http://www.isaserver.org/tutorials/OCS-2007-ISA-2006-Firewall-Design-Architecture.html
PART-1
How to configure ISA 2006 to support OCS 2007
Assumptions
- 10.0.0.0 /24 and 172.16.0.0 /24 will be considered part of the “public” IP space. We’re going to pretend those addresses would be publicly routable addresses in the real world.
- The Edge server’s private NIC is directly connected to the internal network.
- Clients will be accessing the OCS services by these names and IP addresses:
IP Address | DNS Name | Function
172.16.0.2 | sip.confusedamused.com | IM, Presence & Federation
172.16.0.3 | lm.confusedamused.com | Web Conferencing
172.16.0.4 | av.confusedamused.com | A/V Conferencing
10.0.0.2 | ocs.confusedamused.com | Web Components
Prerequisites
- A complete OCS 2007 Front-End server and Edge server setup is already configured.
- ISA Server 2006 is installed as either a domain member or in a workgroup.
- ISA 2006 can resolve the DNS name of the Front-End server. If not, a host file entry has been created.
- The ISA machine should have 3 physical NICs: 1 connected to the Internal network, 1 to the DMZ, and 1 to the External network. In this example the NICs are configured as follows:
  - Internal: 192.168.0.1 /24, no gateway, DNS points to 192.168.0.10 (Domain Controller)
  - DMZ: 172.16.0.1 /24, no gateway, no DNS
  - External: 10.0.0.1 /24 and 10.0.0.6, no DNS
- The binding order of the NICs should be: Internal, DMZ, External.
- The root certificate for the certificate authority exists in the Trusted Root Certification Authorities Store of the Local Computer.
- A certificate issued to ocs.confusedamused.com with the private key exists in the Personal Store of the Local Computer.
Network Diagram
The layout of the network should follow this configuration.
ISA 2006 Configuration
Configure Network Topology
- Open the ISA Management console by navigating to Start | All Programs | Microsoft ISA Server | ISA Server Management.
- Click on Networks in the left pane.
- Click on Templates | 3-Leg Perimeter in the right pane.
- Press Next to start the wizard.
- Press Next again to skip the configuration export, or follow it if desired. This wizard will erase all existing rules in ISA. Proceed with caution. Skip to Appendix A if you need to keep your existing rule set.
- Ensure that the range 192.168.0.0 – 192.168.0.255 is defined as the internal range and press Next.
- For the Perimeter Network press Add Adapter. Check the box for the DMZ NIC and press OK. Press Next.
- For the Firewall Policy scroll down and pick Allow unrestricted access.
- Press Finish to complete the wizard.
- Press Apply and then OK to complete the changes. The fancy ISA diagram should now look like this.
Allow Outgoing Connections
- Click the Firewall Policy object in the left pane.
- Right-click the rule titled VPN Clients to Internal Network and choose Delete. Press Yes when prompted for confirmation.
- Double-click the rule titled Unrestricted Internet Access.
- On the From tab, press Add, choose Perimeter from the list and press OK.
This last step will allow the Edge server to initiate outgoing requests for DNS and federation. You could be more specific with these rules if you wanted, but I don’t see a huge reason for being more restrictive on outgoing connections.
Create Computer Objects
- Ensure the right-pane is open, click on Toolbox | Network Objects | New | Computer.
- Enter the name of Access Edge and the IP address of 172.16.0.2, the public IP which resolves to sip.confusedamused.com. Press OK.
- Create another computer object titled Web Conferencing Edge with an IP of 172.16.0.3.
- Create another computer object titled A/V Edge with an IP of 172.16.0.4.
- There should be 3 computer objects when finished.
Create Web Listener
If the ISA server already has a web listener configured for SSL with no authentication created you could simply bind the ocs.confusedamused.com certificate to an additional IP address rather than creating a new Web Listener object.
- In the right-pane again click on Toolbox | Network Objects | New | Web Listener.
- Name the web listener something descriptive such as No Authentication SSL so it can be reused for other applications and press Next.
- Choose to Require SSL secured connections with clients and press Next.
- Check the box for the External network and press Select IP Addresses.
- Select Specified IP Address on the ISA Server computer in the selected network, choose the 2nd IP address added to the NIC, 10.0.0.2, press Add and then OK.
- Press Next to continue.
- Select Assign a certificate for each IP address. Press Select certificate and choose the certificate issued to ocs.confusedamused.com. Press Select.
- Press Next to continue.
- Choose No Authentication as the method clients will provide credentials to ISA server and press Next.
- Press Next again because SSO cannot be used.
- Press Finish to complete the wizard.
Create Protocols
The default HTTPS protocol for most services is already defined, but ports for Federation and STUN need to be configured.
- In the right-pane again, click on Toolbox | Protocols | New | Protocol.
- Name the protocol MTLS and press Next.
- Click New to define the protocol.
- Choose TCP for the protocol name, Outbound as the direction, and the port range as 5061-5061. Press OK.
- Press Next.
- Press Next to not use any secondary connections and then Finish to complete the wizard.
- Create another new protocol and name it STUN.
- Click New to define the protocol. Choose Protocol Type: TCP, Direction: Outbound, Port Range From: 50000, Port Range To: 59999. Press OK.
- Click New again to define the protocol. Choose Protocol Type: UDP, Direction: Send, Port Range From: 50000, Port Range To: 59999. Press OK.
- Click New again to define the protocol. Choose Protocol Type: UDP, Direction: Send, Port Range From: 3478, Port Range To: 3478. Press OK.
- When all is said and done the protocol definition should look like this.
- Press Next twice again and Finish to close the wizard.
Access Rules
Now that all of the necessary items have been defined, the actual access rules can be created.
Access Edge
- Right-click the Firewall Policy and choose New | Access Rule.
- Name the rule something descriptive like Inbound Access Edge Connections and press Next.
- Choose Allow and press Next.
- Ensure the dropdown says Selected Protocols and press the Add button.
- Choose HTTPS from the Common Protocols folder and MTLS from the User-Defined folder. Press Add for each of those and then Close.
- Press Next once the definition looks like this.
- For the sources press Add, choose External from the Networks folder, press Close, and then Next.
- For the destination press Add, choose Access Edge from the Computers folder, press Close, and then Next.
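To check that the rule set built so far only exposes what the tutorial intends, here is an added example (not from the original article or from Microsoft) that models the networks, computer objects, protocol definitions and access rules above as data and evaluates a connection the way ISA does: first matching rule wins, anything unmatched is denied. Rule order, the built-in HTTPS definition and the treatment of UDP "Send" as an outbound port match are assumptions of the model.

```python
"""Model of the ISA 2006 rule set this tutorial builds (added example,
not the article's own code). First matching rule wins, default deny."""
from ipaddress import ip_address, ip_network

# Networks from the Prerequisites section.
NETWORKS = {
    "Internal": ip_network("192.168.0.0/24"),
    "Perimeter": ip_network("172.16.0.0/24"),
    "External": ip_network("10.0.0.0/24"),
}
# Computer objects from "Create Computer Objects".
COMPUTERS = {
    "Access Edge": ip_address("172.16.0.2"),
    "Web Conferencing Edge": ip_address("172.16.0.3"),
    "A/V Edge": ip_address("172.16.0.4"),
}
# Protocol definitions as (transport, low port, high port). HTTPS is an ISA
# built-in (assumed TCP 443); MTLS and STUN are the user-defined ones above.
PROTOCOLS = {
    "HTTPS": [("tcp", 443, 443)],
    "MTLS": [("tcp", 5061, 5061)],
    "STUN": [("tcp", 50000, 59999), ("udp", 50000, 59999), ("udp", 3478, 3478)],
}
# Access rules in assumed policy order: (name, action, protocols, sources,
# destinations). "*" stands for ISA's "All Outbound Traffic".
RULES = [
    ("Inbound Access Edge Connections", "allow", ["HTTPS", "MTLS"],
     ["External"], ["Access Edge"]),
    ("Unrestricted Internet Access", "allow", ["*"],
     ["Internal", "Perimeter"], ["External"]),
]

def _in_set(ip, names):
    """True if ip belongs to any of the named networks or computer objects."""
    ip = ip_address(ip)
    return any(ip in NETWORKS[n] if n in NETWORKS else ip == COMPUTERS[n]
               for n in names)

def _matches_protocol(transport, port, names):
    """True if transport/port falls inside any named protocol definition."""
    if "*" in names:
        return True
    return any(t == transport and lo <= port <= hi
               for n in names for t, lo, hi in PROTOCOLS[n])

def is_allowed(src_ip, dst_ip, transport, dst_port):
    """Return the name of the first matching allow rule, or None (default deny)."""
    for name, action, protos, srcs, dsts in RULES:
        if (_in_set(src_ip, srcs) and _in_set(dst_ip, dsts)
                and _matches_protocol(transport, dst_port, protos)):
            return name if action == "allow" else None
    return None
```

Running it shows that, at this point in the tutorial, External clients can reach the Access Edge only on TCP 443 and 5061, the STUN ports and the other two Edge roles are still closed, and the Edge server itself can initiate outbound DNS and federation traffic.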