ISA Server 2004 in single interface mode protecting OWA - possible??

Hi there,

I have a requirement to protect an Exchange server running OWA. ISA Server 2004 seems to be the right product to do this, running as a reverse proxy. Problem is that all the literature I can find talks about using it as a firewall. It might be a great firewall, I don't know, but I don't need it to do that - I only need it as a layer 7 inspection device to protect some web servers on the internal network.

I am planning to install it in single interface mode on the DMZ, behind a Cisco PIX, and have the inbound web traffic routed to it. It then inspects it and makes sure there's nothing malicious in there and reverse proxies the web servers which sit safely on the inside network.

I have read various topologies and rants by a variety of people but everyone seems to be adamant that the thing is going to be installed as a firewall. Is the config I propose possible? Does anyone have any other comments? For the record, the ISA IS NOT going to become the new firewall solution here. The PIX does a great job but needs a bit of help in this area, enter stage left the ISA.

Thanks in advance.

George
georgemason asked:
bbao (IT Consultant) commented:
wait. please see the following statements from keith_alabaster's URL:

To publish a Web server on an Internal network, you need, at a minimum:
* A connection to the Internet.
* A computer to serve as the ISA Server computer. The ISA Server computer must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network.
* A computer that will be the Web server, located in the Internal network.
* To test the setup, a computer that is external to your network, with a connection to the Internet.

it sounds different from what that KB said. you'd better try it in person, hehe.
0
 
bbao (IT Consultant) commented:
you can do that but only a few features of ISA are available. see the following MS official KB article:

The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364

hope it helps,
bbao
0
 
Keith Alabaster (Enterprise Architect) commented:
Using the ISA in the DMZ as you mention is fine but as mentioned the options are just restricted. For example, the list of protocols is restricted. However, you can still publish a mail and web server.
0
 
georgemason (Author) commented:
That sounds perfect. Whilst I realise that this reduces the feature set of ISA a great deal, it will do what I need it to, namely deep inspection of HTTP(S) traffic to the web servers on the LAN, and protect the OWA server which can also reside on the LAN thereby removing the need to open loads of ports to get it talking to the Exchange box.

Does this sound about right?
0
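The "deep inspection of HTTP(S) traffic" that the thread settles on is the part of the design that survives single-adapter mode: the reverse proxy terminates the client's request and applies a set of layer-7 checks before anything reaches the OWA box. The following is an added example written for this page, not ISA Server code, that models the kinds of checks ISA 2004's HTTP filter exposes (allowed methods, maximum URL, query and header lengths, "verify normalization", "block high-bit characters", blocked extensions, and a path allow-list for the published virtual directories). The policy values, the virtual-directory names and the sample requests are constructed for illustration; tune them to the server actually being published.

```python
# Illustrative layer-7 request inspector in front of a published OWA server.
# Added example for this discussion; it is not ISA Server's implementation.
# All policy values below are assumed example settings, not ISA defaults.
import posixpath
from dataclasses import dataclass
from urllib.parse import unquote, urlsplit


@dataclass(frozen=True)
class HttpFilterPolicy:
    allowed_methods: frozenset = frozenset({"GET", "POST", "HEAD"})
    # Virtual directories that are actually published (constructed list).
    allowed_prefixes: tuple = ("/exchange", "/exchweb", "/public")
    blocked_extensions: frozenset = frozenset({".exe", ".dll", ".bat", ".cmd"})
    max_url_length: int = 2048
    max_query_length: int = 1024
    max_headers_length: int = 8192
    block_high_bit_chars: bool = True
    verify_normalization: bool = True


def parse_request(raw: bytes):
    """Split a raw HTTP request into (method, target, version, header_bytes)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    parts = lines[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    method, target, version = (p.decode("latin-1") for p in parts)
    return method, target, version, b"\r\n".join(lines[1:])


def _under_published_prefix(path: str, prefixes) -> bool:
    return any(path == p or path.startswith(p + "/") for p in prefixes)


def inspect_request(raw: bytes, policy: HttpFilterPolicy = HttpFilterPolicy()):
    """Return (allowed, reason). The first failing check blocks the request."""
    try:
        method, target, version, headers = parse_request(raw)
    except ValueError as exc:
        return False, str(exc)
    if not version.startswith("HTTP/1."):
        return False, "unsupported HTTP version"
    if method not in policy.allowed_methods:
        return False, f"method {method} not allowed"
    if len(target) > policy.max_url_length:
        return False, "URL too long"
    if len(headers) > policy.max_headers_length:
        return False, "headers too long"
    if policy.block_high_bit_chars and any(ord(c) > 127 for c in target):
        return False, "high-bit character in URL"
    parts = urlsplit(target)
    if len(parts.query) > policy.max_query_length:
        return False, "query too long"
    # Normalization check: decode once; if decoding again still changes the
    # path, the client double-encoded it, which only makes sense as an attempt
    # to slip something past a filter that decodes a single time.
    once = unquote(parts.path)
    if policy.verify_normalization and unquote(once) != once:
        return False, "URL not normalized (double encoding)"
    if policy.block_high_bit_chars and any(ord(c) > 127 for c in once):
        return False, "high-bit character in decoded URL"
    # Dot segments are rejected outright rather than resolved, so a request
    # can never climb out of the published virtual directory.
    if ".." in once.split("/"):
        return False, "path traversal"
    normalized = posixpath.normpath(once)
    if not _under_published_prefix(normalized, policy.allowed_prefixes):
        return False, "path not published"
    if posixpath.splitext(normalized)[1].lower() in policy.blocked_extensions:
        return False, f"blocked extension {posixpath.splitext(normalized)[1].lower()}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests: one legitimate OWA request and several
    # that a filter in front of OWA should stop.
    samples = [
        b"GET /exchange/george/Inbox/ HTTP/1.1\r\nHost: owa.example.test\r\n\r\n",
        b"GET /exchange/%252e%252e/secret HTTP/1.1\r\nHost: owa.example.test\r\n\r\n",
        b"GET /exchange/../iisadmin/ HTTP/1.1\r\nHost: owa.example.test\r\n\r\n",
        b"TRACE /exchange/ HTTP/1.1\r\nHost: owa.example.test\r\n\r\n",
        b"GET /iisadmin/ HTTP/1.1\r\nHost: owa.example.test\r\n\r\n",
    ]
    for sample in samples:
        print(sample.split(b"\r\n")[0].decode("latin-1"), "->", inspect_request(sample))
```

Every check fails closed and reports why, which is what you want to log in the DMZ: the blocked request line plus the rule that caught it is the evidence that the reverse proxy, rather than the Exchange server, absorbed the probe.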
 
Keith Alabaster (Enterprise Architect) commented:
That's it in a nutshell.

0
 
Keith Alabaster (Enterprise Architect) commented:
PS. One thing I meant to mention. You may have to create virtual devices using the loopback. If you need the link for this then shout.
0
 
georgemason (Author) commented:
Yeah that would be useful, I'm not well versed on ISA just yet although I have lots of applications for it so that won't be the case for long. The more info I have the better, though.

Thanks.
0
 
Keith Alabaster (Enterprise Architect) commented:
Another interface (nic) can be created by using the loopback as well if you want it, but read on lol.

bbao, you are a cynic; trust your judgement... :)   The second interface is required for other parts, not for what George has specifically asked for.
Walk through is below.

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
0
 
bbao (IT Consultant) commented:
hehe. actually i am not. :) you seem to be just the opposite, as a backer of loopback, haha. :-))

i merely found that the two official documents seemed to be a bit conflicting, so i just reminded georgemason, hehe. i am sorry that i didn't notice the issue of the loopback adapter. :) thanks for the reminder and the further information explaining it.
0
 
Keith Alabaster (Enterprise Architect) commented:
hahaha. Yes, I see your point.

Regards
K
0
 
georgemason (Author) commented:
Hi guys,

Sorry you lost me a bit there, could someone please clarify the loopback issue for me? What's good/bad about configuring a loopback adapter?

Thx.
0
 
bbao (IT Consultant) commented:
loopback is a communication term, initially used for channel testing, which means that a sender can receive its own outgoing signal from the same interface. in a TCP/IP network, loopback can be used for protocol stack testing, local service calls, virtual adapters etc.

since ISA needs two interfaces to handle IN and OUT traffic, we need to add a loopback adapter to simulate another network adapter on a single-adapter machine. the loopback adapter itself has no disadvantage. it is just a virtual adapter. the approach using one physical adapter might have security vulnerabilities because all the internal traffic (to be protected) and the external traffic actually go through one physical medium. a few examples are:

1. internal users may get around the proxy service and access the internet directly.
2. if the DMZ is unexpectedly accessible by an external malicious user, then the user can access the internal network directly.
3. internal broadcast can be "listened" by computers staying in the DMZ zone, which means some internal information may be exposed.

anyway, if you are sure that your internal risks are low and your external firewall can efficiently block unwanted incoming visits, it is OK to use the single-adapter solution.

this is the MS official document for your reference.

How to install the Microsoft Loopback Adapter in Microsoft Windows Server 2003
http://support.microsoft.com/kb/842561

hope it helps,
bbao
0
 
Keith Alabaster (Enterprise Architect) commented:
Nicely put.
0
 
Keith Alabaster (Enterprise Architect) commented:
Oh well, nice bbao
0
 
georgemason (Author) commented:
Sorry, guess I should have awarded split points, didn't really think..... I'll get it sorted!
0
 
Keith Alabaster (Enterprise Architect) commented:
:) Wasn't necessary but thank you for the consideration; always appreciated.
0
Question has a verified solution.