Tri-Homed ISA Server - running Exchange and DNS on DMZ

I am having trouble allowing DNS and smtp to pass on my DMZ.

ISA = tri-homed, integrated
first NIC: external to ISP, 200.200.200.1
second NIC: perimeter network, 200.200.200.2
third NIC: internal, 192.168.10.1

My exchange and DNS are running on the same box.

I am not sure if the perimeter server should have a gateway designated.
I am not sure if the second NIC should be an ISP-assigned IP.
I am not sure if the second NIC should have a gateway designated.
I am not sure if I should include the second NIC in the LAT.

I have created an allow rule for all protocols.
I have created an allow rule for all IP packets.

The proxy service is working fine for my internal clients; all 192.168.10.x clients can hit any web site they want.

The problem is the perimeter network setup.


THANKS
Asked by David_Letterman
schmutzboy commented:
Just to verify - are you having trouble getting DNS and SMTP out from the DMZ to the ISP, or to (or even behind) the ISA box?

Also, if the ISP and DMZ are on the same subnet, are they physically separated?

is it like this:

Internet
    |
Router
    |
SWITCH --- DMZ
    |                 |
ISA ---------
    |
LAN

or like this:

Internet
    |
Router
    |
ISA --- DMZ
    |
LAN

David_Letterman (author) commented:
Internet
    |
 Router
    |
   ISA---DMZ (dns, exchange)
    |
Intenal LAN


ISA is one machine (isp provided IP),
DNS and exchange on second machine (isp provided IP)

Router is wide open (no blocked ports)

schmutzboy commented:
OK - in this setup, you need to have IP routing and packet filtering turned on.

Configure the LAT to include the private subnet. The LAT should not include any other addresses.

In ISA management, add an IP packet filter for the Exchange server.  The filter type should be "predefined" and choose SMTP.

Remote computer should be Any Computer (or a specific computer, if access is limited to specific computers).

Do another packet filter for DNS requests.

David_Letterman (author) commented:
I have tried adding SMTP and DNS filters.... I have also (just for testing) ALLOWED ALL IP UDP traffic... and I am still having DNS issues.

When I move the DNS/Exchange server from behind the ISA server, SMTP/DNS work fine.

I am not sure if I need a gateway on the DNS/Exchange box when it is behind the ISA server... also not sure if the NIC on the ISA needs to be ISP provided
(the NIC directly connected to the DMZ) and does the NIC need a gateway?

schmutzboy commented:
If I remember correctly, NIC2 must NOT have a gateway - it will screw up the routing tables. (Try it both ways, but I'm almost certain this is true.)

The interfaces on the perimeter network, including the ISA's perimeter interface, must have public (ISP assigned) addresses.

On the other hand, the DNS/Exchange box MUST have a gateway - set it to 200.200.200.1 (IP address of the ISA NIC facing the perimeter network). If it works when plugged directly into the ISP subnet, then it has the gateway set for the ISP router - but it won't be able to reach that address when plugged into the perimeter net, because they are physically separated. This is most likely your root issue.


Also, are you sure you have IP routing turned on?
 From the ISA help:
-------------
To enable IP routing

In the console tree of ISA Management, right-click IP Packet Filters and then click Properties.
Where?

Internet Security and Acceleration Server
Servers and Arrays
Name
Access Policy
IP Packet Filters
On the General tab, click Enable packet filtering.
Click Enable IP routing.
-------------

David_Letterman (author) commented:
Yes, IP routing is on.

I have tried all of the above configs (with and without gateways).

schmutzboy commented:
To sum up as I understand it:

Internet
   |
ISP Router (200.200.200.254/24)
   |
(NIC1)
  ISA(NIC2)---(PERIM1)DNS/Exchg
(NIC3)
   |
(LANHOST)

Where:
NIC1
  IP 200.200.200.1/24
  GW 200.200.200.254
NIC2
  IP 200.200.200.2/24
  GW <blank>
NIC3
  IP 192.168.10.1
  GW <blank>
Perim1
  IP 200.200.200.3/24
  GW 200.200.200.2
Lanhost
  IP 192.168.10.x
  GW 192.168.10.1

------
Can you please make a matrix that states success on pings?

For example:

ISA box can successfully ping Internet, LAN, but not DNS
DNS cannot ping LAN or internet, but can ping ISA box.
Internet can ping ISA but not DNS
LAN can ping...
etc.
------
Also, please clarify the problem hosts - are you trying to query the DNS of the server in the DMZ from the LAN, or from the internet to the DMZ, or from the DMZ to the Internet?  Can you telnet to the SMTP port of the DMZ host from the LAN?  From the internet?

kdearing commented:
I believe the main problem is your IP scheme.

The external NIC and the DMZ (perimeter) NIC MUST be on separate subnets.

This should fix it:

On the Exchange/DNS server -
IP address 192.168.11.2
Gateway 192.168.11.1

On the ISA Server -
NIC2 IP address 192.168.11.1
Open ISA and expand 'Publishing'
Right-click 'Server Publishing Rules'
Select 'Secure Mail Server'
Go through the wizard using 192.168.11.2 as your mail server ip address
Set up a protocol rule allowing DNS

Make sure you configure the DNS Server to use a Forwarder for domains for which it is not authoritative.
Also, there must be a publicly available DNS MX record pointing to the external NIC of the ISA server.

Let me know if this helps.

Ycore commented:
I agree with kdearing. Your ISP network and your perimeter network are on the same subnet, so your routing is all screwy. Choose a different subnet for your perimeter network, and it should work.

Ycore

David_Letterman (author) commented:
I have the DNS listed with InterNIC as 200.200.200.x.
How can I change my DNS to 192.168.1.x?

Where will the 200.200.200.x be?

Are you suggesting I add a second IP to my external NIC?

schmutzboy commented:
Actually, what they said is partially true - The address space of the DMZ must be on a different subnet than the public subnet.  I apologize, I just glazed over that part of it without thinking hard enough.  However, the DMZ *MUST* be publicly addressable... so no 192.168.x.x numbers.  

Say your subnet is 200.200.200.0/24
You must split the subnet again, so you have network 1 as 200.200.200.0/25 and network 2 as 200.200.200.128/25.

Network 1 would be on the public side of the ISA box, and network 2 would be on the DMZ.  (Actually, whatever address contains the ISP router/gateway address, that part must be on the public interface)

It would then look like this:

Internet
  |
ISP Router (200.200.200.1/24) <----- note subnet mask
  |
(NIC1)
 ISA(NIC2)---(PERIM1)DNS/Exchg
(NIC3)
  |
(LANHOST)

Where:
NIC1
 IP 200.200.200.2/25 <----- note subnet mask
 GW 200.200.200.1
NIC2
 IP 200.200.200.129/25 <----- note address and mask
 GW <blank>
NIC3
 IP 192.168.10.1
 GW <blank>
Perim1
 IP 200.200.200.130/25 <----- note address and mask
 GW 200.200.200.129  <----- note gateway is Nic2
Lanhost
 IP 192.168.10.x
 GW 192.168.10.1

If you need help splitting up a different number of assigned addresses, tell us how many you have been assigned.
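As an added example (not code from any poster in this thread), the script below models the two address plans discussed above, the original flat 200.200.200.0/24 and the /25 split proposed in the last post, and checks the two failure conditions the thread identifies: the ISA box's external and DMZ interfaces sitting in overlapping subnets, and a host's gateway pointing at an address that is not on its own wire (the DNS/Exchange box keeping the ISP router as its gateway). The segment labels, the 192.168.10.50 LAN host address and the check_plan function name are my assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# (name, "address/prefix", gateway or None, physical segment the NIC is plugged into)
Iface = Tuple[str, str, Optional[str], str]

# Constructed from the thread's diagrams (200.200.200.x / 192.168.10.x are the thread's
# placeholder ranges, not real allocations). Perim1 still points at the ISP router.
ORIGINAL: List[Iface] = [
    ("ISP router", "200.200.200.254/24", None,              "isp"),
    ("ISA NIC1",   "200.200.200.1/24",   "200.200.200.254", "isp"),
    ("ISA NIC2",   "200.200.200.2/24",   None,              "dmz"),
    ("ISA NIC3",   "192.168.10.1/24",    None,              "lan"),
    ("Perim1",     "200.200.200.3/24",   "200.200.200.254", "dmz"),
    ("Lanhost",    "192.168.10.50/24",   "192.168.10.1",    "lan"),
]
# The /25 split: lower half stays on the public wire, upper half becomes the DMZ.
SPLIT: List[Iface] = [
    ("ISP router", "200.200.200.1/24",   None,              "isp"),
    ("ISA NIC1",   "200.200.200.2/25",   "200.200.200.1",   "isp"),
    ("ISA NIC2",   "200.200.200.129/25", None,              "dmz"),
    ("ISA NIC3",   "192.168.10.1/24",    None,              "lan"),
    ("Perim1",     "200.200.200.130/25", "200.200.200.129", "dmz"),
    ("Lanhost",    "192.168.10.50/24",   "192.168.10.1",    "lan"),
]

def check_plan(ifaces: List[Iface]) -> List[str]:
    """Return the routing problems found; an empty list means the plan is sound."""
    problems: List[str] = []
    parsed = [(n, ipaddress.ip_interface(c), gw, seg) for n, c, gw, seg in ifaces]
    # 1. The ISA box's own interfaces must not sit in overlapping subnets, or its
    #    routing table cannot tell the ISP wire from the DMZ wire.
    isa = [(n, i.network) for n, i, _, _ in parsed if n.startswith("ISA ")]
    for k, (n1, net1) in enumerate(isa):
        for n2, net2 in isa[k + 1:]:
            if net1.overlaps(net2):
                problems.append(f"{n1} and {n2} overlap: {net1} vs {net2}")
    # 2. A gateway must be on-link AND be an address that lives on the same physical
    #    segment; an in-subnet address on another wire is unreachable (the root issue).
    for name, iface, gw, seg in parsed:
        if gw is None:
            continue
        gw_ip = ipaddress.ip_address(gw)
        if gw_ip not in iface.network:
            problems.append(f"{name}: gateway {gw} outside {iface.network}")
        elif not any(o.ip == gw_ip and oseg == seg for _, o, _, oseg in parsed):
            problems.append(f"{name}: gateway {gw} is not on segment '{seg}'")
    return problems
```

check_plan(ORIGINAL) reports both the NIC1/NIC2 overlap and Perim1's unreachable gateway; check_plan(SPLIT) returns an empty list.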

David_Letterman (author) commented:
I am working with the comments above.... I will update this question as soon as I make changes.

Thanks for the comments so far.

kdearing commented:
I disagree with schmutzboy.

So does Microsoft and Cisco.

Your DMZ should be private IP addresses. They must be a different subnet from your internal network, but still private.

Standard 'Best Practice' is that public IP addresses should be outside the firewall.

Your external DNS MX record is pointing to the outside interface of the ISA Server. The ISA Server will redirect SMTP traffic to the specified IP address. As you can see, with ISA redirecting traffic, there is absolutely no reason to have a public IP on the mail server.

Check out this tutorial:

http://www.isaserver.org/tutorials/Publishing_A_Mail_Server_With_ISA_Server.html

Especially the sections marked:
"External IP Addresses"
and
"Running The Secure Mail Server Publishing Wizard"

Or, better yet, here is the installation guide from Microsoft:

http://www.microsoft.com/isaserver/techinfo/deployment/2000/wp_installationguide.doc
See page 51+

Let me know what happens.

schmutzboy commented:
kdearing is only half right, but his (her?) response does not address the original question.

Respectfully, Cisco has nothing to do with Microsoft or ISA server.

The original question dealt with a three-homed ISA server, with a DMZ interface.  The last post deals specifically with locating *ALL* hosts in the private address space and mapping public addresses using NAT to a host on the private net.

It's not my place to tell someone how to structure their network and force them to do NAT - some situations require NAT to not be present, and I don't know the original poster's intent for wanting to include a DMZ.  So, assuming they know what they want to do, and that they know the pros and cons of NAT, I choose simply to answer the question as posed instead of getting into a semi-religious argument over the state of the structure of a network.

Dealing with three-homed "perimeter" networks, please see below for support for my suggestions:

http://support.microsoft.com/default.aspx?scid=kb;en-us;313562

As you can see, both public and private addresses are supported, but for a three-homed scenario, private addresses in the DMZ can only occur if the ISA server itself is behind a NAT box.

Sorry for any confusion, but there is indeed (to borrow a line from the Perl documentors) more than one way to do things.

David_Letterman (author) commented:
FYI -

I changed the exchange server to an internal IP.
I added the external IP of the exchange server to the ISA servers first nic.
Example:
Nic#1 200.200.200.1/24 (second IP 200.200.200.2)
Nic#2 192.168.x.x (exchange server 192.168.x.x)

The MX record now points to the second logical interface on the first nic on my ISA server.

I also asked my ISP to host DNS (mainly to take that element out of the equation)

I then used the Config. secure mail wizard to add the approp. filters.

Email, DNS and packet filtering are all working 100%!!!

David_Letterman (author) commented:
I would like to thank ALL the submitted comments !

Although the answer was not perfectly clear... the comments and help are GREATLY apprec.


Experts-exchange is a very valuable tool !


Again THANKS TO ALL !!!