Networks node, click the Networks tab in the details pane, then double click the Internal Network.
  3. In the Internal Properties dialog box, click the Addresses tab.
  4. On the Addresses tab, click the Add button.
  5. In the IP Address Range Properties dialog box, enter the Starting address and the Ending address in the text boxes. In this example we’ll enter 10.0.0.0 and 10.0.0.255, respectively. Click OK.


Figure 1

  6. Click OK in the Internal Properties dialog box.


Figure 2

IP addressing information for hosts on the Corpnet is determined by your requirements. The most secure configuration is to not provide users with a default gateway address that provides a route to the Internet. This forces all users to use the Firewall client and Web proxy configuration, which can be used to enforce strong user/group-based access controls, as well as block applications installed on users’ computers from accessing the Internet. This also prevents users from using non-Winsock or Web proxy compliant applications, such as ICMP utilities like PING and TRACERT.

Administrative users and servers can be configured with gateway addresses that route to the Internet. Administrators require the use of ICMP based utilities, and servers do not have logged on users, so both admins and servers require the facilities provided by the SecureNAT client configuration.

Create a Routing Table Entry on the Edge ISA Firewall

A routing table entry must be configured on the edge ISA firewall so that it knows the path to take to reach the network services segment. The ISA firewall should always be configured with routing table entries for all network IDs that can’t be reached using the default gateway. In practice, this usually means that, except for Internet addresses, there should be a routing table entry on the ISA firewall for all network IDs on your corporate network.

Note that if your ISA firewall is configured with a default gateway pointing to a LAN router, and all network IDs are reachable from that router, then there’s no reason to enter all network IDs in the ISA firewall’s routing table, since the LAN router is doing the router duties.

At the edge ISA firewall, open a command prompt and enter the following:

route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2

Where 10.0.0.0 is the network ID for the network services segment behind the network service perimeter ISA firewall, 255.255.255.0 is the subnet mask for that network ID, and 10.0.1.2 is the IP address on the external interface of the back-end ISA firewall.

The figure below shows an example of configuring the routing table entry.


Figure 3

Join the Edge ISA Firewall to the Domain

The edge ISA firewall should be a member of the domain so that you can fully leverage both the Firewall and Web proxy client configuration. While you can use RADIUS authentication for Web proxy clients, there are significant limitations to RADIUS authentication in both the logging and management realms. For this reason, I recommend that you avoid RADIUS authentication if at all possible. In addition, you must make the edge ISA firewall a domain member if you want to fully leverage the enhanced security and flexibility provided by the Firewall client.

The edge ISA firewall will be able to use the intradomain communications Access Rule created on the network services perimeter ISA firewall to access the domain controller. The edge ISA firewall is configured to use the DNS server on the network services segment and the DNS server on the network services segment is configured to support name resolution within the network and also for Internet host names.

Create Access Rules on the Edge ISA Firewall Controlling Outbound Access from Corpnet Hosts and Hosts on the Network Services Segment

Firewall policy on the edge ISA firewall will be highly customized based on your own network’s security requirements. You will need to decide together with your network security team who should have access to what sites and Web site at what times of day. Firewall policy is definitely something where one size does not fit all.

In the example provided by our sample network configuration, all hosts on the Corpnet ISA firewall Network are configured as Firewall and Web proxy clients and are not configured as SecureNAT clients. The only exception is for administrator workstations, since network administrators will need access to non-Winsock protocols and utilities, such as PING and TRACERT.

We will create the following Access Rules:

  • An Access Rule allowing the DC on the network services segment access to DNS outbound
  • An Access Rule allowing all authenticated users outbound access to all protocols. Note that in a production environment, you would create more granular access controls and create ISA firewall Groups that allow users to access only the content they require to get their jobs done
  • An Access Rule allowing the servers on the network services segment access to the Windows reporting and Microsoft Update sites. We need this rule because the servers on the network services segment do not have logged on users, so we will not be able to leverage the Firewall client to force authentication from server connections.

Table 1 shows the salient characteristics of these Access Rules.

Table 1: Access Rules on the edge ISA Firewall

Order  Name                              Action  Protocols             From/Listener            To                                                            Condition
-----  --------------------------------  ------  --------------------  -----------------------  ------------------------------------------------------------  -----------------------
1      MU and Error Reporting – Servers  Allow   HTTP, HTTPS           Network Service Segment  Microsoft Error Reporting Sites, System Policy Allowed Sites  All Users
2      Outbound DNS for DNS Server       Allow   DNS                   DNS Server*              External                                                      All Users
3      All Open – Authenticated          Allow   All Outbound Traffic  Internal                 External                                                      All Authenticated Users

* Note discussion below on the From configuration for this Access Rule

Create the Outbound DNS for DNS Server Access Rule

Perform the following steps to create the Access Rule allowing the domain controller on the network services segment outbound access to the DNS protocol:

  1. On the edge ISA firewall, open the ISA firewall console and click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click Create New Access Rule.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule Outbound DNS for DNS Server and click Next.
  4. Select the Allow option on the Rule Action page. Click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
  6. In the Add Protocols dialog box, click the Common Protocols folder and double click on the DNS entry. Click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the New menu and click Computer.
  10. In the New Computer Rule Element dialog box, enter a name for the computer in the Name text box. In this example we’ll name the computer DNS Server. Enter the IP address of the external interface of the network services segment perimeter ISA firewall. Note that we use the IP address of the external interface of the perimeter ISA firewall because there is a NAT relationship between the perimeter ISA firewall’s default Internal Network and its default External Network. Since the DNS queries the DNS server makes are to Internet-based DNS servers, the connection will be NATed. When the connection is NATed, the source IP address of the outbound connection is the primary IP address on the external interface of the perimeter ISA firewall. In this example, the IP address is 10.0.1.2, so we’ll enter that address. Enter an optional description if you like. Click OK.


Figure 4

  11. In the Add Network Entities dialog box, click the Computers folder and double click the DNS Server entry. Click Close.


Figure 5

  12. Click Next on the Access Rule Sources page.
  13. Click Add on the Access Rule Destinations page.
  14. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close.
  15. Click Next on the Access Rule Destinations page.
  16. Click Next on the User Sets page.
  17. Click Finish on the Completing the New Access Rule Wizard page.


Create the All Open Rule for Authenticated Users

Perform the following steps to create the outbound Access Rule allowing all authenticated users outbound access to all protocols and sites:

  1. On the edge ISA firewall, open the ISA firewall console and click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click Create New Access Rule.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule All Open — Authenticated and click Next.
  4. Select the Allow option on the Rule Action page. Click Next.
  5. On the Protocols page, select the All outbound traffic option from the This rule applies to list and click Next.
  6. Click Next on the Protocols page.
  7. On the Access Rule Sources page, click the Add button.
  8. In the Add Network Entities dialog box, click the Networks folder and then double click Internal. Click Close.
  9. Click Next on the Access Rule Sources page.
  10. Click Add on the Access Rule Destinations page.
  11. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close.
  12. Click Next on the Access Rule Destinations page.
  13. On the User Sets page, click the All Users entry and click Remove. Click Add.
  14. In the Add Users dialog box, double click on the All Authenticated Users entry and click Close.


Figure 6

  15. Click Next on the User Sets page.
  16. Click Finish on the Completing the New Access Rule Wizard page.

Create the Microsoft Update and Error Reporting Sites Access Rule

Perform the following steps to create the Access Rule allowing servers on the network services segment access to the Windows Update sites and the Microsoft Error Reporting sites:

  1. On the edge ISA firewall, open the ISA firewall console and click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click Create New Access Rule.
  3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule MU and Error Reporting — Servers and click Next.
  4. Select the Allow option on the Rule Action page. Click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
  6. In the Add Protocols dialog box, click the Common Protocols folder and double click on the HTTP and HTTPS entries. Click Close.
  7. Click Next on the Protocols page.


Figure 7

  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the New menu and click Address Range.
  10. In the New Address Range Rule Element dialog box, enter a name for the address range in the Name text box. In this example we’ll name it Network Services Segment. Enter the start and end addresses in the Start Address and End Address text boxes. Enter an optional description and then click OK.


Figure 8

  11. In the Add Network Entities dialog box, click the Address Ranges folder and double click the Network Services Segment entry. Click Close.


Figure 9

  12. Click Next on the Access Rule Sources page.
  13. Click Add on the Access Rule Destinations page.
  14. In the Add Network Entities dialog box, click the Domain Name Sets folder and double click Microsoft Error Reporting sites and System Policy Allowed Sites. Click Close.


Figure 10

  15. Click Next on the Access Rule Destinations page.
  16. Click Next on the User Sets page.
  17. Click Finish on the Completing the New Access Rule Wizard page.

Before applying the configuration to the ISA firewall’s firewall policy, make sure that you put the unauthenticated Access Rules before the authenticated rules. This is a good general approach to ordering firewall rules on your ISA firewall.
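The rule-ordering advice above follows from first-match evaluation of the three Access Rules in Table 1. The following added example (not ISA Server code) models that evaluation in Python: the address elements use the article’s addresses, the domain name set contents are constructed samples, and the model assumes that when a rule matches a request on protocol, source and destination but applies only to All Authenticated Users, a client that cannot present credentials (a SecureNAT server, or an anonymous Web proxy request) is denied at that rule rather than falling through. Under that assumption, moving the authenticated rule above the server rule silently blocks the servers’ Microsoft Update traffic.

```python
"""First-match evaluation of the edge ISA firewall's Access Rules (Table 1).

Added example, not ISA Server code. Rule elements are plain Python data with the
addresses the article gives; the domain name set contents are constructed
samples. Modelling assumption: when a rule matches a request on protocol,
source and destination but applies only to authenticated users, and the client
cannot present credentials (a SecureNAT client, or an anonymous Web proxy
request), evaluation stops at that rule and the request is denied. That is why
the article places the All Users rules above the All Authenticated Users rule.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Set


def _rng(first, last):
    return (int(ipaddress.IPv4Address(first)), int(ipaddress.IPv4Address(last)))


# Address-based rule elements (addresses from the article).
ADDRESS_SETS = {
    "Internal": [_rng("10.0.1.0", "10.0.1.255"), _rng("10.0.0.0", "10.0.0.255")],
    "Network Services Segment": [_rng("10.0.0.0", "10.0.0.255")],
    "DNS Server": [_rng("10.0.1.2", "10.0.1.2")],  # NATed source: back-end external address
}
# Domain name sets; entries are constructed samples, not the console's real contents.
DOMAIN_SETS = {
    "Microsoft Error Reporting Sites": ["watson.example.net"],
    "System Policy Allowed Sites": ["update.example.net", "download.example.net"],
}


@dataclass
class Rule:
    order: int
    name: str
    protocols: Optional[Set[str]]   # None means "All outbound traffic"
    sources: List[str]
    destinations: List[str]         # address set, domain name set, or "External"
    authenticated_only: bool        # All Authenticated Users vs All Users


@dataclass
class Request:
    protocol: str
    src_ip: str
    dest_host: str
    dest_ip: str
    user: Optional[str] = None      # None: anonymous (a SecureNAT client has no user)


def _ip_in(ip, set_names):
    n = int(ipaddress.IPv4Address(ip))
    return any(a <= n <= b for name in set_names for a, b in ADDRESS_SETS.get(name, []))


def _dest_matches(req, names):
    for name in names:
        if name == "External" and not _ip_in(req.dest_ip, ["Internal"]):
            return True
        if name in DOMAIN_SETS and any(req.dest_host == d or req.dest_host.endswith("." + d)
                                       for d in DOMAIN_SETS[name]):
            return True
        if name in ADDRESS_SETS and _ip_in(req.dest_ip, [name]):
            return True
    return False


def evaluate(rules, req):
    """Walk the rules in order; return (verdict, reason) from the first match."""
    for rule in sorted(rules, key=lambda r: r.order):
        if rule.protocols is not None and req.protocol not in rule.protocols:
            continue
        if not _ip_in(req.src_ip, rule.sources) or not _dest_matches(req, rule.destinations):
            continue
        if rule.authenticated_only and req.user is None:
            return "deny", f"{rule.name}: authentication required"
        return "allow", rule.name
    return "deny", "default rule"          # ISA's implicit final deny


TABLE_1 = [
    Rule(1, "MU and Error Reporting - Servers", {"HTTP", "HTTPS"},
         ["Network Services Segment"],
         ["Microsoft Error Reporting Sites", "System Policy Allowed Sites"], False),
    Rule(2, "Outbound DNS for DNS Server", {"DNS"}, ["DNS Server"], ["External"], False),
    Rule(3, "All Open - Authenticated", None, ["Internal"], ["External"], True),
]


def authenticated_rule_first(rules):
    """The same rules with the All Authenticated Users rule moved to the top."""
    return [Rule(0 if r.authenticated_only else r.order, r.name, r.protocols,
                 r.sources, r.destinations, r.authenticated_only) for r in rules]


if __name__ == "__main__":
    # Constructed requests: the Exchange server (SecureNAT, no user) fetching updates,
    # the DNS server's NATed query, a Firewall client user, and an anonymous workstation.
    samples = [
        Request("HTTP", "10.0.0.2", "download.example.net", "198.51.100.10"),
        Request("DNS", "10.0.1.2", "ns.example.net", "198.51.100.53"),
        Request("FTP", "10.0.1.50", "ftp.example.net", "198.51.100.21", user="CORP\\alice"),
        Request("HTTP", "10.0.1.50", "www.example.net", "198.51.100.80"),
    ]
    for req in samples:
        print(req.protocol, req.src_ip, "->", req.dest_host, evaluate(TABLE_1, req))
    print("authenticated rule first:", evaluate(authenticated_rule_first(TABLE_1), samples[0]))
```

The last line of output is the point of the ordering advice: the same server request that rule 1 allows is denied with “authentication required” once the All Open – Authenticated rule sits above it, because the server has no logged-on user to authenticate with.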

Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box. Your firewall policy should look like that in the figure below.


Figure 11

Create Publishing Rules on the Edge ISA Firewall to Allow Inbound Connections to the Exchange Server Mail Services

Now we’re ready to create publishing rules allowing access to Exchange Server services for users on the Internet. We’ll create Server Publishing Rules that allow access to the OWA, Secure Exchange RPC, SMTP, POP3 and IMAP4 services.

Create an SSL Server Publishing Rule on the Network Services Perimeter ISA Firewall

We begin by creating an SSL Server Publishing Rule on the front-end ISA firewall. We must create a Server Publishing Rule instead of a Web Publishing Rule because the OWA form generated by the network services perimeter ISA firewall cannot deliver the logon form through a Web proxy connection on the edge ISA firewall. The SSL Server Publishing Rule will enable a secure end-to-end connection but will not allow the edge ISA firewall to perform stateful application layer inspection on the SSL connection moving through the edge ISA firewall.

This is a limitation of our sample network design and should not be construed to imply that you can never use OWA FBA in a back-to-back ISA firewall configuration. For example, suppose you have a back-to-back ISA firewall configuration with a DMZ between the front-end and back-end ISA firewalls. You can use FBA on the front-end ISA firewall and configure the front-end ISA firewall’s OWA Web Publishing Rule to forward basic credentials to the back-end ISA firewall’s Web Publishing Rule. The back-end ISA firewall is configured to use basic authentication. In this case, we have single sign-on with FBA.

Create the Network Services Perimeter Network OWA Web Publishing Rule

Perform the following steps on the edge ISA firewall to enable inbound access to the network services perimeter ISA firewall’s OWA Web Publishing Rule:

  1. In the ISA firewall console, expand the server name and click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane and then click the Publish a Secure Web Server link.
  3. On the Welcome to the SSL Web Publishing Rule Wizard page, enter a name for the rule in the SSL Web Publishing Rule name text box. In this example we’ll name the rule SSL tunnel to OWA and click Next.
  4. On the Publishing Mode page, select the SSL Tunneling option and click Next.


Figure 12

  5. On the Select Server page, enter the IP address of the external interface of the network services perimeter ISA firewall. This is the address used by the listener on the OWA Web Publishing Rule on the network services perimeter ISA firewall. In this example the IP address is 10.0.1.2, so we’ll enter that address and click Next.


Figure 13

  6. On the IP Addresses page, put a checkmark in the External checkbox and click Next.
  7. Click Finish on the Completing the New SSL Web Publishing Rule Wizard page.

At this point, your firewall policy should look like that in the figure below.


Figure 14

Create Secure Exchange RPC, SMTP, POP3 and IMAP4 Server Publishing Rules

The next step is to create the Server Publishing Rules on the edge ISA firewall that provide access to the Server Publishing Rules configured on the network services perimeter ISA firewall. These Server Publishing Rules enable Internet based hosts access to the Exchange Server services on the network services segment.

Create the Mail Server Publishing Rules

Perform the following steps to create the Server Publishing Rules on the edge ISA firewall:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click the Publish a Mail Server link.
  3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we’ll name the rule Exchange Server and click Next.
  4. On the Select Access Type page, select the Client access: RPC, IMAP, POP3, SMTP option and click Next.


Figure 15

  5. On the Select Services page, put a checkmark in each of the checkboxes. This will allow us to connect to the Exchange Server on the network services segment through the network services perimeter ISA firewall for all the services listed on this page. Note the comment on the page regarding the SMTP Message Screener. We will not deploy the message screener in this example, but you might want to consider it in your own deployment. You can install the SMTP Message Screener on the ISA firewall to filter both inbound and outbound mail. Even though the SMTP Message Screener won’t be enabled, the SMTP filter is enabled and will protect SMTP communications. Click Next.


Figure 16

  6. On the Select Server page, enter the IP address of the Exchange Server on the network services segment in the Server IP address text box. In this example, the IP address is 10.0.0.2, so we enter that value. Click Next.
  7. On the IP Addresses page, put a checkmark in the External checkbox. Click Next.
  8. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.

Your Firewall Policy should appear similar to that in the figure below. Note that the Mail Server Publishing Rule Wizard added seven new Server Publishing Rules. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.


Figure 17

There is one more thing we need to do on the edge ISA firewall to make the Server Publishing Rules work correctly. Because there is a Route relationship between the Corpnet ISA firewall Network and the network services segment, we will need to change the Server Publishing Rules on the edge ISA firewall so that the client requests appear to come from the edge ISA firewall. This allows us to use the Server Publishing Rules we created on the network services perimeter ISA firewall where the listener is listening on the Corpnet ISA firewall Network.

Configure the Server Publishing Rules to Use the ISA Firewall’s Address as the Source IP Address

For each of the Server Publishing Rules created by Mail Server Publishing Wizard, perform the following steps:

  1. Double click on one of the Server Publishing Rules created by the Server Publishing Rule Wizard.
  2. In the Properties dialog box for that rule, click the To tab.
  3. On the To tab, select the Requests appear to come from the ISA Server computer option. Click OK.


Figure 18

  4. Repeat the procedure for all the Server Publishing Rules created by the Mail Server Publishing Rule Wizard.
  5. Click Apply to save the changes and update the firewall policy.
  6. Click OK in the Apply New Configuration dialog box.


Summary

In this, part 4 of our series on creating a network services segment using an internal ISA firewall, we moved our attention to the edge ISA firewall. We created Server Publishing Rules that allow inbound access to Exchange Server services through the edge ISA firewall so that users located on the Internet are able to reach Exchange services from any location in the world. In the next article in this series, we’ll configure hosts on the Corpnet ISA firewall Network, configure the internal DNS and configure the settings used by Firewall and Web proxy clients.
