Creating Multiple Security Perimeters with a Multihomed ISA Firewall Part 2: Defining the Goals and Configuring the ISA Firewall Networks and Network Rules with Specific Attention to the Front-end Exchange Server

Creating Multiple Security Perimeters with a Multihomed ISA Firewall
Part 2: Defining the Goals and Configuring the ISA Firewall Networks and Network Rules with Specific Attention to the Front-end Exchange Server
by Thomas W Shinder MD, MVP



Have Questions about the article? 
Ask at: http://tinyurl.com/7eeg2 

If you missed the other articles in this series, check them out at:

In part 1 of this article series on configuring a multihomed ISA firewall to support multiple DMZ segments, we went over DMZ design principles and discussed the different types of DMZs the ISA firewall can support. We also went over in detail the differences between authenticated access and anonymous DMZ segments, and how we can securely place a front-end Exchange Server on an authenticated access DMZ while removing the front-end Exchange Server from the same security zone on which the back-end Exchange Server lies.

In this, part two of the series, we’ll define our example network and the access controls we’ll create to allow communications through the ISA firewall.

Figure 1 provides a high level view of the example network. The ISA firewall has four network interfaces:

  • An external interface that connects the ISA firewall to the Internet. This is the interface with the default gateway configured on it. The external interface of the ISA firewall is configured with two IP addresses, so that we can create two Web listeners: one Web listener used for inbound connections to the OWA site, and the other used for other Exchange Server services, including OMA, Exchange ActiveSync, and Outlook 2003 RPC/HTTP
  • A default Internal Network containing the corporate network clients, domain controllers, and other corporate network servers and services. The default Internal Network is on network ID 10.0.0.0/24. The back-end Exchange Server is located on a domain controller, and the IP address of the back-end Exchange Server/DC is 10.0.0.2. The Internal interface of the ISA firewall is at IP address 10.0.0.1.
  • An authenticated access DMZ containing the front-end Exchange Server. The authenticated access DMZ is on network ID 10.0.1.0/24. The IP address of the front-end Exchange Server is 10.0.1.2 and the IP address of DMZ interface on the ISA firewall is 10.0.1.1. The default gateway on the front-end Exchange Server is the IP address on the DMZ interface (10.0.1.1)
  • An anonymous access DMZ segment containing a Windows Server 2003 IIS server hosting anonymous inbound SMTP and FTP connections. The SMTP server acts as an inbound SMTP relay for e-mail destined to the back-end ISA firewall. The anonymous access DMZ is on network ID 172.16.0.0/16. The IP address of the server in the anonymous access DMZ is 172.16.0.2. The IP address on the ISA firewall’s interface on the anonymous access DMZ is 172.16.0.1. The default gateway on the anonymous access DMZ is the IP address on the ISA firewall’s anonymous access DMZ interface, which is 172.16.0.1.


Figure 1

Firewall Policy Supporting the Front-end Exchange Server in the Authenticated Access DMZ

The ISA firewall will be configured to allow authenticated connections to the front-end Exchange Server in the authenticated access DMZ segment. Access Rules will be created to allow the following protocols from the Internet to the front-end Exchange Servers:

  • HTTPS to support inbound connections for OWA, OMA, Exchange ActiveSync and RPC over HTTP. The ISA firewall will be configured to pre-authenticate connections to these services before the connections are forwarded to the front-end Exchange Server. After the ISA firewall authenticates and authorizes the connection, then the connection is forwarded to the front-end Exchange Server.
  • POP3S to allow secure inbound POP3 connections to the front-end Exchange Server. The TLS secured connection will protect the user credentials that would otherwise be exposed to intruders on the Internet.
  • IMAP4S to allow secure inbound IMAP4 connections to the front-end Exchange Server. The TLS secured connection will protect the user credentials that would otherwise be exposed to intruders on the Internet.
  • SMTPS/SMTP to allow secure inbound SMTP connections to the front-end Exchange Server. The front-end Exchange Server will be configured to allow authenticated users, who have successfully created a TLS-secured connection, to relay to external domains from the front-end Exchange Server. This two-pronged approach helps prevent spammers from using the front-end Exchange Server as an inbound SMTP relay. However, we will limit the user account that can relay to a single account with an obscure name and complex password to simplify management and thwart password guessing attacks by spammers.


