Configure ISA2004 as edge device

Khattab
Hi,

I'm trying to set up a relatively simple network, but I'm confused because I'm dealing with something I've never done before, and I'm hoping I could get some advice which will save me lots of going round in circles.

Basically, I have a 32-bit Windows 2003 Server virtual machine running ISA Server which I want to set up as an EDGE device on a new (very small and simple) network, but I'm not sure how I do it because I've never set up ISA on a virtual machine before.

I'm assuming I need to set the virtual machine up with 2 NICs - one being an internal IP (192.168.1.x) and an external NIC (220.x.x.x)... but what about the internal ADSL modem/router? What setup would I give to the interface of the internal router? (It's just a simple SOHO ADSL modem router.)

I tried a few web searches but I couldn't find anything really relevant to what I needed... I found a few articles about configuring the NICs on the ISA Server, but I already know how to do that... what I'm confused about is what the config should be for the ADSL router and how the ISA firewall and ADSL router talk to one another?

Eagerly awaiting any tips....

Comments

  • dynamik
    I believe that goes against best practices and isn't a supported solution... just FYI.

    Regardless, what virtualization software are you using? I've never done this before, but I think you'd either need to use a separate physical NIC for each network and bridge/map the internal and external virtual NICs to their own physical NIC, or if you have something like ESX, you could potentially tag each NIC for a separate VLAN.
  • Hyper-Me
    ISA is supported to be run on Hyper-V

    http://www.microsoft.com/windowsserver2008/en/us/hyperv-app-support.aspx


    They even tell you how to plan for it

    Security Considerations with Forefront Edge Virtual Deployments


    And this blog post looks to describe the answers you are seeking on how to lay the physical and virtual networks.

    Subodh's Blog - Running ISA Server 2006 under Hyper-V
  • dynamik
    Which is fine if he's running Hyper-V. He didn't say which product he was using, so I didn't want to assume anything. They only added support for that (and various other 3rd party virtualization products) in late August of 2008. The level of support and whether they recommend the solution for production use varies quite a bit (i.e. they support, but don't recommend using Virtual Server).

    Regardless, most people consider it a best practice to not mix perimeter and internal virtual machines on the same physical host.
  • brad-
    We have a similar setup at work, not virtualized... but the cable provider gave us the external IPs to configure the modem with, as well as the DNS IPs.

    With that set, we did just like you mentioned, and have ISA set with one internal address and one external address.
  • HeroPsycho
    Any design with ANY edge device exposed to raw internet traffic running on ANY virtualization platform is simply not taking security seriously. Every virtualization product has security vulnerabilities. Very poor design from a security perspective, pure and simple.
    Good luck to all!
  • Khattab
    Hi

    I'm using VMware for virtualization. From my understanding I have no choice but to run ISA using virtualisation because all the servers we have are x64, and ISA does not run on an x64 OS.

    What are my options and how should I be setting it up?
  • dynamik
    Do you already have the software? Forefront TMG (the next iteration) runs on x64: Download Microsoft Forefront Threat Management Gateway 2010
  • HeroPsycho
    Khattab wrote:
    I'm using VMware for virtualization. From my understanding I have no choice but to run ISA using virtualisation because all the servers we have are x64, and ISA does not run on an x64 OS.

    Agreed with dynamik, but I just want to put this out there.

    Would you expose any server that will be running on the physical host you're gonna run this ISA server on to raw internet traffic?

    I would guess no.

    There are just things you don't do. You don't hook your LAN into the internet without a firewall for example. There's no excuse to justify doing that. This kinda falls under that umbrella. At least put a packet filter device in front of a physical device running VMware, Hyper-V, etc.
    Good luck to all!
  • Khattab
    Hi,

    Thanks for your help so far.

    Maybe it would help if I clarify exactly what it is that I am confused about...

    Basically, I'm trying to set up the network similar to what is laid out in the attached diagram (obviously it's not my diagram - but I've changed it around a bit to resemble what I'm trying to do).

    Now, what I am confused about is:

    1. How do I actually connect the server to the internet? I know I can configure the server to dial directly to the internet - but I know (as suggested by fellow posters) that this is not good security practice. I haven't actually done this before - I presume that if I wanted to go down this route, I would need to configure the Internet connection on the server, and then what? How does the server actually dial the connection without a modem connected to it? (If this method isn't all that safe, I don't really want to do it; I just want to understand how it works.)

    2. The other option I was thinking of - is there some way that I can have the ISA sit behind the ADSL modem router, with it configured with 2 NICs? If so, how would I set up each of the interfaces on the ADSL router, and how do I set up the external NIC on the ISA Server?

    I've spent so much time looking at this issue that I can't make sense of it anymore - it's all become a bit of a blur to me now and I can't see through it clearly anymore. I would appreciate any support you could provide because I'm kinda confused now.

    Cheers (Yes, I'm an Aussie)
  • RobertKaucher
    Does your physical host have 2 NICs?
  • Hyper-Me
    Oh, I definitely agree that it shouldn't be done this way.

    I was just pointing out that it is technically supported and technically doable if he really wants to.
  • Khattab
    Hi,
    Does your physical host have 2 NICs?

    Yes it does.
  • Khattab
    Anyone.......?

    Anyone at all........?
  • dynamik
    Connect your DSL modem to the NIC you designate as external. Have they given you a public IP address to assign to a device behind the modem, or is the modem also routing and performing NAT?
  • Khattab
    Hi,

    Thanks for the response dynamik. It's greatly appreciated.

    Currently, the ISP has only given us 1 public IP (so the DSL device is doing the routing and NAT). I am in the process of having a 2nd one ordered... why do you ask? If we had a 2nd public IP, how would that change the proposed solution?
  • netstat
    If your modem handles the public IPs, that means you will probably have NAT on the modem, meaning that you will require another NAT on the ISA. The link between the ISA and the modem will be via a private IP scheme.

    If your modem is a bridge (CIP is what we call them here), meaning it performs no form of routing but simply handles the telecom conversion, this allows the connected system (ISA in your case) to be configured with a public IP directly. In other words, the ISA is directly on the internet and all hits just flow across the modem untouched (since it will be at a lower layer) and into the ISA.

    Apart from all this, I would also consider the ISA 2004 hardening documentation and configuration. Personally, I would prefer it if my modem performs NAT and another NAT is done by the ISA. This would mean more NAT work due to port forwarding, but it depends on your scenario, e.g. if you plan on setting up a web server or a VPN etc.
  • dynamik
    Yeah. You'd still connect the external physical NIC to the modem; you'd just need to tweak your addressing and do port forwarding. It's actually recommended to have a fast packet filter work on traffic before it hits the ISA server, since you're not wasting CPU cycles on basic packet filtering. Save that for the application-level stuff. You can bridge it too. Given your load, it's probably not going to be a big deal.
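The double-NAT layout netstat and dynamik describe (modem/router doing NAT, ISA external NIC on the modem's private LAN segment, ISA internal NIC on a second private subnet, modem port-forwarding to the ISA external address) is easy to get wrong in one specific way: leaving the internal LAN on the same 192.168.x.0/24 the SOHO modem ships with, so ISA has two NICs on one subnet and cannot route between them. The script below is an added example, not from the thread or from any poster: it checks an addressing plan for that layout and renders the matching Windows Server 2003 `netsh` commands for the ISA box. All addresses, the interface names "External" and "Internal", and the port-forward rule are assumptions chosen for illustration.

```python
# Added example (not from the original thread): sanity-check an addressing plan for
# the "ISA behind a NATting ADSL modem" layout (double NAT) and render the matching
# Windows Server 2003 netsh commands for the ISA box. All addresses, interface
# names and the port-forward rule below are assumptions chosen for illustration.
from ipaddress import ip_address, ip_interface, ip_network


def check_double_nat_plan(modem_lan, modem_ip, isa_external, isa_internal,
                          internal_gateway=None, port_forwards=()):
    """Return a list of problems found in the plan; an empty list means it is consistent.

    modem_lan        -- the modem/router's LAN subnet, e.g. "192.168.0.0/24"
    modem_ip         -- the modem's LAN address, which becomes ISA's only default gateway
    isa_external     -- ISA external NIC in CIDR form; must sit inside modem_lan
    isa_internal     -- ISA internal NIC in CIDR form; must NOT overlap modem_lan
    internal_gateway -- should stay None: only the external NIC gets a default gateway
    port_forwards    -- modem rules as dicts {"proto", "port", "target"}; target must be
                        the ISA external IP, otherwise the forward bypasses the firewall
    """
    problems = []
    modem_net = ip_network(modem_lan, strict=False)
    modem_addr = ip_address(modem_ip)
    ext = ip_interface(isa_external)
    inner = ip_interface(isa_internal)

    # The ISA<->modem link is a private segment: both ends must be on the modem's subnet.
    if modem_addr not in modem_net:
        problems.append(f"modem address {modem_addr} is not inside {modem_net}")
    if ext.ip not in modem_net:
        problems.append(f"ISA external {ext.ip} is not inside modem LAN {modem_net}")
    if ext.ip == modem_addr:
        problems.append("ISA external NIC collides with the modem's own address")

    # Classic SOHO mistake: modem LAN and internal LAN both left on the factory default.
    # ISA cannot route between two of its own interfaces on the same subnet.
    if modem_net.overlaps(inner.network):
        problems.append(f"modem LAN {modem_net} overlaps ISA internal {inner.network}")

    # Exactly one default route, pointing at the modem via the external NIC.
    if internal_gateway is not None:
        problems.append("internal NIC must not carry a default gateway")

    # Everything the modem forwards must land on the ISA external NIC, not on a LAN host.
    for rule in port_forwards:
        if ip_address(rule["target"]) != ext.ip:
            problems.append(f"forward {rule['proto']}/{rule['port']} targets "
                            f"{rule['target']}, not ISA external {ext.ip}")
    return problems


def render_netsh(isa_external, modem_ip, isa_internal,
                 ext_name="External", int_name="Internal"):
    """netsh commands (Windows Server 2003 syntax) that set both ISA NICs statically.
    Interface names are assumptions; use the names shown in Network Connections."""
    ext = ip_interface(isa_external)
    inner = ip_interface(isa_internal)
    return [
        f'netsh interface ip set address name="{ext_name}" source=static '
        f'addr={ext.ip} mask={ext.network.netmask} gateway={modem_ip} gwmetric=1',
        # gateway=none keeps the internal NIC from adding a second default route.
        f'netsh interface ip set address name="{int_name}" source=static '
        f'addr={inner.ip} mask={inner.network.netmask} gateway=none',
    ]


# Constructed sample plan (not from the thread): the modem keeps 192.168.0.0/24 and the
# internal LAN uses 192.168.1.0/24 as the original poster proposed.
SAMPLE_PLAN = dict(
    modem_lan="192.168.0.0/24",
    modem_ip="192.168.0.1",
    isa_external="192.168.0.2/24",
    isa_internal="192.168.1.1/24",
    port_forwards=[{"proto": "tcp", "port": 443, "target": "192.168.0.2"}],
)

# The same plan with the common mistake: internal LAN left on the modem's subnet.
OVERLAPPING_PLAN = dict(SAMPLE_PLAN, isa_internal="192.168.0.10/24")

if __name__ == "__main__":
    for name, plan in (("sample", SAMPLE_PLAN), ("overlapping", OVERLAPPING_PLAN)):
        print(name, check_double_nat_plan(**plan) or "OK")
    print("\n".join(render_netsh("192.168.0.2/24", "192.168.0.1", "192.168.1.1/24")))
```

The check only covers the layer-3 plan; the modem's forward rules and ISA's own publishing rules still have to agree on which ports are exposed, and anything the modem forwards straight to a LAN host (rather than to the ISA external NIC) never passes through ISA at all, which is the condition the port-forward check flags.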