Placing ISA Server 2000 into Networks with an Existing Firewall Infrastructure and Other ISA Server 2000 Firewall Topologies




By Thomas W Shinder M.D.


Most organizations already have a firewall infrastructure in place. Smaller companies may have a simple SOHO NAT router with basic packet filtering and forwarding capabilities and large companies have high performance packet filtering-based firewall solutions. Companies of all sizes have a significant investment both in terms of up front costs of the hardware devices themselves and administrator education required to maintain these firewalls. It’s not realistic to expect organizations with a significant capital outlay to “rip and replace” their current firewall infrastructure and use ISA Server 2000 firewalls in their place.




Companies without a current firewall infrastructure don’t have these issues. However, they do have questions about where to place their ISA Server 2000 firewalls, how many are required, and what scenarios require them to place the ISA Server 2000 firewalls in specific configurations.


Questions from firewall administrators from both of these groups appear on the ISAServer.org Web boards and mailing list every day. Answers to these questions vary based on the specific requirements brought up in each question. However, there are a core number of firewall topologies that form the basis of most answers for the question “where should I place the ISA Server 2000 firewall?”


In this article we’ll review a set of common and popular ISA Server 2000 firewall topologies. Some of these topologies include how to place the ISA Server 2000 firewall into an existing firewall infrastructure and some of them demonstrate how to configure a secure, ISA Server 2000-only firewall solution.


The specific topologies or scenarios discussed include:



  • ISA Server 2000 Front-end Firewall Topology
  • ISA Server 2000 Back-end Firewall Topology
  • ISA Server 2000 Front-end and Back-end Firewall Topology
  • ISA Server 2000 Application Layer Filtering Web Proxy in a DMZ
  • Secure Exchange RPC Publishing Scenario – ISA Server 2000 as front-end firewall
  • Secure Exchange RPC Publishing Scenario – ISA Server 2000 back to back firewalls
  • Secure Exchange RPC Publishing Scenario – Mixed ISA Server 2000 and Packet filtering firewall on the Front-end and ISA Server 2000 Firewall on the Back End
  • Secure Exchange RPC Publishing Scenario – ISA Server 2000 as back-end firewall
  • SMTP Filter and Message Screener Scenarios: SMTP Relay and Message Screener on the Corporate Network
  • SMTP Filter and Message Screener Scenarios: SMTP Relay and Message Screener on the ISA Server 2000 Firewall


    ISA Server 2000 Front-end Firewall Topology


    Smaller organizations that do not already have a large investment in a current firewall infrastructure may wish to make the ISA Server 2000 firewall a front-end firewall. The front-end firewall has a network interface on the corporate network and a network interface directly connected to the Internet. All communications into and out of the corporate network are exposed to ISA Server 2000’s deep application layer inspection.


    The advantages of this configuration include:



  • All communications into and out of the corporate network are exposed to firewall policy
  • You only need to learn how to configure the ISA Server 2000 firewall software; this helps avoid the firewall misconfigurations that are common when firewalls from multiple vendors are used
  • All inbound and outbound access can be controlled on a granular, user or group basis. Users only access the content and servers you want them to access, based on the rules you configure
  • This configuration is easy to setup and maintain

    The figure below shows the network topology for the ISA Server 2000 front-end firewall placement.



    ISA Server 2000 Back-end Firewall Topology


    Organizations with an existing firewall infrastructure may prefer to leave the current firewalls in place and put the ISA Server 2000 firewall behind the current firewalls. This topology allows third party firewalls to provide high speed packet filtering (stateful filtering) before forwarding the remaining packets to the application aware (stateful inspection) ISA Server 2000 firewall. The network between the third party front-end firewalls and the ISA Server 2000 firewall is a perimeter network where publicly accessible services can be placed.


    The third-party packet filtering firewalls have an interface directly connected to the Internet and an interface connected to a perimeter network between the third-party packet filtering firewalls and the ISA Server 2000 application layer aware firewall. The ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected, corporate LAN.


    Advantages of this configuration include:



  • Organizations do not need to perform a major redesign of their current firewall infrastructure
  • Third party hardware-based firewalls can perform high-speed packet filtering. This offloads packet filtering overhead from the ISA Server 2000 firewall and increases the resources available on the ISA Server 2000 firewall to perform deep application layer inspection (stateful inspection)
  • Resources located on the corporate network are protected by the ISA Server 2000 firewall’s enhanced application layer inspection mechanisms
  • Granular inbound and outbound access control can be done on a user/group basis

    The figure below shows the ISA Server 2000 back-end firewall topology.