Figure 2

Figure 3 shows that the ISA firewall will be configured to allow required protocols from the front-end Exchange Server to the domain controller and back-end Exchange Server on the corporate network.

An Access Rule will be created to allow the following intradomain communications protocols from the front-end Exchange Server to the domain controller:

  • Kerberos-Adm (UDP)
  • Kerberos-Sec (TCP)
  • Kerberos-Sec (UDP)
  • LDAP
  • LDAP (UDP)
  • LDAP GC (Global Catalog)
  • Microsoft  CIFS (TCP)
  • Microsoft CIFS (UDP)
  •  NTP (UDP)
  • Ping
  • RPC (all interfaces)
  • DNS

A second Access Rule is created on the ISA firewall to allow the front-end Exchange Server to communicate with the back-end Exchange Server using the following protocols:

  • HTTP
  • IMAP4
  • POP3
  • Link State-Algorithm Routing

A third Access Rule will be created to allow the front-end Exchange Server outbound access from the authenticated access DMZ segment to the Internet using the SMTP protocol. This Access Rule allows the front-end Exchange Server to route Internet-bound e-mail from authenticated users to the appropriate Internet SMTP servers.

Note that the front-end Exchange Server also needs to be able to resolve these MX domain names. The front-end Exchange Server will be able to use the DNS server on the Internal network to resolve these names to the correct IP address of the destination domain’s SMTP server.


Figure 3

Firewall Policy Supporting Communications to and from the Anonymous Access DMZ Server

The ISA Firewall will be configured with Server Publishing Rules allowing inbound SMTP, DNS and FTP connections to the server on the anonymous access DMZ. No pre-authentication will be performed at the ISA firewall and no authentication will be required at the server itself.


Figure 4

Another Server Publishing Rule will be created to allow inbound connections from the anonymous access SMTP server to the back-end Exchange Server on the corporate network. The anonymous access SMTP server relays only e-mail destined for the corporate network domain. All other e-mail is dropped and authentication is disabled on the anonymous access inbound SMTP relay. This will help prevent spammers from trying to guess credentials and subsequently relaying through the SMTP server.


Figure 5

Server Publishing Rule to Support Secure Exchange RPC Publishing for Outlook MAPI Clients

The front-end Exchange Server does not support proxying of secure Exchange RPC communications, except for clients using Outlook 2003 and then they must use RPC/HTTP. If you have Outlook clients that do not support RPC/HTTP, you can still provide remote access support for the full Outlook client by using a Secure Exchange RPC Server Publishing Rule. We will create a Server Publishing Rule that publishes the back-end Exchange Server using the Secure Exchange RPC Protocol Definition to provide support for the non-Outlook 2003 full Outlook MAPI clients.


Figure 6

Outbound Access Rules Supporting Clients on the Default Internal Network

Hosts on the corporate network (default Internal Network) will need to access content on the Internet and on the anonymous access DMZ segment. We will create an Access Rule allowing all authenticated users access to all protocols on the Internet. Another Access Rule will enable the DNS server to use the DNS protocol anonymously when connecting to the Internet. We need to allow the DNS server to connect anonymously, since there are typically no logged on users at the DNS server, and we want to avoid installing the Firewall client on network servers. A third Access Rule will be created to allow authenticated users on the corporate network access to the FTP server on the DMZ segment.


Figure 7

Defining the Route Relationship between ISA Firewall Networks

A significant design decision for the multihomed multi-perimeter ISA firewall is the route relationship between the ISA firewall Networks. The ISA firewall enables you to create ISA firewall Networks, which exist as collections of IP addresses located behind each NIC on an ISA firewall.

