Solved

ISA Server 2004 in single interface mode protecting OWA - possible??

Posted on 2006-07-06
Last Modified: 2013-12-04
Hi there,

I have a requirement to protect an Exchange server running OWA. ISA Server 2004 seems to be the right product to do this, running as a reverse proxy. Problem is that all the literature I can find talks about using it as a firewall. It might be a great firewall, I don't know, but I don't need it to do that - I only need it as a layer 7 inspection device to protect some web servers on the internal network.

Am planning to install it in single interface mode on the DMZ, behind a Cisco PIX, and have the inbound web traffic routed to it. It then inspects it and makes sure there's nothing malicious in there and reverse proxies the web servers which sit safely on the inside network.

I have read various topologies and rants by a variety of people but everyone seems to be adamant that the thing is going to be installed as a firewall. Is the config I propose possible? Does anyone have any other comments? For the record, the ISA IS NOT going to become the new firewall solution here. The PIX does a great job but needs a bit of help in this area, enter stage left the ISA.

Thanks in advance.

George
0
Comment
Question by:georgemason
17 Comments
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17066908
you can do that but only a few features of ISA are available. see the following MS official KB article:

The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364

hope it helps,
bbao
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17067191
Using the ISA in the DMZ as you mention is fine but as mentioned the options are just restricted. For example, the list of protocols is restricted. However, you can still publish a mail and web server.
0
 
LVL 1

Author Comment

by:georgemason
ID: 17081158
That sounds perfect. Whilst I realise that this reduces the feature set of ISA a great deal, it will do what I need it to, namely deep inspection of HTTP(S) traffic to the webservers on the LAN, and protect the OWA server which can also reside on the LAN thereby removing the need to open loads of ports to get it talking to the Exchange box.

Does this sound about right?
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17083490
That's it in a nutshell.

0
 
LVL 51

Assisted Solution

by:Keith Alabaster
Keith Alabaster earned 125 total points
ID: 17083514
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17083523
PS. One thing I meant to mention. You may have to create virtual devices using the loopback. If you need the link for this then shout.
0
 
LVL 1

Author Comment

by:georgemason
ID: 17088866
Yeah that would be useful, I'm not well versed on ISA just yet although I have lots of applications for it so that won't be the case for long. The more info I have the better, though.

Thanks.
0
 
LVL 37

Accepted Solution

by:Bing CISM / CISSP
Bing CISM / CISSP earned 125 total points
ID: 17096029
wait. please see the following statements from keith_alabaster's URL:

To publish a Web server on an Internal network, you need, at a minimum:
* A connection to the Internet.
* A computer to serve as the ISA Server computer. The ISA Server computer must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network.
* A computer that will be the Web server, located in the Internal network.
* To test the setup, a computer that is external to your network, with a connection to the Internet.

it sounds different from what that KB said. you'd better try it in person, hehe.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17096765
Another interface (nic) can be created by using the loopback as well if you want it, but read on lol.

bbao, you are a cynic; trust your judgement....... :)   The second interface is required for other parts, not for what George has specifically asked for.
Walk through is below.

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17096940
hehe. actually i am not. :) you seem to be just opposite, as a backer of loopback, haha. :-))

i merely found that the two official documents seemed to be a bit conflicted, so i just reminded georgemason, hehe. i am sorry that i didn't notice the issue of the loopback adapter. :) thanks for your reminder and the further information explaining it.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17096960
hahaha. Yes, I see your point.

Regards
K
0
 
LVL 1

Author Comment

by:georgemason
ID: 17147940
Hi guys,

Sorry you lost me a bit there, could someone please clarify the loopback issue for me? What's good/bad about configuring a loopback adapter?

Thx.
0
 
LVL 37

Expert Comment

by:Bing CISM / CISSP
ID: 17155870
loopback is a communication term, initially used for channel testing, which means that a sender can receive its outgoing signals from the same interface. in a TCP/IP network, loopback can be used for protocol stack testing, local service calls, virtual adapters etc.

since ISA needs two interfaces to handle IN and OUT traffic, we need to add a loopback adapter to simulate another network adapter on a single-adapter machine. the loopback adapter itself has no disadvantage. it is just a virtual adapter. the approach using one physical adapter might have security vulnerabilities because all the internal traffic (to be protected) and external traffic actually go through one physical medium. a few examples are:

1. internal users may get around the proxy service and access the internet directly.
2. if the DMZ is unexpectedly accessible by an external malicious user, then the user can access the internal network directly.
3. internal broadcast can be "listened" by computers staying in the DMZ zone, which means some internal information may be exposed.

anyway, if you are sure that your internal risks are low and your external firewall can efficiently block unwanted incoming visits, it is OK to use the single-adapter solution.

this is the MS official document for your reference.

How to install the Microsoft Loopback Adapter in Microsoft Windows Server 2003
http://support.microsoft.com/kb/842561

hope it helps,
bbao
0
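The first risk bbao lists above (internal users getting around the proxy and reaching the internet directly) is something the perimeter firewall logs can reveal. The following is an added example, not code from the thread or from Microsoft or Cisco: it parses constructed log lines written in a simplified form modelled on the PIX "Built outbound TCP connection" message and flags internal hosts that open web connections to the outside from any address other than the proxy's. The internal range 10.1.1.0/24, the proxy address 10.2.2.5 and the interface names are assumptions made for the example.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample lines (not a real capture). Format is a simplified version of the
# PIX connection-built message: "for <dst_if>:<dst_ip>/<port> (...) to <src_if>:<src_ip>/<port> (...)".
SAMPLE_LOG = """\
%PIX-6-302013: Built outbound TCP connection 1001 for outside:203.0.113.10/443 (203.0.113.10/443) to inside:10.1.1.20/3345 (198.51.100.2/3345)
%PIX-6-302013: Built outbound TCP connection 1002 for outside:203.0.113.11/80 (203.0.113.11/80) to dmz:10.2.2.5/40112 (198.51.100.2/40112)
%PIX-6-302013: Built outbound TCP connection 1003 for outside:203.0.113.12/80 (203.0.113.12/80) to inside:10.1.1.33/52001 (198.51.100.2/52001)
%PIX-6-302013: Built outbound TCP connection 1004 for outside:203.0.113.13/25 (203.0.113.13/25) to inside:10.1.1.9/49002 (198.51.100.2/49002)
"""

# Assumed topology for the example: the protected LAN and the ISA proxy's DMZ address.
INTERNAL_NET = ip_network("10.1.1.0/24")
PROXY_HOSTS = {ip_address("10.2.2.5")}
WEB_PORTS = {80, 443}

# Pull out destination interface/IP/port and source interface/IP/port from one message.
LINE_RE = re.compile(
    r"Built outbound TCP connection \d+ for "
    r"(?P<dst_if>\w+):(?P<dst_ip>[\d.]+)/(?P<dst_port>\d+) \([\d.]+/\d+\) to "
    r"(?P<src_if>\w+):(?P<src_ip>[\d.]+)/(?P<src_port>\d+)"
)


def parse_line(line):
    """Return a dict with src_ip, dst_ip and dst_port, or None if the line does not match."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "src_ip": ip_address(m["src_ip"]),
        "dst_ip": m["dst_ip"],
        "dst_port": int(m["dst_port"]),
    }


def find_proxy_bypass(log_text):
    """Return (src, dst, port) for web connections that originate inside the LAN
    but not from the proxy, i.e. clients that went to the internet directly."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec["src_ip"]
        if src in INTERNAL_NET and src not in PROXY_HOSTS and rec["dst_port"] in WEB_PORTS:
            hits.append((str(src), rec["dst_ip"], rec["dst_port"]))
    return hits


if __name__ == "__main__":
    for src, dst, port in find_proxy_bypass(SAMPLE_LOG):
        print(f"proxy bypass: {src} -> {dst}:{port}")
```

In the constructed sample, connections 1001 and 1003 are flagged (LAN hosts going straight to port 443 and 80 on the outside), 1002 is the proxy itself and 1004 is SMTP, so neither is reported. The preventive control is the PIX outbound policy permitting web traffic only from the proxy address; this check is the compensating detection that tells you whether that policy actually holds.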
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17156626
Nicely put.
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17281014
O well, nice bbao
0
 
LVL 1

Author Comment

by:georgemason
ID: 17286295
Sorry, guess I should have awarded split points, didn't really think..... I'll get it sorted!
0
 
LVL 51

Expert Comment

by:Keith Alabaster
ID: 17289581
:) Wasn't necessary but thank you for the consideration; always appreciated.
0