  • Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 459

ISA Server 2004 in single interface mode protecting OWA - possible??

Hi there,

I have a requirement to protect an Exchange server running OWA. ISA Server 2004 seems to be the right product to do this, running as a reverse proxy. Problem is that all the literature I can find talks about using it as a firewall. It might be a great firewall, I don't know, but I don't need it to do that - I only need it as a layer 7 inspection device to protect some web servers on the internal network.

I am planning to install it in single interface mode on the DMZ, behind a Cisco PIX, and have the inbound web traffic routed to it. It then inspects it and makes sure there's nothing malicious in there and reverse proxies the web servers which sit safely on the inside network.

I have read various topologies and rants by a variety of people but everyone seems to be adamant that the thing is going to be installed as a firewall. Is the config I propose possible? Does anyone have any other comments? For the record, the ISA IS NOT going to become the new firewall solution here. The PIX does a great job but needs a bit of help in this area, enter stage left the ISA.

Thanks in advance.

George
Asked:
georgemason
2 Solutions
 
bbao (IT Consultant) commented:
you can do that but only a few features of ISA are available. see the following MS official KB article:

The features and limitations of a single-homed ISA Server 2004 computer
http://support.microsoft.com/kb/838364

hope it helps,
bbao
0
 
Keith Alabaster commented:
Using the ISA in the DMZ as you mention is fine but, as mentioned, the options are just restricted. For example, the list of protocols is restricted. However, you can still publish a mail and web server.
0
 
georgemason (Author) commented:
That sounds perfect. Whilst I realise that this reduces the feature set of ISA a great deal, it will do what I need it to, namely deep inspection of HTTP(S) traffic to the web servers on the LAN, and protect the OWA server which can also reside on the LAN, thereby removing the need to open loads of ports to get it talking to the Exchange box.

Does this sound about right?
0
 
Keith Alabaster commented:
That's it in a nutshell.

0
 
Keith Alabaster commented:
PS. One thing I meant to mention. You may have to create virtual devices using the loopback. If you need the link for this then shout.
0
 
georgemason (Author) commented:
Yeah that would be useful, I'm not well versed on ISA just yet although I have lots of applications for it so that won't be the case for long. The more info I have the better, though.

Thanks.
0
 
bbao (IT Consultant) commented:
wait. please see the following statements from keith_alabaster's URL:

To publish a Web server on an Internal network, you need, at a minimum:
* A connection to the Internet.
* A computer to serve as the ISA Server computer. The ISA Server computer must have at least two network adapters. One adapter will be connected to the External network (representing the Internet), and one adapter will be connected to the Internal network.
* A computer that will be the Web server, located in the Internal network.
* To test the setup, a computer that is external to your network, with a connection to the Internet.

it sounds different from what that KB said. you'd better try it in person, hehe.
0
 
Keith Alabaster commented:
Another interface (NIC) can be created by using the loopback as well if you want it, but read on lol.

bbao, you are a cynic; trust your judgement....... :)   The second interface is required for other parts, not for what George has specifically asked for.
Walk through is below.

http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/single_adapter.mspx
0
 
bbao (IT Consultant) commented:
hehe. actually i am not. :) you seem to be just the opposite, as a backer of loopback, haha. :-))

i merely found that the two official documents seemed to be a bit conflicted, so i just reminded georgemason, hehe. i am sorry that i didn't notice the issue of the loopback adapter. :) thanks for the reminder and the further information explaining it.
0
 
Keith Alabaster commented:
hahaha. Yes, I see your point.

Regards
K
0
 
georgemason (Author) commented:
Hi guys,

Sorry you lost me a bit there, could someone please clarify the loopback issue for me? What's good/bad about configuring a loopback adapter?

Thx.
0
 
bbao (IT Consultant) commented:
loopback is a communication term, initially used for channel tests, which means that a sender can receive its own outgoing signal from the same interface. in TCP/IP networks, loopback can be used for protocol stack tests, local service calls, virtual adapters etc.

since ISA needs two interfaces to handle IN and OUT traffic, we need to add a loopback adapter to simulate another network adapter on a single-adapter machine. the loopback adapter itself has no disadvantage. it is just a virtual adapter. the approach using one physical adapter might have security vulnerabilities because all the internal traffic (to be protected) and external traffic actually go through one physical medium. a few examples are:

1. internal users may get around the proxy service and access the internet directly.
2. if the DMZ is unexpectedly accessible by an external malicious user, then the user can access the internal network directly.
3. internal broadcasts can be "listened" to by computers staying in the DMZ zone, which means some internal information may be exposed.

anyway, if you are sure that your internal risks are low and your external firewall can efficiently block unwanted incoming visits, it is OK to use the single-adapter solution.

this is the MS official document for your reference.

How to install the Microsoft Loopback Adapter in Microsoft Windows Server 2003
http://support.microsoft.com/kb/842561

hope it helps,
bbao
0
 
Keith Alabaster commented:
Nicely put.
0
 
Keith Alabaster commented:
O well, nice bbao
0
 
georgemason (Author) commented:
Sorry, guess I should have awarded split points, didn't really think..... I'll get it sorted!
0
 
Keith Alabaster commented:
:) Wasn't necessary but thank you for the consideration; always appreciated.
0