Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 5: Configuring the Clients and DNS Infrastructure

Configure ISA 2004 as a Network Services Segment Perimeter Firewall —
Part 5: Configuring the Clients and DNS Infrastructure
by Thomas W Shinder MD, MVP



Have Questions about the article?
Ask at: http://tinyurl.com/9tsvo

 

 

If you missed the other parts of this series please read:

Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 1
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 2
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 3
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 4


In the first four parts of this series on creating a network services segment using ISA firewalls, we discussed general DMZ and perimeter segment networking principles and design concepts, configuration of the network services segment ISA firewall, and routing principles and procedures required to make our solution work. We also configured the edge ISA firewall so that users on the Corpnet ISA firewall Network could gain access to Internet resources and external users could access Exchange Server resources located on the network services segment.

In this, part 5 of the article series, we’ll focus on the network client systems. We perform the following procedures in this article:

  • Create a Routing table Entry on the Network Clients (only required if there are no LAN routers installed)
  • Join the Network Clients to the Domain
  • Create Configure DNS Entries in the Domain DNS, Including WPAD Entries
  • Configure the Firewall Client Settings on the Edge ISA Firewall (including Web Proxy Client Configuration)
  • Install the Firewall Client Share on the Network Services Segment File Server
  • Install the Firewall Client on the Network Clients
  • Connect the Corporate Network Clients to Resources on the Network Services Segment and the Internet

Create a Routing table Entry on the Network Clients (only required if there are no LAN routers installed)

Clients on the Corpnet ISA firewall Network need to know the route to the network services segment. As discussed in part 1 of this article series, you have two options: use LAN routers that contain the appropriate routing table entries to reach the network services segment or configure the clients with a routing table entry.

In the example used in this article, we’ll create routing table entries on the clients. You can automate this process by using a log on script that contains the Route add command used to add the routing table entry. The command required is:

Route add –p 10.0.0.0 MASK 255.255.255.0 10.0.1.2

Where –p makes the routing table entry permanent, 10.0.0.0 is the network ID of the network services segment, 255.255.255.0 is the subnet mask for the network services segment, and 10.0.1.2 is the gateway address used to reach that network.

Join the Network Clients to the Domain

All the pieces are now in place to add the network clients to the domain. The network services perimeter ISA firewall has the appropriate Access Rules in place to join hosts on the Corpnet ISA firewall Network to the domain. The procedure varies with the operating system you’re joining to the domain. In the example used in this article series, we’re joining a Windows XP client to the domain.

Create Configure DNS Entries in the Domain DNS, Including WPAD Entries

DNS infrastructure design is critical for all Windows environments. One of the most common reasons for connectivity and performance issues is a poorly designed DNS infrastructure. Proper DNS infrastructure is critically important in ISA firewall networking because the ISA firewall uses DNS name resolution for access control and security monitoring.

Clients on the Corpnet ISA firewall Network will be configured as both Web proxy and Firewall clients. Web proxy and Firewall clients need to be able to locate the edge ISA firewall to access the Internet. While you can manually configure each host with the proper information, it’s much easier to automate the process using WPAD entries in DNS and/or DHCP.

Web proxy and Firewall clients use WPAD entries in DNS and/or DHCP to find the address of the ISA firewall. After the clients find the address of the ISA firewall, the clients obtain configuration information from the ISA firewall. By default the ISA firewall advertises configuration information on TCP port 80, which can be changed if required. However, if you use DNS-based WPAD entries, you must use TCP port 80. If you use DHCP for WPAD information, you can use any port you like to advertise autodiscovery information.

In the example used in this series, we will use DNS WPAD publishing. We will create a WPAD CNAME record based on the Host (A) record for the edge ISA firewall. The Host (A) record for the edge ISA firewall maps the name of the edge ISA firewall to the IP address on the internal interface of the edge ISA firewall.

Perform the following steps to create the WPAD entry on the domain DNS server on the network services segment:

  1. At the DNS server, click Start, point to Administrative Tools and click DNS.
  2. In the DNS console, expand the server name and then expand the Forward Lookup Zones node. Click on the domain, which in this case is msfirewall.org.
  3. Right click the domain name and click New Alias (CNAME).
  4. In the New Resource Record dialog box, enter wpad in the Alias name (uses parent domain if left blank) text box. Click the Browse button.


Figure 1

  1. Double click the server name in the Records section, then double click the Forward Lookup Zone entry. Double click the domain name and then double click the entry for the edge ISA firewall. In this example the name of the edge ISA firewall is remoteisa, so I’ll double click that one.


Figure 2

  1. Click OK in the New Resource Record dialog box.


Figure 3

  1. The new CNAME record appears in the right pane of the console.


Figure 4

Note that the edge ISA firewall’s IP address is included in the domain DNS because it was automatically added when the firewall joined the domain. If your domain DNS is not configured to enable automatic registration of DNS records, then you’ll need to create the Host (A) record yourself before you can create the CNAME record.

