OCS 2007 and ISA 2006: Firewall Design and Architecture

[LEFT][CODE]http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html[/CODE]

[SIZE=3][B]PART-1[/B][/SIZE]

How to configure ISA 2006 to support OCS 2007

[B]Assumptions[/B]


[LIST][*]10.0.0.0 /24 and 172.16.0.0 /24 will be considered part of the “public” IP space. We’re going to pretend those addresses would be publicly routable addresses in the real world.[*]The Edge server’s private NIC is directly connected to the internal network.[*]Clients will be accessing the OCS services by these names and IP addresses:[/LIST]
[B]IP Address[/B]
[B]DNS Name[/B]
[B]Function[/B]
172.16.0.2
sip.confusedamused.com
IM, Presence & Federation
172.16.0.3
lm.confusedamused.com
Web Conferencing
172.16.0.4
av.confusedamused.com
A/V Conferencing
10.0.0.2
ocs.confusedamused.com
Web Components
[B]Prerequisites[/B]


[LIST][*]A complete OCS 2007 Front-End server and Edge server setup is already configured.[*]ISA Server 2006 is installed as either a domain member or in a workgroup.[*]ISA 2006 can resolve the DNS name of the Front-End server. If not, a host file entry has been created.[*]The ISA machine should have 3 physical NICs, 1 connected to the Internal network, 1 to the DMZ, and 1 to the External network. In this example the NICs are configured as follows:
- Internal: 192.168.0.1 / 24, no gateway, DNS points to 192.168.0.10 (Domain Controller)
- DMZ: 172.16.0.1 /24, no gateway, no DNS
- External: 10.0.0.1 /24 and 10.0.0.6, no DNS[*]The binding order of the NICs should be: Internal, DMZ, External.[*]The root certificate for the certificate authority exists in the Trusted Root Certification Authorities Store of the Local Computer.[*]A certificate issued to ocs.confusedamused.com with the private key exists in the Personal Store of the Local Computer.[/LIST]
[B]Network Diagram[/B]

The layout of the network should follow this configuration.
[IMG]http://www.isaserver.org/img/upl/image0041212582481474.JPG[/IMG]
[B]ISA 2006 Configuration[/B]

[B]Configure Network Topology[/B]

[LIST=1][*] Open the ISA Management console by navigating to Start | All Programs | Microsoft ISA Server | ISA Server Management.[*]Click on [B]Networks[/B] in the left pane.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0061212582481474.jpg[/IMG]

[LIST=1][*]Click on [B]Templates | 3-Leg Perimeter[/B] in the right pane.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0081212582481489.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B] to start the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0101212582727614.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B] again to skip the configuration export, or follow it if desired. [I]This wizard will erase all existing rules in ISA. Proceed with caution. Step to Appendix A if you need to keep your existing rule set[/I].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0121212582727614.jpg[/IMG]

[LIST=1][*]Ensure that the [B]192.168.0.0 – 192.168.0.255[/B] is defined as the internal range and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0141212582727614.jpg[/IMG]

[LIST=1][*]For the Perimeter Network press [B]Add Adapter[/B]. Check the box for the DMZ NIC and press [B]OK[/B]. Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0161212582752599.jpg[/IMG]

[LIST=1][*]For the Firewall Policy scroll down and pick [B]Allow unrestricted access[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0181212582752599.jpg[/IMG]

[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0201212582752614.jpg[/IMG]

[LIST=1][*]Press [B]Apply[/B] and then [B]OK[/B] to complete the changes. The fancy ISA diagram should now look like this.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0221212583256161.jpg[/IMG]
[B]Allow Outgoing Connections[/B]

[LIST=1][*]Click the [B]Firewall Policy[/B] object in the left pane.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0241212583256161.jpg[/IMG]

[LIST=1][*][B]Right-click [/B]the rule titled [B]VPN Clients to Internal Network [/B]and choose [B]Delete. [/B] Press [B]Yes[/B] when prompted for confirmation.[*][B]Double-click [/B]the rule titled [B]Unrestricted Internet Access[/B].[*]On the [B]From[/B] tab, press [B]Add[/B], choose [B]Perimeter[/B] from the list and press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0261212583256177.jpg[/IMG]

This last step will allow the Edge server to initiate outgoing requests for DNS and federation. You could be more specific with these rules if you wanted, but I don’t see a huge reason for being more restrictive on outgoing connections.
[B]Create Computer Objects[/B]