    ISA Server 2000 Front-end and Back-end Firewalls


    The ISA Server 2000 front-end and back-end firewall configuration uses ISA Server 2000 as the Internet edge firewall and the corporate LAN edge firewall. The front-end ISA Server 2000 firewall has an interface directly connected to the Internet and an interface on the DMZ segment between the two ISA Server 2000 firewalls. The back-end ISA Server 2000 firewall has an interface on the perimeter network and an interface on the protected, corporate LAN.


    Advantages of this configuration include:



  • A single firewall system; this reduces training overhead and the probability of a configuration error
  • Sophisticated application layer filtering protecting hosts on the perimeter network and the corporate network
  • You can leverage Web Proxy chaining and firewall chaining to significantly tighten access control for servers on the DMZ segment and users on the internal network. This prevents an attacker who has compromised a server on the DMZ segment from using it as a launch point for outbound attacks from the perimeter network
  • Granular outbound user/group based access control for hosts on both the corporate network and the DMZ segment
  • Excellent support for highly secure VPN passthrough allowing access to protected resources on the corporate network

    The figure below shows the topology for the ISA Server 2000 front-end back-end firewall configuration.





    ISA Server 2000 Application Layer Filtering Web Proxy in the Perimeter Network


    Some organizations already have an existing firewall infrastructure including both front-end and back-end firewalls. These organizations have a large investment in their current firewall infrastructure and prefer to leave it intact. These companies can still leverage ISA Server 2000’s application layer filtering features by making the ISA Server an application layer filtering proxy. This ISA Server 2000 Web proxy can be placed on the DMZ segment between front-end and back-end third party packet filtering firewalls or you can place the ISA Server 2000 application layer proxy on the corporate network.


    Advantages of the application layer filtering proxy configuration include:



  • The ability to leave the current firewall infrastructure intact; you can “drop in” the ISA Server 2000 application layer filtering proxy virtually anywhere
  • The third party front-end and back-end packet filtering firewalls can pass packets at high speed while allowing the ISA Server 2000 to provide a very high level of security for communications passed through its application layer inspection mechanisms
  • A hardened ISA Server 2000 proxy can be placed on the perimeter network segment to reduce the attack surface
  • In reverse Web Proxy scenarios, the ISA Server 2000 application layer filtering proxy can forward user credentials across the back-end firewall to pre-authenticate remote users

    The figure below shows the topology of the application layer filtering proxy configuration.



    Secure Exchange RPC Publishing Scenario – ISA Server 2000 as front-end firewall


    Secure Exchange RPC Publishing Rules allow your full Outlook MAPI clients to access the full range of Exchange Server services on the corporate network. This method of access also provides the highest level of security you can attain for inbound connections to the corporate Exchange Server. Secure Exchange RPC publishing also affords users the greatest level of satisfaction, as they can use the same Outlook client while on the corporate network or when they’re on the road.


    There are three scenarios specific to secure Exchange RPC publishing that do not require static packet filters on a front end firewall and one requiring static packet filters.


    The first scenario uses the ISA Server 2000 firewall as the front end firewall. This provides a very high level of protection for the corporate network and obviates the need for static packet filters which could endanger network segments located behind a traditional stateful packet filtering device. A secure Exchange RPC Server Publishing Rule is the only requirement. The secure Exchange RPC filter listens for incoming connections on TCP port 135 and dynamically manages ephemeral ports required for the secure Outlook MAPI client connections.


    The figure below shows the ISA Server 2000 front-end firewall topology.



    Secure Exchange RPC Publishing Scenario – ISA Server 2000 back to back firewalls


    The second secure Exchange RPC publishing scenario involves using ISA Server 2000 as the front-end and back-end firewall. In this scenario the front-end ISA Server 2000 firewall publishes the external IP address on the back-end ISA Server 2000 firewall. The front-end ISA Server 2000 firewall provides a high level of protection for servers placed on the DMZ segment between the ISA Server 2000 firewalls and for machines located on the corporate network. The back-end ISA Server 2000 firewall publishes the IP address of the Exchange Server on the corporate network. No static packet filters are required and only TCP port 135 is allowed inbound on both the front-end and back-end ISA Server 2000 firewalls.


    The figure below shows the topology for the front-end and back-end ISA Server 2000 secure RPC Server Publishing scenario.



    Secure Exchange RPC Publishing Scenario – Mixed ISA Server 2000 and Packet filtering firewall on the Front-end and ISA Server 2000 Firewall on the Back End


    Organizations with an existing firewall infrastructure may wish to take advantage of the rapid packet-passing features of their current firewall solution, but still want to provide the very high level of protection a front-end ISA Server 2000 firewall provides. The solution to this problem is to use a mixed firewall infrastructure. The existing packet filtering firewall provides very fast hardware-based packet transmission (because it cannot perform stateful inspection), and the intelligent ISA Server 2000 firewall provides crucial application aware security (stateful inspection) for the published Exchange Server via its secure Exchange RPC application filter.