Have Questions about the article?
Ask at: http://tinyurl.com/9tsvo

Configure the Firewall and Web Proxy Client Settings on the Edge ISA Firewall and Enable Autodiscovery

In my experience, who of the least understood issues with ISA firewall configuration relates to the settings in the Firewall client configuration on the ISA firewall. For each ISA firewall Network, you can configure Firewall client settings that are used by Firewall client systems located on that ISA firewall Network. These settings allow you to set how the Firewall client software finds the ISA firewall and what destination addresses should be remoted to the ISA firewall and which ones should not be serviced by the Firewall client software.

The best way to learn how these settings work is to get into the configuration interface. Perform the following steps on the edge ISA firewall to configure the Firewall client settings:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, double click the default Internal Network entry.
  3. In the Internal Properties dialog box, click the Firewall Client tab. On the Firewall Client tab, confirm that there is a checkmark in the Enable Firewall client support for this network checkbox. When this option is enabled, the Firewall client listener port, TCP 1745, is enabled and listens for connections from the Firewall clients on that ISA firewall Network. In the ISA Server name or IP address text box, enter the fully qualified domain name of the ISA firewall. This is a critical setting. The default entry in this text box is the NetBIOS name of the ISA firewall, which can create problems with name resolution. The name you enter into this text box is the name Firewall clients on the network will use to access the ISA firewall. If you leave just the NetBIOS name in this text box, there could be problems with name resolution related to fully qualifying the unqualified name. While I am not saying that it won’t work to leave just the NetBIOS name in this text box, I am saying that you will avoid difficult to troubleshoot issues with Firewall clients if you use a FQDN in this text box. Put a checkmark in the Automatically detect settings checkbox and do not enable the Use automatic configuration script and Use a Web proxy server checkboxes. You will get autoconfiguration information by using autodiscovery, and you don’t need the Use a Web proxy server setting because the client will find the Web proxy filter component of the ISA firewall using the wpad settings.


Figure 5

  1. Click the Domains tab. On this tab you enter your internal domain names so that the Firewall clients do not use the Firewall client software to handle connections to hosts on the Internal domains. This is a tricky setting on multihomed ISA firewalls with multiple internal ISA firewall Networks, but in this example, the edge ISA firewall has only a single internal Network, so we won’t run into those issues. I will discuss in deep detail the configuration issues with the Domains tab on multihomed ISA firewalls with multiple internal ISA firewall Networks is another series on creating network services segments using multihomed ISA firewalls. In this example, we have a single internal domain, which is msfirewall.org. Click Add to enter the internal network domain.


Figure 6

  1. In the Domain Properties dialog box, enter the name of the internal domain in the Enter a domain name to include text box. Click OK.


Figure 7

We can also configure the Web proxy client settings in the Properties dialog box of the ISA firewall Network. Continue with the following steps to configure the Web proxy client configuration:

In the Internal Properties dialog box, click the Web Browser tab. On the Web Browser tab, confirm that there are checkmarks in the Bypass proxy for Web server in this network and Direct access computers specified in the Domains tab. The Bypass proxy for Web servers in this network setting allows the Web proxy client machines to bypass their Web proxy configuration when connecting to servers using a single label name. For example, http://server1 is a single label name. When the single label name is used, the Web browser ignores the Web proxy settings and connects directly to the Web server. This is known as Direct Access. When Direct Access is used, the client system must be able to resolve the name itself, as the ISA firewall does not handle the connection and therefore does not perform name resolution on behalf of the client.

The Directly access computers specified in the Domains tab option enables the Web proxy client system to bypass the Web proxy configuration when connecting to hosts that belong to a domain included in the Domains tab. This is a useful option because the Web proxy client bypasses its Web proxy configuration and the ISA firewall when connecting to internal, trusted servers on the corporate network.

You can also add servers, domains and addresses for Direct Access by clicking the Add button next to the Directly access these servers or domains list. You might want to put all the addresses in the ISA firewall Network in the Direct Access list. For example, since we’re in the Internal Properties dialog box, we could include all the addresses in the default Internal network. In a multihomed, multiple internal Network design, this can be used for authenticated access control, but we’ll talk about these issues in the series on creating network services segments using a multihomed ISA firewall.

Confirm that there is a checkmark in the If ISA Server is unavailable, use this backup route to connect to the Internet checkbox and that the Direct Access option is selected.






Figure 8

The last thing we need to do in the Internal Properties dialog box is enable Autodiscovery publishing. Perform the following steps to enable the ISA firewall to publish autodiscovery information:

  1. Click Auto Discovery tab in the Internal Properties dialog box.

  2. On the Auto Discovery tab, put a checkmark in the Publish automatic discovery information checkbox. Leave the default port listed in the Use this port for automatic discovery request text box as 80. We must use TCP port 80 since we are using DNS for out WPAD entry.


Figure 9

  1. Click OK in the Internal Properties dialog box.

  2. Click Apply to save the changes and update the firewall policy.

  3. Click OK in the Apply New Configuration dialog box.

Install the Firewall Client Share on the Network Services Segment File Server

The Firewall client software will be installed on all the client systems on the Corpnet ISA firewall Network. Note that you should only install the Firewall client software on network client systems, and avoid installing it on servers. While it is possible to install the Firewall client software on servers, there is little reason to do so, since servers typically do not have logged on users (interactive log ons, that is). You will avoid difficult to diagnose connectivity issues if you do not install the Firewall client software on network servers.

