Placing ISA Server 2000 into Networks with an Existing Firewall Infrastructure and Other ISA Server 2000 Firewall Topologies

Most organizations already have a firewall infrastructure in place. Smaller companies may have a simple SOHO NAT router with basic packet filtering and forwarding capabilities and large companies have high performance packet filtering-based firewall solutions. Companies of all sizes have a significant investment both in terms of up front costs of the hardware devices themselves and administrator education required to maintain these firewalls. It’s not realistic to expect organizations with a significant capital outlay to “rip and replace” their current firewall infrastructure and use ISA Server 2000 firewalls in their place.

Companies without a current firewall infrastructure don’t have these issues. However, they do have questions about where to place their ISA Server 2000 firewalls, how many are required, and what scenarios require them to place the ISA Server 2000 firewalls in specific configurations.

Questions from firewall administrators from both of these groups appear on the ISAServer.org Web boards and mailing list every day. Answers to these questions vary based on the specific requirements brought up in each question. However, there are a core number of firewall topologies that form the basis of most answers for the question “where should I place the ISA Server 2000 firewall?”

In this article we’ll review a set of common and popular ISA Server 2000 firewall topologies. Some of these topologies include how to place the ISA Server 2000 firewall into an existing firewall infrastructure and some of them demonstrate how to configure a secure, ISA Server 2000-only firewall solution.

The specific topologies or scenarios discussed include:

Smaller organizations that do not already have a large investment in a current firewall infrastructure may wish to make the ISA Server 2000 firewall a front-end firewall. The front-end firewall has a network interface on the corporate network and a network interface directly connected to the Internet. All communications into and out of the corporate network are exposed to ISA Server 2000’s deep application layer inspection.

The advantages of this configuration include:

The figure below shows the network topology for the ISA Server 2000 front-end firewall placement.

Organizations with an existing firewall infrastructure may prefer to leave the current firewalls in place and put the ISA Server 2000 firewall behind the current firewalls. This topology allows third party firewalls to provide high speed packet filtering (stateful filtering) before forwarding the remaining packets to the application aware (stateful inspection) ISA Server 2000 firewall. The network between the third party front-end firewalls is a perimeter network where publicly accessible services can be placed.

The third-party packet filtering firewalls have an interface directly connected to the Internet and an interface connected to a perimeter network between the third-party packet filtering firewalls and the ISA Server 2000 application layer aware firewall. The ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected, corporate LAN.

Advantages of this configuration include:

The figure below shows the topology of the ISA Server 2000 back-end firewall topology.

The ISA Server 2000 front-end and back-end firewall configuration uses ISA Server 2000 as the Internet edge firewall and the corporate LAN edge firewall. The front-end ISA Server 2000 firewall has an interface directly connected to the Internet and an interface on the DMZ segment between the two ISA Server 2000 firewalls. The back-end ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected, corporate LAN.

Advantages of this configuration include:

The figure below shows the topology for the ISA Server 2000 front-end back-end firewall configuration.

Some organizations already have an existing firewall infrastructure including both front-end and back-end firewalls. These organizations have a large investment in their current firewall infrastructure and prefer to leave it intact. These companies can still leverage ISA Server 2000’s application layer filtering features by making the ISA Server an application layer filtering proxy. This ISA Server 2000 Web proxy can be placed on the DMZ segment between front-end and back-end third party packet filtering firewalls or you can place the ISA Server 2000 application layer proxy on the corporate network.

Advantages of the application layer filtering proxy configuration include:

The figure below shows the topology of the application layer filtering proxy configuration.

Secure Exchange RPC Publishing Rules allow your full Outlook MAPI clients to access the full range of Exchange Server services on the corporate network. This method of access also provides the highest level of security can you attain for inbound connections to the corporate Exchange Server. Secure Exchange RPC publishing also affords users the greatest level of satisfaction as they can use the same Outlook client while on the corporate network or when they’re on the road.

There are three scenarios specific to secure Exchange RPC publishing that do not require static packet filters on a front end firewall and one requiring static packet filters.

The first scenario uses the ISA Server 2000 firewall as the front end firewall. This provides a very high level of protection for the corporate network and obviates the need for static packet filters which could endanger network segments located behind a traditional stateful packet filtering device. A secure Exchange RPC Server Publishing Rule is the only requirement. The secure Exchange RPC filter listens for incoming connections on TCP port 135 and dynamically manages ephemeral ports required for the secure Outlook MAPI client connections.

The figure below shows the ISA Server 2000 front-end firewall topology.

