Configuring Domain Members in a Back to Back ISA Firewall DMZ – Part 2: Configuring the Back-end ISA Firewall

By Thomas W Shinder MD, MVP



Have Questions about the article? 

Ask at: http://tinyurl.com/jb6k2

If you would like to read the other parts in this article series please go to:

In part 1 of this series on configuring a domain member server in a back to back ISA firewall network, we discussed important issues in designing security zones and network perimeters, and reinforced the importance of having a robust firewall infrastructure in place to segregate computers and other network devices belonging to different security zones.

In this, part 2 of the three part series, we’ll go over the configuration of the back-end ISA firewall and cover the following procedures:

  • Configure the Back-end ISA firewall with a DMZ ISA Firewall Network
  • Configure the Back-end ISA Firewall with a Network Rule Setting a Route relationship between the back-end ISA Firewall’s Default Internal Network and the DMZ ISA Firewall Network
  • Create Access Rules Enabling Intra-domain Communications between the DMZ Server and the Domain Controller on the Back-end ISA Firewall’s Default Internal Network
  • Create Access Rules Controlling Outbound Access from the Back-end ISA Firewall’s Default Internal Network to the DMZ and the Internet

Configure the Back-end ISA firewall with a DMZ ISA Firewall Network

One of the most prevalent misconceptions regarding ISA firewall Networks and how the ISA firewall sees the network world is how the ISA firewall deals with the default External Network. Let’s set the record straight: the default External Network on the ISA firewall is defined by any IP address that isn’t part of any other ISA firewall Network configured on the ISA firewall.

What this means is you can configure any set of IP addresses that aren’t part of another ISA firewall Network to be part of a custom ISA firewall Network. This includes the IP address bound to the external interface of the ISA firewall (although the IP address on the external interface of the ISA firewall will always belong to the Local Host Network).

This allows you to create a custom ISA firewall Network that includes the IP addresses in the DMZ Network between the front-end and back-end ISA firewalls. These addresses do not need to be part of the default External Network, even though the DMZ is on the same network ID as the external interface of the ISA firewall. The term “external interface” only means that it’s the interface with the default gateway configured on it, which typically is the closest to the Internet.

The value of making the DMZ between the front-end and back-end ISA firewalls on its own ISA firewall Network is that you can control the routing relationship between that Network and any other Network defined on the ISA firewall. In the example network used in this article, configuring a custom DMZ ISA firewall Network will enable us to create a route relationship between the default Internal Network behind the back-end ISA firewall and the DMZ Network between the front-end and back-end ISA firewalls. We can also create Access Rules controlling traffic moving to and from any ISA firewall Network.

Perform the following steps on the back-end ISA firewall to create the DMZ ISA firewall Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Networks tab in the details pane. Click the Tasks tab in the Task Pane and then click the Create a New Network link.
  3. On the Welcome to the New Network Wizard page, enter a name for the Network in the Network name text box. In this example we’ll name the Network DMZ. Click Next.
  4. On the Network Type page, select the Perimeter Network option and click Next.
  5. On the Network Address page, click the Add button.
  6. In the IP Address Range Properties dialog box, enter the Starting address and Ending Address for the DMZ Network. In this example we’ll enter 10.0.1.0 for the Starting Address and 10.0.1.255 for the Ending Address. Note that you don’t have to include the entire network ID. You can include only the addresses that are actually in use on that network, or you can get even more specific and include only those addresses that you want to have a route relationship with the default Internal Network behind the back-end ISA firewall, so that you can later create another ISA firewall Network representing the other addresses in the DMZ segment that you want to have a NAT relationship with. Click OK.


Figure 1

  7. Click Next on the Network Addresses page.


Figure 2

  8. Click Finish on the Completing the New Network Wizard page.

Configure the Back-end ISA Firewall with a Network Rule Setting a Route relationship between the back-end ISA Firewall’s Default Internal Network and the DMZ ISA Firewall Network

In the scenario discussed in this article, the Web server on the DMZ Network is a member of the Active Directory domain whose domain controllers are located behind the back-end ISA firewall. This allows the Web server on the DMZ Network to leverage the Active Directory database to authenticate users connecting to the Web site. This scenario is very similar to a front-end/back-end Exchange Server configuration, since the front-end and back-end Exchange Servers must be members of the same Active Directory domain.

This means we need to enable intradomain communications between the Web server on the DMZ Network and the domain controllers on the default Internal Network located behind the back-end ISA firewall. Intradomain communications require that you have a Route relationship between the source and destination networks. For this reason, we will create a Network Rule that sets a Route relationship between the DMZ Network and the default Internal Network located behind the back-end ISA firewall.

It’s important to note that although there will be a route relationship between the back-end ISA firewall’s default Internal Network and the DMZ Network, there will still be a NAT relationship between the back-end ISA firewall’s default Internal Network and the Internet. This is fully supported (and required), since private addresses are used on the corporate network.

It doesn’t matter if you use public or private addresses on the DMZ Network. Even if you use public addresses on the DMZ Network, you can still have a route relationship between the DMZ Network and the default Internal Network using private addresses behind the back-end ISA firewall because the ISA firewall is directly connected to both Networks and thus has full knowledge of how to reach both Networks.

Perform the following steps to create the Network Rule creating a route relationship between the DMZ Network and the default Internal Network behind the back-end ISA firewall:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node in the left pane of the console. Click the Networks node.
  2. On the Networks node, click the Network Rules tab in the details pane of the console, then click the Create a New Network Rule link in the Tasks tab of the Task Pane.
  3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name the rule DMZ – Internal. Click Next.
  4. On the Network Traffic Sources page, click the Add button.
  5. In the Add Network Entities dialog box, click the Networks folder and then double click the DMZ Network. Click Close.


Figure 3

  6. Click Next on the Network Traffic Sources page.
  7. Click Add on the Network Traffic Destinations page.
  8. Click the Networks folder and then double click the Internal entry. Click Close.
  9. On the Network Relationship page, select the Route option and click Next.


Figure 4

  10. Click Finish on the Completing the New Network Rule Wizard page.


Create Access Rules Enabling Intra-domain Communications between the DMZ Server and the Domain Controller on the Back-end ISA Firewall’s Default Internal Network

Multiple protocols are required to allow intradomain communications between the DMZ host and the domain controllers on the corporate network. Table 1 provides the details of this Access Rule.

Name            Intradomain Communications
Action          Allow
Protocols       Microsoft CIFS (TCP), Microsoft CIFS (UDP), DNS, Kerberos-Adm(UDP),
                Kerberos-Sec(TCP), Kerberos-Sec(UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog),
                RPC (all interfaces), NTP (UDP), Ping
From            DMZ Web Server, Domain Controller
To              Domain Controller, DMZ Web Server
Users           All
Schedule        Always
Content Types   All content types

Table 1: Access Rule allowing intradomain communications between the DMZ host and the DC on the default Internal Network behind the back-end ISA firewall
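As an added example (not from the original article), the Python model below ties together the three mechanisms described so far: how the ISA firewall classifies an address into a Network (the default External Network is whatever is not in any other Network, even on the external interface’s subnet), how the Network Rule gives DMZ and Internal a Route relationship while Internal to External stays NAT, and how the Access Rule in Table 1 limits the DMZ Web server to intradomain protocols. Only the DMZ range comes from the article; the Internal range, the firewall’s own addresses and the two Computer objects’ IP addresses are assumptions.

```python
import ipaddress

# Constructed model of the back-end ISA firewall policy built in this article. Only the DMZ
# range (10.0.1.0 - 10.0.1.255) comes from the text; every other address is an assumption.
NETWORKS = {  # checked in order; Local Host (the firewall's own NICs) always wins
    "Local Host": [("10.0.0.1", "10.0.0.1"), ("10.0.1.1", "10.0.1.1")],  # assumed NIC addresses
    "Internal":   [("10.0.0.0", "10.0.0.255")],                          # assumed corporate LAN
    "DMZ":        [("10.0.1.0", "10.0.1.255")],                          # from the article
}
NETWORK_RULES = {  # (source Network, destination Network) -> relationship
    ("DMZ", "Internal"): "Route",     # the "DMZ - Internal" Network Rule created above
    ("Internal", "External"): "NAT",  # Internet access for the private corporate LAN
}
DMZ_WEB_SERVER, DOMAIN_CONTROLLER = "10.0.1.10", "10.0.0.10"  # assumed Computer objects
INTRADOMAIN_PROTOCOLS = {"Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)", "DNS",
    "Kerberos-Adm(UDP)", "Kerberos-Sec(TCP)", "Kerberos-Sec(UDP)", "LDAP", "LDAP (UDP)",
    "LDAP GC (Global Catalog)", "RPC (all interfaces)", "NTP (UDP)", "Ping"}
ACCESS_RULES = [  # ordered; the first matching rule wins, anything unmatched is denied
    {"name": "Intradomain Communications", "protocols": INTRADOMAIN_PROTOCOLS,
     "from": {DMZ_WEB_SERVER, DOMAIN_CONTROLLER}, "to": {DMZ_WEB_SERVER, DOMAIN_CONTROLLER}},
    {"name": "All Open Internal to DMZ/External", "protocols": None,  # None = all protocols
     "from": {"Internal"}, "to": {"DMZ", "External"}},
]

def classify(ip):
    """Name the ISA firewall Network an address belongs to; anything not covered by a
    defined Network is the default External Network, even on the external NIC's subnet."""
    addr = ipaddress.ip_address(ip)
    for name, ranges in NETWORKS.items():
        if any(ipaddress.ip_address(lo) <= addr <= ipaddress.ip_address(hi) for lo, hi in ranges):
            return name
    return "External"

def relationship(src_ip, dst_ip):
    """Relationship set by the Network Rules, or None when no rule connects the Networks."""
    pair = (classify(src_ip), classify(dst_ip))
    rel = NETWORK_RULES.get(pair)
    if rel is None and NETWORK_RULES.get(pair[::-1]) == "Route":
        rel = "Route"  # Route rules apply in both directions; NAT rules only one way
    return rel

def _matches(elements, ip):  # an element is either a Computer address or a Network name
    return ip in elements or classify(ip) in elements

def evaluate(src_ip, dst_ip, protocol):
    """Return (matching Access Rule name or None, relationship or None). Without a
    Network Rule there is no connectivity at all, whatever the Access Rules say."""
    rel = relationship(src_ip, dst_ip)
    if rel is None:
        return None, None
    for rule in ACCESS_RULES:
        if _matches(rule["from"], src_ip) and _matches(rule["to"], dst_ip) and (
                rule["protocols"] is None or protocol in rule["protocols"]):
            return rule["name"], rel
    return None, rel
```

Running evaluate(DMZ_WEB_SERVER, DOMAIN_CONTROLLER, "HTTP") returns (None, "Route"): the Route relationship exists, but the Web server still cannot reach the DC with any protocol outside Table 1.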

Perform the following steps to create this Access Rule:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console.
  2. On the Firewall Policy node, click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter the name of the rule in the Access Rule name text box. In this example, we’ll name the rule Intradomain DMZ—Internal and click Next.
  4. Select the Allow option on the Rule Action page.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
  6. Click the Add Protocols folder and then double click the following protocols:

Microsoft CIFS (TCP)
Microsoft CIFS (UDP)
DNS
Kerberos-Adm(UDP)
Kerberos-Sec(TCP)
Kerberos-Sec(UDP)
LDAP
LDAP (UDP)
LDAP GC (Global Catalog)
RPC (all interfaces)
NTP (UDP)
Ping
Click Close in the Add Protocols dialog box.

  7. Click Next on the Protocols page.


Figure 5

  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the New menu and then click Computer.
  10. In the New Computer Rule Element dialog box, enter a name for the Web server on the DMZ Network. In this example we’ll name the Computer Object DMZ Web Server. Enter the IP address of the DMZ Web server in the Computer IP Address text box. Enter an optional Description if you like. Click OK.


Figure 6

  11. In the Add Network Entities dialog box, click the New menu and then click Computer.
  12. In the New Computer Rule Element dialog box, enter a name for the domain controller on the Internal Network. In this example we’ll name the Computer Object Domain Controller. Enter the IP address of the domain controller in the Computer IP Address text box. Enter an optional Description if you like. Click OK.


Figure 7

  13. Click the Computers folder and double click the DMZ Web Server and Domain Controller entries.


Figure 8

  14. Click Next on the Access Rule Sources page.
  15. Click Add on the Access Rule Destinations page.
  16. In the Add Network Entities dialog box, click the Computers folder and then double click the DMZ Web Server and Domain Controller entries. Click Close.
  17. Click Next on the Access Rule Destinations page.
  18. Accept the default setting, All Users, on the User Sets page and click Next.
  19. Click Finish on the Completing the New Access Rule Wizard page.

Create Access Rules Controlling Outbound Access from the Back-end ISA Firewall’s Default Internal Network to the DMZ and the Internet

Clients on the corporate network behind the back-end ISA firewall require access to the Internet and perhaps to the DMZ Network. Your access policy on a live network will be highly customized according to the principle of least privilege, so that users are allowed access to the protocols and locations they require to complete their work.

In the example network used in this article series, I’m going to create a simple outbound access policy that allows all hosts on the corporate network outbound access to all resources on the DMZ and the Internet. You would never create such a rule on a production network, but it simplifies things enough to demonstrate the principles covered in this article.

Perform the following steps to create the Access Rule:

  1. At the back-end ISA firewall, in the ISA firewall console expand the name of the server and then click the Firewall Policy node in the left pane of the console.
  2. Click the Create New Access Rule link on the Tasks tab in the Task Pane.
  3. In the Welcome to the New Access Rule dialog box, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule All Open Internal to DMZ/External. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the All outbound traffic option from the This rule applies to list and click Next.
  6. On the Access Rule Sources page, click the Add button.
  7. In the Add Network Entities dialog box, click the Networks folder and double click the Internal entry. Click Close.
  8. Click Next on the Access Rule Sources page.
  9. On the Access Rule Destinations page, click the Add button.
  10. In the Add Network Entities dialog box, click the Networks folder. Double click both the DMZ and External Networks. Click Close.
  11. Click Next on the Access Rule Destinations page.
  12. On the User Sets page, accept the default entry, All Users, and click Next.
  13. Click Finish on the Completing the New Access Rule Wizard page.
  14. Click Apply to save the changes and update the firewall policy.
  15. Click OK in the Apply New Configuration dialog box.


Summary

In this article we went over the step by step details of configuring the back-end ISA firewall in a back to back ISA firewall configuration where there is a domain member server in the DMZ segment between the ISA firewalls. Procedures included creating an ISA firewall Network for the DMZ segment, creating a Network Rule that sets a Route relationship between the default Internal Network behind the back-end ISA firewall and the DMZ Network, creating an Access Rule controlling traffic from the back-end ISA firewall’s default Internal Network to the DMZ and the Internet, and creating another Access Rule controlling intradomain communications between the DMZ Web server and the domain controller on the default Internal Network behind the back-end ISA firewall.

In part 3 of this article series we will finish up by configuring the DMZ Web server’s network and routing table settings, and setting up the front-end ISA firewall. See you then!
