fiji_islander asked:

Setup DMZ with ISA 2004 and 2nd Cisco Pix 506E for ActiveSync

I am trying to deploy wireless email through ActiveSync to the PDA and have got it to work successfully in a test lab that is configured like this:

Internet----- Pix-------ISA 2004--------Internal Network Switch

This ISA 2004 server shown above is NOT part of the Domain but instead is in a workgroup. It forwards the HTTPS traffic to the Front End ActiveSync Server (Exchange 2k3) using a host file entry that contains the ip address of the FE ActiveSync server as the internal NIC of the ISA is on the same subnet as the internal LAN and plugged directly into the LAN switch.

I want to now create a DMZ and have it setup like this:

Internet----- Pix(1)-------(DMZ) ISA 2004--------Pix(2)----------------Internal Network Switch

Pix(1) that faces the internet cannot be moved as it dials out to the internet via the ADSL modem and gets our static public IP address assigned to its external NIC. This pix forwards all SMTP traffic to another ISA 2004 (2) server which is part of the domain and not shown above. That ISA 2004 (2) that receives the SMTP traffic is also the proxy server that users use for internet access.

My issue is:
-Once I put the Pix(2) in between the ISA 2004 and the Internal Network switch, there will have to be 2 different networks (subnets) for the Pix(2) internal and external interfaces. This breaks the communication the ISA 2004 has with the internal FE ActiveSync server via the host file on the same network.

My questions are:
-How do I get the ISA to send the HTTPS traffic to the FE ActiveSync server that is now behind Pix(2)? Should I continue to use the host file and change the address or use a static persistent route?
-How should I configure the Pix(2) to get the ActiveSync communication to work between the ISA 2004 and FE AS server?
-What protocols should I only allow to get the ActiveSync communication to work between the ISA 2004 and FE AS server?

Please note that I am only a beginner when it comes to configuring Pix and networks.

Thanks
Keith Alabaster:

You are creating a nightmare for yourself here - 3 firewalls in series like this will be an administrative disaster and, no offence, but if you are a beginner in the PIX and ISA, you will spend the rest of your life on this board.

Do you actually have a design that you are working to?
If you can explain with some detail your environment and what you are trying to achieve overall we may be able to help.

Obvious info such as versions of Exchange, server positioning etc would be a start, plus what each device is providing from a service point of view. Who needs to get to what?

Putting in the Pix(2) brings all sorts of route statement requirements into play just on its own.

Keith
fiji_islander (asker):

Ok, let me explain the details of my design.

My firm is a small one in Fiji and we cannot afford to purchase a Cisco Pix firewall (515) with 3 interfaces (one for the DMZ). The latest price I got for the Cisco Pix 515 here in Fiji is FJD$6000, which is a lot of money to us.

We have 2 Cisco Pix 506E with the 2nd one being a spare currently and not used.

Before I can deploy the wireless ActiveSync email, I have to have a DMZ.

My environment is:
Windows 2003 SP1 native domain
Exchange 2003 SP2 in FE/BE configuration
2 ISA 2004 SP3 servers
2 Cisco Pix 506E firewalls.

Network diagram:

Internet----ADSL Modem-----Pix(1)-----HTTPS(ActiveSync)---ISA(2)(workgroup)-----Pix(2)
                             |                                                    |
                           SMTP                                           HTTPS(ActiveSync)
                             |                                                    |
             ISA(1)(SMTP relay/Internet Proxy)                          Front-End Exchange 2k3
                             |                                                    |
                             ------------------ Back-End Exchange 2k3 ------------
Notes:
-Pix(1) is configured to allow only SMTP and HTTPS traffic in. It forwards the SMTP traffic to ISA(1) and the HTTPS traffic to ISA(2).
-Pix(1) cannot be moved as it dials out to the internet via the ADSL modem and our static public IP is assigned to its external NIC.
-ISA(1) and Pix(2) are both connected to the internal LAN switch with their internal NIC.
-Only ISA(2) is in a workgroup and uses a host file to forward the HTTPS ActiveSync traffic to the Front-End Exchange. The FE Exchange server has the ISA(2) IP as its default gateway.
-The SMTP traffic is trusted as it is coming in from our external 3rd-party content filtering service and not directly from the internet.
-Only the HTTPS traffic is untrusted as it comes directly from the internet and that is why we need a DMZ in place in case ISA(2) is compromised, we don't want the hacker to access our whole internal network.
-ISA(1) is the SMTP relay and Internet proxy server for the firm and is part of the domain.
-ISA(2) is only for ActiveSync and has a rule allowing only HTTPS ActiveSync traffic in. ISA(2) is NOT part of the domain but in a standalone workgroup.

The above is what I am proposing. Our production network is currently running without ISA(2) and Pix(2) and there is no ActiveSync service running nor is there a FE Exchange Svr.

My test lab has the ISA(2), Pix(2) and FE Exchange server running in a separate test domain, with the production Pix(1) forwarding the HTTPS traffic to ISA(2).

The above is just to enable my bosses to receive their emails wirelessly via ActiveSync on their Windows Mobile PDAs. We do not use OWA to access the emails externally from the internet. We just need the emails to be pushed out via ActiveSync to the PDAs.

Hope that is enough details.
Keith Alabaster:

OK - and thanks for the heads up.

So something like this?

                                     internet
                                         |
                                    ADSL Router
                                         |
                                  PIX 1 Firewall
                                         |
   Exchange FE Server -- DMZ1 -- isa server ---DMZ2--- (optional Wireless router?)
                                         |
                                         |
          Exchange BE Server ------ internal LAN -------------------- clients etc

ISA has never been compromised (hacked) in its history (any version) - although many people are not aware, ISA Server received its EAL4+ accreditation (the highest in the world for 'commercial' firewalls) before the Cisco PIX did.

looking at your picture, you are running message screener on ISA1?

Why not use ISA as the DMZ configuration? The cost becomes the cost of an additional NIC only?
By running the ISA server network templates wizard (three-legged wizard) it creates the DMZ environment for you. DON'T do this unless you have backed up your ISA config in advance - the wizard clears your existing configuration.

http://www.microsoft.com/technet/isa/2006/networks.mspx
This is worth a quick read -
It's cheaper than what you are doing but delivers exactly the same benefits.
You can keep your 2nd PIX as a failover device for your PIX(1)
It reduces significantly the administrative overhead
It's far simpler
Could even add a 4th NIC on ISA for other things - up to you AND it possibly frees up a server for you (ISA2).

For your own points:
1. PIX1 still only has to let in https and smtp
2. PIX1 doesn't have to move or be reconfigured except to send smtp to isa1 external interface and https to FE server in DMZ1
3. ISA2 becomes superfluous
4. ISA1 can still do message screener/port forward SMTP traffic to the internal Exchange server so no change
5. HTTPS traffic still goes to DMZ (to FE Exchange box)
6. Good - ISA is much more flexible when part of a domain.
7. Not necessary - you just need the port allowed from FE server to BE servers.

I'm sure others will have a view but think it through yourself

Cheers
Keith
fiji_islander:

Thanks Keith for the quick response.

Just a little bit of background on our firm. We report to our international office overseas and the security team does not believe in ISA being a secure enough firewall since it is a software one running on top of a Windows 2003 server which is prone to attacks and bugs, etc. Hence the reason why they wanted me to have a dedicated DMZ for the ISA in case it is compromised. The real firewall solution they advised us on, and which we implemented, is the Cisco Pix hardware firewall.

Basically my solution is that the ISA server receiving the HTTPS traffic directly from the internet should never be directly connected to the internal LAN switch in case it is compromised. If the ISA is placed in a dedicated DMZ, the attacker will only be able to launch attacks based on what the ISA has been permitted access to through the firewall DMZ interface rules - in this case the ActiveSync front end (not the entire internal domestic network).

I hope you get where I am coming from. I'm trying to follow international guidelines from our international office and at the same time not trying to blow our IT budget by recommending to purchase a Pix515 or Cisco ASA 5510 which will solve all my problems :(
Keith Alabaster:

                                     internet
                                         |
                                    ADSL Router
                                         |
                                  PIX 1 Firewall
                                         |
   Exchange FE Server -- DMZ1 -- ISA1 server ---DMZ2--- ISA2 in workgroup
                                         |
                                         |
          Exchange BE Server ------ internal LAN -------------------- clients etc

I hear you - most people who make such comments on ISA are either not aware of its capabilities or review it on their own preferences. I am lucky, I am an MVP for ISA but am also qualified in Cisco so can make the choices based on the requirement rather than a prejudice for just one piece of equipment. Windows server alone has its security issues, no one can deny that, but with ISA installed on top it is absolutely rock solid. The EAL4+ is the accreditation from the German Government testing labs and is recognised world-wide as a non-biased control point. I haven't checked recently but earlier last year, only three products had made the list at this level. Secure Computing's Sidewinder was the first, then ISA, then Pix.

The above diagram may be a compromise but would need four NICs in the ISA1. Works fine but ISA1 would need to be up to the job obviously. If the head office is adamant though then you don't really have a choice. Your pix2 environment will be a nightmare to administer though.

fiji_islander:

Sorry Keith,

I don't want to keep you up this late in the night with you being on GMT time which is 12hrs behind FJ time.

But why is the Exchange FE Server in the DMZ? In my test lab in the Microsoft "Step-by-Step Guide to Deploying Microsoft Exchange Server 2003 SP2 Mobile Messaging with Windows Mobile 5.0-based devices" ( http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfpdepguide.mspx ), the FE Exchange Server is part of the domain on the LAN and not in the DMZ.

I thought the FE Exchange Server does not have to be in the DMZ since it is not directly accepting traffic from the internet. It just receives forwarded traffic from the ISA, which should be in a workgroup in a DMZ as suggested by our office and the MS guide.
Keith Alabaster:

No, it doesn't have to be in the DMZ - I just placed it there to demonstrate the fact that the ISA could make the DMZ environment rather than making it from an upgraded pix machine.

Not sure what guide you are referring to - the best practice for an ISA box is actually to be a domain member. This gives you huge flexibility but for your colleagues, this seems to be a moot point now :(

Yep, 10.40PM here so bed time soon lol
The-Captain (Jon):

>ISA has never been compromised (hacked) in its history (any version) - although
>many people are not aware, ISA Server received its EAL4+ accreditation (the
>highest in the world for 'commercial' firewalls) before the Cisco PIX did

C'mon, keith - I'm not trying to bust any cahones, but IMO these kinds of statements really need to be reserved for press releases.  Can anyone claim that no *machine* running ISA has ever been hacked?  Of course not - they're running MS OS's which have historically contained security holes large enough to fit several supertankers through (semi trucks are way too small for this analogy ;-)

The corporate security team has every right to be skeptical of a box running ISA - they're not necessarily skeptical of the security of ISA, they're skeptical of the security of the box *running* ISA.

I'm no ISA (or pix) guru, but I'm not sure why this situation is getting (or started out being) so complex.  

I see no need for the ISA machine (at least as far as its function as a traffic-controlling/restricting device).  According to diagrams provided by the author, both PIXs have dual ethernet interfaces.  I'm probably missing something, but why isn't the PIX that handles the internet connection also using one ethernet interface for the DMZ, and the other ethernet interface to connect to the other PIX (and of course the second PIX handles the local LAN connection on one ethernet interface and the connection to the primary PIX on the other interface).  Everything else should just be a matter of the proper NAT rules, routing entries, and ACLs...  (And what is up with actually editing the hosts file to achieve anything?  Is this 1990?)  Am I being obtuse?  

Cheers,
-Jon

P.S.  Sorry for what may turn out to be stupid comments - that's what happens sometimes when there is a general plea to all PEs to participate.  Hope you can forgive ;-)


fiji_islander:

The-Captain,

I am a beginner in configuring this thing and there are not many experts here in Fiji that can do the sort of things I wanna do, and our firm cannot afford the charge-out rates of engineers here in Fiji, who charge like FJD$2000 and can spend the whole day trying to figure it out themselves rather than come in and get the job done, as not many firms here in Fiji do wireless HTTPS ActiveSync deployments. We may be the first one to do it. A few use BlackBerry servers, that is BlackBerry and suited in my case.

Anyway, sorry if my diagrams were misleading. The Cisco Pix 506E is a SME model that only has 2 interfaces and no 3rd one for the DMZ. My diagram was showing the traffic flow and not the interface. I was showing the Pix(1) forwarding HTTPS to the ISA(2) while the SMTP traffic went to the SMTP relay server.

Since I am beginner in this area without any help I followed the MS Guide diligently. If you have a look at the MS guide on this link: http://www.microsoft.com/technet/solutionaccelerators/mobile/deploy/msfpdepguide.mspx

You will see where I am coming from with making the ISA(2) part of a standalone workgroup and using hosts file. Of course, it makes sense not to put any server that is part of the domain to be public facing and open to incoming internet traffic directly.

I have got a solution that works in my test lab and it is like this:

Internet--Pix(1)--- ISA 2004---Network Switch----Active Sync FE Ex Server---Internal Network Switch

So basically I put a 2nd network card in the ActiveSync FE Exchange Server and put it on a different subnet from the internal LAN to which the 1st network card is connected. The ISA 2004 internal NIC and the 2nd NIC in the AS FE server are on the same subnet and only these 2 computers are connected to that one switch. So if my ISA server is compromised, the only computer the hacker will have access to is the AS FE server and no other internal computers, as they are on a different subnet on a different switch from the ISA internal NIC.

Now I will have to see if this satisfies our international security team..
Keith Alabaster:

Hey Jon - long time :)

The statements about ISA are factual regarding the OS/ISA combination. OS on its own... I make the same comment above that this is not secure. The detail on the EAL4+ accreditation etc is freely available and is run by the German Government - this is not a whitewash thing paid for by MS as a marketing tool. Of course ISA has been accessed illegally, the same as ANY firewall has been accessed illegally, but that is due to poor configuration or security control - and that is not the same as being hacked/broken.

I agree that the solution is over engineered but it sounds like the asker is trying to do the best for his site and also fit in with the directives being passed by his security team - never an easy combination to deal with.

ISA as an internet facing entity AND connected to the internal network is not an issue as long as it is correctly configured. No one suggests that Microsoft's Small Business Server should be scrapped but that functionality is exactly what SBS provides. ISA does the same for many organisations but we digress.

The PIXs concerned here do not have the benefit of a 3rd interface. Yes, in essence the DMZ could be formed between the two pix devices with a switch in the middle like a sandwich. You could also do away completely with pix2 and ISA2 and put everything internal and use pure NAT/PAT on pix1 with the ISA on the internal LAN. Lots of options, but the security team are driving requirements too.
fiji_islander:

Ok, the security team replied today and said the network switch is not good enough. I need a proper firewall device (which is the Cisco Pix) to segregate my internal LAN from the ISA internal NIC.

From my test lab, I know the ISA and FE ActiveSync server are both configured correctly as they work properly.

Here is what I want:

Internet----- Pix(1)-----(DMZ) ISA 2004----Pix(2)-----Internal Network Switch----FE Active Sync

ISA 2004 internal NIC:
IP address - 192.168.2.1
Mask - 255.255.255.0

Pix external NIC:
IP address - 192.168.2.2
Mask - 255.255.255.0

Pix internal NIC:
IP address - 192.168.1.5
Mask - 255.255.255.0

FE Active Sync NIC:
IP address - 192.168.1.4
Mask - 255.255.255.0

My questions are:
-How do I get the ISA 2004 to forward the HTTPS traffic and setup a secure connection to the FE Active Sync server through the pix?

-What configuration commands should I put in Pix to enable only the required traffic for Active Sync (HTTPS) to work and pass through it?

-Which default gateway IP address should I use at the FE Active Sync server?

-Which IP address should I use for the host file on the ISA 2004?

Thanks for any help given.
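The addressing in the post above is enough to sketch what the Pix(2) side has to look like. The configuration below is an added example written for this edit; it is not something any participant in the thread posted and it has not been tried against the asker's lab. It assumes the 506E runs PIX software 6.x, that ethernet0 is the ISA-facing (low security) interface and ethernet1 the LAN-facing one, that the ISA web publishing rule keeps its default of sending requests to the front end from the ISA's own internal address 192.168.2.1 rather than the original client address, and that the published name is email.domain.com as the asker mentions later in the thread.

```cisco
! Pix(2): sits between the ISA internal NIC (192.168.2.1) and the internal LAN.
! ethernet0 faces the ISA and is untrusted, ethernet1 faces the LAN and is trusted.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
interface ethernet0 auto
interface ethernet1 auto
ip address outside 192.168.2.2 255.255.255.0
ip address inside 192.168.1.5 255.255.255.0

! Anything the inside ever needs to send toward the ISA side goes via the ISA.
route outside 0.0.0.0 0.0.0.0 192.168.2.1 1

! PIX 6.x will not pass traffic from a lower-security interface to a higher-
! security host without a translation entry. An identity static exposes the
! FE server to the ISA under its real address, so no NAT actually happens and
! the ISA hosts file can simply point at 192.168.1.4.
static (inside,outside) 192.168.1.4 192.168.1.4 netmask 255.255.255.255 0 0

! Only the ISA, only to the FE server, only TCP/443. Everything else arriving
! from the ISA side is dropped and logged, which is exactly what you want to
! see in the log if the ISA box is ever compromised.
access-list isa_to_fe permit tcp host 192.168.2.1 host 192.168.1.4 eq https
access-list isa_to_fe deny ip any any log
access-group isa_to_fe in interface outside

! Denied packets are logged at informational level, so capture that level
! while testing and look at them with "show logging".
logging on
logging buffered informational
```

Three things on the other boxes have to match this, and they answer the asker's remaining questions under the same assumptions. On ISA(2) the hosts file entry becomes `192.168.1.4 email.domain.com`, the server needs a persistent route to the LAN through the Pix (`route -p add 192.168.1.0 mask 255.255.255.0 192.168.2.2`), and 192.168.1.0/24 must be added to the address ranges of ISA's Internal network, otherwise ISA treats the front-end address as belonging to no defined network and drops the connection as spoofed. On the FE server the default gateway is the Pix inside address, 192.168.1.5; that is safe here because the back-end server and the domain controllers all sit on 192.168.1.0/24 and never cross the Pix. If the publishing rule is later changed to forward the original client address, the ACL source has to become `any`, which loses the single-host restriction, so leave the rule at its default. `show access-list isa_to_fe` on the Pix shows hit counts on the permit and deny lines, which is the quickest way to tell whether the HTTPS traffic is reaching the Pix at all.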
The-Captain (Jon):

>My questions are:
>-How do I get the ISA 2004 to forward the HTTPS traffic and setup a secure
>connection to the FE Active Sync server through the pix?

Using appropriate NAT rules and ACLs on the PIX in question...

>-What configuration commands should I put in Pix to enable only the required
>traffic for Active Sync (HTTPS) to work and pass through it?

Not a pix guru - sorry...:-(

>-Which default gateway IP address should I use at the FE Active Sync server?

The IP assigned to the local ethernet interface of the [closest] PIX, one would assume...

>-Which IP address I should use for the host file on the ISA 2004?

Adjusting the hosts file is generally a workaround at best, and a horrible hack at worst.  Needing to adjust the hosts file usually indicates a broken DNS config.  Can you explain again what entry you are (or were) adding to the hosts file, and why it seems to be necessary?

Cheers,
-Jon
fiji_islander:

>Using appropriate NAT rules and ACLs on the PIX in question<
Actually I tried what I "thought" were the appropriate rules and ACLs on the Pix but it doesn't work. So that's why I am asking for help.

>The IP assigned to the local ethernet interface of the [closest] PIX, one would assume<
I tried this in my test lab and nope. Not working too. I assume it is to do with my Pix configuration.

>Can you explain again what entry you are (or were) adding to the hosts file, and why it seems to be necessary?<
As suggested by the Microsoft guide, a hosts file entry is needed as the ISA is not part of the Domain and is in a standalone workgroup and so does not use DNS. Without the host file, the incoming traffic to email.domain.com won't be resolved to an IP address and forwarded to the FE ActiveSync server.

I hope that clarifies things a bit.
The-Captain (Jon):

Sorry about the PIX problems - as I said, I'm not too familiar with PIX, but I know it can do what you want if you can get the config straightened out.

As far as the hosts file is concerned, I think what you're saying is that the host (the one that needs a special entry in its hosts file) needs the special entry since it's not part of the domain, and not using the AD server for DNS...  Is that right?  If so, why can't you just point the host's DNS config at the AD server anyway, and just tell the AD server to permit resolver requests from your host in question?  As I also said, I'm not an MS guru, so I don't know if this is possible - maybe keith could chime in?

Cheers,
-Jon
Closed, 500 points refunded. (Vee_Mod, Community Support Moderator)