OCS 2007 and ISA 2006: Firewall Design and Architecture
[LEFT][CODE]http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html[/CODE]
[SIZE=3][B]PART-1[/B][/SIZE]
How to configure ISA 2006 to support OCS 2007
[B]Assumptions[/B]
[LIST][*]10.0.0.0 /24 and 172.16.0.0 /24 will be considered part of the “public” IP space. We’re going to pretend those addresses would be publicly routable addresses in the real world.[*]The Edge server’s private NIC is directly connected to the internal network.[*]Clients will be accessing the OCS services by these names and IP addresses:[/LIST]
[B]IP Address | DNS Name | Function[/B]
172.16.0.2 | sip.confusedamused.com | IM, Presence & Federation
172.16.0.3 | lm.confusedamused.com | Web Conferencing
172.16.0.4 | av.confusedamused.com | A/V Conferencing
10.0.0.2 | ocs.confusedamused.com | Web Components
[B]Prerequisites[/B]
[LIST][*]A complete OCS 2007 Front-End server and Edge server setup is already configured.[*]ISA Server 2006 is installed as either a domain member or in a workgroup.[*]ISA 2006 can resolve the DNS name of the Front-End server. If not, a hosts file entry has been created.[*]The ISA machine should have 3 physical NICs: 1 connected to the Internal network, 1 to the DMZ, and 1 to the External network. In this example the NICs are configured as follows:
- Internal: 192.168.0.1 / 24, no gateway, DNS points to 192.168.0.10 (Domain Controller)
- DMZ: 172.16.0.1 /24, no gateway, no DNS
- External: 10.0.0.1 /24 and 10.0.0.6, no DNS[*]The binding order of the NICs should be: Internal, DMZ, External.[*]The root certificate for the certificate authority exists in the Trusted Root Certification Authorities Store of the Local Computer.[*]A certificate issued to ocs.confusedamused.com with the private key exists in the Personal Store of the Local Computer.[/LIST]
[B]Network Diagram[/B]
The layout of the network should follow this configuration.
[IMG]http://www.isaserver.org/img/upl/image0041212582481474.JPG[/IMG]
[B]ISA 2006 Configuration[/B]
[B]Configure Network Topology[/B]
[LIST=1][*] Open the ISA Management console by navigating to Start | All Programs | Microsoft ISA Server | ISA Server Management.[*]Click on [B]Networks[/B] in the left pane.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0061212582481474.jpg[/IMG]
[LIST=1][*]Click on [B]Templates | 3-Leg Perimeter[/B] in the right pane.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0081212582481489.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B] to start the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0101212582727614.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B] again to skip the configuration export, or follow it if desired. [I]This wizard will erase all existing rules in ISA. Proceed with caution. See Appendix A if you need to keep your existing rule set[/I].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0121212582727614.jpg[/IMG]
[LIST=1][*]Ensure that the range [B]192.168.0.0 – 192.168.0.255[/B] is defined as the Internal network and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0141212582727614.jpg[/IMG]
[LIST=1][*]For the Perimeter Network press [B]Add Adapter[/B]. Check the box for the DMZ NIC and press [B]OK[/B]. Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0161212582752599.jpg[/IMG]
[LIST=1][*]For the Firewall Policy scroll down and pick [B]Allow unrestricted access[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0181212582752599.jpg[/IMG]
[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0201212582752614.jpg[/IMG]
[LIST=1][*]Press [B]Apply[/B] and then [B]OK[/B] to complete the changes. The fancy ISA diagram should now look like this.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0221212583256161.jpg[/IMG]
[B]Allow Outgoing Connections[/B]
[LIST=1][*]Click the [B]Firewall Policy[/B] object in the left pane.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0241212583256161.jpg[/IMG]
[LIST=1][*][B]Right-click [/B]the rule titled [B]VPN Clients to Internal Network [/B]and choose [B]Delete. [/B] Press [B]Yes[/B] when prompted for confirmation.[*][B]Double-click [/B]the rule titled [B]Unrestricted Internet Access[/B].[*]On the [B]From[/B] tab, press [B]Add[/B], choose [B]Perimeter[/B] from the list and press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0261212583256177.jpg[/IMG]
This last step will allow the Edge server to initiate outgoing requests for DNS and federation. You could be more specific with these rules if you wanted, but I don’t see a huge reason to be more restrictive on outgoing connections.
[B]Create Computer Objects[/B]
[LIST=1][*]Ensure the right-pane is open, click on [B]Toolbox | Network Objects | New | Computer[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0281212583612755.jpg[/IMG]
[LIST=1][*]Enter the name of [B]Access Edge[/B] and the IP address of [B]172.16.0.2[/B], the public IP which resolves to sip.confusedamused.com. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0301212583612755.jpg[/IMG]
[LIST=1][*]Create another computer object titled [B]Web Conferencing Edge[/B] with an IP of [B]172.16.0.3[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0321212583612755.jpg[/IMG]
[LIST=1][*]Create another computer object titled [B]A/V Edge[/B] with an IP of [B]172.16.0.4[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0341212583636380.jpg[/IMG]
[LIST=1][*]There should be 3 computer objects when finished.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0361212583636380.jpg[/IMG]
[B]Create Web Listener[/B]
[I]If the ISA server already has a web listener configured for SSL with no authentication, you could simply bind the ocs.confusedamused.com certificate to an additional IP address rather than creating a new Web Listener object.[/I]
[LIST=1][*]In the right-pane again click on [B]Toolbox | Network Objects | New | Web Listener[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0381212583636396.jpg[/IMG]
[LIST=1][*]Name the web listener something descriptive such as [B]No Authentication SSL[/B] so it can be reused for other applications and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0401212583655099.jpg[/IMG]
[LIST=1][*]Choose to [B]Require SSL secured connections with clients[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0421212583655099.jpg[/IMG]
[LIST=1][*]Check the box for the [B]External[/B] network and press [B]Select IP Addresses[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0441212583655099.jpg[/IMG]
[LIST=1][*]Select [B]Specified IP Address on the ISA Server computer in the selected network[/B], choose the 2nd IP address added to the NIC, [B]10.0.0.2[/B], press [B]Add[/B] and then [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0461212583926239.jpg[/IMG]
[LIST=1][*]Press [B]Next [/B]to continue.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0481212583926239.jpg[/IMG]
[LIST=1][*]Select [B]Assign a certificate for each IP address[/B]. Press [B]Select certificate [/B]and choose the certificate issued to [B]ocs.confusedamused.com[/B]. Press [B]Select[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0501212583926255.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B] to continue.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0521212583945177.jpg[/IMG]
[LIST=1][*]Choose [B]No Authentication[/B] as the method by which clients will provide credentials to the ISA server and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0541212583945177.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B] again, since SSO cannot be used with this listener.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0561212583960521.jpg[/IMG]
[LIST=1][*]Press [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0581212583960521.jpg[/IMG]
[B]Create Protocols[/B]
The default HTTPS protocol used by most of the services is already defined, but protocol definitions for the Federation (MTLS) and STUN ports need to be created.
[LIST=1][*]In the right-pane again, click on [B]Toolbox | Protocols | New | Protocol[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0601212584479302.jpg[/IMG]
[LIST=1][*]Name the protocol [B]MTLS[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0621212584479302.jpg[/IMG]
[LIST=1][*]Click [B]New[/B] to define the protocol.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0641212584479302.jpg[/IMG]
[LIST=1][*]Choose [B]TCP[/B] for the protocol type, [B]Outbound[/B] as the direction, and [B]5061-5061[/B] as the port range. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0661212584501333.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0681212584501349.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B] to not use any secondary connections and then [B]Finish[/B] to complete the wizard.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0701212584501349.jpg[/IMG]
[LIST=1][*]Create another new protocol and name it [B]STUN[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0721212584521364.jpg[/IMG]
[LIST=1][*]Click [B]New[/B] to define the protocol. Choose Protocol Type: [B]TCP[/B], Direction: [B]Outbound[/B], Port Range From: [B]50000[/B], Port Range To: [B]59999[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0741212584521364.jpg[/IMG]
[LIST=1][*]Click [B]New[/B] again to define the protocol. Choose Protocol Type: [B]UDP[/B], Direction: [B]Send[/B], Port Range From: [B]50000[/B], Port Range To: [B]59999[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0761212584521380.jpg[/IMG]
[LIST=1][*]Click [B]New[/B] again to define the protocol. Choose Protocol Type: [B]UDP[/B], Direction: [B]Send[/B], Port Range From: [B]3478[/B], Port Range To: [B]3478[/B]. Press [B]OK[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0781212584536083.jpg[/IMG]
[LIST=1][*]When all is said and done, the protocol definition should look like this.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0801212584536083.jpg[/IMG]
[LIST=1][*]Press [B]Next[/B] twice more and then [B]Finish[/B] to close the wizard.[/LIST]
[B]Access Rules[/B]
Now that all of the necessary items have been defined, the actual access rules can be created.
[I]Access Edge[/I]
[LIST=1][*][B]Right-click[/B] the [B]Firewall Policy[/B] and choose [B]New | Access Rule[/B].[*]Name the rule something descriptive like [B]Inbound Access Edge Connections[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0821212584845052.jpg[/IMG]
[LIST=1][*]Choose [B]Allow[/B] and press [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0841212584845068.jpg[/IMG]
[LIST=1][*]Ensure the dropdown says [B]Selected Protocols[/B] and press the [B]Add[/B] button.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0861212584845099.jpg[/IMG]
[LIST=1][*]Choose [B]HTTPS [/B]from the Common Protocols folder and [B]MTLS[/B] from the User-Defined folder. Press [B]Add[/B] for each of those and then [B]Close[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0881212584865880.jpg[/IMG]
[LIST=1][*]Press [B]Next [/B]once the definition looks like this.[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0901212584865880.jpg[/IMG]
[LIST=1][*]For the sources press [B]Add[/B], choose [B]External [/B]from the Networks folder, press [B]Close[/B], and then [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0921212584865880.jpg[/IMG]
[LIST=1][*]For the destination press [B]Add[/B], choose [B]Access Edge [/B]from the Computers folder, press [B]Close[/B], and then [B]Next[/B].[/LIST]
[IMG]http://www.isaserver.org/img/upl/image0941212584882739.jpg[/IMG]
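To check what the rule set built so far actually permits, here is a small Python model of the networks, computer objects, protocol definitions and ordered access rules from the steps above (an added illustration, not part of the original article and not ISA's own policy engine). The flow addresses 10.0.0.50 and 10.0.0.53 are constructed examples inside the pretend-public range; ISA's protocol direction semantics and system policy rules are deliberately not modelled.

```python
import ipaddress

# Networks and computer objects as defined in the walkthrough
NETWORKS = {
    "Internal":    [ipaddress.ip_network("192.168.0.0/24")],
    "Perimeter":   [ipaddress.ip_network("172.16.0.0/24")],
    "External":    [ipaddress.ip_network("10.0.0.0/24")],
    "Access Edge": [ipaddress.ip_network("172.16.0.2/32")],   # sip.confusedamused.com
}

# Protocol definitions: (transport, low port, high port); direction is not modelled
PROTOCOLS = {
    "HTTPS": [("tcp", 443, 443)],
    "MTLS":  [("tcp", 5061, 5061)],
    "STUN":  [("tcp", 50000, 59999), ("udp", 50000, 59999), ("udp", 3478, 3478)],
}
ANY = None  # stands for "All outbound traffic" in the ISA rule

# Ordered rule set after the steps above; ISA evaluates top-down, first match wins.
# The Perimeter network was added to the From tab of Unrestricted Internet Access.
RULES = [
    ("Inbound Access Edge Connections", "allow", ["HTTPS", "MTLS"], ["External"], ["Access Edge"]),
    ("Unrestricted Internet Access", "allow", ANY, ["Internal", "Perimeter"], ["External"]),
    ("Default rule", "deny", ANY, ["any"], ["any"]),
]

def in_objects(ip, names):
    """True if ip belongs to any of the named network/computer objects."""
    addr = ipaddress.ip_address(ip)
    return any(name == "any" or any(addr in net for net in NETWORKS[name]) for name in names)

def protocol_matches(protocols, transport, port):
    """True if the flow's transport/port is covered by one of the rule's protocols."""
    if protocols is ANY:
        return True
    return any(t == transport and lo <= port <= hi
               for name in protocols for (t, lo, hi) in PROTOCOLS[name])

def evaluate(src_ip, dst_ip, transport, dst_port):
    """Return (action, rule name) for the first rule that matches the flow."""
    for name, action, protocols, sources, destinations in RULES:
        if (in_objects(src_ip, sources) and in_objects(dst_ip, destinations)
                and protocol_matches(protocols, transport, dst_port)):
            return action, name
    return "deny", "implicit"  # not reached while a Default rule is present

if __name__ == "__main__":
    for flow in [("10.0.0.50", "172.16.0.2", "tcp", 5061),   # federation MTLS to Access Edge
                 ("10.0.0.50", "172.16.0.2", "udp", 3478),   # STUN: no rule on this page yet
                 ("172.16.0.2", "10.0.0.53", "udp", 53),     # Edge server outbound DNS
                 ("10.0.0.50", "192.168.0.10", "tcp", 445)]: # External straight to the DC
        print(flow, "->", evaluate(*flow))
```

Running it shows that inbound MTLS and HTTPS reach only the Access Edge object, that the Edge server's outbound DNS and federation traffic is covered by the widened Unrestricted Internet Access rule, and that everything else, including STUN to the perimeter, still falls through to the Default rule.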
[/LEFT]