The second secure Exchange RPC publishing scenario involves using ISA Server 2000 as the front-end and back-end firewall. In this scenario the front-end ISA Server 2000 firewall publishes the external IP address on the back-end ISA Server 2000 firewall. The front-end ISA Server 2000 firewall provides a high level of protection for servers placed on the DMZ segment between the ISA Server 2000 firewalls and for machines located on the corporate network. The back-end ISA Server 2000 firewall publishes the IP address of the Exchange Server on the corporate network. No static packet filters are required and only TCP port 135 is allowed inbound on both the front-end and back-end ISA Server 2000 firewalls.

The figure below shows the topology for the front-end and back-end ISA Server 2000 secure RPC Server Publishing scenario.

Organizations with an existing firewall infrastructure may wish to take advantage of the rapid packet-passing features of their current firewall solution, but still want to provide the very high level of protection a front-end ISA Server 2000 firewall provides. The solution to this problem is to use a mixed firewall infrastructure. The existing packet filtering firewall provides very fast hardware-based packet transmission (because it cannot perform stateful inspection), and the intelligent ISA Server 2000 firewall provides crucial application aware security (stateful inspection) for the published Exchange Server via its secure Exchange RPC application filter.

The packet filtering firewall can be configured to receive inbound communications for machines on the DMZ segment that have been subjected to an intensive host-based hardening program. The packet filtering firewall is not be able to examine exploits contained within the application layer, so host-based system hardening is the primary method of defense for these servers. Inbound connections to secure Exchange RPC and other Microsoft services (OWA, IIS, Sharepoint, SMTP, POP3, DNS) can be secured by the ISA Server 2000 firewall.

The figure below shows the topology for the ISA Server 2000 and packet filtering firewall front-end firewalls and ISA Server 2000 back end firewall scenario.

Many organizations already have an existing front-end firewall solution in place and wish to keep the current front-end firewall infrastructure. These companies can place an intelligent ISA Server 2000 application layer filtering firewall behind the current front-end firewall infrastructure. This configuration takes advantage of reduced overhead by avoiding a reconfiguration of the current firewall infrastructure and it also takes advantage of the advanced firewall protection ISA Server 2000 can provide the corporate network.

The front-end firewall requires a number of static packet filters to support the secure Exchange RPC Server Publishing Rule. Special care is required when configuring the static packet filters to prevent servers located on the perimeter network from being compromised. The corporate network located behind the ISA Server 2000 firewall is protected by the secure Exchange RPC filter (and other application filters) and therefore is at reduced risk of attack.

The figure below shows the packet filtering front-end firewall ISA Server 2000 back-end firewall topology.

The SMTP filter always runs on the ISA Server 2000 firewall computer. However, you can place the SMTP Message Screener on another computer located on the protected network behind the ISA Server 2000 firewall. The SMTP Message Screener can be installed in the following locations:

Message filtering requires a significant amount of processing power. For this reason, most organizations prefer to put the SMTP Message Screener on the ISA Server 2000 firewall computer or on an SMTP relay located somewhere on the corporate network.

The SMTP Message Screener can be installed on an SMTP relay computer on the corporate network running the IIS 5.0 or IIS 6.0 SMTP service. The ISA Server 2000 firewall publishes the SMTP relay on the internal network and the Message Screener blocks dangerous email at the SMTP relay computer. The SMTP Message Screener communicates with the SMTP filter to obtain information about what email should be blocked.

The figure below shows the topology of the SMTP Message Screener on a dedicated SMTP relay configuration.

Many organizations prefer to use a “one box” solution. In the one-box solution the SMTP Message Screener is located on the ISA Server 2000 firewall itself. This simplifies setup and management of the SMTP Message Screener and reduces hardware and software configuration overhead.

In this scenario the ISA Server 2000 firewall acts as an spam and attachment filtering SMTP relay. The IIS SMTP service is installed on the ISA Server 2000 firewall and processes the incoming SMTP Messages. The SMTP Message Screener filters spam, viruses and attachments and relays the safe email messages to the Exchange Server on the corporate network.

Note:
In both this scenario and the one where the SMTP Message Screener is installed on a dedicated SMTP relay, the ISA Server 2000 firewall can be integrated into an existing firewall infrastructure. The ISA Server 2000 firewall can act as a back-end firewall or an application layer filtering SMTP proxy located on the perimeter network. The only requirement is that the front-end firewall forward inbound SMTP messages to the ISA Server 2000 firewall machine.

This is the most popular configuration because of the lower hardware and configuration overhead. The remainder of this document provides detailed step by step procedures for configuring the ISA Server 2000 firewall as a secure, spam and virus filtering SMTP relay.

ISA Server 2000 firewalls can be placed on networks with an existing firewall infrastructure and on networks without a current firewall solution. ISA Server 2000 flexibility allows you to take advantage of its sophisticated application layer filtering features without requiring you to remove or make major changes to your current firewall configuration. In this article we examined several different firewall topologies where ISA Server 2000 is configured as a front-end firewall, back-end firewall and application layer filtering (stateful inspection) proxy.