In the example used in this article series, there are four ISA firewall Networks:

  • The default External Network
  • The default Internal Network
  • The Authenticated Access DMZ
  • The Anonymous Access DMZ

Each of these ISA firewall Networks consists of a collection of IP addresses behind the ISA firewall NIC connected to each of these Networks. Each of the ISA firewall Networks include a collection of IP addresses that you define, with the exception of the default External Network. The default External Network is defined as all addresses that are not part of any other ISA firewall Network.

We will create Network Rules that both connect and define the route relationship between the following ISA firewall Networks:

  • Default Internal Network to default External Network = NAT
  • Default Internal Network to Anonymous Access DMZ = NAT
  • Default Internal Network to Authenticated Access DMZ = Route
  • Authenticated Access DMZ to the default External Network = NAT
  • Anonymous Access DMZ to default External Network = NAT

We won’t create a rule for each of these relationships, as we can consolidate many of these relationships into the default Internet access Network Rule. We’ll go through the details of the Network Rules configuration later in this article.

Note that we’re using a Route relationship between the default Internal Network and the authenticated access DMZ. The reason for this is that we need to support intradomain communications between the authenticated DMZ segment and the default Internal Network. Kerberos does not work across a NAT device, so we must set the route relationship between the source and destination Networks.


Figure 8

In the following sections we will perform the following procedures:

  • Create the Anonymous Access DMZ ISA Firewall Network
  • Create the Authenticated Access DMZ ISA Firewall Network
  • Add the Anonymous Access DMZ and Authenticated Access DMZ ISA Firewall Networks as Source Networks to the Internet Access Network Rule
  • Create a Network Rule that sets a Route Relationship between the default Internal Network and the Authenticated Access DMZ
  • Create a Network Rule that sets a NAT Relationship between the default Internal Network and the Anonymous Access DMZ

Have Questions about the article? 
Ask at: http://tinyurl.com/7eeg2 

Create the Anonymous Access DMZ ISA Firewall Network

In order to create Access Rules and Network Rules controlling access and routing relationship between Networks, we need to first create the ISA firewall Networks. Perform the following steps to create the Anonymous Access DMZ ISA Firewall Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Networks tab in the details pane. Click the Tasks tab in the Task Pane and click the Create a New Network Rule link.
  3. On the Welcome to the New Network Wizard page, enter a name for the new ISA firewall Network in the Network name text box. In this example, we’ll name the Network Authenticated DMZ. Click Next.
  4. On the Network Type page, select the Perimeter Network option and click Next.


Figure 9

  1. On the Network Addresses page, click the Add button. In the IP Address Range Properties dialog box, put in the start and end address in the Authenticated Access DMZ. In this example the start address is 10.0.1.0 and the end address is 10.0.1.255. Enter those values and click OK.


Figure 10

  1. Click Next on the Network Addresses page.
  2. Click Finish on the Completing the New Network Wizard page.

Create the Authenticated Access DMZ ISA Firewall Network

Perform the following steps to create the Anonymous Access DMZ ISA firewall Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Networks tab in the details pane. Click the Tasks tab in the Task Pane and click the Create a New Network Rule link.
  3. On the Welcome to the New Network Wizard page, enter a name for the new ISA firewall Network in the Network name text box. In this example, we’ll name the Network Anonymous DMZ. Click Next.
  4. On the Network Type page, select the Perimeter Network option and click Next.


Figure 11

  1. On the Network Addresses page, click the Add button. In the IP Address Range Properties dialog box, put in the start and end address in the Authenticated Access DMZ. In this example the start address is 172.16.0.0 and the end address is 172.16.0.255. Enter those values and click OK.


Figure 12

  1. Click Next on the Network Addresses page.

  2. Click Finish on the Completing the New Network Wizard page.

Add the Anonymous Access DMZ and Authenticated Access DMZ ISA Firewall Networks as Source Networks to the Internet Access Network Rule

As mentioned earlier in the article, we need to set a NAT relationship between all of the ISA firewall Protected Networks and the Internet. We could create these rules individually, but its easier to just add the new ISA firewall Networks (Authenticated DMZ and Anonymous DMZ) as Source Networks to the existing Internet Access Network Rule, which already defines a NAT relationship for the default Internal and VPN Clients ISA firewall Networks.

