Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 2: Configuring the Network Service Perimeter ISA Firewall

Published on 18 Oct. 2005 / Last Updated on 20 May 2013

In the first part of this multipart article series on configuring a network services segment using a perimeter ISA firewall, we discussed concepts and issues in perimeter network design and issues related to the ISA firewall’s stateful packet inspection mechanisms. We also went over the sample network design used in this article series. In this, part 2 of the article series, we’ll move our attention to the network services segment perimeter ISA firewall.

by Thomas W Shinder MD, MVP

Have Questions about the article?
Ask at: http://forums.isaserver.org/ultimatebb.cgi?ubb=get_topic;f=26;t=000555

If you missed the other parts of this series please read:

Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 1
Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 3
Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 4
Configure ISA 2004 as a Network Services Segment Perimeter Firewall - Part 5


In this, part 2 of the article series, we’ll move our attention to the network services segment perimeter ISA firewall. We’ll do the following in this article:

  • Create the ISA Firewall Network Representing the Corporate Network on the Network Services Perimeter ISA firewall
  • Create the Network Rule on the Network Services Perimeter ISA Firewall Setting a Route Relationship between the Corporate Network and the Network Services Segment
  • Create an Intradomain Communications Access Rule on the Network Services Perimeter ISA Firewall and a DNS Server Publishing Rule
  • Create Access Rules Controlling Outbound Access from the Network Services Segment on Perimeter ISA Firewall

As a reminder, the figure below provides a high level view of the sample network used in this article series.


Figure A

Create the ISA Firewall Network Representing the Corporate Network on the Network Services Perimeter ISA firewall

One of the most prevalent misconceptions regarding ISA firewall Networks and how the ISA firewall sees the network world is how the ISA firewall deals with the default External Network. Let’s set the record straight: the default External Network on the ISA firewall is defined as any IP address that isn’t part of any other ISA firewall Network configured on the ISA firewall.

What this means is you can configure any collection of IP addresses that aren’t part of another ISA firewall Network to be part of a custom ISA firewall Network. This includes the IP address(es) bound to the external interface of the ISA firewall (although the addresses on the external interface of the ISA firewall will always belong to the Local Host Network).

This allows us to create a custom ISA firewall Network that includes the IP addresses used on the corporate network that lies between the edge ISA firewall and the network services perimeter ISA firewall. These addresses do not need to be part of the default External Network, even though the corporate network is on the same network ID as the external interface of the ISA firewall. The term “external interface” only means that it’s the interface with the default gateway configured on it, which typically is the closest to the Internet.

NOTE:
While the term external interface is used to denote the NIC that has the default gateway configured on it, you can in fact configure an ISA firewall that has no default gateway. Such an ISA firewall won’t be able to access the Internet, and the hosts serviced by that ISA firewall won’t be able to access the Internet either, but it does illustrate that an ISA firewall does not require an external interface.

The value of making the corporate network between the edge ISA firewall and the network services perimeter ISA firewall a separate ISA firewall Network is that you can control the routing relationship between that Network and any other Network defined on the ISA firewall. In the example network used in this article, configuring a custom corporate ISA firewall Network will enable us to create a route relationship between the default Internal Network behind the back-end ISA firewall and the corporate network between the edge ISA firewall and the network services ISA perimeter ISA firewall. We can also create Access Rules controlling traffic moving to and from any ISA firewall Network.
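To make the membership rule concrete, here is an added Python model (not ISA’s own code or administration API) of how the ISA firewall assigns an address to a Network and how it looks up the Network Rule between two Networks, using the addressing from this article. Addresses on the firewall’s own NICs win, then any defined Network, and whatever is left over is the default External Network. The Internal range 10.0.0.0–10.0.0.255, the firewall’s internal NIC address 10.0.0.1 and the treatment of overlapping ranges as a configuration error are assumptions of the model; 10.0.1.2 as the firewall’s Corpnet-side address and the Corpnet range come from the article.

```python
from ipaddress import IPv4Address


class IsaNetworkModel:
    """Toy model of ISA 2004 Network membership and Network Rule lookup.
    Added example for this article; it is not ISA's own code."""

    def __init__(self, local_host_ips):
        # Addresses bound to the firewall's NICs always belong to Local Host,
        # even when they fall inside another Network's address range.
        self.local_host = {IPv4Address(ip) for ip in local_host_ips}
        self.networks = {}        # name -> list of (start, end) inclusive ranges
        self.network_rules = []   # (name, source, destination, "Route" | "NAT")

    def overlaps(self, start, end):
        """Name of an existing Network whose range intersects start-end, else None."""
        s, e = IPv4Address(start), IPv4Address(end)
        for other, ranges in self.networks.items():
            if any(s <= oe and os_ <= e for os_, oe in ranges):
                return other
        return None

    def add_network(self, name, start, end):
        s, e = IPv4Address(start), IPv4Address(end)
        if s > e:
            raise ValueError(f"{name}: start {s} is after end {e}")
        # Assumption of this model: an address may belong to only one Network,
        # so an overlapping range is rejected.
        clash = self.overlaps(start, end)
        if clash is not None and clash != name:
            raise ValueError(f"{name} {s}-{e} overlaps Network {clash}")
        self.networks.setdefault(name, []).append((s, e))

    def classify(self, ip):
        """Network an address belongs to: Local Host first, then any defined
        Network, and everything left over is the default External Network."""
        a = IPv4Address(ip)
        if a in self.local_host:
            return "Local Host"
        for name, ranges in self.networks.items():
            if any(s <= a <= e for s, e in ranges):
                return name
        return "External"

    def add_network_rule(self, name, source, destination, relationship):
        if relationship not in ("Route", "NAT"):
            raise ValueError(f"unknown relationship {relationship}")
        self.network_rules.append((name, source, destination, relationship))

    def relationship(self, src, dst):
        """Route rules apply in both directions, NAT rules only from source to
        destination. No matching rule means the two Networks cannot talk."""
        for _, rs, rd, rel in self.network_rules:
            forward = rs == src and rd in (dst, "All Networks")
            reverse = rel == "Route" and rs == dst and rd in (src, "All Networks")
            if forward or reverse:
                return rel
        return None


def build_article_model():
    """The network services perimeter ISA firewall as configured in this article.
    The Internal range and the NIC address 10.0.0.1 are assumptions consistent
    with the article (DC at 10.0.0.2, firewall Corpnet-side address 10.0.1.2)."""
    m = IsaNetworkModel(local_host_ips=["10.0.1.2", "10.0.0.1"])
    m.add_network("Internal", "10.0.0.0", "10.0.0.255")   # network services segment
    m.add_network("Corpnet", "10.0.1.0", "10.0.1.255")    # range entered in the wizard
    # ISA's default Network Rules, then the rule created in this article.
    m.add_network_rule("Local Host Access", "Local Host", "All Networks", "Route")
    m.add_network_rule("Internet Access", "Internal", "External", "NAT")
    m.add_network_rule("Corpnet - Internal", "Corpnet", "Internal", "Route")
    return m


if __name__ == "__main__":
    model = build_article_model()
    for ip in ("10.0.1.2", "10.0.1.50", "10.0.0.2", "203.0.113.10"):
        print(ip, "->", model.classify(ip))
    print("Corpnet -> Internal:", model.relationship("Corpnet", "Internal"))
    print("Corpnet -> External:", model.relationship("Corpnet", "External"))
```

Two points the model makes visible: 10.0.1.2 sits inside the Corpnet range yet classifies as Local Host, and Corpnet has no relationship at all to External on this firewall, because the only NAT rule runs from Internal. Anything the Corpnet hosts need beyond this firewall must therefore be covered by an explicit Network Rule and Access Rule.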

Create the Corpnet ISA Firewall Network

Perform the following steps on the network services perimeter ISA firewall to create the Corpnet ISA firewall Network:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
  2. On the Networks node, click the Networks tab in the details pane. Click the Tasks tab in the Task Pane and then click the Create a New Network link.
  3. On the Welcome to the New Network Wizard page, enter a name for the Network in the Network name text box. In this example we’ll name the Network Corpnet. Click Next.
  4. On the Network Type page, select the Perimeter Network option and click Next.
  5. On the Network Address page, click the Add button.
  6. In the IP Address Range Properties dialog box, enter the Starting address and Ending address for the Corpnet ISA firewall Network. In this example we’ll enter 10.0.1.0 for the Starting address and 10.0.1.255 for the Ending address. Note that you don’t have to include the entire network ID: you can include only the addresses that are actually in use on that network, or you can get even more granular and include only those addresses that you want to have a route relationship with the default Internal Network behind the network services perimeter ISA firewall. That leaves you free to later create another ISA firewall Network representing the other addresses on the corporate network, with which you can set a NAT relationship. Click OK.


Figure 1

  7. Click Next on the Network Addresses page.


Figure 2

  8. Click Finish on the Completing the New Network Wizard page.


Figure 3

Create the Network Rule on the Network Services Perimeter ISA Firewall Setting a Route Relationship between the Corporate Network and the Network Services Segment

In the scenario discussed in this article, the hosts on the corporate network are members of a domain whose domain controllers are located behind the network services perimeter ISA firewall.

An Access Rule must be created that allows hosts on the corporate network to communicate with the DCs on the network services segment. Intradomain communications require that you have a Route relationship between the source and destination networks. For this reason, we will create a Network Rule that sets a Route relationship between the corporate network and the default Internal Network located behind the network services perimeter ISA firewall.

It’s important to note that although there will be a route relationship between the network services perimeter ISA firewall’s default Internal Network and the Corpnet Network, there will still be a NAT relationship between the network services perimeter ISA firewall’s default Internal Network and the Internet. This is fully supported (and required), since private addresses are used on all networks behind the edge ISA firewall.

Create the Network Rule Defining a Route Relationship between the Corpnet ISA Firewall Network and the Default Internal Network

Perform the following steps to create the Network Rule creating a route relationship between the Corpnet Network and the default Internal Network behind the network services perimeter ISA firewall:

  1. In the ISA firewall console, expand the server name and then expand the Configuration node in the left pane of the console. Click the Networks node.
  2. On the Networks node, click the Network Rules tab in the details pane of the console, then click the Create a New Network Rule link in the Tasks tab of the Task Pane.
  3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name the rule Corpnet – Internal (the default Internal Network behind the network services perimeter ISA firewall represents the network services segment). Click Next.
  4. On the Network Traffic Sources page, click the Add button.
  5. In the Add Network Entities dialog box, click the Networks folder and then double click the Corpnet Network. Click Close.


Figure 4

  6. Click Next on the Network Traffic Sources page.
  7. Click Add on the Network Traffic Destinations page.
  8. Click the Networks folder and then double click the Internal entry. Click Close.
  9. On the Network Relationship page, select the Route option and click Next.


Figure 5

  10. Click Finish on the Completing the New Network Rule Wizard page.


Figure 6

Create an Intradomain Communications Access Rule on the Network Services Perimeter ISA Firewall and a DNS Server Publishing Rule

Multiple protocols are required to allow intradomain communications between hosts on the corporate network and the domain controllers on the network services segment. Table 1 provides the details of this Access Rule, and Table 2 provides the details of the DNS Server Publishing Rule.

Table 1: Access Rule allowing intradomain communications between Corpnet hosts and the DC on the default Internal Network behind the back-end ISA firewall

Name: Intradomain Corpnet -- Internal
Action: Allow
Protocols:
    Microsoft CIFS (TCP)
    Microsoft CIFS (UDP)
    Kerberos-Adm(UDP)
    Kerberos-Sec(TCP)
    Kerberos-Sec(UDP)
    LDAP
    LDAP (UDP)
    LDAP GC (Global Catalog)
    RPC (all interfaces)
    NTP (UDP)
    Ping
From: Corpnet
To: Domain Controller
Users: All
Schedule: Always
Content Types: All content types

Table 2: DNS Server Publishing Rule

Name: Publish Domain DNS
Action: Allow
Protocols: DNS Server
Listener: Corpnet
To: 10.0.0.2
Schedule: Always

Note that we are using an Access Rule rather than a publishing rule to allow access from the Corpnet ISA firewall Network to the network services segment network. The reason is that we have a route relationship between these two Networks; with a route relationship there is neither a need nor a way to hide the addresses of the servers on the network services segment.

You might be concerned that you won’t be able to leverage the ISA firewall’s deep application layer inspection application filters when using Access Rules, but the fact is that you can benefit from the application filters for most protocols. If you check the Protocol Definitions that have application filters associated with them, you’ll see that both the inbound and the outbound Protocol Definitions for those protocols have the application layer inspection filters bound to them.

Unfortunately, the DNS filter is not one of the filters that you can use for both inbound and outbound access stateful application layer inspection. Even though you can bind the DNS application layer inspection filter to the outbound DNS Protocol Definition, the filter will have no effect.

You can test this yourself: bind the DNS application layer inspection filter to the outbound DNS Protocol Definition, create an Access Rule from Corpnet to the network services segment network using that DNS Protocol Definition, and then block DNS zone transfers in the Enable Intrusion Detection and DNS Attack Detection dialog box. After creating the Access Rule and configuring DNS intrusion detection, try to perform a DNS zone transfer with the nslookup utility by issuing the ls -d <domain_name.> command. You’ll find that the zone transfer succeeds. In contrast, if you used a DNS Server Publishing Rule, the zone transfer would fail because the DNS application layer inspection filter detects the intrusion.

For this reason, we will create two rules: a Server Publishing Rule for DNS communications and an Access Rule for all other intradomain communications. While we could simplify the configuration by including the DNS protocol in the intradomain communications Access Rule, we would miss out on the added protection provided by the DNS filter.

Create the Intradomain Communications Rule

Perform the following steps to create the intradomain communications Access Rule on the network services perimeter ISA firewall:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console.
  2. On the Firewall Policy node, click the Tasks tab in the Task Pane and click the Create New Access Rule link.
  3. On the Welcome to the New Access Rule Wizard page, enter the name of the rule in the Access Rule name text box. In this example, we’ll name the rule Intradomain Corpnet -- Internal and click Next.
  4. Select the Allow option on the Rule Action page.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
  6. Click the Add Protocols folder and then double click the following protocols:
    Microsoft CIFS (TCP)
    Microsoft CIFS (UDP)
    DNS
    Kerberos-Adm(UDP)
    Kerberos-Sec(TCP)
    Kerberos-Sec(UDP)
    LDAP
    LDAP (UDP)
    LDAP GC (Global Catalog)
    RPC (all interfaces)
    NTP (UDP)
    Ping
    Click Close in the Add Protocols dialog box.
  7. Click Next on the Protocols page.


Figure 7

  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, double click the Corpnet entry and then click Close.
  10. Click Next on the Access Rule Sources page.
  11. Click Add on the Access Rule Destinations page.
  12. In the Add Network Entities dialog box, click the New menu and then click Computer.
  13. In the New Computer Rule Element dialog box, enter a name for the domain controller on the Internal Network (the network services segment). In this example we’ll name the Computer Object Domain Controller. Enter the IP address of the domain controller in the Computer IP Address text box. Enter an optional Description if you like. Click OK.


Figure 8

  14. In the Add Network Entities dialog box, click the Computers folder and then double click the Domain Controller entry. Click Close.
  15. Click Next on the Access Rule Destinations page.


Figure 9

  16. Accept the default setting, All Users, on the User Sets page and click Next.
  17. Click Finish on the Completing the New Access Rule Wizard page.


Create the DNS Server Publishing Rule

The next step is to create the DNS Server Publishing Rule. Perform the following steps on the network service perimeter ISA firewall to create the DNS Server Publishing Rule:

  1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
  2. On the Firewall Policy node, click the Tasks tab in the Task Pane and then click the Create a New Server Publishing Rule link.
  3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server Publishing Rule name text box. In this example, we’ll name the rule Publish Domain DNS and click Next.
  4. On the Select Server page, enter the IP address of the DNS server for the domain in the Server IP address text box. In this example, the domain’s DNS server is located on the domain controller, which is at IP address 10.0.0.2. We enter this IP address into the text box and click Next.


Figure 10

  5. On the Select Protocol page, select the DNS Server option from the Selected protocol list. Click Next.


Figure 11

  6. On the IP Address page, put a checkmark in the checkbox next to Corpnet and click Next. There is an interesting quirk to this setting, which I’ll talk more about at the end of this section.


Figure 12

  7. Click Finish on the Completing the New Server Publishing Rule Wizard page.

I mentioned that there is an interesting twist to Server Publishing Rules when you have a route relationship between the source and destination ISA firewall Networks. To fully appreciate the situation, let’s first examine what happens when there is a NAT relationship between the published server and the external client.

When there is a NAT relationship between the published server and the external client, the external client reaches the published server using the IP address on the external interface of the ISA firewall that is configured to listen for incoming connections for that specific Server Publishing Rule. For example, if there were a NAT relationship between the published DNS server and the Corpnet, then we could choose the IP address 10.0.1.2 on the external interface of the network services perimeter ISA firewall as the listening address. Hosts that need to reach the published server would send DNS queries to the IP address used in the Server Publishing Rule listener, not to the actual IP address of the published server.

In contrast, when there is a route relationship between the source and destination ISA firewall Networks, the external client reaches the published DNS server (or any other server except a Web server published using a Web Publishing Rule) using the actual IP address of the published server. So, even though we’ve created a DNS Server Publishing Rule that has a listener on the external interface of the network services perimeter ISA firewall, the external clients must use the actual IP address to reach the DNS server, which in this case is 10.0.0.2.
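The following added Python example (written for this article, not ISA’s own code) models the firewall policy built in this part as an ordered rule list and evaluates sample connections against it, so the route/NAT twist just described can be seen directly: with a Route relationship the published DNS server is reachable only at 10.0.0.2, and a query sent to the listener address 10.0.1.2 matches nothing; with a NAT relationship it is the other way round. The IP addresses and rule names come from the article; the members of the two Domain Name Sets are constructed samples, not the real contents of ISA’s built-in sets, and the request/rule structures are a simplification of how ISA matches rule elements.

```python
from dataclasses import dataclass, replace
from fnmatch import fnmatch
from ipaddress import IPv4Address

# Rule elements used by the article's rules. Domain-set members are constructed
# samples for this example; they are not the real contents of ISA's built-in sets.
COMPUTERS = {"Domain Controller": IPv4Address("10.0.0.2")}
DOMAIN_SETS = {
    "System Policy Allowed Sites": ["*.windowsupdate.com", "*.update.microsoft.com"],
    "Microsoft Error Reporting sites": ["*.watson.microsoft.com"],
}
INTRADOMAIN = {"Microsoft CIFS (TCP)", "Microsoft CIFS (UDP)", "Kerberos-Adm(UDP)",
               "Kerberos-Sec(TCP)", "Kerberos-Sec(UDP)", "LDAP", "LDAP (UDP)",
               "LDAP GC (Global Catalog)", "RPC (all interfaces)", "NTP (UDP)", "Ping"}


@dataclass
class Request:
    src_net: str            # ISA Network the initiating host belongs to
    src_ip: IPv4Address
    dst_net: str            # ISA Network the destination address belongs to
    dst_ip: IPv4Address
    protocol: str           # outbound Protocol Definition name, e.g. "DNS", "LDAP"
    dst_host: str = ""      # name the client asked for; Domain Name Sets match on it


@dataclass
class AccessRule:
    name: str
    protocols: set
    sources: list           # ("network", name) | ("computer", name)
    destinations: list      # ("network", name) | ("computer", name) | ("domainset", name)
    action: str = "Allow"


@dataclass
class ServerPublishingRule:
    name: str
    client_protocol: str    # "DNS"; the rule itself uses the inbound "DNS Server" definition
    server_ip: IPv4Address
    listener_networks: set
    listener_ip: IPv4Address  # firewall address on the listener Network's interface
    relationship: str       # Network Rule between listener Network and server Network


def entity_matches(entity, net, ip, host):
    kind, name = entity
    if kind == "network":
        return net == name
    if kind == "computer":
        return ip == COMPUTERS[name]
    if kind == "domainset":
        return bool(host) and any(fnmatch(host, pat) for pat in DOMAIN_SETS[name])
    raise ValueError(f"unknown rule element kind {kind}")


def published_target(rule):
    """Address a client must send to: the listener under NAT, the server's real
    address under a Route relationship (the article's twist)."""
    return rule.listener_ip if rule.relationship == "NAT" else rule.server_ip


def evaluate(policy, req):
    """First matching rule wins, as in ISA's ordered firewall policy. Only the
    packet that opens a connection is evaluated; replies are matched by the
    state table, so no reverse Access Rule is needed."""
    for rule in policy:
        if isinstance(rule, ServerPublishingRule):
            if (req.protocol == rule.client_protocol
                    and req.src_net in rule.listener_networks
                    and req.dst_ip == published_target(rule)):
                return ("Allow", rule.name)
            continue
        if (req.protocol in rule.protocols
                and any(entity_matches(e, req.src_net, req.src_ip, "") for e in rule.sources)
                and any(entity_matches(e, req.dst_net, req.dst_ip, req.dst_host)
                        for e in rule.destinations)):
            return (rule.action, rule.name)
    return ("Deny", "Default rule")


# The policy as built in this part of the article (Corpnet - Internal is Route).
POLICY = [
    ServerPublishingRule("Publish Domain DNS", "DNS", IPv4Address("10.0.0.2"),
                         {"Corpnet"}, IPv4Address("10.0.1.2"), "Route"),
    AccessRule("Intradomain Corpnet -- Internal", INTRADOMAIN,
               [("network", "Corpnet")], [("computer", "Domain Controller")]),
    AccessRule("DNS to External", {"DNS"},
               [("computer", "Domain Controller")], [("network", "External")]),
    AccessRule("Outbound to WU and MS Reporting", {"HTTP", "HTTPS"},
               [("network", "Internal")],
               [("domainset", "Microsoft Error Reporting sites"),
                ("domainset", "System Policy Allowed Sites")]),
]


def decide(src_net, src_ip, dst_net, dst_ip, protocol, dst_host="", policy=POLICY):
    req = Request(src_net, IPv4Address(src_ip), dst_net, IPv4Address(dst_ip), protocol, dst_host)
    return evaluate(policy, req)


def with_nat_listener(policy):
    """Same policy, but as if Corpnet and Internal had a NAT relationship."""
    return [replace(r, relationship="NAT") if isinstance(r, ServerPublishingRule) else r
            for r in policy]


if __name__ == "__main__":
    print(decide("Corpnet", "10.0.1.50", "Internal", "10.0.0.2", "DNS"))       # reaches the DC
    print(decide("Corpnet", "10.0.1.50", "Local Host", "10.0.1.2", "DNS"))     # listener: no match
    print(decide("Internal", "10.0.0.7", "External", "203.0.113.53", "DNS"))   # only the DC may
```

Besides the publishing twist, the sample decisions show the least-privilege shape of the outbound policy: only the Domain Controller computer object may send DNS to External, and the Windows Update rule matches on the requested host name, so an HTTPS connection to an unlisted site from the network services segment falls through to the default deny.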

Create Access Rules Controlling Outbound Access from the Network Services Segment on Perimeter ISA Firewall

You must create Access Rules allowing new outbound connections from hosts on the network services segment to any other Network. In most cases, the only outbound connections you’ll want to allow are those that enable access to the Windows Update site or to the WSUS server on the corporate network. You would also likely want to enable outbound access to public DNS servers, if your domain DNS servers are also providing Internet host name resolution.

Exactly what you want to allow outbound from the servers on the network services segment is going to be very specific to your own implementation. In our current example, we’re only going to allow outbound DNS from the DNS server and outbound HTTP and HTTPS from all hosts on the network services segment to the Windows Update sites.

NOTE:
You do not need to create outbound Access Rules from the network services segment to the Corpnet ISA firewall Network to support the inbound access rules from the Corpnet ISA firewall Network to the network services segment network. The ISA firewall is a stateful packet inspection firewall and will automatically allow the responses to requests made from hosts on the Corpnet Network.

Create the Access Rule Allowing DNS from the DNS Server to the Internet

Perform the following steps to create the Access Rule:

  1. At the back-end ISA firewall, in the ISA firewall console expand the name of the server and then click the Firewall Policy node in the left pane of the console.
  2. Click the Create New Access Rule link on the Tasks tab in the Task Pane.
  3. In the Welcome to the New Access Rule dialog box, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule DNS to External. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
  6. Click the Common Protocols folder and then double click the DNS entry. Click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Computers folder and double click the Domain Controller entry. Click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. In the Add Network Entities dialog box, click the Networks folder. Double click the External Network. Click Close.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry, All Users, and click Next.
  15. Click Finish on the Completing the New Access Rule Wizard page.

Create the Access Rule allowing Outbound Windows Update and Microsoft Reporting

Perform the following steps to create the HTTP/HTTPS Access Rule allowing access to the Windows Update and Reporting Sites:

  1. At the back-end ISA firewall, in the ISA firewall console expand the name of the server and then click the Firewall Policy node in the left pane of the console.
  2. Click the Create New Access Rule link on the Tasks tab in the Task Pane.
  3. In the Welcome to the New Access Rule dialog box, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule Outbound to WU and MS Reporting. Click Next.
  4. On the Rule Action page, select the Allow option and click Next.
  5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
  6. Click the Common Protocols folder and then double click the HTTP and HTTPS entries. Click Close.
  7. Click Next on the Protocols page.
  8. On the Access Rule Sources page, click the Add button.
  9. In the Add Network Entities dialog box, click the Networks folder and double click the Internal entry. Click Close.
  10. Click Next on the Access Rule Sources page.
  11. On the Access Rule Destinations page, click the Add button.
  12. In the Add Network Entities dialog box, click the Domain Name Sets folder. Double click the Microsoft Error Reporting sites and System Policy Allowed Sites entries. Click Close.
  13. Click Next on the Access Rule Destinations page.
  14. On the User Sets page, accept the default entry, All Users, and click Next.
  15. Click Finish on the Completing the New Access Rule Wizard page.
  16. Click Apply to save the changes and update the firewall policy.
  17. Click OK in the Apply New Configuration dialog box.

Your firewall policy should look like the figure below.


Figure 13


Summary

In this part 2 of our article series on creating a network services segment protected by a perimeter ISA firewall, we began the process by configuring the network services perimeter ISA firewall. Procedures included creating the ISA firewall Network defining the corporate network, creating a Network Rule that sets a route relationship between the network services segment and the corporate network, and creating a number of Access Rules and a Server Publishing Rule to allow communications inbound to and outbound from the network services segment. In the next part of this article series we will complete the firewall policy on the network services perimeter ISA firewall.