[LIST=1][*]Ensure the right-pane is open, click on [B]Toolbox | Network Objects | New | Computer[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0281212583612755.jpg[/IMG]

[LIST=1][*]Enter the name of [B]Access Edge[/B] and the IP address of [B]172.16.0.2[/B], the public IP which resolves to sip.confusedamused.com. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0301212583612755.jpg[/IMG]

[LIST=1][*]Create another computer object titled [B]Web Conferencing Edge[/B] with an IP of [B]172.16.0.3[/B][/LIST]
[IMG]http://www.isaserver.org/img/upl/image0321212583612755.jpg[/IMG]

[LIST=1][*]Create another computer object titled [B]A/V Edge[/B] with an IP of [B]172.16.0.4[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0341212583636380.jpg[/IMG]

[LIST=1][*]There should be 3 computer objects when finished.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0361212583636380.jpg[/IMG]
[B]Create Web Listener[/B]
[I]If the ISA server already has a web listener configured for SSL with no authentication created you could simply bind the ocs.confusedamused.com certificate to an additional IP address rather than creating a new Web Listener object.[/I]

[LIST=1][*]In the right-pane again click on [B]Toolbox | Network Objects | New | Web Listener[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0381212583636396.jpg[/IMG]

[LIST=1][*]Name the web listener something descriptive such as [B]No Authentication SSL[/B] so it can be reused for other applications and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0401212583655099.jpg[/IMG]

[LIST=1][*]Choose to [B]Require SSL secured connections with clients[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0421212583655099.jpg[/IMG]

[LIST=1][*]Check the box for the [B]External[/B] network and press [B]Select IP Addresses[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0441212583655099.jpg[/IMG]

[LIST=1][*]Select [B]Specified IP Address on the ISA Server computer in the selected network[/B], choose the 2nd IP address added to the NIC, [B]10.0.0.2[/B], press [B]Add[/B] and then [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0461212583926239.jpg[/IMG]

[LIST=1][*]Press [B]Next [/B]to continue.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0481212583926239.jpg[/IMG]

[LIST=1][*]Select [B]Assign a certificate for each IP address[/B]. Press [B]Select certificate [/B]and choose the certificate issued to [B]ocs.confusedamused.com[/B]. Press [B]Select[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0501212583926255.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B] to continue.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0521212583945177.jpg[/IMG]

[LIST=1][*]Choose [B]No Authentication[/B] as the method clients will provide credentials to ISA server and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0541212583945177.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B] again because SSO cannot be used.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0561212583960521.jpg[/IMG]


[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0581212583960521.jpg[/IMG]
[B]Create Protocols[/B]
The default HTTPS protocol for most services is already defined, but ports for Federation and STUN need to be configured.

[LIST=1][*]In the right-pane again, click on [B]Toolbox | Protocols | New | Protocol[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0601212584479302.jpg[/IMG]

[LIST=1][*]Name the protocol [B]MTLS[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0621212584479302.jpg[/IMG]

[LIST=1][*]Click [B]New[/B] to define the protocol.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0641212584479302.jpg[/IMG]

[LIST=1][*]Choose [B]TCP [/B]for the protocol name, [B]Outbound[/B] as the direction, and the port range as [B]5061-5061[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0661212584501333.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0681212584501349.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B] to not use any secondary connections and then [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0701212584501349.jpg[/IMG]

[LIST=1][*]Create another new protocol and name it [B]STUN[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0721212584521364.jpg[/IMG]

[LIST=1][*]Click [B]New[/B] to define the protocol. Choose Protocol Type: [B]TCP[/B],Direction: [B]Outbound[/B], Port Range From: [B]50000[/B], Port Range To: [B]59999[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0741212584521364.jpg[/IMG]

[LIST=1][*]Click [B]New [/B]again to define the protocol. Choose Protocol Type: [B]UDP[/B],Direction: [B]Send[/B], Port Range From: [B]50000[/B], Port Range To: [B]59999[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0761212584521380.jpg[/IMG]

[LIST=1][*]Click [B]New [/B]again to define the protocol. Choose Protocol Type: [B]UDP[/B],Direction: [B]Send[/B], Port Range From: [B]3478[/B], Port Range To: [B]3478[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0781212584536083.jpg[/IMG]

