Allowing Intradomain Communications Through an ISA Server.

Of all the mysteries confronted by the ISA Server administrator, perhaps the most difficult one to solve is how to configure intradomain communications across the ISA Server. For over a year, it has been consensus opinion that intradomain communications could not take place across an ISA Server because of problems with dynamic protocol/port assignments, Kerberos, and a variety of other “hand-waving” explanations. I admit to being part of this hand-waving crowd because I didn’t know precisely the cause of intradomain communications failure across an ISA Server.

This article seeks to correct this omission of fact. There is a way to allow intradomain communications across an ISA Server. Because this is possible, you can make a server on a DMZ segment become a member of the internal network domain. While I certainly do not recommend this configuration for security reasons, many ISA Server administrators have sought out the solution to this problem to meet corporate requirements, in spite of the high security risks of doing so.

In this article we’ll cover the following subjects:
  • Installing and Configuring the internal network Domain Controller
  • Installing and Configuring the internal ISA Server
  • Installing and Configuring the DMZ Host Machine

    After you have completed this article and performed the steps in this lab, you will be able to install and configure a DMZ host and join that DMZ host to the internal network domain without having to move the server into the internal network first.

    Note:

    This article provides an example of the type of content you will get in the ISA Server Lab Series. If you find this kind of content helpful, check out the lab series information and consider buying the entire lab series. You’ll be the smartest ISA Server Admin on the block!

     

    Installing and Configuring the internal network Domain Controller

    Installing and configuring the internal network domain controller is relatively straightforward. The only special changes you have to make include a couple of registry entries on the domain controller and configuration of the DNS.

    In this section we will cover the following topics:

  • Installing the Server
  • Configuring DNS
  • Promoting to Domain Controller
  • Making Registry Changes

    Installing the Server

    The first step is configuring the domain controller. When you install Windows 2000 on the domain controller you need to include the following services:

  • IIS WWW service
  • DNS server
  • WINS server
  • DHCP server
  • Network Monitor
  • Install Service Pack 2 after installation is complete

    You will want the WWW service available in case you wish to run things like the Web based Certificates application. The DHCP server is not required, but you might find it handy if you want to experiment with WPAD settings or assign IP addresses to VPN clients. We won’t cover these topics in this lab, but will do so in future labs.

    When configuring the NIC on the Domain Controller, use the following settings:

    IP address: valid IP address on your subnet

    Subnet Mask: valid subnet mask on your subnet

    Default Gateway: internal IP address of the ISA Server

    DNS Server: IP address of the interface of the Domain Controller

    WINS Server: IP address of the interface of the Domain Controller

    In this lab, the domain controller has the following IP address settings:

    IP address: 10.0.0.2

    Subnet Mask: 255.255.255.0

    Default Gateway: 10.0.0.1

    DNS Server: 10.0.0.2

    WINS Server: 10.0.0.2

     

    Note:

    It is important that you configure the Domain Controller’s interface to register with DNS. You can configure this in the Advanced tab of the TCP/IP Properties of the interface.

    The machine should use itself as its Preferred DNS server and WINS server. This ensures that all appropriate IP address information is entered into the DNS and WINS databases and is required to make the promotion of the machine to a Domain Controller go as smoothly as possible.

    Configuring DNS

    DNS configuration is critical for both proper communications with the DMZ host and the successful promotion of this machine to be a domain controller. Perform the following steps to configure DNS on the domain controller:

    1. Open the DNS console from the Administrative Tools menu.
    2. We need to create two Reverse Lookup Zones. One Reverse Lookup Zone is for the internal network. The second Reverse Lookup Zone is for the DMZ segment. Expand all the nodes in the left pane of the DNS console and then right click on the Reverse Lookup Zones node and click New Zone.
    3. Click Next on the Welcome page.
    4. On the Zone Type page, select Standard Primary and click Next.
    5. On the Reverse Lookup Zone page, type in the network ID for the internal network. In this lab, we’ll use 10.0.0. Enter your network ID and click Next.
    6. On the Zone File page, accept the default zone file name and click Next.
    7. Click Finish on the Completing the New Zone Wizard page.
    8. Now repeat the same procedure, but this time use the network ID for your DMZ segment. In this example, use the network ID 192.168.1.
    9. You should now have two Reverse Lookup Zones.
    10. Right click on the 10.0.0.x Subnet Reverse Lookup Zone and click Properties.
    11. In the Properties dialog box of the Reverse Lookup Zone for the internal network, change the Allow Dynamic Updates setting to Yes. Click Apply and then click OK. Now repeat the process with the DMZ network Reverse Lookup Zone.
    12. Right click on the Forward Lookup Zones node in the left pane and click New Zone.
    13. Click Next on the Welcome page.
    14. On the Zone Type page, select the Standard Primary option and click Next.
    15. On the Zone Name page, type in the name of your internal network domain. In this example, we’ll use internal.net. Click Next.
    16. On the Zone File page, accept the default and click Next.
    17. Click Finish on the Completing the New Zone Wizard page.
    18. Click on the internal.net entry in the left pane of the console. Then right click on it and click New Host.
    19. In the New Host dialog box, type in the name of the Domain Controller. In this example, the name of the Domain Controller is DC. Enter the IP address and place a checkmark in the Create associated pointer (PTR) record checkbox. Click Add Host. Click OK in the information dialog box that appears.
    20. We now need to add a record for the DMZ host. In the New Host dialog box, type in the name of the DMZ host. In this lab, we’ll call the DMZ host dmzhost. Enter the DMZ host’s IP address and make sure the pointer record is created. In this lab the DMZ host will have the IP address 192.168.1.225. Click Add Host. Click OK in the information dialog box and then click Done in the New Host dialog box.
    21. Click on each of the Reverse Lookup Zones and make sure the PTR records were created. Refresh the display if the records don’t appear. You should now have two Host (A) records for the internal.net domain.
    22. Right click on the internal.net node in the left pane of the DNS console and click Properties. Change the Allow dynamic updates entry to Yes. Click Apply and then click OK.
    23. Right click on your server name in the left pane of the DNS console. Point to the All Tasks command and then click on the Restart command. After the DNS service has restarted, close the DNS console.

    Running the Active Directory Wizard

    Now that DNS is configured, we can run the dcpromo application to promote the machine to a domain controller:

    1. Click Run and then type dcpromo in the Open dialog box. Click OK.
    2. Click Next in the Welcome dialog box.
    3. Select the Domain controller for a new domain option and click Next.
    4. Select Create a new domain tree and click Next.
    5. Select Create a new forest of domain trees and click Next.
    6. In the New Domain Name page, type in the name of your internal network domain. In this lab we’ll use internal.net. Click Next.
    7. On the NetBIOS Domain Name page, accept the default name and click Next.
    8. Accept the default Database and Log Locations and click Next.
    9. Accept the default Shared System Volume location and click Next.
    10. You will see an error indicating the domain controller for the internal.net Active Directory cannot be found. Of course it can’t! We’re creating it now. Click OK.
    11. On the Configure DNS page, select the No, I will install and configure DNS myself option. We definitely do not want the Active Directory Wizard to create our DNS server configuration. Click Next.
    12. On the Permissions page, select the default and click Next.
    13. On the Directory Services Restore Mode Administrator Password page, type in the password and confirm the password. Click Next.
    14. Review the configuration on the Summary page and click Next.
    15. The Wizard will proceed to configure the Active Directory. When the Wizard has completed the configuration, click the Finish button. Click the Restart Now button.

    It’ll take a while for the computer to restart, as the machine adds the Active Directory related records to the dynamic DNS server and then attempts to find and configure itself based on the Active Directory related records added to the DDNS server. After the machine restarts, log in again as an Administrator.

    Configure the Registry Entries

    The DMZ host will need to use RPCs to communicate with the internal network DC. Because RPC is less than friendly to most Firewalls, we have to make some registry changes on the DC to allow the DMZ host to communicate with the internal network DC through the ISA Server.

    You need to create the following registry entries:

    Key: HKLM\SOFTWARE\Microsoft\RPC\Internet

    Named Value: Ports
    Type: REG_MULTI_SZ
    Setting: Ranges of ports, one per line:
    4001-4039
    9001-9099

    Named Value: PortsInternetAvailable
    Type: REG_SZ
    Setting: Y

    Named Value: UseInternetPorts
    Type: REG_SZ
    Setting: Y

    You will need to create the Key and then create the value entries within the Key. We’ll create the first value to show how it’s done:

    1. Click Start and then click Run. Type regedt32 in the Open dialog box and click OK.
    2. Drill down to the HKLM\SOFTWARE\Microsoft\RPC key in the left pane of the Registry Editor. Click the Edit menu and then click the Add Key command.
    3. In the Add Key dialog box, type Internet in the Key Name text box and click OK.
    4. Click on the Internet key. Click the Edit menu and click the Add Value command.
    5. In the Add Value dialog box, type Ports in the Value Name text box. Change the Data Type to REG_MULTI_SZ and click OK.
    6. In the Multi-String Editor dialog box, type in the ranges 4001-4039 and 9001-9039. Click OK.
    7. Now go ahead and create the other two Registry Values in the Registry Editor. Close the Registry Editor when you’re done.

    After the registry changes have been added, restart the Server.

    Installing and Configuring ISA Server

    Installation and configuration of the ISA Server will keep you a bit busier, mostly because you have a bunch of Protocol Definitions and Server Publishing Rules to create. There are a few other tweaks that you have to make to the ISA Server in order to allow you to open up ports for Direct Hosting.

    In this section, we’ll go over the following subjects:

  • Installing the Server
  • Installing ISA Server
  • Configuring ISA Server
  • Disabling the Services

    Note:

    This is not a complete installation and configuration guide for ISA Server. The installation and configuration presented in this section addresses only the issue of allowing intradomain communications through the ISA Server from the DMZ host.

     

    Installing the Server

    When installing the Server, keep the following facts in mind:

  • Do not install DNS on the ISA Server
  • Do not install WINS on the ISA Server
  • Do not install DHCP on the ISA Server
  • You will have to deploy the Firewall Client from an alternate location
  • The ISA Server will be a member of the internal network domain

    Always remember that you do not want to make your ISA Server a general purpose File/Print/Whatever server. That means this ISA Server will not be a domain controller, a DNS server, a WINS server, a DHCP server, a Quake server, an Exchange server, a SQL Server, or any other kind of server. This ISA Server will be your firewall and Web caching server only.

    Internal interface configuration on the ISA Server:

    IP address: valid IP address on your subnet

    Subnet Mask: valid subnet mask on your subnet

    Default Gateway: EMPTY

    DNS Server: IP address of the interface of the Domain Controller

    WINS Server: IP address of the interface of the Domain Controller

    In this lab, the ISA Server internal interface has the following IP address settings:

    IP address: 10.0.0.1

    Subnet Mask: 255.255.255.0

    Default Gateway: EMPTY

    DNS Server: 10.0.0.2

    WINS Server: 10.0.0.2

    External interface configuration of the ISA Server:

    IP address: valid IP address on your DMZ

    Subnet Mask: valid subnet mask on your DMZ

    Default Gateway: internal interface of the external ISA Server, LAN interface of your router, or internal interface of your 3rd party firewall

    DNS Server: IP address of the internal network Domain Controller or empty

    WINS Server: EMPTY

    In this lab, the ISA Server external interface has the following IP address settings:

    IP address: 192.168.1.220

    Subnet Mask: 255.255.255.0

    Default Gateway: 192.168.1.7

    DNS Server: EMPTY

    WINS Server: EMPTY

     

    Install ISA Server

    The ISA Server installation does not require any special considerations. In this lab, we’ll configure the ISA Server in integrated mode.

    1. Begin the ISA Server installation. Click Continue on the Welcome page.
    2. Enter the CD Key and click OK.
    3. Write down the Product ID and click OK.
    4. Click I Agree on the license agreement page.
    5. Click Full Installation on the installation type page.
    6. When the installation Wizard tells you that it can’t find the ISA Server schema objects, click Yes to continue.
    7. Select the Integrated mode option.
    8. Click OK to confirm that IIS will be stopped.
    9. Set the cache size by entering a number of your liking and click Set. Then click OK.
    10. On the LAT configuration page, click the Construct Table button.
    11. Uncheck the option that adds all private network IDs. Enable the Add address range based on the Windows 2000 Routing Table option. Then select the adapter that presents the internal interface. Click OK. Click OK again in the Setup Message dialog box. Click OK.
    12. Click OK to start the ISA Management console. Click OK to confirm successful setup of ISA Server.

    Now that ISA Server is installed, we can begin entering the new Protocol Definitions required to create the Server Publishing Rules we need to allow intradomain communications through the ISA Server.

    Create new Protocol Definitions based on the entries in the following table:

    Name                 Port   Protocol   Direction
    Direct Host (TCP)    445    TCP        Inbound
    Kerberos(UDP)        88     UDP        Receive/Send
    LDAP(TCP)            389    TCP        Inbound
    LDAP(UDP)            389    UDP        Receive/Send
    NTP(UDP) Inbound     123    TCP        Inbound

    In case you don’t know how to create a Protocol Definition, just expand your server name, and then expand the Policy Elements node. Right click on the Protocols Definitions node, point to New and click on Definition.

    After creating the Protocol Definitions, create the Server Publishing Rules included in the following table:

    Name                 Port   Protocol   Direction
    Direct Host (TCP)    445    TCP        Inbound
    Kerberos(UDP)        88     UDP        Receive/Send
    LDAP(TCP)            389    TCP        Inbound
    LDAP(UDP)            389    UDP        Receive/Send
    NTP(UDP) Inbound     123    TCP        Inbound
    DNS Query Server     53     UDP        Receive/Send
    DNS Zone Transfers   53     TCP        Inbound
    Any RPC Server       135    TCP        Inbound

    In case you don’t know how to create a Server Publishing Rule, just expand your server name, and then expand the Publishing node. Right click on the Server Publishing Rules node, point to New and click on Rule. When you’re done, you’ll have the rules shown in the figure below.

    Packet filtering is enabled by default, so you don’t need to enable it manually. You can run the netstat -na command to confirm that the ports opened by the Server Publishing Rules are indeed open.
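    As an added check that is not part of the original article or of ISA Server, the Python script below parses a netstat -na listing and compares the listening sockets with the ports the Server Publishing Rules above are meant to open, and with the RPC port ranges written to the DC’s registry in the earlier section. The listing embedded in it is constructed for the example, and the NTP row is treated as UDP.

```python
"""Audit a Windows `netstat -na` listing against the ports this lab's Server
Publishing Rules open and against the RPC port ranges configured on the DC
under HKLM\\SOFTWARE\\Microsoft\\RPC\\Internet.  Example code written for
this article; it is not part of ISA Server or of the original lab."""
import re

# Ports from the article's Server Publishing Rule table, keyed by
# (transport, port).  The table lists the NTP row as TCP; the protocol
# name NTP(UDP) and the NTP standard say UDP/123, which is used here.
PUBLISHED = {
    ("tcp", 445): "Direct Host",
    ("udp", 88): "Kerberos",
    ("tcp", 389): "LDAP",
    ("udp", 389): "LDAP",
    ("udp", 123): "NTP",
    ("udp", 53): "DNS Query Server",
    ("tcp", 53): "DNS Zone Transfers",
    ("tcp", 135): "Any RPC Server",
}

# The REG_MULTI_SZ Ports value from the article's registry section.
RPC_PORTS_VALUE = ["4001-4039", "9001-9099"]

# One data line of `netstat -na`: proto, local addr:port, remote, [state].
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def parse_port_ranges(values):
    """Expand ['4001-4039', '9001-9099'] into the set of ports it covers."""
    ports = set()
    for item in values:
        lo, sep, hi = item.strip().partition("-")
        lo, hi = int(lo), (int(hi) if sep else int(lo))
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad RPC port range: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports


def parse_netstat(text):
    """Return {(transport, port)} for every local socket accepting traffic."""
    listening = set()
    for line in text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header lines and blanks
        proto, _local, port, _remote, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED, TIME_WAIT etc. are not listeners
        listening.add((proto.lower(), int(port)))
    return listening


def audit(netstat_text, published=PUBLISHED, rpc_values=RPC_PORTS_VALUE):
    """Split the listeners into: published ports with no listener (a rule or
    service is broken), TCP listeners inside the registry-restricted RPC
    ranges, and anything else (e.g. TCP 139 if NetBT is still bound)."""
    listening = parse_netstat(netstat_text)
    rpc_range = parse_port_ranges(rpc_values)
    missing = sorted(set(published) - listening)
    rpc_dynamic = sorted(p for p in listening if p[0] == "tcp" and p[1] in rpc_range)
    unexpected = sorted(listening - set(published) - set(rpc_dynamic))
    return {"missing": missing, "unexpected": unexpected, "rpc_dynamic": rpc_dynamic}


# Constructed sample listing (not captured from a real server): TCP 53 is
# absent, TCP 139 is still bound, and one RPC endpoint listens on 4005.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4005           0.0.0.0:0              LISTENING
  TCP    10.0.0.2:389           10.0.0.1:1066          ESTABLISHED
  UDP    0.0.0.0:53             *:*
  UDP    0.0.0.0:88             *:*
  UDP    0.0.0.0:123            *:*
  UDP    0.0.0.0:389            *:*
"""

if __name__ == "__main__":
    for key, value in audit(SAMPLE_NETSTAT).items():
        print(f"{key:12}{value}")
```

    A missing TCP 53 listener is the symptom to look for when the secondary zone on the DMZ host does not transfer; a TCP 139 listener means NetBT is still bound and the Direct Hosting rule will not behave as described.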

    Disabling the Services

    In order to get the Direct Hosting Server Publishing Rule to work correctly, you need to prevent NetBIOS over TCP/IP (NetBT) from binding to port 445. Unfortunately, the only way you can do this is by disabling nbt.sys. One of the side effects of disabling nbt.sys is that you won’t be able to run file and printer sharing on the ISA Server.

    While this is generally considered a good thing, it will prevent clients from installing the Firewall client software from a share on the ISA Server machine. You’ll have to move the installation files to another machine and manually configure the mspclnt.ini file in the shared folder. Subsequent changes to the file are obtained directly from the ISA Server once the firewall client is configured through autodetection.

    Perform the following steps to disable nbt.sys and related services:

    1. Right click the My Computer object on the desktop and click Properties.
    2. In the System Properties dialog box, click on the Hardware tab.
    3. On the Hardware tab, click on the Device Manager button.
    4. In the Device Manager, click the View menu and click the Show Hidden Devices command.
    5. Right click on NetBIOS over Tcpip and click Disable.
    6. When you are asked if you want to restart the computer, click No.
    7. Open the Services applet from the Administrative Tools menu.
    8. In the Services console, double click on TCP/IP NetBIOS Helper. Change the Startup type to Manual. Click the Stop button. Click Apply and then click OK. Repeat the procedure for the DHCP Client service.

    After making the changes, restart the ISA Server computer.

    Installing and Configuring the DMZ Host

    We’re almost done! All we have to do now is install the DMZ Host computer and then join that computer to the domain across the ISA Server. Topics we’ll cover here include:

  • Installing the Server
  • Configuring DNS

    The DMZ host computer can run any service you want it to run. The DMZ host computer should run all the services you want available for public access. Always remember that the DMZ host is your sacrificial lamb, and that you expect this machine to be compromised at some time. Whenever services are made available to the public you risk that they will be compromised. That’s why you put them on a DMZ host.

    Installing the Server

    When installing the DMZ host machine, keep the following considerations in mind:

  • Install the DNS server service
  • You can install WINS if you like
  • Don’t install DHCP
  • Install IIS services – this is where they belong, on the DMZ host

    Interface configuration on the DMZ host:

    IP address: valid IP address on your DMZ

    Subnet Mask: valid subnet mask on your DMZ

    Default Gateway: the internal interface of the external ISA Server, the LAN interface of your router, or the internal interface of your 3rd party firewall

    DNS Server: IP address of the external interface of the ISA Server

    WINS Server: EMPTY

    In this lab, the DMZ host has the following IP address settings:

    IP address: 192.168.1.225

    Subnet Mask: 255.255.255.0

    Default Gateway: 192.168.1.7

    DNS Server: 192.168.1.220

    WINS Server: EMPTY

    You should also disable File and Print sharing. However, if you need to access shared folders you will need to have File and Print sharing enabled. Be aware that this isn’t the optimal security configuration. However, since you’re joining the DMZ host to the internal network domain, optimal security configuration isn’t your foremost concern.

    Configuring DNS

    What we need to do now is make the DMZ host a secondary DNS server to the internal network’s DNS server. Perform the following steps to accomplish this task:

    1. Open the DNS console from the Administrative Tools menu.
    2. Right click Reverse Lookup Zones and click New Zone.
    3. Click Next on the Welcome page.
    4. Select Standard primary on the Zone Type page. Click Next.
    5. Type in the network ID for your DMZ. In this example, type in 192.168.1 for the network ID. Click Next.
    6. Accept the default file name and click Next.
    7. Click Finish on the Completing the New Zone Wizard page.

    Now let’s create the forward lookup zone:

    1. Right click on the Forward Lookup Zones node and click New Zone.
    2. Click Next on the Welcome page.
    3. Select Standard secondary and click Next.
    4. In the Zone Name page type in the name of the internal network domain. In this example type in internal.net.
    5. On the DNS Master Servers page, type in the IP address of the external interface of the internal ISA Server on which you have published the internal DNS server. Click Add to add the server. Click Next.
    6. Click Finish on the Completing the New Zone Wizard page.
    7. The entries from the internal network domain should be transferred immediately. Click on the zone and confirm that the entries have been transferred. If you don’t see the entries, you can right click on the Zone name in the left pane of the console and force a transfer from the master server. If the zone transfer doesn’t complete correctly, there is something wrong with your DNS Zone Transfer Server Publishing Rule.
    8. Right click on the zone you just created and click the Properties command.
    9. On the General tab, click the Change button.
    10. On the Change Zone Type page, change the zone to a Standard primary. Click OK.
    11. Click Apply. Click the Name Servers tab.
    12. On the Name Servers tab, click the name server representing the internal network DNS server and then click the Remove button. Now click the Add button.
    13. In the Server name text box, type in the FQDN of the DMZ host. In this lab, type in dmzhost.internal.net. Click the Resolve button to make sure the DNS server can resolve the address. Click OK.
    14. Click the Start of Authority tab. Change the name of the Primary Server to the DMZ host machine. In this lab, change it to dmzhost.internal.net. Click Apply and then click OK. You might get a dialog box asking if it’s OK to delete the old name server name. Click OK. Click OK again.
    15. Click on the forward lookup zone and then double click on the name of the internal network domain controller. Change the IP address of the internal network domain controller to be the external interface of the ISA Server on which you created the publishing rules. In this lab, the internal network domain controller is named dc. Make sure you also update the PTR record. Click Apply and then click OK.
    16. Click on the Reverse Lookup Zone for the DMZ network ID and confirm that the entry was created. Refresh the display if you don’t see the record. If the record does not appear, manually create the record. Also manually create a PTR record for the DMZ host computer.
    17. Double click on the (same as parent folder) host record (seen in the figure below).
    18. Change the IP address to match the external IP address of the ISA Server on which you published the services. Make sure the PTR record is updated as well. Click Apply and then click OK.
    19. Restart the DMZ Host computer.

    Now for the moment of truth! Let’s join the DMZ host to the internal network domain.

    1. First, change the IP address of the Preferred DNS server to be the address of the DMZ host computer.
    2. Right click on the My Computer object on the desktop and click Properties.
    3. Click on the Network Identification tab.
    4. Click the Properties button.
    5. On the Identification Changes dialog box, select the Domain option button and type in the name of the internal network domain in the text box. In this lab, type internal.net. Then click OK.
    6. Enter the Administrator name and password in the Domain Username and Password dialog box. Click OK.
    7. Wait a few moments and you’ll be rewarded with what you see below! Click OK to close the Welcome dialog box. Click OK to acknowledge that you must reboot the computer. Click OK on the Network Identification tab.
    8. Click Yes in the information dialog box to restart the computer.

    After the computer restarts, log on as Administrator in the internal network domain.

    Want to have some fun? Try this:

    1. Open the Run dialog box and type in \\dc (the name of the internal domain controller) and click OK.
    2. You’ll be treated to a list of the shared resources on the DC, as seen below.

    How about some more fun? Create a Protocol Rule that allows outbound access to Direct Hosting. Do this:

    1. Open the ISA Management console, expand your server name, and then expand the Policy Elements node. Right click on the Protocol Definitions node, point to New and click on Definition.
    2. For the name, type in Direct Hosting outbound and click Next.
    3. On the Primary Connection Information page, type 445 for the Port number. Leave the Protocol type as TCP and the Direction as Outbound. Then click Next.
    4. There are no secondary connections, so leave the default No and click Next.
    5. Click Finish on the Completing the New Protocol Definition Wizard page.

    After creating the Protocol Definition for the Direct Hosting Outbound Protocol, create a Protocol Rule that allows internal network access to the protocol. After creating the Protocol Rule, open the Run command and type \\DMZHOST on an internal network computer. (Note that this will NOT work on the ISA Server itself). You’ll be treated to the shared folders on the DMZ host, as seen below.

    Conclusion

    As you can see after performing the steps described in this article, it is indeed possible to join a server in a DMZ to the internal network. There are security concerns, some of which can be addressed after joining the machine to the internal network domain. If you don’t need File and Printer sharing on the DMZ host, disable that feature. This will disable the server service on the machine. The Direct Hosting Server Publishing Rule is also somewhat concerning. However, you can create access controls that will mitigate, to a certain extent, what can be accessed from the external network. Another thing to consider is to limit access to the Server Publishing Rules to the DMZ Host(s) only.

    No matter how you cut it, you violate the DMZ security zone when you join a DMZ host to the internal network domain. But I’ve seen a lot of people ask for this functionality, so I’m delivering the info. Please let me know how this works for you, and how you handle the security implications of this configuration.

    This article discussed advanced ISA Server concepts. If you are new to ISA Server, or need some help with the ISA Server “big picture” and want to know how and why this stuff works, check out the Learning Zone and as always, you must buy the book!
