RE: To Chain, or Not To Chain?

  • From: "Thor \(Hammer of God\)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 5 Dec 2005 09:28:49 -0800


I'm not now- HTTPS out is available, but not for long-- that's after I build the Front End Exchange Server segment on the internal back-end ISA server. I'll do that in the next hour or so-- Again, I'll start with no access rules at all, and monitor the connection to only allow minimum rulesets. I'm assuming Kerberos-Sec for user auth, LDAP (UDP) for AD lookups from the FE server to AD to find out what BE server has the mailbox, and HTTP from the FE to BE for tunneled authentication and content delivery. After that, I'll work on IPSec between the DMZ FE server and the internal BE servers as FE-to-BE auth and content require HTTP. I'll let you guys know what I find out.


t

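The approach in the message above (start the new segment with no access rules, watch what the front-end server tries to do, then allow only the minimum) can be scripted against the firewall log. What follows is an added example, not code from the thread or from any ISA Server tooling. The addresses, the simplified log layout and the log lines are constructed for illustration; the expected flows are the ones the message lists (Kerberos and LDAP over UDP to AD, HTTP to the back-end). Anything outside that set is reported for review rather than turned into a rule.

```python
"""
Added example (not from the thread): derive a minimum allow list for a
DMZ front-end Exchange server from firewall-log 'Denied' entries recorded
while the segment starts with no allow rules at all.

Addresses, the log layout and the log lines are constructed for this
example; the fields are a simplified form of a W3C-style firewall log,
not the exact ISA Server log format.
"""
from collections import Counter
from dataclasses import dataclass
from typing import List, Set, Tuple

# Assumed lab addresses (hypothetical, not from the thread).
FE_SERVER = "192.168.100.10"            # DMZ front-end Exchange server
DOMAIN_CONTROLLERS = {"10.0.0.5"}       # internal AD domain controllers
BACKEND_SERVERS = {"10.0.0.20"}         # internal back-end Exchange servers

# Flows the message expects the FE server to need:
# Kerberos to AD, LDAP (UDP) to AD, HTTP to the back-end.
EXPECTED_FLOWS = {
    ("TCP", 88, "dc"),
    ("UDP", 88, "dc"),
    ("UDP", 389, "dc"),
    ("TCP", 80, "be"),
}

# Constructed log lines: date time src dst proto dstport action
SAMPLE_LOG = """\
2005-12-05 17:31:02 192.168.100.10 10.0.0.5 TCP 88 Denied
2005-12-05 17:31:02 192.168.100.10 10.0.0.5 UDP 389 Denied
2005-12-05 17:31:03 192.168.100.10 10.0.0.20 TCP 80 Denied
2005-12-05 17:31:03 192.168.100.10 10.0.0.20 TCP 80 Denied
2005-12-05 17:31:05 192.168.100.10 10.0.0.5 TCP 445 Denied
2005-12-05 17:31:09 192.168.100.10 10.0.0.20 TCP 135 Denied
2005-12-05 17:31:12 192.168.100.10 10.0.0.5 UDP 53 Denied
2005-12-05 17:31:20 192.168.100.10 10.0.0.20 TCP 80 Allowed
2005-12-05 17:31:25 10.0.0.99 10.0.0.20 TCP 80 Denied
"""


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int
    action: str


def parse_log(text: str) -> List[Flow]:
    """Parse the simplified log; blank and malformed lines are skipped."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 7:
            continue
        _date, _time, src, dst, proto, dport, action = parts
        if not dport.isdigit():
            continue
        flows.append(Flow(src, dst, proto.upper(), int(dport), action))
    return flows


def classify_destination(dst: str) -> str:
    """Map a destination address to the role the rule set is written in terms of."""
    if dst in DOMAIN_CONTROLLERS:
        return "dc"
    if dst in BACKEND_SERVERS:
        return "be"
    return "other"


def denied_from(flows: List[Flow], src: str) -> Counter:
    """Count denied (proto, dport, dst) tuples that originate at src."""
    return Counter(
        (f.proto, f.dport, f.dst)
        for f in flows
        if f.src == src and f.action == "Denied"
    )


def propose_rules(flows: List[Flow], src: str = FE_SERVER) -> Tuple[Set[Tuple], Set[Tuple]]:
    """
    Split the denied flows seen from src into candidate allow rules (they
    match the expected minimum set) and flows that need a human decision
    before any rule is written. Nothing unexpected is auto-allowed.
    """
    allow, review = set(), set()
    for (proto, dport, dst), _count in denied_from(flows, src).items():
        key = (proto, dport, classify_destination(dst))
        (allow if key in EXPECTED_FLOWS else review).add((proto, dport, dst))
    return allow, review


if __name__ == "__main__":
    allow, review = propose_rules(parse_log(SAMPLE_LOG))
    for proto, dport, dst in sorted(allow):
        print(f"allow  {FE_SERVER} -> {dst} {proto}/{dport}")
    for proto, dport, dst in sorted(review):
        print(f"REVIEW {FE_SERVER} -> {dst} {proto}/{dport}")
```

On the constructed log the script proposes exactly the three expected rules and flags SMB (445), RPC endpoint mapper (135) and DNS (53) for review; whether those belong in the final rule set is the decision the monitoring phase is meant to inform, not something the script guesses.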

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 05, 2005 9:01 AM
Subject: [isalist] RE: To Chain, or Not To Chain?



http://www.ISAserver.org

OK, got it. Good idea. So you're limiting them to HTTP/HTTPS/tunneled
FTP connections only?

Actually, you're probably allowing HTTPS only to a select number of
approved sites, since you know how kids can be when they can tunnel
through the firewall.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Monday, December 05, 2005 10:54 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: To Chain, or Not To Chain?

http://www.ISAserver.org

"Yep" on all points, other than internal DNS forwarding... I
choose to keep
root zones on my AD DNS because I don't want any internal
host to be able to
resolve anything that I don't know about, unless they are
doing so via the
web proxy.  Keeps "nasties" from being able to get "home."

t



----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, December 05, 2005 6:51 AM
Subject: [isalist] RE: To Chain, or Not To Chain?



http://www.ISAserver.org

Hi Tim,
Yes, authenticating the back-end ISA firewall to the
front-end, using an
account that exists on the FE ISA firewall. We're not
authenticating the
users behind the back-end ISA firewall, since the BE ISA firewall has
already done its user/group authentication. The goal of having the FE
require Web proxy authentication is to prevent interlopers that might
"visit" the DMZ from using an unauthenticated connection to gain outbound
access to the Internet (at least for Web connections).

OK, the DNS is a hardened box on a DMZ and is working as a
resolver only
-- that's a good sec design. Don't mix resolvers with advertisers. But
you might want to configure the BE ISA firewall to use the
internal DNS,
and configure the internal DNS to use the DMZ located DNS
resolver as a
forwarder, make sure to remember to turn off recursion for that zone
(not that you would forget, but others would :)

The goal of having the internal DNS use your hardened DNS
server as its
forwarder is that you trust the configuration of that DNS server, you
know that it's protected from common and maybe uncommon DNS attacks,
which wouldn't be the case if the internal DNS server were performing
recursion itself, or using an untrusted or unknown ISP's DNS
server as a
forwarder.

I don't find that there is that much overhead in publishing my DNS
servers, except for those times when my DNS servers get
DDoS'ed. Then I
have to bring in the ISP to handle things on their fat-end of
the pipe,
since there's nothing I can do on my straw side re: DDoS. But you're
right, when they're hosting the thing, that takes out one
layer 8 issue.
When I use external DNS hosters, the configuration interfaces for
updating records is pretty simple, or an e-mail or phone call gets the
records changed right quick (I've been lucky when it comes to
ISPs, but
I try to stay away from dolts cf - the big boys).

OK, getting to the bottom of your messages shows what you can
do with a
trusted and competent ISP. If you trust your ISP (like I do with
Speakeasy) and have confirmed they understand how to secure a DNS
server, then configuring your resolvers to use the ISP's DNS
servers as
your forwarders is a good deal. In that case, you can configure your
resolver to use them as a forwarder, and then use recursion
in the event
that their servers go down for some reason.

Next week,
GMT




Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**


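Tom's two points above, that the front-end proxy should demand Web proxy authentication against a local account so that an interloper in the DMZ cannot ride it outbound, and (in his earlier reply) that HTTPS should be allowed only to approved sites because a CONNECT tunnel carries whatever the client puts inside it, can be written down as a single request-level policy. The block below is an added example, not code from the thread or from ISA Server. It assumes HTTP Basic as the proxy authentication scheme; the account name, password, approved host list and sample requests are constructed for illustration.

```python
"""
Added example (not from the thread): the policy a front-end Web proxy
applies to requests arriving from the DMZ.

  * a request with no valid credentials gets 407, so an unauthenticated
    host in the DMZ gets no outbound Web access through the front-end;
  * credentials are checked against a local account on the front-end
    (no AD account, no AD access from the DMZ);
  * CONNECT is allowed only to port 443 on an approved host list;
  * plain HTTP methods are allowed to any http:// URL.

Account, password, host list and requests are hypothetical.
"""
import base64
import hashlib
import hmac
from typing import Dict, Optional, Tuple

# Local account on the front-end used by the back-end firewall's chained
# connection. Stored as a salted SHA-256 digest; values are constructed.
_SALT = b"fe-proxy-salt"
LOCAL_ACCOUNTS: Dict[str, bytes] = {
    "beproxy": hashlib.sha256(_SALT + b"correct horse battery staple").digest(),
}

# HTTPS is allowed only to approved sites, since the proxy cannot inspect
# what goes through a CONNECT tunnel.
APPROVED_HTTPS_HOSTS = {"www.microsoft.com", "update.microsoft.com"}


def _check_credentials(header: Optional[str]) -> Optional[str]:
    """Return the user name for a valid Basic Proxy-Authorization header, else None."""
    if not header or not header.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(header[6:]).decode().partition(":")
    except ValueError:          # bad base64 or bad UTF-8
        return None
    expected = LOCAL_ACCOUNTS.get(user)
    if expected is None:
        return None
    digest = hashlib.sha256(_SALT + password.encode()).digest()
    return user if hmac.compare_digest(digest, expected) else None


def parse_request(raw: str) -> Tuple[str, str, Dict[str, str]]:
    """Split a raw HTTP request into (method, target, lower-cased headers)."""
    lines = raw.split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def decide(raw: str) -> Tuple[int, str]:
    """
    Apply the front-end policy and return (status, reason):
      407  no valid credentials
      403  authenticated, but the destination or method is not allowed
      200  permitted
    """
    method, target, headers = parse_request(raw)
    user = _check_credentials(headers.get("proxy-authorization"))
    if user is None:
        return 407, "Proxy Authentication Required"
    if method == "CONNECT":
        host, _, port = target.rpartition(":")
        if port != "443" or host.lower() not in APPROVED_HTTPS_HOSTS:
            return 403, f"CONNECT to {target} not in approved HTTPS list"
        return 200, f"tunnel to {host} for {user}"
    if method in ("GET", "HEAD", "POST") and target.lower().startswith("http://"):
        return 200, f"{method} {target} for {user}"
    return 403, f"{method} to {target} not permitted"


# Constructed sample requests.
GOOD_CREDS = "Basic " + base64.b64encode(b"beproxy:correct horse battery staple").decode()
BAD_CREDS = "Basic " + base64.b64encode(b"beproxy:guess").decode()

SAMPLE_REQUESTS = {
    "no_auth":      "GET http://www.isaserver.org/ HTTP/1.1\r\nHost: www.isaserver.org\r\n\r\n",
    "bad_password": f"GET http://www.isaserver.org/ HTTP/1.1\r\nProxy-Authorization: {BAD_CREDS}\r\n\r\n",
    "http_ok":      f"GET http://www.isaserver.org/ HTTP/1.1\r\nProxy-Authorization: {GOOD_CREDS}\r\n\r\n",
    "https_ok":     f"CONNECT www.microsoft.com:443 HTTP/1.1\r\nProxy-Authorization: {GOOD_CREDS}\r\n\r\n",
    "https_denied": f"CONNECT tunnel.example.net:443 HTTP/1.1\r\nProxy-Authorization: {GOOD_CREDS}\r\n\r\n",
    "ssh_tunnel":   f"CONNECT www.microsoft.com:22 HTTP/1.1\r\nProxy-Authorization: {GOOD_CREDS}\r\n\r\n",
}

if __name__ == "__main__":
    for name, req in SAMPLE_REQUESTS.items():
        status, reason = decide(req)
        print(f"{name:13s} {status} {reason}")
```

The `ssh_tunnel` and `https_denied` cases are the ones the approved-host list exists for: authentication on its own would let anyone holding the chain account open a CONNECT to an arbitrary host or port, which is exactly the "kids tunnelling through the firewall" problem.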

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Sunday, December 04, 2005 3:21 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
> http://www.ISAserver.org
>
> Ah- I see... You mean authenticating the chain connection
> itself, and not
> trying to authenticate internal users to external rules via
> a chained
> connection. That's what threw me off there. Sorry...
>
> Thanks for the links-- My DNS had always been a hardened box
> on the external
> segment. When we rebuilt the DMZ this weekend, I moved DNS
> into the DMZ--
> so while my actual "Internal" DNS box cannot resolve Internet
> host names
> (it's a "." root zone AD DNS), my DMZ DNS box can. So I'm still
> trying to nail
> down exactly who does what and where regarding DNS, but I too
> was thinking
> that the back-end (internal -> DMZ) ISA box would do the name
> resolution and
> not the edge (DMZ -> Internet) box... just seemed to make sense.
>
> As I've got it designed, I'm not even publishing my DNS
> server now-- Though
> I control the primary zones and my commercial provider is set
> to receive
> push updates on their secondary servers from my box, I've
> told the root
> registry services that my primary DNS servers are my ISP's
> boxes, not mine.
> After all, they are a tier 1 provider--- this way, I fully
> control my zone
> files, yet don't have to assume the security and
> administrative overhead of
> publishing the services, all the while being able to
> immediately resolve
> Internet hosts for internal users locally while external
> resolution of my
> hosts is performed in a more efficient manner. This config
> also allows me
> to remove the default DNS "to anywhere" rules (which are not
> safe). In
> fact, all of the aforementioned functionality is available
> through a single
> rule on my edge ISA box that only allows DNS from the DMZ DNS
> box out.
> Everything else is internal (respectively). So far so good ;)
>
> t
>
>
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Sunday, December 04, 2005 12:17 PM
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
>
> http://www.ISAserver.org
>
> You use a local account on the front-end ISA firewall, and have the
> back-end ISA firewall use the local account to authenticate.
>
> So, no Active Directory access is required.
>
> Actually, if your DNS is well-designed (i.e., your internal
> DNS server can resolve Internet host names) and you allow the
> back-end to resolve names, you won't have problems. Check out
> http://support.microsoft.com/default.aspx?scid=kb;en-us;292018
> for more
> info.
>
> I don't see any reason to have the front-end perform name
> resolution,
> since the access controls are being done on the back-end. Check out
> http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx
>
> The problem I have is with the terminology. Downstream and
> upstream are
> good when talking about rivers and streams, where the "flow" is
> unidirectional. But it is a bit confusing with network
> connections, which
> are bidirectional :)
>
>
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Sunday, December 04, 2005 1:47 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> > http://www.ISAserver.org
> >
> > OK- I'm a bit confused-- probably because I haven't had any
> > Jaeger yet.
> >
> > Regarding authentication, how can the front-end server
> > authenticate? The
> > front end would have to have access to AD, which you would
> > never do through
> > the DMZ - that'd be nuts... Or is that just an example of
> > where chaining in
> > and of itself serves a purpose? I'm thinking to just keep
> > the internal
> > back-end guy thinking the DMZ is the internet as I did before.
> >
> > Regarding the "config the back end not to perform name
> > resolution," how do I
> > do that? That's a new one on me.
> >
> > t
> >
> >
> >
> > ----- Original Message -----
> > From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Sunday, December 04, 2005 9:42 AM
> > Subject: [isalist] RE: To Chain, or Not To Chain?
> >
> >
> > > http://www.ISAserver.org
> > >
> > > Er - I think you mean "configure only the front-end
> > firewall to perform
> > > name resolution"?
> > > If the back-end does name resolution, this will slow your ISA
> > > considerably.
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: Sunday, December 04, 2005 8:55 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: To Chain, or Not To Chain?
> > >
> > > http://www.ISAserver.org
> > >
> > > If you chain, you can authenticate. Otherwise, you use only
> > IP address
> > > based access control.
> > >
> > > Configure only the back-end ISA firewall to perform name
> > > resolution.
> > >
> > > Don't enable caching on the front-end ISA firewall.
> > >
> > > Now you might say "hey Tom, why not just do Firewall
> > chaining if all you
> > > want is authenticated connections from the back-end" and
> > that would be
> > > an excellent question.
> > >
> > > HTH,
> > > Tom
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> Sent: Sunday, December 04, 2005 1:54 AM
> > >> To: [ISAserver.org Discussion List]
> > >> Subject: [isalist] To Chain, or Not To Chain?
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> So, in a back-to-back ISA config, how do you guys configure
> > >> web access from
> > >> the internal network's border ISA server to the edge
> > >> network's ISA server?
> > >> Do you tell the internal ISA server to chain to the external
> > >> ISA server and
> > >> create an allow rule for 8080, or do you just tell the
> > >> internal ISA that
> > >> it's got a direct connection by pointing the external
> > >> interface gateway to
> > >> the internal interface of the edge ISA box (with
> > >> corresponding rules to
> > >> allow the traffic)??
> > >>
> > >> I've done it both ways, and am just digging for more info as
> > >> to which method
> > >> is better than the other and why.
> > >>
> > >> t
> > >>
> > >> -----
> > >> "And yet, even if one person finds his way... that means
> > >> there is a Way. Even if I personally fail to reach it."
> > >>
> > >> Mr. Nobusuke Tagomi
> > >> Top Place, Ranking Imperial Trade Mission
> > >> Pacific States of America
> > >>
> > >>
> > >> ------------------------------------------------------
> > >> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > >> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > >> ------------------------------------------------------
> > >> Visit TechGenix.com for more information about our other sites:
> > >> http://www.techgenix.com
> > >> ------------------------------------------------------
> > >> You are currently subscribed to this ISAserver.org Discussion
> > >> List as: tshinder@xxxxxxxxxxxxxxxxxx
> > >> To unsubscribe visit
> > >> http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> Report abuse to listadmin@xxxxxxxxxxxxx
> > >>
> > >>
> > >
> > >
> >
> >
> >
>
>
>
>





