Firewall Chaining and the Forefront Threat Management Gateway (TMG)
All versions of the ISA Firewall, as well as the TMG Firewall, support Firewall chaining. Firewall chaining involves two or more ISA or TMG devices in an upstream and downstream configuration. The device closest to the Internet is the upstream device, while the device closest to the source of the requests is the downstream device.
The advantage of Firewall chaining is that you can deploy the downstream firewalls in a way that is transparent to your routing infrastructure. The downstream firewall only needs to know the route to the upstream ISA or TMG firewall, even if that route is not through the downstream firewall's default gateway. Once the downstream firewall knows the route, it sends the requests directly to the IP address of the upstream ISA or TMG firewall.
Firewall chaining forwards requests from SecureNAT and Firewall clients for all protocols except HTTP and HTTPS; those requests are automatically handed to the Web Proxy filter instead. Likewise, requests from Web Proxy clients are never handled by a Firewall chaining configuration. To route HTTP requests in a way similar to Firewall chaining, you need to use Web Proxy chaining by creating a Web chaining rule.
Over the years there has been a bit of "rot" in the Firewall chaining feature, but it never was clearly documented. This is where the TMG firewall documentation comes in handy. The limitations of Firewall chaining now include:
- Responses to Firewall chaining requests are not cached. This makes sense, since the Web Proxy filter is what is responsible for Web caching, and HTTP requests never take the Firewall chaining path.
- Authentication on the upstream firewall is not supported. You can require users to authenticate to the downstream firewall, but you cannot require the upstream firewall to authenticate the downstream firewall.
- Complex protocols might not work correctly, even though the downstream firewall is essentially a Firewall client to the upstream firewall. This is really problematic, since one of the major reasons for using the Firewall client is to support complex protocols that require secondary connections.
- Firewall chaining does not work if you have defined a TMG Firewall Network between the downstream and upstream TMG firewalls. Again, this is really problematic, because in most Firewall chaining deployments you will want to create a TMG Firewall Network between the upstream and downstream firewalls.
Bottom line? Firewall chaining is really only useful if you're using only SecureNAT clients and simple protocols, or at least protocols that have application filters. If you have Firewall clients behind the downstream firewall, then Firewall chaining is not for you.
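As an added example that is not part of the original post, and not TMG's own code or its administration API, the following Python model encodes the dispatch rules described above together with the limitations in the list: which path a request takes on the downstream firewall, where it is sent, whether its responses can be cached, and whether one of the caveats makes it fail. The client types, protocol names, IP addresses, routing table and configuration flags are all constructed for illustration.

```python
# Added example for this page: a model of how a downstream ISA/TMG firewall
# dispatches client requests when Firewall chaining is configured. Not TMG code;
# every name, address and flag below is constructed for illustration.
from dataclasses import dataclass, field
from enum import Enum


class ClientType(Enum):
    SECURENAT = "SecureNAT"
    FIREWALL = "Firewall client"
    WEBPROXY = "Web Proxy client"


@dataclass
class Request:
    client: ClientType
    protocol: str                  # "HTTP", "HTTPS", "SMTP", "FTP", ...
    needs_secondary: bool = False  # protocol opens secondary connections (e.g. FTP data)


@dataclass
class DownstreamConfig:
    upstream_ip: str
    default_gateway: str
    routes: dict = field(default_factory=dict)     # destination -> next hop (constructed)
    web_chaining_rule: bool = False                # Web chaining rule pointing at upstream
    tmg_network_between: bool = False              # TMG Network defined between the two
    upstream_requires_auth: bool = False           # upstream wants to authenticate downstream
    app_filters: set = field(default_factory=set)  # protocols that have an application filter


def next_hop(cfg: DownstreamConfig, dest: str) -> str:
    """Exact host route if one exists, otherwise the default gateway.
    This is the point of the routing transparency: a route to the upstream's
    address is enough, it need not be the default gateway."""
    return cfg.routes.get(dest, cfg.default_gateway)


def dispatch(cfg: DownstreamConfig, req: Request) -> dict:
    """Decide which path the downstream firewall uses for one request and whether it works."""
    # HTTP/HTTPS from any client, and everything from a Web Proxy client, goes to the
    # Web Proxy filter. Firewall chaining never sees it; only a Web chaining rule
    # forwards it to the upstream, and only this path can be cached.
    if req.protocol in ("HTTP", "HTTPS") or req.client is ClientType.WEBPROXY:
        if cfg.web_chaining_rule:
            return {"path": "web-chaining", "to": cfg.upstream_ip,
                    "via": next_hop(cfg, cfg.upstream_ip), "ok": True, "cacheable": True,
                    "reason": "Web Proxy filter forwards through the Web chaining rule"}
        return {"path": "web-proxy-direct", "to": None,
                "via": cfg.default_gateway, "ok": True, "cacheable": True,
                "reason": "no Web chaining rule: Web Proxy filter retrieves directly"}

    # Everything else from SecureNAT and Firewall clients takes the Firewall chaining
    # path to the upstream's IP address. Responses on this path are never cached.
    problems = []
    if cfg.tmg_network_between:
        problems.append("TMG Network defined between downstream and upstream")
    if cfg.upstream_requires_auth:
        problems.append("upstream cannot authenticate the downstream firewall")
    if req.needs_secondary and req.protocol not in cfg.app_filters:
        problems.append("complex protocol with no application filter")
    return {"path": "firewall-chaining", "to": cfg.upstream_ip,
            "via": next_hop(cfg, cfg.upstream_ip), "ok": not problems, "cacheable": False,
            "reason": "; ".join(problems) or "forwarded as a Firewall client of the upstream"}


def chaining_usable(cfg: DownstreamConfig, traffic: list) -> bool:
    """The bottom line above: chaining is usable only if every chained request works."""
    results = (dispatch(cfg, t) for t in traffic)
    return all(r["ok"] for r in results if r["path"] == "firewall-chaining")


if __name__ == "__main__":
    # Constructed sample: upstream reachable through a host route, not the default gateway.
    cfg = DownstreamConfig(upstream_ip="10.0.0.1", default_gateway="192.168.1.1",
                           routes={"10.0.0.1": "192.168.1.254"},
                           web_chaining_rule=True, app_filters={"FTP"})
    traffic = [Request(ClientType.SECURENAT, "SMTP"),
               Request(ClientType.SECURENAT, "HTTP"),
               Request(ClientType.FIREWALL, "FTP", needs_secondary=True),
               Request(ClientType.FIREWALL, "H323", needs_secondary=True)]
    for t in traffic:
        r = dispatch(cfg, t)
        print(f"{t.client.value:15} {t.protocol:5} -> {r['path']:18} via {r['via']:15} ok={r['ok']}  {r['reason']}")
    print("chaining usable for this traffic:", chaining_usable(cfg, traffic))
```

Running it shows the SMTP request leaving for the upstream through the host route rather than the default gateway, the HTTP request taking the Web chaining path instead, FTP surviving only because an application filter is assumed, and the H323 request (a constructed stand-in for any secondary-connection protocol without a filter) failing, which is what makes the verdict for the whole traffic mix false.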
Thomas W Shinder, M.D.
GET THE NEW BOOK! Go to http://tinyurl.com/2gpoo8
Email: [email protected]
MVP — Microsoft Firewalls (ISA)