[LIST=1][*]When all is said and done the protocol definition should look like this.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0801212584536083.jpg[/IMG]

[LIST=1][*]Press [B]Next [/B]twice again and [B]Finish[/B] to close the wizard.[/LIST]
[B]Access Rules[/B]
Now that all of the necessary items have been defined, the actual access rules can be created.
[I]Access Edge[/I]

[LIST=1][*][B]Right-click[/B] the [B]Firewall Policy[/B] and choose [B]New | Access Rule[/B].[*]Name the rule something descriptive like [B]Inbound Access Edge Connections[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0821212584845052.jpg[/IMG]

[LIST=1][*]Choose [B]Allow[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0841212584845068.jpg[/IMG]

[LIST=1][*]Ensure the dropdown says [B]Selected Protocols[/B] and press the [B]Add[/B] button.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0861212584845099.jpg[/IMG]

[LIST=1][*]Choose [B]HTTPS [/B]from the Common Protocols folder and [B]MTLS[/B] from the User-Defined folder. Press [B]Add[/B] for each of those and then [B]Close[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0881212584865880.jpg[/IMG]

[LIST=1][*]Press [B]Next [/B]once the definition looks like this.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0901212584865880.jpg[/IMG]

[LIST=1][*]For the sources press [B]Add[/B], choose [B]External [/B]from the Networks folder, press [B]Close[/B], and then [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0921212584865880.jpg[/IMG]

[LIST=1][*]For the destination press [B]Add[/B], choose [B]Access Edge [/B]from the Computers folder, press [B]Close[/B], and then [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0941212584882739.jpg[/IMG]

[/LEFT]

[LEFT][SIZE=3][B]PART-2[/B][/SIZE]


[LIST=1][*]Leave the [B]All Users[/B] option and press [B]Next[/B]. Press [B]Finish [/B]to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0961212584882739.jpg[/IMG]
[I]Web Conferencing Edge[/I]

[LIST=1][*][B]Right-click[/B] the [B]Firewall Policy[/B] and choose [B]New | Access Rule[/B].[*]Name the rule something descriptive like [B]Inbound Web Conferencing Connections[/B] and press [B]Next[/B].[*]Choose [B]Allow[/B] and press [B]Next[/B].[*]Ensure the dropdown says [B]Selected Protocols[/B] and press the [B]Add[/B] button.[*]Choose [B]HTTPS [/B]from the Common Protocols folder and press [B]Add,[/B] then [B]Close[/B]. Press [B]Next[/B].[*]For the sources press [B]Add[/B], choose [B]External [/B]from the Networks folder, press [B]Close[/B], and then [B]Next[/B].[*]For the destination press [B]Add[/B], choose [B]Web Conferencing Edge [/B]from the Computers folder, press [B]Close[/B], and then [B]Next[/B].[*]Leave the [B]All Users[/B] option and press [B]Next[/B]. Press [B]Finish [/B]to complete the wizard.[/LIST]
[I]A/V Edge[/I]

[LIST=1][*][B]Right-click[/B] the [B]Firewall Policy[/B] and choose [B]New | Access Rule[/B].[*]Name the rule something descriptive like [B]Inbound A/V Edge Connections[/B] and press [B]Next[/B].[*]Choose [B]Allow[/B] and press [B]Next[/B].[*]Ensure the dropdown says [B]Selected Protocols[/B] and press the [B]Add[/B] button.[*]Choose [B]HTTPS [/B]from the Common Protocols folder and [B]STUN[/B] from the User-Defined folder. Press [B]Add[/B] for each of those and then [B]Close[/B]. Press [B]Next[/B].[*]For the sources press [B]Add[/B], choose [B]External [/B]from the Networks folder, press [B]Close[/B], and then [B]Next[/B].[*]For the destination press [B]Add[/B], choose [B]A/V Edge [/B]from the Computers folder, press [B]Close[/B], and then [B]Next[/B].[*]Leave the [B]All Users[/B] option and press [B]Next[/B]. Press [B]Finish [/B]to complete the wizard.[/LIST]
[I]Web Components Reverse Proxy[/I]

[LIST=1][*][B]Right-click[/B] the [B]Firewall Policy[/B] and choose [B]New | Web Site Publishing Rule[/B].[*]Enter a descriptive name such as [B]Inbound Web Components Connections[/B] for the rule and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0981212585650880.jpg[/IMG]

