virajw2310
asked on
PIX 515E Configuration
I am seeking for professional support in improving my existing network security levels and maximizing the business continuity by minimizing the risk in LAN & WAN.
I have 3 interfaces - inside - 192.168.150.0/24, outside - 202.155.135.0/29 and DMZ 10.10.10.1/24. My exchange server, proxy server and web server - (192.168.150.0/24), should be connected to “inside” interface and in “DMZ” – (10.10.10.1/24) I am planning to implement Trend Micro SMTP gateway which could pull all SMTP traffic which is forwarding by my ISP, my ISP is mail forwarding to 202.155.135.0/29 address. My“outside” interface is connected to VSAT modem (Gateway - 202.155.135.0/29). And from my exchange side all outgoing SMTP traffic is forwarded to ISP DNS address (202.155.0.0).
In addition all my proxy traffic must route through my ISA server which is in “inside” interface. I have plans to enable outlook web access in a additional front-end server; do you recommend this if it yes where should I keep the server in DMZ or Inside?
Thanks
Viraj
I have 3 interfaces - inside - 192.168.150.0/24, outside - 202.155.135.0/29 and DMZ 10.10.10.1/24. My exchange server, proxy server and web server - (192.168.150.0/24), should be connected to “inside” interface and in “DMZ” – (10.10.10.1/24) I am planning to implement Trend Micro SMTP gateway which could pull all SMTP traffic which is forwarding by my ISP, my ISP is mail forwarding to 202.155.135.0/29 address. My“outside” interface is connected to VSAT modem (Gateway - 202.155.135.0/29). And from my exchange side all outgoing SMTP traffic is forwarded to ISP DNS address (202.155.0.0).
In addition all my proxy traffic must route through my ISA server which is in “inside” interface. I have plans to enable outlook web access in a additional front-end server; do you recommend this if it yes where should I keep the server in DMZ or Inside?
Thanks
Viraj
ASKER
Thanks for quick respond;
Q - Are your three interfaces hosted by the ISA server? (Sorry! I am not that clear but let me explain)
A - ISA server will resides in "inside" interface and but need to establish a outbound connection to "outside" (all my inside clients will use ISA proxy client for internet browsing).
Further I need to use Outlook WEB access for remote and roaming users but I prefer to use VPN client to establish an inbound connection to “inside”.
Note – please omit the front end server.
(if you have a email I could send a draft network topology which I have prepared)
Q - Are your three interfaces hosted by the ISA server? (Sorry! I am not that clear but let me explain)
A - ISA server will resides in "inside" interface and but need to establish a outbound connection to "outside" (all my inside clients will use ISA proxy client for internet browsing).
Further I need to use Outlook WEB access for remote and roaming users but I prefer to use VPN client to establish an inbound connection to “inside”.
Note – please omit the front end server.
(if you have a email I could send a draft network topology which I have prepared)
You can contact me for EE business at keith_alabaster@experts-ex
To clarify my question, you state you have thre interfaces. Where are these interfaces? On the ISA server? On a router? On another firewall device?
To clarify my question, you state you have thre interfaces. Where are these interfaces? On the ISA server? On a router? On another firewall device?
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
1. Allow OWA from outside
A. Yes, provided proper authentication & if possible VPN client
2. Forward all outbound smtp traffic using Smarthost to ISP
A. Yes, if possible to direct all outbound smtp traffic directly to ISP's DNS server or forward to interscan viruswall.
3. Allow incoming smtp to trend which forwards smtp to Exchange
A. Yes, trend interscan virus wall
4. All users use ISA for Proxy services
A. Yes.
You do not mention if you wish to filter outbound traffic outside of ftp, http, https.
A. Yes i need to filter all traffic.
note - as i mentioned please refer to email which i already sent to your mail id.
Thanks
Viraj
A. Yes, provided proper authentication & if possible VPN client
2. Forward all outbound smtp traffic using Smarthost to ISP
A. Yes, if possible to direct all outbound smtp traffic directly to ISP's DNS server or forward to interscan viruswall.
3. Allow incoming smtp to trend which forwards smtp to Exchange
A. Yes, trend interscan virus wall
4. All users use ISA for Proxy services
A. Yes.
You do not mention if you wish to filter outbound traffic outside of ftp, http, https.
A. Yes i need to filter all traffic.
note - as i mentioned please refer to email which i already sent to your mail id.
Thanks
Viraj
I would change one item here that would have quite an impact. I would put a second NIC in the ISA server and turn that into an internal/back end firewall.