    The packet filtering firewall can be configured to receive inbound communications for machines on the DMZ segment that have been subjected to an intensive host-based hardening program. The packet filtering firewall is not able to examine exploits contained within the application layer, so host-based system hardening is the primary method of defense for these servers. Inbound connections to secure Exchange RPC and other Microsoft services (OWA, IIS, Sharepoint, SMTP, POP3, DNS) can be secured by the ISA Server 2000 firewall.


    The figure below shows the topology for the ISA Server 2000 and packet filtering firewall front-end firewalls and ISA Server 2000 back end firewall scenario.



    Secure Exchange RPC Publishing Scenario – ISA Server 2000 as back-end firewall


    Many organizations already have an existing front-end firewall solution in place and wish to keep the current front-end firewall infrastructure. These companies can place an intelligent ISA Server 2000 application layer filtering firewall behind the current front-end firewall infrastructure. This configuration takes advantage of reduced overhead by avoiding a reconfiguration of the current firewall infrastructure and it also takes advantage of the advanced firewall protection ISA Server 2000 can provide the corporate network.


    The front-end firewall requires a number of static packet filters to support the secure Exchange RPC Server Publishing Rule. Special care is required when configuring the static packet filters to prevent servers located on the perimeter network from being compromised. The corporate network located behind the ISA Server 2000 firewall is protected by the secure Exchange RPC filter (and other application filters) and therefore is at reduced risk of attack.


    The figure below shows the packet filtering front-end firewall ISA Server 2000 back-end firewall topology.





    SMTP Filter and Message Screener Scenarios: SMTP Relay and Message Screener on the Corporate Network


    The SMTP filter always runs on the ISA Server 2000 firewall computer. However, you can place the SMTP Message Screener on another computer located on the protected network behind the ISA Server 2000 firewall. The SMTP Message Screener can be installed in the following locations:



  • On the ISA Server 2000 firewall itself
  • On an independent SMTP relay located behind the ISA Server 2000 firewall
  • On the Exchange Server

    Message filtering requires a significant amount of processing power. For this reason, most organizations prefer to put the SMTP Message Screener on the ISA Server 2000 firewall computer or on an SMTP relay located somewhere on the corporate network.


    The SMTP Message Screener can be installed on an SMTP relay computer on the corporate network running the IIS 5.0 or IIS 6.0 SMTP service. The ISA Server 2000 firewall publishes the SMTP relay on the internal network and the Message Screener blocks dangerous email at the SMTP relay computer. The SMTP Message Screener communicates with the SMTP filter to obtain information about what email should be blocked.


    The figure below shows the topology of the SMTP Message Screener on a dedicated SMTP relay configuration.



    SMTP Filter and Message Screener Scenarios: SMTP Relay and Message Screener on the ISA Server 2000 Firewall


    Many organizations prefer to use a “one box” solution. In the one-box solution the SMTP Message Screener is located on the ISA Server 2000 firewall itself. This simplifies setup and management of the SMTP Message Screener and reduces hardware and software configuration overhead.


    In this scenario the ISA Server 2000 firewall acts as a spam and attachment filtering SMTP relay. The IIS SMTP service is installed on the ISA Server 2000 firewall and processes the incoming SMTP messages. The SMTP Message Screener filters spam, viruses and attachments and relays the safe email messages to the Exchange Server on the corporate network.



    Note:
    In both this scenario and the one where the SMTP Message Screener is installed on a dedicated SMTP relay, the ISA Server 2000 firewall can be integrated into an existing firewall infrastructure. The ISA Server 2000 firewall can act as a back-end firewall or an application layer filtering SMTP proxy located on the perimeter network. The only requirement is that the front-end firewall forward inbound SMTP messages to the ISA Server 2000 firewall machine.



    This is the most popular configuration because of the lower hardware and configuration overhead. The remainder of this document provides detailed step by step procedures for configuring the ISA Server 2000 firewall as a secure, spam and virus filtering SMTP relay.




    Summary


    ISA Server 2000 firewalls can be placed on networks with an existing firewall infrastructure and on networks without a current firewall solution. ISA Server 2000 flexibility allows you to take advantage of its sophisticated application layer filtering features without requiring you to remove or make major changes to your current firewall configuration. In this article we examined several different firewall topologies where ISA Server 2000 is configured as a front-end firewall, back-end firewall and application layer filtering (stateful inspection) proxy.


    I hope you enjoyed this article and found something in it that you can apply to your own network. If you have any questions on anything I discussed in this article, head on over to http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=2;t=011393 and post a message. I’ll be informed of your post and will answer your questions ASAP. Thanks! –Tom
