kvigor asked:
On the ISA Server Manager how do I only allow a user/computer from the Perimeter Network to ping Internal Network

I have ISA Server 2006 SP1 SE installed on 1 server in the DMZ (Internal Network) and I want to only allow one computer from the Perimeter Network to Ping that server. However when I try to accomplish this by setting the System Policy Rule, it doesn't work.  I can only ping when I change the Rule to "All Networks(and Local Host)"  PLEASE SEE IMAGE...
ISA-Server.jpg
Bembi:

Have you tried to define a computer set and a computer, and putting the computer into the computer set, which is then assigned to the rule?

Have you tried to restart all services or to reboot after these changes?
kvigor (asker):
Yes, but every time I do this I get:
Request time out.
Destination host unreachable.
Destination host unreachable.
Destination host unreachable.

I'm new to ISA Server so is there any other rule that would be limiting HTTP Traffic?
Bembi:
This setting is the ping TO ISA.
What is defined in ICMP two lines above (what is ICMP FROM ISA)?
Oh, how do you try to ping:
IP address, NETBIOS name or fully qualified domain name?
kvigor (asker):
I'm currently allowing: "All Networks (and Local Host)" to ping to ISA Server.  Next I've tried to ping using IP and Computer name.
Bembi:
What is defined in ICMP two lines down (what is ICMP FROM ISA)?
kvigor (asker):
I think I have a bigger issue than expected.  ISA isn't letting any traffic through.  ICMP, HTTP/HTTPS, nothing.  However, I set up rules stating to allow such traffic.   My setup:  I have a 3-Leg Network configured. I have the ISA Server installed in the DMZ (Internal Network) and I have a SharePoint Site published to it from a web server inside the Perimeter network.  (The funny thing is when I turn off ISA Server by stopping all its processes I can PING, I can Browse the Internet and Everything??)
ISA-Server-1.jpg
ISA-Server-2.jpg
Bembi:
Just to make clear how ISA is set up, the interesting things I can't see:
3 NICs
1 = LAN i.e.   192.168.1.10 /24
2 = WAN i.e.  212.212.212.212 /32 or any other public address range
3 = DMZ i.e   192.168.2.10 /24

Is it something like this?

Comments to what I can see:
All network services like DNS, DHCP, PING are defined by the system rules 6 -12 (I can not see).
So you do not need additional settings in individual rules.

For accessing servers over NAT, you may need a publishing rule, but it depends on the configuration.

In my example above the LAN --> DMZ is routed and DMZ --> WAN and LAN --> WAN via NAT.
So check your network configuration, how it is set up:
--> configuration --> networks --> network rules

It seems that there is something in this constellation that should not be there. If ISA is down, you should not have access to any resource, with the exception of a proxy-only configuration (one NIC). In that case the firewall functionality would be obsolete.
kvigor (asker):
Yes, I did define address ranges for the Internal and Perimeter networks. I didn't check network adapters, just address ranges; is this a problem? I have screen shots 6-12:
ISA-Server-3.jpg
ISA-Server-4.jpg
ISA-Server-5.jpg
Bembi:
Do you have public addresses on the internal interface?
Are the perimeter network's addresses also public addresses?
Why do you have 3 different subnets on the perimeter?

I assume the network mask for all subnets is 255.255.255.0, is it?
I should have the complete IP addresses and subnet masks.
If you want to hide the original addresses, replace them by letters, like xx for 10, and yy for 11 and so on; I have to see which are identical and which not.

How many thousand machines do you have in the perimeter network?
I count about 4080 IP addresses.
kvigor (asker):
Do you have public addresses on the internal interface?
**No, However the web listener is configured to respond to a public address

Are the perimeter network also public addresses?
**No they are all our corporate network addresses.

Why do you have 3 different subnets on perimeter?
Because perimeter = our corporate network, many clients.

I assume, the network mask for all subnets is 255.255.255.0, is it? No
kvigor (asker):
I should have the complete IP addresses and subnet mask.
If you want to hide the original address, replace them by letters, like xx for 10, and yy fo 11 and so on, I have to see which are identical and which not.

How many thousand machines do you have in the perimeter network?
I count about 4080 IP addresses.

Internal: 1 Box,
Perimeter: over 1000 clients, none are identical: ISA won't allow identical or overlapping IPs in any defined networks.
Bembi:
Just for clarification:
The DC, like any internal clients, resides inside the local network. A DMZ (demilitarized zone) usually contains only servers which should be available to the internal network as well as to the public. These are usually DNS servers, web servers and maybe mail gateway servers. A DMZ has lesser security settings to allow the public to access them.

So, I'm not quite sure why you put your clients into the DMZ. The clients usually need full access to the DC and communicate on a lot of ports.
kvigor (asker):
*No the ISA Server sits in the DMZ.
*All my clients are in the local network.
*There are 0 Clients in the DMZ. Just the ISA Server. I'm just using the ISA Server to dictate who accesses our SharePoint Server that's behind the local network firewall.  

What my question is: Why do my PINGS and HTTP Traffic get blocked when I already set a network rule and policy rule to allow traffic to the perimeter network (which you named above as the local network).  Also note that as soon as I stop the Microsoft Firewall service I can PING, Connect via HTTP no problem.  I just don't know what the offending rule is.
Bembi:
The more you write, the more unsure I am about your configuration.

You have a 3 NIC configuration.
1 NIC = LAN = Internal = all clients including DCs and everything that is internal
2 NIC = DMZ = Perimeter = at least 1 Server (WEB, SharePoint, Mail, DNS or whatever)
3 NIC = WAN = External = your router to the public.
4 The ISA itself = Local, not belonging to any of the subnets on the NICs

According to your 3 NIC configuration, you should have
1 subnet (or more) = internal
2 subnet for the perimeter / DMZ
3 subnet for the connection ISA / router

kvigor (asker):
You are Close but my setup is as follows:
1) Local Network (Big IP Range) - All clients including DCs and everything that is internal
2) DMZ (1 IP Address) - ISA Server Alone - The ISA Server DOES belong to the DMZ Subnet
3) External (This is predefined by ISA Server) I had no choice on this

Please note that my ISA Server isn't installed within my local network it's installed in the DMZ.  Hopefully this last image will give you insight on my setup and what I'm trying to accomplish...
ISA-Server-6.jpg
Bembi:
OK, a quick and dirty picture; I assume we have some different definitions for DMZ / Perimeter.

The upper picture is a typical DMZ / 2 FW configuration. You have a frontend firewall, which makes servers available, which are connected to the DMZ = Perimeter. The DMZ has either public or private addresses; this depends a little bit on the backend FW. Private addresses hide the server IPs from the public (NAT), public addresses make them visible (Route). The Frontend FW has 2 NICs in this case.

The picture at the bottom is what I understand from your configuration. So you have two DMZ subnets. This can make sense if you have servers which should be visible to the public and others which should not. In that case the ISA DMZ can have public IPs, the other DMZ private.  The 3rd NIC in ISA is in one DMZ (2), the network between the Firewalls is the second.
From the ISA perspective, the inner NIC is connected to your inner FW.

If there is no other server between the Firewalls, there is no real sense in having a third NIC inside ISA. In that case, DMZ1 is just a cable and you always have two firewalls with the same settings between the DMZ and the internal network.  This makes configuration more complicated and has no additional security effect. The 3 NIC configuration for ISA is intended to replace the upper configuration by one single machine instead of two.

Following up this and your picture, I'm wondering about the address ranges of your ISA. As the internal NIC of ISA is connected to the external NIC of the inner FW, you need only 2 IP addresses. For the ISA DMZ / Perimeter setup, you need 1 IP for every server and 1 IP for the ISA NIC. You have a few thousand there within the DMZ.

What would make a difference is if you have several internal subnets which should have different firewall rules. In this case, it depends on whether the inner FW or the ISA server handles the rules. See the second picture.  Only the configuration at the bottom would make sense in my mind (in that case, the inner FW does not have a lot to do).

If this is your intention, I would put the public server(s) between the firewalls (Picture 1 top) and handle the rules for the different subnets on the backend FW (Picture 2 top).

Just for understanding: The definitions in the ISA network configuration are simply to define where the subnets are located or belonging to, and which traffic to route and which to NAT. It is NOT a router by itself. The routing functionality of ISA follows the network rules, which you can see with the command route print (command prompt). Or use tracert to see how the traffic is flowing.
Just adding network definitions or rules in ISA does not change the routing table.
If enhanced routing is needed, you can add Routing and RAS to ISA to get better control over the routes.

NetworkFW.jpg
NetworkFW2.jpg
kvigor (asker):
Bembi,  Thanks for the help.  Sorry for the confusion.  I only have one Firewall so I should have shown that the DMZ is indeed behind the 1 and only firewall.
Bembi:
You mean, you have only one ISA server?
NetworkFW3.jpg
kvigor (asker):
Yes, I only have 1 ISA Server.  The main purpose for the ISA Server is to serve as a Reverse Proxy not a firewall.  I am a newbie so forgive my ignorance.  
Only 1 ISA Server that sits in the DMZ behind our Firewall.  Also I've tested HTTP | PING from the ISA Server and they both work until I turn on the "ISA Firewall Service"; then I lose connectivity to the Internal Network and External (can't browse Internet).  To the best of my knowledge I do have rules to allow for such traffic.  I read an article that stated even though you have rules configured you still have to change a particular setting, and for the life of me, I cannot find that article again.
kvigor (asker):
1 ISA Server 1 NIC.
Bembi:
Now I'm totally confused; what you say is not what you posted before. A single NIC configuration can't have a perimeter configuration.

If ISA works in single NIC / web proxy configuration, why do you install the firewall client? I would understand web proxy client.

Have a look at networking - networks
Right click internal
Here you can see the configuration for Firewall and Web Proxy clients. Also take notice of the task pane on the right side --> Configure Firewall client settings.

Each method has a different purpose but also different lags.

See this site for the general architecture of ISA and which client is used for which:
http://technet.microsoft.com/en-us/library/bb794762.aspx
http://technet.microsoft.com/en-us/library/bb794774.aspx
kvigor (asker):
What I mean by 1 NIC is that the  ISA Server only has one NIC attached.
Bembi:
If the ISA has 1 single NIC, you can have only one network definition. Your screenshots are showing three: Internal, Perimeter and also External within the rules. Or have you assigned all the IP Addresses to one single NIC?
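As an added example (not code from the thread or from ISA Server), a small Python check of the mismatch Bembi points out: it flags a network defined only by address range with no adapter behind it, overlapping ranges between networks (which ISA rejects, as the asker noted), and more than one network on a single NIC; it also shows which defined network a source address falls into, since anything outside the defined ranges is External. The adapter and range values are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed data modelled on the thread: the asker's box has ONE adapter,
# but the ISA console shows Internal and Perimeter networks defined by address
# range only (External is implicit: anything not in a defined network).
ONE_NIC_ADAPTERS = {"NIC1": "192.168.2.0/24"}
ONE_NIC_NETWORKS = {"Internal": ["192.168.2.0/24"], "Perimeter": ["10.0.0.0/22"]}

# Bembi's 3-NIC layout from the thread; the WAN adapter is External, so no
# network definition is expected for it.
THREE_NIC_ADAPTERS = {"LAN": "192.168.1.0/24", "DMZ": "192.168.2.0/24",
                      "WAN": "212.212.212.212/32"}
THREE_NIC_NETWORKS = {"Internal": ["192.168.1.0/24"], "Perimeter": ["192.168.2.0/24"]}


def classify(host, networks):
    """Name of the defined network a host address falls into, else 'External'."""
    addr = ip_address(host)
    for name, cidrs in networks.items():
        if any(addr in ip_network(c) for c in cidrs):
            return name
    return "External"


def check_networks(adapters, networks):
    """Return problems that stop access rules from matching the way the admin expects."""
    problems = []
    nics = {n: ip_network(c) for n, c in adapters.items()}
    nets = {n: [ip_network(c) for c in cidrs] for n, cidrs in networks.items()}
    # 1. A defined network must sit behind an adapter whose subnet lies inside it;
    #    a range-only definition with no adapter can never be reached as a source.
    for name, cidrs in nets.items():
        if not any(nic.subnet_of(c) for nic in nics.values() for c in cidrs):
            problems.append(f"network '{name}' is not attached to any adapter")
    # 2. ISA rejects overlapping address ranges between networks.
    names = list(nets)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            for ca in nets[a]:
                for cb in nets[b]:
                    if ca.overlaps(cb):
                        problems.append(f"'{a}' {ca} overlaps '{b}' {cb}")
    # 3. One adapter means one network: the Single Network Adapter template.
    if len(nics) == 1 and len(nets) > 1:
        problems.append("single NIC but several networks defined: "
                        "use the Single Network Adapter template")
    return problems


if __name__ == "__main__":
    for p in check_networks(ONE_NIC_ADAPTERS, ONE_NIC_NETWORKS):
        print("problem:", p)
    print("3-NIC problems:", check_networks(THREE_NIC_ADAPTERS, THREE_NIC_NETWORKS))
    print("10.0.1.5 is in", classify("10.0.1.5", ONE_NIC_NETWORKS))
```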
kvigor (asker):
Yes, I was initially reading up on a different Microsoft Technet Article to guide me through.  I now realize that what I really need is the Single Network Adapter Template.  So I'll apply that Network Template, Set some Rules, Publish my Site, and go from there. If this solves my connectivity issues I'll award points.  I'm about 1/2 way through the first article and I'm getting the info I need.  THANKS!  
Bembi:
Fine... :-)
Read the last two articles, as they help to understand how ISA works. If your ISA has the only job to cache, usually it can reside behind the firewall, so no further protection is needed. You can just set up this server as the proxy in Internet Explorer.

If you use ISA to publish internal servers or i.e. Outlook Web Access or similar things, then it can make sense to put the servers into a perimeter network and ISA as frontend, but in that case use the configuration as shown in my first picture.  To put ISA (1 NIC) itself into a perimeter makes no sense, as ISA is a firewall by its own and does not need protection by another firewall.
kvigor (asker):
Are you saying that putting ISA in the DMZ/Perimeter by itself won't work?  I only want to use it for its "Reverse Proxy" abilities.  That's all.  I do want it in the DMZ.  I know ISA is an Enterprise Firewall, but I truly only need its Reverse Proxy abilities; do you have any technical objections?
Bembi:
No, this is ok, you can use it; the question is only why to put it into a DMZ.

ISA is set up as
Your clients are set up with ISA as Web Proxy, just by putting the ISA address
OK, another try (wrong button)

ISA in a 1 NIC setup does not really need any protection. You can use ISA as WebProxy (HTTP, HTTPS, FTP) and all other traffic can be handled by the firewall in front of your network. You can also use ISA for all other traffic, but then you have to set up the rule set.

As shown in the picture, you can set up a rule on your firewall that ISA is allowed to forward ports 80, 443, 21 to the outside world, i.e.
port 80, outgoing, source = ISA, destination = external
port 443, outgoing, source = ISA, destination = external
port 21, outgoing, source = ISA, destination = external

The client requests are sent to ISA and ISA forwards the traffic through the frontend firewall. If a client takes out proxy settings, the traffic is sent either to ISA (GW = x.x.x.10) or to the frontend firewall (GW = x.x.x.9). In that case, the client acts as SecureNAT client and forwards all traffic to the default gateway, which then has to decide to let it pass or not.

Using (GW = x.x.x.9) with only the settings above, the clients get only access to the internet via proxy and all other traffic is blocked (controlled by the frontend firewall).

As long as you do not have Websites you want to publish through ISA, there is no need to put ISA into a DMZ.

NetworkFW4.jpg
kvigor (asker):
OK, but I want to publish sites to the ISA Server in the DMZ.  Because the ISA Server Reverse Proxy feature will listen for the request and go get the requested page from the server without an internet user having direct access to our Application Server. This layer of abstraction is what I'm trying to accomplish.
ASKER CERTIFIED SOLUTION by Bembi
This solution is only available to members.
kvigor (asker):
Great you're definitely making the sky clearer for me.  ISA does give you the ability to Publish a SharePoint site to ISA.  In the sense that the web listener will forward the traffic to the Server the SharePoint site resides.  You define the Site and Server name in the Site Publishing and Web Listener wizards.
kvigor (asker):
Thanks for all your help; you've been more than patient and very helpful.