RE: ISA Network Elements and System Network Interfaces

  • From: "Geldrop, Paul van" <paul.van.geldrop@xxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 16 Jan 2006 22:33:33 +0100

 
Hi Tom,
 
I'd ask you to describe to us all the lovely benefits of a unihomed ISA server, 
but I'm afraid you'd choke on the first sentence. ;)
 
Gerald, unihomed systems are severely crimped in their functionality; it 
basically reduces all the lovely sparkle that is ISA 2004 to a mere heap of 
simple proxy and caching services. Judging from your post, that doesn't quite 
sound like your goal. So, let's not torment Tom any longer and put that second 
NIC in there!
 
Regards,
 
Paul.
 
PS: Definitely read those books. :P Books are your friend. They'll love you, 
milk your cats, feed your children and vacuum the house.

________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Mon 16-1-2006 22:21
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA Network Elements and System Network Interfaces


http://www.ISAserver.org

Hi Paul,
 
Whatever do you mean? Gimp mode is 
just..f..fff..f.ffffff...ffffffff........fine :\
 
Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 


________________________________

        From: Geldrop, Paul van [mailto:paul.van.geldrop@xxxxxxxxxxxxx] 
        Sent: Monday, January 16, 2006 3:15 PM
        To: [ISAserver.org Discussion List]
        Subject: RE: [isalist] RE: ISA Network Elements and System Network Interfaces
        
        
        Tread carefully, Gerald.. Tom tends to get a bit touchy when the 
subject of unihomed ISA servers comes up.. ;o)
         
________________________________

        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
        Sent: Mon 16-1-2006 21:50
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: ISA Network Elements and System Network Interfaces
        
        

        http://www.ISAserver.org
        
        Hi Gerald,
        
        Yes, I go into assiduous detail regarding this topic in the book. I even
        mentioned that crip mode (unihomed ISA firewall) sees only one network
        "internal".
        
        Tom
        
        Thomas W Shinder, M.D.
        Site: www.isaserver.org
        Blog: http://spaces.msn.com/members/drisa/
        Book: http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls
        **Who is John Galt?**
        
        
        
        > -----Original Message-----
        > From: Young, Gerald G [mailto:Gerald.Young@xxxxxxxxxx]
        > Sent: Monday, January 16, 2006 2:03 PM
        > To: [ISAserver.org Discussion List]
        > Subject: [isalist] ISA Network Elements and System Network Interfaces
        >
        > http://www.ISAserver.org
        >
        > Tom,
        >
        > I haven't read your books on ISA Server as of yet, but it is on my
        > list of things to do.
        >
        > Having said that, do you go into depth on the differences between the
        > network elements in ISA, in which you can define IP networks and use
        > as a basis for firewall rules, and the network interfaces on a system?
        >
        > Most of the problems I'm currently dealing with - read: cleaning up
        > other peoples' messes *8^) - are caused by a misconfiguration of the
        > network elements with relation to the network interfaces they
        > "represent". Usually, an engineer has arbitrarily configured network
        > elements in ISA to match their sense of organization/propriety without
        > any consideration of what the routing table on the local system looks
        > like.
        >
        > One of the more insidious problems, which ISA server doesn't seem to
        > know how to report out on, is when engineers split IP networks that
        > are bound to the same network interface on the system between two ISA
        > network elements.
        >
        > Case in point:
        > ISA Server 2004 Standard Edition
        > Single Network Adapter
        >
        > This box sits in our DMZ (with a firewall in front and behind) and
        > services an OWA site over HTTPS that sits in our trusted network.
        >
        > An OWA Rule and SSL Listener were created and work fine. The problem
        > came when our organization was attempting to monitor the box and
        > connect from other sources that exist in our trusted networks.
        >
        > Since there is a single interface on that box, the routing table knows
        > only of one route: the default gateway (192.168.0.1). Any destination
        > IP address not of the local IP network (let's say 192.168.0.1/24) will
        > have to be reached via the default gateway.
        >
        > In their enthusiasm for maintaining security on this box, they broke
        > apart IP networks from which traffic would be hitting the ISA server
        > into two network elements. They added IP networks from our trusted
        > network into the Internal network element and created a new network
        > element named Management, into which they added others (IP networks
        > from which we monitor and manage the box). The IP networks were split
        > between the two network elements along the following lines:
        >
        > Internal Network Element Addresses
        > 192.168.100.1 - 192.168.103.255
        > 192.168.150.32 - 192.168.150.63
        > 192.168.180.1 - 192.168.180.255
        >
        > Management Network Element Addresses
        > 10.0.1.224 - 10.0.1.255
        > 10.0.3.74 - 10.0.3.74
        >
        > A rule was then created that allowed all traffic between the Local
        > Host, Internal, and Management network elements, in both directions.
        >
        > This resulted in network traffic to/from the Internal network element
        > being allowed, but network traffic to/from the Management network
        > element was not; ISA happily logged the latter traffic as being denied
        > without giving any reason whatsoever.
        >
        > Once I moved the IP networks from the Management network element to
        > the Internal network element, however, traffic started flowing
        > correctly to/from those IP networks.
        >
        > Now, on ISA Server 2004 Enterprise Edition, with multiple NICs on the
        > system, it at least flags configuration issues like this by
        > complaining about IP addresses being treated as spoofed addresses in
        > Alerts. It even flags a denied connection in the Monitor as being
        > denied because it was treating the traffic as if it came from a
        > spoofed IP address.
        >
        > Is this a difference of version or is it a difference between
        > multi-homed and single-interface systems?
        >
        > In any case, though, at a very basic level, it appears as if the
        > following are good guidelines for configuring network elements:
        >
        > 1. You only ever want one network element per network interface.
        > 2. The IP networks defined in a network element must match what's
        > bound to the network interface.
        >
        > In the case of a multi-homed system, number 2 becomes much more
        > important as the person configuring ISA really, really, really needs
        > to understand subnetting and routing tables. Properly done, a
        > multi-homed system will have one default gateway and static route(s)
        > for the other interface(s). If you have an IP network defined in a
        > network element for a network interface with static routes defined
        > for it but the IP network is not part of those static routes, you'll
        > run into problems.
        >
        > And I'd hate to see what kind of grief you'd run into if you
        > configured a multi-homed ISA server with more than one default route!
        >
        > Thoughts?
        >
        > Cordially yours,
        > Jerry G. Young II
        >   MCSE (4.0/W2K)
        > Atlanta EES Implementation Team Lead
        > HHS Engineering
        > Unisys
        > 
        > 11493 Sunset Hills Rd.
        > Reston, VA 20190
        > Office: 703-579-2727
        > Cell: 703-625-1468
        >
        > THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY
        > MATERIAL and is thus for use only by the intended recipient. If you
        > received this in error, please contact the sender and delete the e-mail
        > and its attachments from all computers.
        >
        > ------------------------------------------------------
        > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
        > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
        > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
        > ------------------------------------------------------
        > Visit TechGenix.com for more information about our other sites:
        > http://www.techgenix.com
        > ------------------------------------------------------
        > You are currently subscribed to this ISAserver.org Discussion
        > List as: tshinder@xxxxxxxxxxxxxxxxxx
        > To unsubscribe visit
        > http://www.webelists.com/cgi/lyris.pl?enter=isalist
        > Report abuse to listadmin@xxxxxxxxxxxxx
        >
        >
        



This e-mail and any attachment is for authorised use by the intended 
recipient(s) only. It may contain proprietary material, confidential 
information and/or be subject to legal privilege. It should not be copied, 
disclosed to, retained or used by, any other party. If you are not an intended 
recipient then please promptly delete this e-mail and any attachment and all 
copies and inform the sender. Thank you.
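The check Gerald describes doing by hand (walking the routing table and comparing it with the address ranges in each ISA network element) can be scripted. The following is an added example, not code from the thread and not ISA's own spoof-detection logic. It encodes his two guidelines and his warning about multiple default routes: given the destination/gateway/interface columns of the host routing table and the address ranges of each network element, it resolves every range to the interface(s) its addresses would leave through by longest-prefix match, then reports a network element whose ranges reach more than one interface, an interface whose address space is split across more than one network element (the Internal/Management situation in the post), and the presence of more than one default route. The network element ranges are the ones quoted above; the routing table and the interface address 192.168.0.10 are constructed for the single-NIC case.

```python
"""Audit ISA-style network element definitions against the host routing table.

Added example, not ISA code. Routing table and interface addresses below are
constructed; the network element ranges are the ones from the thread.
"""
import ipaddress
from collections import defaultdict


def parse_routes(routes):
    """routes: iterable of (destination_cidr, gateway, interface_ip) strings,
    i.e. the three 'route print' columns that matter here. Returned sorted
    longest prefix first so a linear scan is a longest-prefix match."""
    parsed = [(ipaddress.ip_network(dest, strict=False), gw, ifc)
              for dest, gw, ifc in routes]
    parsed.sort(key=lambda r: r[0].prefixlen, reverse=True)
    return parsed


def egress_interface(addr, routes):
    """Interface chosen for addr; None when not even a default route covers it."""
    for net, _gw, ifc in routes:
        if addr in net:
            return ifc
    return None


def interfaces_for_range(first, last, routes):
    """Set of interfaces that route any address in [first, last].

    The selected route can only change where some prefix starts or ends, so
    probing both ends of the range plus every prefix boundary that falls
    inside it is exact, however large the range is."""
    lo = int(ipaddress.ip_address(first))
    hi = int(ipaddress.ip_address(last))
    probes = {lo, hi}
    for net, _gw, _ifc in routes:
        start = int(net.network_address)
        after_end = int(net.broadcast_address) + 1
        if lo <= start <= hi:
            probes.add(start)
        if lo <= after_end <= hi:
            probes.add(after_end)
    return {egress_interface(ipaddress.ip_address(p), routes) for p in probes}


def audit(network_elements, routes):
    """network_elements: {name: [(first_ip, last_ip), ...]} as entered in the
    ISA network properties. Returns a list of findings; [] means consistent."""
    routes = parse_routes(routes)
    findings = []
    defaults = [r for r in routes if r[0].prefixlen == 0]
    if len(defaults) > 1:
        findings.append("multiple default routes: "
                        + ", ".join(f"{gw} via {ifc}" for _, gw, ifc in defaults))
    elements_on_interface = defaultdict(set)
    for name, ranges in network_elements.items():
        reached = set()
        for first, last in ranges:
            hit = interfaces_for_range(first, last, routes)
            if None in hit:
                findings.append(f"{name}: {first}-{last} matches no route")
                hit.discard(None)
            reached |= hit
        for ifc in reached:
            elements_on_interface[ifc].add(name)
        if len(reached) > 1:
            findings.append(f"{name}: ranges leave through more than one "
                            f"interface {sorted(reached)} (guideline 2)")
    for ifc, names in sorted(elements_on_interface.items()):
        if len(names) > 1:
            findings.append(f"interface {ifc}: address space split across "
                            f"network elements {sorted(names)} (guideline 1)")
    return findings


# Constructed: the single-NIC box from the post, 192.168.0.0/24 on-link and a
# default route through 192.168.0.1; the NIC address 192.168.0.10 is assumed.
SINGLE_NIC_ROUTES = [
    ("192.168.0.0/24", "0.0.0.0", "192.168.0.10"),
    ("0.0.0.0/0", "192.168.0.1", "192.168.0.10"),
]
# The Internal and Management network elements exactly as listed in the post.
THREAD_ELEMENTS = {
    "Internal": [("192.168.100.1", "192.168.103.255"),
                 ("192.168.150.32", "192.168.150.63"),
                 ("192.168.180.1", "192.168.180.255")],
    "Management": [("10.0.1.224", "10.0.1.255"),
                   ("10.0.3.74", "10.0.3.74")],
}


def audit_thread_example():
    """Single finding: both elements' address space arrives on the one NIC."""
    return audit(THREAD_ELEMENTS, SINGLE_NIC_ROUTES)


if __name__ == "__main__":
    for line in audit_thread_example():
        print(line)
```

Run as-is it reports only the guideline 1 violation from the post. The same function catches the multi-homed case from the last paragraphs: a range put into the Internal element but not covered by the static route for the internal NIC resolves to the default route's interface, so Internal shows up as reaching two interfaces, and two 0.0.0.0/0 entries are reported before anything else is examined.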