Perform the following steps to add the Anonymous DMZ and Authenticated DMZ ISA firewall Networks to the Internet Access Network Rule:

  1. In the ISA firewall console, on the Networks node, click the Network Rules tab.

  2. On the Network Rules tab, double click on the Internet Access Network Rule.

  3. In the Internet Access Properties dialog box, click the Source Networks tab.

  4. On the Source Networks tab, click the Add button.

  5. In the Add Network Entities dialog box, click the Networks folder and then double click the Anonymous DMZ and Authenticated DMZ entries. Click Close.


Figure 13

  1. Click OK in the Internet Access Properties dialog box


Figure 14

Create a Network Rule that sets a Route Relationship between the default Internal Network and the Authenticated Access DMZ

We need to set a route relationship between the default Internal Network and the Authenticated DMZ ISA firewall Network. The reason for this is that the front-end Exchange Server is located in the Authenticated DMZ and intradomain communications must pass between the front-end Exchange Server and domain controller on the default Internal Network. Intradomain communications do not work properly across a NAT.

Perform the following step to create the Network Rule settings a Route relationship between the default Internal Network and the Authenticated DMZ ISA firewall Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Network Rules tab.
  3. On the Network Rules tab, click the Tasks tab in the Task Pane and click the Create a New Network Rule link.
  4. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name the rule Internal – Authenticated DMZ and click Next.
  5. Click Add on the Network Traffic Sources page.
  6. In the Add Network Entities dialog box, click the Networks folder and then double click the Authenticated DMZ entry. Click Close.
  7. Click Next on the Network Traffic Sources page.
  8. Click Add on the Network Traffic Destinations page.
  9. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal entry. Click Close.
  10. Click Next on the Network Traffic Destinations page.
  11. On the Network Relationship page, select the Route option and click Next.


Figure 15

  1. Click Finish on the Completing the New Network Rule Wizard page.

Create a Network Rule that sets a NAT Relationship between the default Internal Network and the Anonymous Access DMZ

A Network Rule is required to connect the default Internal Network to the Anonymous DMZ ISA firewall Network. Since intradomain communications are not required between the default Internal Network and the Anonymous DMZ ISA firewall Network, we will use a NAT relationship and later use a Server Publishing Rule to allow the SMTP server on the anonymous DMZ to communicate with the back-end ISA firewall.

Perform the following steps to create the Network Rule setting a NAT relationship between the default Internal Network and the Anonymous DMZ ISA firewall Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Network Rules tab.
  3. On the Network Rules tab, click the Tasks tab in the Task Pane and click the Create a New Network Rule link.
  4. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name the rule Internal – Anonymous DMZ and click Next.
  5. Click Add on the Network Traffic Sources page.
  6. In the Add Network Entities dialog box, click the Networks folder and then double click the Internal entry. Click Close.
  7. Click Next on the Network Traffic Sources page.
  8. Click Add on the Network Traffic Destinations page.
  9. In the Add Network Entities dialog box, click the Networks folder and then double click the Anonymous DMZ entry. Click Close.
  10. Click Next on the Network Traffic Destinations page.
  11. On the Network Relationship page, select the NAT option and click Next.


Figure 16

  1. Click Finish on the Completing the New Network Rule Wizard page.

Have Questions about the article? 
Ask at: http://tinyurl.com/7eeg2 

Summary

In this article, part 2 in our series on configuring a multihomed ISA firewall to create multiple security perimeters, we went over the design goals for the example network we’re creating in this series. The design goals were displayed graphically and included the ISA firewall rules and route relationships between the various ISA firewall Networks. In the next article in these series we’ll continue the configuration by creating the Publishing and Access Rules required to support communications to and from the front-end Exchange Server through the ISA firewall.

If you missed the other articles in this series, check them out at:

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top