While some ISA firewall administrators choose to install the Firewall client share on the ISA firewall itself, I highly recommend against this practice, as it requires Windows file sharing protocol connections to be made to the ISA firewall device itself. This opens a potential security hole that does not need to be opened. Instead, install the Firewall client share on a file server on the network services segment. Remember, the ISA firewall is a network level security device and connections to and from the ISA firewall device should be severely limited.

Perform the following steps on the file server computer on the network services segment:

  1. At the file server on the network services segment, place the ISA Server 2004 CD into the CD-ROM drive. The autorun menu will appear. If the autorun menu does not appear, double click the isaautorun.exe file on the CD.

  2. In the ISA Server 2004 Setup autorun menu, click the Install ISA Server 2004 link.

  3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.

  4. Select the I accept the terms in the license agreement option on the License Agreement page and click Next.

  5. Enter your user information and product serial number on the Customer Information page and click Next.

  6. Select the Custom option on the Setup Type page.

  7. On the Custom Setup page, click the ISA Server Management icon and click the This feature will not be available option. Click the Firewall Client Installation Share icon and click the This feature, and all subfeatures, will be installed on local hard drive option. Click Next.


    Figure 10

  8. Click Install on the Ready to Install the Program page.
  9. Click Finish on the Installation Wizard Completed page.
  10. Close the Internet Explorer window that presents a page on how to Protect the ISA Server Computer.
  11. Click the Exit link on the ISA autorun menu.

Install the Firewall Client on the Network Clients

The Firewall client share is now installed on the file server and can be accessed using the \\server_name\mspclnt\setup.exe UNC path. Any user logged on as a local administrator can install the Firewall client software. However, if not all your users run as local administrators, you’ll need to find another way to install the Firewall client software.

Fortunately, the ideal solution to this problem is Active Directory Group Policy based software installation. Since the client machines must be domain members to fully utilize the flexibility and increased security provided by the Firewall client, those domain members can have their Firewall client software installed automatically via Group Policy.

In the following procedure we will create an OU for machines that should have the Firewall client software automatically installed. We do this to prevent the Firewall client software from being installed on servers. There may be more elegant ways to approach this, such as using Group Policy filtering, but I’ll leave that up to the Active Directory guys to figure out the most efficient way to assigning the Firewall client software only to client systems and not servers.

Note that in the following example we’ll create an OU that provides a GPO linked to the OU that installs the Firewall client software. In a production environment, you will want to link other GPOs to the OU and order the GPO links appropriately.

Perform the following steps to create the OU, place a client system in the OU, and then use Software Installation to assign the Firewall client software to members of the OU:

  1. On the domain controller on the network services segment, open the Active Directory Users and Computers console from the Administrative Tools menu.
  2. Right click on the domain name, point to New and click Organizational Unit.
  3. In the New Object – Organizational Unit page, enter Firewall Client Systems in the Name text box. Click OK.
  4. Click the Computers node and right click the client system name in the right pane of the console. Click Move.
  5. In the Move dialog box, click the Firewall Client Systems node and click OK.
  6. Right click the Firewall Client Systems OU and click Properties.
  7. In the Firewall Client Systems Properties dialog box, click the Group Policy tab.
  8. On the Group Policy tab, click the New button. Name the new GPO Firewall Client Installation and click Edit.
  9. In the Group Policy Object Editor console, expand the Computer Configuration node and then expand the Software Settings node. Right click Software installation, point to New and click Package.
  10. In the Open dialog box, enter the UNC path to the Firewall client installation package file. In this example, the path is \\Win2k\mspclnt\MS_FWC.msi. Click Open.


Figure 11

11.   In the Deploy Software dialog box, select the Assigned option and click OK.


Figure 12

  1. Close the Group Policy Object Editor.

  2. Close the Firewall Client Systems Properties dialog box.

  3. Close Active Directory Users and Computers.

  4. Open a command prompt on the domain controller and enter gpupdate and press ENTER.

  5. When the client systems restart, the Firewall client software will install automatically.

Connect the Corporate Network Clients to Resources on the Network Services Segment and the Internet

Now the clients on the Corpnet ISA firewall Network are ready to connect to resources on the network services segment and the Internet.

Open the Web browser on the client and go to www.isaserver.org. You’ll see log file entries on the edge ISA firewall that appear similar to those in the figure below.


Figure 13

Now open a share on the File server on the network services segment. You’ll see entries like those in the figure below.


Figure 14

Have Questions about the article?
Ask at: http://tinyurl.com/9tsvo

Summary

In this article series on configuring a network services segment using an ISA firewall, we began with an in depth discussion on network perimeters and how to design a functional network services segment via perimeterization. The following articles provided detailed concepts and step by step details on how to configure the edge and network services perimeter ISA firewall to support secure connections from hosts located on the corporate network outside the perimeter and to selected Exchange Server services from Internet hosts.

If you missed the other parts of this series please read:

Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 1
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 2
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 3
Configure ISA 2004 as a Network Services Segment Perimeter Firewall – Part 4



Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top