OCS 2007 and ISA 2006: Firewall Design and Architecture

Assumptions



  • 10.0.0.0 /24 and 172.16.0.0 /24 will be considered part of the “public” IP space. We’re going to pretend those addresses would be publicly routable addresses in the real world.
  • The Edge server’s private NIC is directly connected to the internal network.
  • Clients will be accessing the OCS services by these names and IP addresses:
  IP Address    DNS Name                  Function
  172.16.0.2    sip.confusedamused.com    IM, Presence & Federation
  172.16.0.3    lm.confusedamused.com     Web Conferencing
  172.16.0.4    av.confusedamused.com     A/V Conferencing
  10.0.0.2      ocs.confusedamused.com    Web Components


Prerequisites



  • A complete OCS 2007 Front-End server and Edge server setup is already configured.
  • ISA Server 2006 is installed, either as a domain member or in a workgroup.
  • ISA 2006 can resolve the internal DNS name of the Front-End server (tap-ocs-2k7.ptown.com in this example). If it cannot, a hosts file entry has been created.
  • The ISA machine should have 3 physical NICs: 1 connected to the Internal network, 1 to the DMZ, and 1 to the External network. In this example the NICs are configured as follows:
    – Internal: 192.168.0.1 /24, no gateway, DNS points to 192.168.0.10 (Domain Controller)
    – DMZ: 172.16.0.1 /24, no gateway, no DNS
    – External: 10.0.0.1 /24, with 10.0.0.2 added as a second address for the web listener, no DNS
  • The binding order of the NICs should be: Internal, DMZ, External.
  • The root certificate of the certificate authority exists in the Trusted Root Certification Authorities store of the Local Computer.
  • A certificate issued to ocs.confusedamused.com, with its private key, exists in the Personal store of the Local Computer.

Network Diagram


The layout of the network should follow this configuration: the ISA server sits between the External, DMZ and Internal networks on three NICs, the Edge server's public interfaces (172.16.0.2 through 172.16.0.4) live in the DMZ, and the Edge server's private NIC connects directly to the Internal network where the Front-End server (192.168.0.0 /24) resides.



ISA 2006 Configuration


Configure Network Topology


  1. Open the ISA Management console by navigating to Start | All Programs | Microsoft ISA Server | ISA Server Management.
  2. Click on Networks in the left pane.
  3. Click on Templates | 3-Leg Perimeter in the right pane.
  4. Press Next to start the wizard.
  5. Press Next again to skip the configuration export, or export first if desired. This wizard erases all existing rules in ISA, so proceed with caution. Skip to Appendix A if you need to keep your existing rule set.
  6. Ensure that 192.168.0.0 – 192.168.0.255 is defined as the internal range and press Next.
  7. For the Perimeter Network press Add Adapter. Check the box for the DMZ NIC and press OK. Press Next.
  8. For the Firewall Policy scroll down and pick Allow unrestricted access.
  9. Press Finish to complete the wizard.
  10. Press Apply and then OK to commit the changes. The ISA network diagram should now show the Internal, Perimeter and External networks as three legs off the firewall.


Allow Outgoing Connections


  1. Click the Firewall Policy object in the left pane.
  2. Right-click the rule titled VPN Clients to Internal Network and choose Delete. Press Yes when prompted for confirmation.
  3. Double-click the rule titled Unrestricted Internet Access.
  4. On the From tab, press Add, choose Perimeter from the list and press OK.



This last step allows the Edge server to initiate outgoing requests for DNS and federation. You could be more specific with these rules if you wanted, but I don’t see a huge reason for being more restrictive on outgoing connections. If you do tighten it, the Edge roles need at least outbound DNS, TCP 5061 to federated partners, HTTP to the CRL distribution points of the certificates they validate, and, for A/V with federated partners, the same UDP 3478 and TCP/UDP 50000–59999 ports defined in the STUN protocol below; a narrow outbound rule also keeps a compromised DMZ host from reaching arbitrary Internet addresses.


Create Computer Objects


  1. Ensure the right pane is open, then click on Toolbox | Network Objects | New | Computer.
  2. Enter the name Access Edge and the IP address 172.16.0.2, the public IP that sip.confusedamused.com resolves to. Press OK.
  3. Create another computer object titled Web Conferencing Edge with an IP of 172.16.0.3.
  4. Create another computer object titled A/V Edge with an IP of 172.16.0.4.
  5. There should be 3 computer objects when finished.


Create Web Listener


If the ISA server already has an SSL web listener configured with no authentication, you could simply bind the ocs.confusedamused.com certificate to an additional IP address on that listener rather than creating a new Web Listener object.


  1. In the right pane again, click on Toolbox | Network Objects | New | Web Listener.
  2. Name the web listener something descriptive such as No Authentication SSL so it can be reused for other applications and press Next.
  3. Choose Require SSL secured connections with clients and press Next.
  4. Check the box for the External network and press Select IP Addresses.
  5. Select Specified IP addresses on the ISA Server computer in the selected network, choose the 2nd IP address added to the NIC, 10.0.0.2, press Add and then OK.
  6. Press Next to continue.
  7. Select Assign a certificate for each IP address. Press Select Certificate and choose the certificate issued to ocs.confusedamused.com. Press Select.
  8. Press Next to continue.
  9. Choose No Authentication as the method clients will use to provide credentials to the ISA server and press Next.
  10. Press Next again on the Single Sign On Settings page; SSO does not apply to a listener without authentication.
  11. Press Finish to complete the wizard.


Create Protocols


The HTTPS protocol used by most of these services is already defined, but protocols for Federation (MTLS on TCP 5061) and for the A/V Edge's STUN and media ports need to be created.


  1. In the right pane again, click on Toolbox | Protocols | New | Protocol.
  2. Name the protocol MTLS and press Next.
  3. Click New to define the protocol.
  4. Choose TCP as the Protocol Type, Outbound as the Direction, and 5061 to 5061 as the Port Range. Press OK.
  5. Press Next.
  6. Press Next to not use any secondary connections and then Finish to complete the wizard.
  7. Create another new protocol and name it STUN.
  8. Click New to define the protocol. Choose Protocol Type: TCP, Direction: Outbound, Port Range From: 50000, Port Range To: 59999. Press OK.
  9. Click New again. Choose Protocol Type: UDP, Direction: Send, Port Range From: 50000, Port Range To: 59999. Press OK.
  10. Click New again. Choose Protocol Type: UDP, Direction: Send, Port Range From: 3478, Port Range To: 3478. Press OK.
  11. The STUN definition should now list three primary connections: TCP 50000–59999, UDP 50000–59999 and UDP 3478.
  12. Press Next twice more and then Finish to close the wizard.

Outbound (TCP) and Send (UDP) are the directions ISA uses for protocols referenced from access rules; Inbound and Receive are for server publishing rules. If A/V clients get no reply to their STUN binding requests through the firewall, change the two UDP entries to Send Receive, which is the direction ISA's built-in DNS definition uses for request/response UDP.

Access Rules


Now that all of the necessary items have been defined, the actual access rules can be created.


Access Edge


  1. Right-click the Firewall Policy and choose New | Access Rule.
  2. Name the rule something descriptive like Inbound Access Edge Connections and press Next.
  3. Choose Allow and press Next.
  4. Ensure the dropdown says Selected Protocols and press the Add button.
  5. Choose HTTPS from the Common Protocols folder and MTLS from the User-Defined folder. Press Add for each of those and then Close.
  6. Press Next once both protocols are listed.
  7. For the sources press Add, choose External from the Networks folder, press Close, and then Next.
  8. For the destination press Add, choose Access Edge from the Computers folder, press Close, and then Next.
  9. Leave the All Users option and press Next. Press Finish to complete the wizard.


Web Conferencing Edge



  1. Right-click the Firewall Policy and choose New | Access Rule.
  2. Name the rule something descriptive like Inbound Web Conferencing Connections and press Next.
  3. Choose Allow and press Next.
  4. Ensure the dropdown says Selected Protocols and press the Add button.
  5. Choose HTTPS from the Common Protocols folder and press Add, then Close. Press Next.
  6. For the sources press Add, choose External from the Networks folder, press Close, and then Next.
  7. For the destination press Add, choose Web Conferencing Edge from the Computers folder, press Close, and then Next.
  8. Leave the All Users option and press Next. Press Finish to complete the wizard.

A/V Edge



  1. Right-click the Firewall Policy and choose New | Access Rule.
  2. Name the rule something descriptive like Inbound A/V Edge Connections and press Next.
  3. Choose Allow and press Next.
  4. Ensure the dropdown says Selected Protocols and press the Add button.
  5. Choose HTTPS from the Common Protocols folder and STUN from the User-Defined folder. Press Add for each of those and then Close. Press Next.
  6. For the sources press Add, choose External from the Networks folder, press Close, and then Next.
  7. For the destination press Add, choose A/V Edge from the Computers folder, press Close, and then Next.
  8. Leave the All Users option and press Next. Press Finish to complete the wizard.
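The three sections above (computer objects, the two custom protocols, and the three inbound access rules) can be scripted instead of clicked through, which makes the rule set reproducible and reviewable. The following is an added example written for this page, not a script from the original authors or from Microsoft; it uses the ISA 2006 administration COM object (FPC.Root) from PowerShell on the ISA server. The numeric enum values and the PrimaryConnections.Add signature are assumed from the ISA SDK type library rather than taken from the page, and the rule and object names are the ones used above.

```powershell
# Added example: scripts the "Create Computer Objects", "Create Protocols" and
# "Access Rules" sections with the ISA 2006 administration COM object (FPC.Root).
# Run on the ISA server in an elevated PowerShell session as an ISA administrator.
# The numeric enum values below are assumed from the ISA SDK type library, not
# taken from the page; open one of the created rules in the console afterwards
# to confirm the direction and action came out as intended.
$fpcTCP      = 6    # FpcProtocolType: IP protocol number for TCP
$fpcUDP      = 17   # FpcProtocolType: IP protocol number for UDP
$fpcOutbound = 1    # FpcConnectionDirectionType: TCP Outbound (assumed)
$fpcSend     = 3    # FpcConnectionDirectionType: UDP Send (assumed)
$fpcInclude  = 0    # FpcInclusionType: include the referenced element (assumed)
$fpcAllow    = 0    # FpcPolicyRuleActions: allow (assumed)
$fpcSpecifiedProtocols = 1   # FpcProtocolSelectionType: selected protocols only (assumed)

$fpc      = New-Object -ComObject 'FPC.Root'
$array    = $fpc.GetContainingArray()
$elements = $array.RuleElements

# Protocol definitions: MTLS for federation, STUN for the A/V Edge's media ports
$mtls = $elements.ProtocolDefinitions.Add('MTLS')
[void]$mtls.PrimaryConnections.Add($fpcTCP, $fpcOutbound, 5061, 5061)

$stun = $elements.ProtocolDefinitions.Add('STUN')
[void]$stun.PrimaryConnections.Add($fpcTCP, $fpcOutbound, 50000, 59999)
[void]$stun.PrimaryConnections.Add($fpcUDP, $fpcSend,     50000, 59999)
[void]$stun.PrimaryConnections.Add($fpcUDP, $fpcSend,     3478,  3478)

# Computer objects: the three Edge addresses from the table at the top of the page
$edges = @{
    'Access Edge'           = '172.16.0.2'
    'Web Conferencing Edge' = '172.16.0.3'
    'A/V Edge'              = '172.16.0.4'
}
foreach ($name in $edges.Keys) {
    [void]$elements.Computers.Add($name, $edges[$name])
}

# One allow rule per Edge role: source External, destination that one computer,
# and only the listed protocols (never "All outbound traffic")
function New-EdgeRule([string]$ruleName, [string]$computer, [string[]]$protocols) {
    $rule = $array.ArrayPolicy.PolicyRules.AddAccessRule($ruleName)
    $rule.Action = $fpcAllow
    $rule.AccessProperties.ProtocolSelectionMethod = $fpcSpecifiedProtocols
    foreach ($p in $protocols) {
        [void]$rule.AccessProperties.SpecifiedProtocols.Add($p, $fpcInclude)
    }
    [void]$rule.SourceSelectionIPs.Networks.Add('External', $fpcInclude)
    [void]$rule.DestinationSelectionIPs.Computers.Add($computer, $fpcInclude)
    return $rule
}

[void](New-EdgeRule 'Inbound Access Edge Connections'      'Access Edge'           @('HTTPS', 'MTLS'))
[void](New-EdgeRule 'Inbound Web Conferencing Connections' 'Web Conferencing Edge' @('HTTPS'))
[void](New-EdgeRule 'Inbound A/V Edge Connections'         'A/V Edge'              @('HTTPS', 'STUN'))

$array.Save()   # same effect as pressing Apply in the console
```

If a method name or argument list differs in your SDK build, `$mtls.PrimaryConnections | Get-Member` and `$rule | Get-Member` show the actual members. New access rules are appended at the bottom of the policy, above the default deny rule, which is where these three belong.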

Web Components Reverse Proxy


  1. Right-click the Firewall Policy and choose New | Web Site Publishing Rule.
  2. Enter a descriptive name such as Inbound Web Components Connections for the rule and press Next.
  3. Choose Allow and press Next.
  4. Choose Publish a single Web site or load balancer and press Next.
  5. Choose Use SSL to connect to the published Web server or server farm and press Next.
  6. Enter tap-ocs-2k7.ptown.com as the internal site name and press Next.

This is where SAN certificates can cause some headaches. This rule points at the internal FQDN of the Front-End server where the web components are published, and ISA validates that name against the certificate the Front-End presents. Be absolutely certain that the certificate's subject name matches the first SAN entry listed on it; both should be tap-ocs-2k7.ptown.com. You can read more about how ISA 2006 handles SAN certificates in a reverse proxy case here: http://blogs.msexchange.org/walther/2007/03/28/san-certificates-and-isa-server-2006/

  7. Enter /* as the path and press Next.
  8. Enter ocs.confusedamused.com as the public name and leave the other defaults. Press Next.
  9. Choose the No Authentication SSL web listener created earlier and press Next.
  10. Change the drop-down to No delegation, but client may authenticate directly and press Next.
  11. Leave the All Users default and press Next.
  12. Press Finish to complete the wizard.
  13. Click the Apply button at the top.
  14. Press OK once the changes are saved.
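The two certificate conditions this publishing rule depends on (subject name equal to the first SAN on the Front-End certificate, and a listener certificate with a private key that chains to a trusted root) can be checked from the ISA server before the rule is applied. The following is an added example written for this page, not code from the original authors; it fetches the certificate the Front-End presents on 443 the way ISA will see it, and then inspects the Local Computer Personal store. The host names are the page's; the assumption that the SAN extension formats as "DNS Name=host" lines is how .NET renders it on an English Windows install.

```powershell
# Added example (not from the page): verifies the certificate preconditions of
# the Web Components publishing rule. Names are the ones used on this page.
$frontEnd   = 'tap-ocs-2k7.ptown.com'     # internal site name entered in the rule
$publicName = 'ocs.confusedamused.com'    # public name bound to the web listener

function Get-SanDnsNames($cert) {
    # OID 2.5.29.17 is Subject Alternative Name; Format($true) renders one
    # "DNS Name=host" line per entry (assumed English display strings)
    $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($ext -eq $null) { return @() }
    $names = @()
    foreach ($line in $ext.Format($true).Split([char]10)) {
        if ($line.Trim() -match '^DNS Name=(.+)$') { $names += $matches[1].Trim() }
    }
    return $names
}

function Get-RemoteCertificate([string]$hostName, [int]$port) {
    # Pull the certificate the Front-End presents, accepting it unvalidated so we
    # can inspect it even when the chain is broken
    $tcp = New-Object System.Net.Sockets.TcpClient -ArgumentList $hostName, $port
    $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    $ssl = New-Object System.Net.Security.SslStream -ArgumentList $tcp.GetStream(), $false, $cb
    $ssl.AuthenticateAsClient($hostName)
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate
    $ssl.Close(); $tcp.Close()
    return $cert
}

# 1) Front-End certificate: CN must equal the internal site name AND the first SAN entry
$feCert = Get-RemoteCertificate $frontEnd 443
$cn   = $feCert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
$sans = Get-SanDnsNames $feCert
if ($cn -eq $frontEnd -and $sans.Count -gt 0 -and $sans[0] -eq $frontEnd) {
    "Front-End certificate OK: CN=$cn, first SAN=$($sans[0])"
} else {
    "Front-End certificate MISMATCH: CN=$cn, SANs=$($sans -join ', '); ISA will not match $frontEnd"
}

# 2) Listener certificate: Local Computer\Personal, private key present, chain verifies
$listener = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like "*CN=$publicName*" -and $_.HasPrivateKey } |
    Select-Object -First 1
if ($listener -eq $null) {
    "No certificate for $publicName with a private key in Cert:\LocalMachine\My"
} elseif (-not $listener.Verify()) {
    "Certificate for $publicName found, but its chain does not verify (is the root CA in Trusted Root Certification Authorities?)"
} else {
    "Listener certificate OK: thumbprint $($listener.Thumbprint)"
}
```

The first check is the one that catches the SAN problem described above: a certificate whose CN is the Front-End's short name, or whose first SAN is a different host, fails ISA's name matching even though a browser would accept it. The second check explains the two certificate prerequisites from the top of the page.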


End Result


The final firewall policy should contain the three inbound Edge access rules, the Web Components publishing rule, and the Unrestricted Internet Access rule with Internal and Perimeter as its sources, all above the default deny rule.
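Once the policy is applied, the useful test is not only that the expected ports answer but that the unexpected ones do not: the point of three separate rules with computer-object destinations is that TCP 5061 reaches the Access Edge and nothing else. The following is an added example written for this page, not a script from the original authors; it is run from a host on the External network and uses an expectation matrix constructed from the table at the top of the page. It probes TCP only, so the UDP 3478 and 50000–59999 media ports still need an A/V call to confirm.

```powershell
# Added example (not from the page): run from a machine on the External network
# to confirm the applied policy exposes exactly what the table intends. The
# expectation matrix is constructed from the page's table; "closed" entries are
# the negative checks that prove the destination computer objects are doing their job.
$timeoutMs = 2000

function Test-TcpPort([string]$ip, [int]$port) {
    # Asynchronous connect with a timeout so a silently dropped packet
    # (ISA's default deny) does not hang the run
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ip, $port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($timeoutMs, $false)) { return $false }
        $client.EndConnect($ar)    # throws if the connection was refused
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# 443 on every address; 5061 only on the Access Edge; nothing on port 80 of the
# SSL-only listener
$matrix = @(
    @{ Host = 'sip.confusedamused.com'; IP = '172.16.0.2'; Port = 443;  Open = $true  },
    @{ Host = 'sip.confusedamused.com'; IP = '172.16.0.2'; Port = 5061; Open = $true  },
    @{ Host = 'lm.confusedamused.com';  IP = '172.16.0.3'; Port = 443;  Open = $true  },
    @{ Host = 'lm.confusedamused.com';  IP = '172.16.0.3'; Port = 5061; Open = $false },
    @{ Host = 'av.confusedamused.com';  IP = '172.16.0.4'; Port = 443;  Open = $true  },
    @{ Host = 'av.confusedamused.com';  IP = '172.16.0.4'; Port = 5061; Open = $false },
    @{ Host = 'ocs.confusedamused.com'; IP = '10.0.0.2';   Port = 443;  Open = $true  },
    @{ Host = 'ocs.confusedamused.com'; IP = '10.0.0.2';   Port = 80;   Open = $false }
)

$failures = 0
foreach ($e in $matrix) {
    $actual = Test-TcpPort $e.IP $e.Port
    if ($actual)  { $state = 'open' }  else { $state = 'closed' }
    if ($e.Open)  { $want  = 'open' }  else { $want  = 'closed' }
    if ($actual -eq $e.Open) {
        "PASS $($e.Host) $($e.IP):$($e.Port) is $state"
    } else {
        "FAIL $($e.Host) $($e.IP):$($e.Port) is $state, expected $want"
        $failures++
    }
}
"$failures unexpected result(s)"
```

A "closed" result here means ISA dropped the connection, regardless of whether the Edge server itself is listening on that port, which is exactly the property the access rules are meant to provide. A FAIL on one of the closed entries usually means a rule was built with a network or "All outbound traffic" as its destination instead of the specific computer object.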



Appendix A – Manual Route Configuration


This method should be used if existing ISA rules need to be preserved. The only downside is that the Perimeter network is not defined and the network (route) rule between the Internet and the DMZ is not created. Do the following to create those objects. Depending on topology, a network rule from the private LAN to the DMZ may be needed as well.


  1. Right-click the Networks icon in the left pane and choose New | Network.
  2. Name the Network something descriptive such as Perimeter. Press Next to continue.
  3. Choose Perimeter Network and press Next.
  4. Press Add Adapter. Check the box for the DMZ NIC and press OK. Press Next.
  5. Press Finish to complete the wizard.
  6. Right-click the Networks icon in the left pane and choose New | Network Rule.
  7. Name the rule something descriptive such as Perimeter Access. Press Next to continue.
  8. Press the Add button.
  9. Expand the Networks folder, choose External and press Add, then Close.
  10. Press Next.
  11. Expand the Networks folder, choose Perimeter and press Add, then Close.
  12. Press Next.
  13. Choose Route as the relationship between these networks and press Next.
  14. Press Finish to complete the wizard.


The 3-Leg Perimeter topology has now been created, but will not be reflected in the ISA diagram. Functionally, this setup works fine.


© John Weber and Tom Pacyk
