ISA Server DMZ Scenarios.

by [Published on 27 June 2001 / Last Updated on 27 June 2001]

A subject that gets a good deal of attention on the www.isaserver.org message boards is that of ISA and DMZ network configuration. ISA Server supports setting up a DMZ segment that separates Internet traffic from your internal network. The DMZ is considered a security zone that allows the partitioning of all Internet traffic away from the internal network.

Setting up a DMZ segment allows you to avoid publishing servers on the internal network. ISA Server makes it easy to publish servers on the internal network. But when you publish an internal network server so that Internet clients can access it, you may create a security risk because if an intruder is able to compromise the internal network server, they may then have access to resources located on the internal network.

To get around this, you can create secure networks outside of the internal network. This is what a DMZ is. The term DMZ or Demilitarized Zone comes from military. The DMZ area is an area that both sides agree there will be no military actions. But if one side does violate the agreement, then both sides can start firing. This is a buffer zone between the two parties and is designed to protect the populace on both sides of the DMZ.

The DMZ configurations we'll go over in this article are:
  • The Trihomed DMZ
  • The Back to Back Private Address DMZ
  • The Back to Back Public Address DMZ

Each of these DMZs has its own advantages and disadvantages and I'll try to address those in each section.

The Trihomed DMZ

The Trihomed DMZ (sometimes referred to as the "three-homed" DMZ) is created by placing three network cards on an ISA Server located on the edge of the network. The network card placement for the Trihomed DMZ is:

  • One network card is directly connected to the Internet
  • One network card is directly connected to the internal network
  • One network card is directly connected to the DMZ segment

The figure below is my weak attempt at drawing this configuration.

There are a few things to note about the Trihomed DMZ configuration:

  • The DMZ segment must use public IP addresses
  • The internal network segment should use private IP addresses
  • The external network segment is directly connected to the Internet

Trihomed DMZ Must Have Public IP Addresses

The fact that the DMZ segment in a Trihomed DMZ must have public addresses can't be overstated. We see a lot of people who have problems constructing their DMZ because they try to use private addresses on the DMZ segment. All you accomplish by doing this is to create either a second internal network interface (if you put the private DMZ addresses in the LAT) or an external interface whose private addresses are not routable and so cannot reach internal or external resources.

The DMZ must be treated as an external network. Hosts on an external network are not trusted by the internal network. To make ISA Server treat the DMZ segment as external, you must NOT put the DMZ segment's IP addresses into the Local Address Table (LAT). Only the internal network IP addresses belong in the LAT.

Packets are Routed to the DMZ - NOT Translated

Packets from the Internet to the DMZ are actually routed to the DMZ. This is in contrast to how packets from the Internet to the internal network are handled: those packets are network address translated by ISA Server, not routed (in the strictest sense of the term) to the internal network.

In order to get your DMZ IP addresses in order, you are going to need to subnet your public IP address block. One of the resulting network IDs must be committed to the segment on the external interface of the ISA Server. Any remaining network ID can be used for your DMZ segment.

Note:

You need to know how IP addressing, Variable Length Subnet Masking (VLSM), subnetting and supernetting work if you want to be able to manage your ISA Server and your TCP/IP networks competently. There are several good tutorials on these subjects available on the Internet. Check the "Learning Zone" here at www.isaserver.org for links to good TCP/IP tutorials.
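As an added worked example (not part of the original article), here is the subnetting arithmetic from the paragraphs above in Python. It assumes an ISP-assigned /27 taken from the 203.0.113.0/24 documentation range, splits it into two /28s, commits the first to the external interface segment and gives the second to the DMZ. The address conventions (ISP router first usable address, ISA NIC second, ISA DMZ NIC first usable address on the DMZ subnet) are assumptions for the example, not ISA Server requirements.

```python
import ipaddress

# Constructed example: the ISP has assigned a /27 public block.  203.0.113.0/24
# is the RFC 5737 documentation range, used here only as a stand-in.
PUBLIC_BLOCK = "203.0.113.0/27"


def split_public_block(block, new_prefix=28):
    """Subnet the ISP block into equal pieces of the given prefix length.

    The first subnet is committed to the segment between the ISP router and
    the ISA Server's external NIC; the remaining subnets are free for the DMZ.
    Returns (external_subnet, [dmz_subnets]).
    """
    net = ipaddress.ip_network(block, strict=True)
    subnets = list(net.subnets(new_prefix=new_prefix))
    if len(subnets) < 2:
        raise ValueError(f"{block} cannot be split into an external and a DMZ subnet at /{new_prefix}")
    return subnets[0], subnets[1:]


def plan_addresses(block, new_prefix=28):
    """Assign addresses to each role in the trihomed layout.

    Assumed conventions (not ISA requirements): the ISP router takes the first
    usable address of the external subnet and the ISA external NIC the second;
    on the DMZ subnet the ISA DMZ NIC takes the first usable address and the
    DMZ hosts get the rest.
    """
    external, dmz_subnets = split_public_block(block, new_prefix)
    ext_hosts = list(external.hosts())
    dmz = dmz_subnets[0]
    dmz_hosts = list(dmz.hosts())
    return {
        "external_subnet": str(external),
        "isp_router": str(ext_hosts[0]),
        "isa_external_nic": str(ext_hosts[1]),
        "dmz_subnet": str(dmz),
        "dmz_netmask": str(dmz.netmask),
        "isa_dmz_nic": str(dmz_hosts[0]),
        "dmz_hosts": [str(h) for h in dmz_hosts[1:]],
        "spare_dmz_subnets": [str(s) for s in dmz_subnets[1:]],
    }


def dmz_host_settings(block, new_prefix=28):
    """TCP/IP settings a DMZ host needs.  Because traffic is routed, not
    translated, to the DMZ, each host keeps its public address and uses the
    ISA Server's DMZ NIC as its default gateway."""
    plan = plan_addresses(block, new_prefix)
    return {"netmask": plan["dmz_netmask"], "default_gateway": plan["isa_dmz_nic"]}


if __name__ == "__main__":
    for key, value in plan_addresses(PUBLIC_BLOCK).items():
        print(f"{key:>20}: {value}")
    print("DMZ host settings:", dmz_host_settings(PUBLIC_BLOCK))
```

With a /27 you get two /28s: 203.0.113.0/28 for the external segment and 203.0.113.16/28 for the DMZ, leaving thirteen addresses for DMZ hosts once the ISA DMZ NIC has taken .17. A block that is already a /28 cannot be split this way and the function says so, which is the situation that forces people to ask their ISP for a larger allocation.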

Since packets are routed to the DMZ segment, they bypass the rules engine (protocol rules, site and content rules and publishing rules) that would apply if the packets were moving between the internal and external network. The only rules applied to packets moving between the DMZ and the Internet are packet filter rules, so inbound and outbound access to and from the DMZ segment is controlled by packet filters only.

Configure Packet Filtering and IP Routing

In order for the packet filtering mechanism to work, you will have to enable packet filtering. You also need to enable IP Routing. This can be accomplished by right clicking the IP Packet Filters node in the left pane of the ISA Management console and clicking the Properties command. You will see what appears below:

Make sure both the Enable packet filtering and the Enable IP routing checkboxes are checked.

To sum up the Trihomed DMZ, make sure of the following:

  1. Do not put the DMZ IP addresses in the LAT
  2. The DMZ uses a subnet of your public IP Address block
  3. Enable packet filtering and IP Routing on the ISA Server
  4. Create packet filters to allow inbound and outbound access from the DMZ
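The following Python model is an added example, not code from the article or from ISA Server itself, for the packet-filter-only control that governs a routed DMZ. It evaluates constructed connection attempts against a small filter set using two ISA Server 2000 rules: block filters override allow filters, and with packet filtering enabled anything no filter allows is dropped. Each filter is treated as matching the first packet of a connection, with replies implied; the addresses, hosts and filter names are made up. The last function also covers the back to back public address DMZ described later in the article, where the internal network's outbound traffic crosses the DMZ and therefore needs filters on the external ISA Server as well.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """First packet of a connection crossing the ISA Server's external NIC
    (constructed data; addresses are RFC 5737 documentation ranges)."""
    direction: str      # "inbound" (Internet -> DMZ) or "outbound" (DMZ -> Internet)
    protocol: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    src_port: int = 0
    dst_port: int = 0

    def local_view(self):
        """ISA's view of the packet: (local host, local port, remote port),
        where 'local' is the DMZ side of the external ISA Server."""
        if self.direction == "inbound":
            return self.dst, self.dst_port, self.src_port
        return self.src, self.src_port, self.dst_port


@dataclass(frozen=True)
class PacketFilter:
    """A static IP packet filter in the style of ISA Server 2000.
    Port 0 means any port; block filters override allow filters."""
    name: str
    direction: str
    protocol: str
    local_net: str      # a host/32 or a network on the DMZ side
    local_port: int
    remote_port: int
    action: str         # "allow" or "block"

    def matches(self, pkt):
        if pkt.direction != self.direction or pkt.protocol != self.protocol:
            return False
        local_ip, local_port, remote_port = pkt.local_view()
        if ipaddress.ip_address(local_ip) not in ipaddress.ip_network(self.local_net):
            return False
        return self.local_port in (0, local_port) and self.remote_port in (0, remote_port)


def evaluate(filters, pkt):
    """With packet filtering enabled the default is deny: a connection passes
    only if some allow filter matches it and no block filter does."""
    hits = [f for f in filters if f.matches(pkt)]
    if any(f.action == "block" for f in hits):
        return "block"
    return "allow" if hits else "block"


# Constructed trihomed layout: DMZ subnet 203.0.113.16/28, web server .18,
# SMTP relay .19.
DMZ_NET = "203.0.113.16/28"
WEB = "203.0.113.18"
MAIL = "203.0.113.19"

TRIHOMED_FILTERS = [
    PacketFilter("inbound HTTP to DMZ", "inbound", "tcp", DMZ_NET, 80, 0, "allow"),
    PacketFilter("no HTTP on the relay", "inbound", "tcp", MAIL + "/32", 80, 0, "block"),
    PacketFilter("inbound SMTP to relay", "inbound", "tcp", MAIL + "/32", 25, 0, "allow"),
    PacketFilter("outbound SMTP from relay", "outbound", "tcp", MAIL + "/32", 0, 25, "allow"),
    PacketFilter("outbound DNS from DMZ", "outbound", "udp", DMZ_NET, 0, 53, "allow"),
]


def trihomed_decisions():
    """Run constructed connection attempts against the trihomed filter set."""
    attempts = {
        "internet_to_web_80": Packet("inbound", "tcp", "198.51.100.7", WEB, 40001, 80),
        "internet_to_mail_80": Packet("inbound", "tcp", "198.51.100.7", MAIL, 40002, 80),
        "internet_to_web_1433": Packet("inbound", "tcp", "198.51.100.7", WEB, 40003, 1433),
        "mail_to_internet_25": Packet("outbound", "tcp", MAIL, "198.51.100.9", 1050, 25),
        "web_to_internet_25": Packet("outbound", "tcp", WEB, "198.51.100.9", 1051, 25),
        "web_dns_lookup": Packet("outbound", "udp", WEB, "198.51.100.53", 1052, 53),
        "ping_web": Packet("inbound", "icmp", "198.51.100.7", WEB),
    }
    return {name: evaluate(TRIHOMED_FILTERS, pkt) for name, pkt in attempts.items()}


# Back to back public DMZ: the internal ISA Server's DMZ-side NIC (.30 here)
# sends the internal network's outbound traffic through the DMZ, so the
# external ISA Server needs filters for that traffic as well.
INTERNAL_ISA_DMZ_NIC = "203.0.113.30"
BACK_TO_BACK_PUBLIC_FILTERS = TRIHOMED_FILTERS + [
    PacketFilter("internal ISA HTTP out", "outbound", "tcp", INTERNAL_ISA_DMZ_NIC + "/32", 0, 80, "allow"),
    PacketFilter("internal ISA HTTPS out", "outbound", "tcp", INTERNAL_ISA_DMZ_NIC + "/32", 0, 443, "allow"),
]


def back_to_back_public_decisions():
    """The same web request from the internal ISA Server with and without the
    extra filters: the trihomed set alone drops it."""
    pkt = Packet("outbound", "tcp", INTERNAL_ISA_DMZ_NIC, "198.51.100.80", 1060, 80)
    return {
        "trihomed_filters_only": evaluate(TRIHOMED_FILTERS, pkt),
        "with_internal_isa_filters": evaluate(BACK_TO_BACK_PUBLIC_FILTERS, pkt),
    }
```

Two things the model makes visible that are easy to miss in the console: the web server can accept HTTP but cannot itself open an SMTP session to the Internet, because only the relay has an outbound port 25 filter, and the block filter on the relay wins even though the broader DMZ-wide HTTP allow filter also matches. Every protocol you want a DMZ host to use, DNS included, needs its own filter, which is exactly why this configuration is described as unwieldy compared with publishing rules.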

Back to Back DMZ with Private Addresses on DMZ Segment

The back to back DMZ using private addresses is the most secure DMZ configuration that an ISA Server setup has to offer. This configuration uses private IP address ranges on the DMZ segment between the two ISA Servers. Because you are using private IP addresses and including the DMZ segment in the external ISA Server's LAT, you can take advantage of many ISA Server features that are not available with a Trihomed DMZ, which requires public, untrusted IP addresses on the DMZ.

The back to back private address DMZ has the following features:

  • There are two ISA Servers: an 'internal' and an 'external' ISA Server
  • The external ISA Server has an interface on the Internet and one on the DMZ segment
  • The internal ISA Server has an interface on the DMZ segment and internal network
  • The DMZ uses private IP addresses
  • The DMZ network is in the LAT of the external ISA Server
  • The DMZ network is not in the LAT of the internal ISA Server
  • You can use Web and Server publishing rules to control access to the DMZ

The back to back private address DMZ is shown in the figure below.

External ISA Server Configuration

The external (or edge) ISA Server has an interface directly connected to the Internet and an interface on the DMZ segment. The DMZ segment IP addresses should be in the LAT. By placing the DMZ segment IP addressing in the LAT, you can control access using Web and Server publishing rules.

Note that even though we have placed the DMZ segment in the LAT of the external ISA Server, Internet traffic is still not trusted by the internal network. Therefore, the traffic generated by Internet requests and responses remain segregated from the internal network. This affords the same sort of protection from Internet traffic as the Trihomed DMZ segment does, and it does it better.

Unlike the unwieldy process of creating packet filters to allow inbound and outbound access from the DMZ, the back to back private IP address DMZ can use publishing rules. If you have Web Servers on the DMZ segment you can use Web Publishing rules created on the external ISA Server. If you have other servers, such as SMTP mail servers, you can use Server Publishing Rules on the external ISA Server.

Internal ISA Server Configuration

The internal ISA Server is configured so that only the IP addresses on the internal network are in the LAT. The DMZ segment, even though it contains private IP addresses, is considered an untrusted network and therefore should not have its IP addresses contained in the LAT. By keeping the DMZ IP addresses out of the internal ISA Server's LAT, you successfully segregate traffic on the DMZ from the internal network.

Note:

When configuring your LAT, make sure that you only include the internal IP address ranges. There is an option in the LAT configuration dialog box that allows you to configure the LAT to include all private Network ID address ranges. You do not want to do that because the DMZ includes private IP addresses in a back to back private address DMZ configuration.
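As an added example (not from the article), the following Python audit checks a proposed LAT against the rules this article gives for each scenario: the DMZ belongs in the LAT only on the external ISA Server of a back to back private address DMZ, the Trihomed and back to back public DMZs must use public (non RFC 1918) addresses, the LAT may never be empty, and the "all private ranges" option in the LAT dialog is a trap when the DMZ is private. The role names, address ranges and the bogus NIC range are constructed for the example.

```python
import ipaddress

# The three RFC 1918 ranges that the LAT dialog's "private ranges" option adds.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def _nets(ranges):
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def _covered(net, lat):
    """True if every address of net lies inside some LAT entry."""
    return any(net.subnet_of(entry) for entry in lat)


def _rfc1918(net):
    return any(net.subnet_of(r) for r in RFC1918)


def check_lat(role, lat, internal, dmz):
    """Audit a proposed LAT for one ISA Server role and return the problems found.

    role is one of "trihomed", "bb_private_external", "bb_private_internal"
    or "bb_public_external" (for the last, pass the bogus NIC's range as
    'internal').  Rules encoded: the internal ranges must be in the LAT; the
    DMZ is in the LAT only for bb_private_external; a routed DMZ (trihomed,
    bb_public_external) must not use RFC 1918 addresses; the LAT is never
    empty; the "all private ranges" option is never what you want.
    """
    lat, internal, dmz = _nets(lat), _nets(internal), _nets(dmz)
    problems = []
    if not lat:
        problems.append("LAT is empty; ISA Server requires at least one LAT entry")
    dmz_in_lat = role == "bb_private_external"
    for net in internal:
        if not _covered(net, lat):
            problems.append(f"internal range {net} is missing from the LAT")
    for net in dmz:
        covered = _covered(net, lat)
        if dmz_in_lat and not covered:
            problems.append(f"DMZ {net} is missing from the LAT; publishing rules cannot reach it")
        if not dmz_in_lat and covered:
            problems.append(f"DMZ {net} is in the LAT and would be trusted as internal")
        if role in ("trihomed", "bb_public_external") and _rfc1918(net):
            problems.append(f"DMZ {net} is an RFC 1918 range; a routed DMZ needs public addresses")
        if role == "bb_private_external" and not _rfc1918(net):
            problems.append(f"DMZ {net} is not an RFC 1918 range; this scenario expects private addresses")
    if all(r in lat for r in RFC1918):
        problems.append("LAT holds all RFC 1918 ranges ('private ranges' option); list only your real internal ranges")
    return problems


# Constructed ranges for the audits below.
INTERNAL = ["192.168.1.0/24"]
DMZ_PRIVATE = ["172.16.0.0/24"]
DMZ_PUBLIC = ["203.0.113.16/28"]        # RFC 5737 documentation range as a stand-in
BOGUS_NIC = ["10.255.255.0/24"]         # loopback adapter's private range
ALL_PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]


def example_audits():
    """Constructed LATs: a correct one and a wrong one for each scenario."""
    return {
        "trihomed_ok": check_lat("trihomed", INTERNAL, INTERNAL, DMZ_PUBLIC),
        "trihomed_private_dmz": check_lat("trihomed", INTERNAL + DMZ_PRIVATE, INTERNAL, DMZ_PRIVATE),
        "bb_private_external_ok": check_lat("bb_private_external", DMZ_PRIVATE, [], DMZ_PRIVATE),
        "bb_private_internal_ok": check_lat("bb_private_internal", INTERNAL, INTERNAL, DMZ_PRIVATE),
        "bb_private_internal_all_private": check_lat("bb_private_internal", ALL_PRIVATE, INTERNAL, DMZ_PRIVATE),
        "bb_public_external_ok": check_lat("bb_public_external", BOGUS_NIC, BOGUS_NIC, DMZ_PUBLIC),
        "bb_public_external_empty_lat": check_lat("bb_public_external", [], BOGUS_NIC, DMZ_PUBLIC),
    }


if __name__ == "__main__":
    for name, problems in example_audits().items():
        print(name, "->", problems or "OK")
```

Run check_lat against the ranges you intend to enter in the ISA Management console before you commit them; an empty list means the LAT matches the scenario. The "all private ranges" case shows the failure the note above warns about: the internal ISA Server's LAT then silently swallows the private DMZ subnet and the DMZ becomes part of the trusted network.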

Allowing DMZ Servers Access to the Internal Network

If you need to make resources on the internal network available to a server on the DMZ, you can configure a publishing rule that allows only a particular server on the DMZ to access the internal server. You might want to do this if you have a Web Server on the DMZ that needs access to a SQL server on the internal network. You would create a Client Address Set that includes the Web Server's IP address and only allow access to that client address set.

Allowing Outbound and Inbound Traffic to and from the Internal Network

Finally, we need to address the issue of traffic from the internal network leaving through the external ISA Server. You could configure protocol rules on the external ISA Server that allow the same traffic as the internal ISA Server allows, but you might not want to do that for security reasons.

A better solution is to configure the internal ISA Server to use the external ISA Server in a server chain arrangement. You can configure both the Firewall Service and the Web Proxy service to chain with the external ISA Server. In that way, you do not need to reconfigure a bunch of Protocol Rules to allow outbound access to the allowed protocols configured on the internal ISA Server.

Summing Up Back to Back Private Address DMZ Configuration

To sum up the back to back private address DMZ configuration:

  1. Two ISA Servers - an internal and an external ISA Server
  2. The external ISA Server should have the DMZ segment IP addresses in its LAT
  3. The external ISA Server uses private IP addresses on the DMZ segment
  4. Access control to servers on the DMZ is accomplished using publishing rules on the external ISA Server. Do not use packet filters to control access to the DMZ.
  5. The internal ISA Server has the internal network IP address in the LAT; do not put the DMZ addresses in the internal ISA Server's LAT.
  6. You can use publishing rules if you need a server on the DMZ to access a server on the internal network.
  7. You should enable packet filtering on the internal and external ISA Server to optimize security.
  8. Configure the Web and Firewall chaining configuration on the internal ISA Server.

Back to Back DMZ with Public Addresses on DMZ Segment

Some people might want to configure a back to back ISA Server solution and still use public IP addresses on their DMZ. It might be that they already have a DMZ with machines on it, these machines already have hard coded IP addresses in the public DNS, and they don't want to change those addresses to match the IP address on the external interface of the ISA Server. Or, perhaps their bosses just told them to do it this way.

Whatever the reason, you can implement a back to back ISA Server configuration using public IP addresses on the DMZ segment. However, there are some special considerations you should be aware of:

  • You will have to use packet filters to control ingress and egress into and out of the DMZ
  • You need to install a bogus NIC and assign it a bogus IP address
  • The external ISA Server will have three interfaces: external, DMZ and Bogus
  • You will need to subnet your block to assign addresses to the DMZ
  • The DMZ segment will not be on the LAT of the external ISA Server

An example of such a configuration is seen in the figure below.

Create a Bogus NIC

The trick to making the back to back public IP address DMZ configuration to work is to configure the external ISA Server to be a Trihomed ISA Server. The difference between the normal Trihomed ISA Server and this one is that you must configure a bogus NIC. The bogus NIC can be the Microsoft Loopback adapter so that you don't have to spend extra money on a physical device that you won't be using.

The reason why you need to install the bogus NIC is that you have to have a NIC on a private network. ISA Server won't let you install two NICs and make them both external interfaces. If you don't include any addresses in the LAT you'll get an error message that tells you that you must include some addresses in the LAT. If you don't, ISA Server won't work.

Therefore, you need to install the bogus NIC and assign it a private IP address and include that private IP address in the LAT. Once you do that ISA Server will be happy. You don't have to connect it to anything (and if you use the loopback adapter you won't be able to), you just need to assign it an IP address.

It's Just Like a Trihomed ISA Server Configuration

All the other rules that apply to a Trihomed DMZ apply to this scenario as well. You will need to create packet filters to allow inbound and outbound access into and out of the DMZ. You will also have to create packet filters for outbound traffic from the internal network, since that traffic leaves the internal ISA Server, crosses the DMZ and exits through the external ISA Server.

As you can see, the back to back public IP address ISA Server setup can turn out to be a bit of a pain in the neck because of the packet filter requirements. However, if you are accustomed to setting up other firewalls, you will find the procedure similar to configuring a packet filtering router as a low end firewall.

To sum up the issues with the back to back public IP address DMZ:

  1. You need to create a Trihomed DMZ on the external ISA Server.
  2. The third NIC is a bogus NIC that has a bogus private IP address
  3. You need to configure packet filters to allow inbound and outbound access to and from the DMZ segment
  4. You need to configure packet filters to allow inbound and outbound access to and from the internal network through the DMZ and out to the Internet.
  5. You will not be able to take advantage of Web and Server publishing rules on the external ISA Server.

Summary

In this article we covered three different ISA Server DMZ scenarios. We took a look at the advantages and disadvantages of the Trihomed DMZ configuration, the back to back private IP address DMZ configuration and the back to back public IP address DMZ configuration. Using the information in this article, you'll be able to make an accurate assessment as to what type of DMZ configuration will best meet your needs.

I hope you found this article interesting and/or helpful. If you have any comments or questions on the material in this article, please feel free to post them on the www.isaserver.org message board in the DMZ section. You can also write to me at tshinder@isaserver.org and I'll get to your questions ASAP. Please be sure to put the title of this article in the subject line of the email. Thanks! -Tom.