Internet
|
202.155.135.0/29
PIX 515E --------------- DMZ 10.10.10.1/24 including Trend SMTP relay
192.168.100.1/24
|
192.168.100.2/24
ISA server
192.168.150/24
|
--------------------------
| | |
Exchange Web Clients
Benefits:
1. You can use the ISA firewalls clients on your workstations to filter all protocols including socks or use SecureNAT
2. You can securely publish all internal applications through ISA (should you want to); proxy only allows the publishing of mail and web services.
3. You can use Active Directory groups to control access fully to the internet without users having the ability to 'bypass' the proxy.
4. Gives you an application-layer firewall as extra protection in addition to the standard packet filtering performed by the PIX.
5. Single point of control as all access to internal systems is controlled by the same GUI.
6. Extends the choice of VPN termination; on the PIX or on the ISA.
7. You can publish your internal mail server on the ISA server to the Trend unit as you requested but not have to allow the Trend to talk directly inside the LAN.
Hope this helps.
Regards
Keith
Internet
|
202.155.135.0/29
PIX 515E --------------- DMZ 10.10.10.1/24 including Trend SMTP relay
192.168.100.1/24
|
192.168.100.2/24
ISA server
192.168.150/24
|
--------------------------
| | |
Exchange Web Clients
Benefits:
1. You can use the ISA firewalls clients on your workstations to filter all protocols including socks or use SecureNAT
2. You can securely publish all internal applications through ISA (should you want to); proxy only allows the publishing of mail and web services.
3. You can use Active Directory groups to control access fully to the internet without users having the ability to 'bypass' the proxy.
4. Gives you an application-layer firewall as extra protection in addition to the standard packet filtering performed by the PIX.
5. Single point of control as all access to internal systems is controlled by the same GUI.
6. Extends the choice of VPN termination; on the PIX or on the ISA.
7. You can publish your internal mail server on the ISA server to the Trend unit as you requested but not have to allow the Trend to talk directly inside the LAN.
Hope this helps.
Regards
Keith
ASKER
Hi Keith
Thanks for your recomandation and it help me to have better understanding over the setup, anyway do you have a PIX sample configuration file which i could use as a template. In ISA side still i have conserns in how i am going to facilitate the above senario.
Thanks so much for the help...
Viraj
Thanks for your recomandation and it help me to have better understanding over the setup, anyway do you have a PIX sample configuration file which i could use as a template. In ISA side still i have conserns in how i am going to facilitate the above senario.
Thanks so much for the help...
Viraj
ASKER
Hi Keith
One more concern. As you suggest ISA server will be act a secondary gateway? Then all email traffic must go through that ? but if you consider the email traffic is it recommend to publish exchange in ISA? If i am not mistaken in this case we have to relay two times go to outside network?
Please provide your views..
Thanks
Viraj
One more concern. As you suggest ISA server will be act a secondary gateway? Then all email traffic must go through that ? but if you consider the email traffic is it recommend to publish exchange in ISA? If i am not mistaken in this case we have to relay two times go to outside network?
Please provide your views..
Thanks
Viraj
1. If you perform a search in experts-exchange for pix smtp dmz I think you will find plenty of sample configs :)
2. In ISA, you would select the backend firewall template after you had installed a 2nd NIC. All of your internal devices would have their default gateway pointed to the internal ISA NIC.
3. Yes, ISA wuld act as an internal firewall (rather than a secondary gateway).
4. Yes, it is recommended to publish Exchange in ISA (although if you wanted to, you could just make access rules in both directions). However, if you do not publish the Exchange services, you lose much of the firewall functionality.
5. No. The Exchange server will still send its traffic directly to the Smarthost that you had entered into the SMTP connector or, if you have selected dns delivery, straight out to the Internet. For incoming email, the PIX will deliver mail to the Trend smtp relay (as planned) and this will forward to the Exchange server (as planned). The difference is that ISA will play as middle-man by using the published service.
2. In ISA, you would select the backend firewall template after you had installed a 2nd NIC. All of your internal devices would have their default gateway pointed to the internal ISA NIC.
3. Yes, ISA wuld act as an internal firewall (rather than a secondary gateway).
4. Yes, it is recommended to publish Exchange in ISA (although if you wanted to, you could just make access rules in both directions). However, if you do not publish the Exchange services, you lose much of the firewall functionality.
5. No. The Exchange server will still send its traffic directly to the Smarthost that you had entered into the SMTP connector or, if you have selected dns delivery, straight out to the Internet. For incoming email, the PIX will deliver mail to the Trend smtp relay (as planned) and this will forward to the Exchange server (as planned). The difference is that ISA will play as middle-man by using the published service.
Q. Are your three interfaces hosted by the ISA server?
2. The Trend smtp gateway is fine and should be in your DMZ as normal.
3. Not enough info to be able to answer the owa question until you respond to point 1