[LIST=1][*]Choose [B]Allow[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1001212585650880.jpg[/IMG]

[LIST=1][*]Choose [B]Publish a single Web site or load balancer[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1021212585650880.jpg[/IMG]

[LIST=1][*]Choose [B]Use SSL to connect to the published Web server or server farm[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1041212585670505.jpg[/IMG]

[LIST=1][*]Enter [B]tap-ocs-2k7.ptown.com [/B]as the internal site name and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1061212585670505.jpg[/IMG]
[I]This is where SAN certificates can cause some headaches. This rule is pointing at the internal FQDN of the Front-End server where the web components are published. Be absolutely certain that the subject name matches the first SAN listed on the certificate. Both should be tap-ocs-2k7.ptown.com. You can read more about how ISA 2006 handles SAN certificates in a reverse proxy case here: [/I][URL="http://blogs.msexchange.org/walther/2007/03/28/san-certificates-and-isa-server-2006/"][I]http://blogs.msexchange.org/walther/2007/03/28/san-certificates-and-isa-server-2006/[/I][/URL]

[LIST=1][*]Enter [B]/* [/B]as the path and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1081212585835630.jpg[/IMG]

[LIST=1][*]Enter [B]ocs.confusedamused.com[/B] as the public name and leave the other defaults. Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1101212585835630.jpg[/IMG]

[LIST=1][*]Choose the [B]No Authentication SSL[/B] web listener created earlier and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1121212585835630.jpg[/IMG]

[LIST=1][*]Change the drop-down to [B]No authentication, but client may authenticate directly[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1141212585858083.jpg[/IMG]

[LIST=1][*]Leave the [B]All Users[/B] default and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1161212585858083.jpg[/IMG]

[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1181212585858083.jpg[/IMG]

[LIST=1][*]Click the [B]Apply[/B] button at the top.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1201212585872989.jpg[/IMG]

[LIST=1][*]Press [B]OK[/B] once the changes are saved.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1221212585872989.jpg[/IMG]
[B]End Result[/B]

The final configuration should look similar to this.
[IMG]http://www.isaserver.org/img/upl/image1241212586205802.jpg[/IMG]
[B]Appendix A – Manual Route Configuration[/B]

This method should be used if existing ISA rules need to be preserved. The only downside to this method is that the Perimeter network is not defined and the access rule from the Internet to the DMZ will not be created. Do the following to create those objects. Depending on topology, a rule from the private LAN to the DMZ may be needed as well.

[LIST=1][*][B]Right-click[/B] the Networks icon in the left pane and choose [B]New | Network[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1261212586205818.jpg[/IMG]

[LIST=1][*]Name the Network something descriptive such as [B]Perimeter[/B]. Press [B]Next[/B] to continue.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1281212586205818.jpg[/IMG]

[LIST=1][*]Choose [B]Perimeter Network[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1301212586241771.jpg[/IMG]

[LIST=1][*]Press [B]Add Adapter[/B]. Check the box for the DMZ NIC and press [B]OK[/B]. Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1311212586241771.jpg[/IMG]

[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[*][B]Right-click[/B] the Networks icon in the left pane and choose [B]New | Network Rule[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1331212586241786.jpg[/IMG]

[LIST=1][*]Name the rule something descriptive such as [B]Perimeter Access[/B]. Press [B]Next[/B] to continue.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1351212586262896.jpg[/IMG]

[LIST=1][*]Press the [B]Add[/B] button.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1371212586262896.jpg[/IMG]

[LIST=1][*]Expand the [B]Networks[/B] folder, choose [B]External[/B] and press [B]Add[/B], then [B]Close[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1391212586262911.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1411212586282318.jpg[/IMG]

[LIST=1][*]Expand the [B]Networks[/B] folder, choose [B]Perimeter [/B]and press [B]Add[/B], then [B]Close[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1431212586282318.jpg[/IMG]

[LIST=1][*]Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1451212586282318.jpg[/IMG]

[LIST=1][*]Choose to [B]Route[/B] the traffic between these sources and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1471212586298911.jpg[/IMG]

[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image1491212586298911.jpg[/IMG]
The 3-Leg Perimeter topology has now been created, but will not be reflected in the ISA diagram. Functionally, this setup works fine.
© John Weber and Tom Pacyk

[/LEFT]