
Topic: Configure ISA 2004 as a Network Services Segment Perimeter Firewall

  
  1. #1
    Real name: 1234
    Retired moderator
    Join date: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272

    Configure ISA 2004 as a Network Services Segment Perimeter Firewall

    Code:
    http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html
    Part 1: Perimeter Network Design Principles and Considerations


    The ISA firewall can act in a number of roles: a front-end edge firewall that sits in front of the entire company, as a back-end firewall located behind another edge firewall that might be an ISA firewall or another type of firewall, or a perimeter network firewall that walls off critical network servers and services from the rest of the network. It’s this latter configuration we’ll focus on in this article.
    In spite of eye-catching headlines about the death of the DMZ or the imminent demise of network security zones, the fact is that we who live in the trenches still need to live with the current reality, where network perimeters need to be defined to provide access controls on hosts connecting to other hosts belonging to a different security zone. And while Network Access Protection (NAP – expected to be implemented in Longhorn/Vista) and IPSec-based domain isolation hold a lot of promises, there are and will be significant technological hurdles that have to be met before those methodologies will be applicable to widespread use.
    Instead of proclaiming the death of the DMZ, security experts should be making the clarion call for increased perimeterization. You’ll go a long way at improving your network’s security position by grouping hosts into different security zones and putting firewalls and other network security devices between those zones that enable strong access controls on communications between those zones.
    In this article we’ll examine the requirements and procedures involved with creating a network services segment separated from the rest of the corporate network by an ISA firewall. You can put an ISA firewall in front of the network services located on the services segment to help protect those critical network services from being adversely affected by outbreaks that take place on other network segments.
    The key concept here is that only required communications are allowed to and from the network services segment; all other communications are blocked. In addition to limiting communications only to those hosts and protocols that are required for access, we will leverage the ISA firewall’s advanced stateful packet and application layer inspection mechanisms to help secure the communications allowed to the network services segment.
    Network Services Segment Configuration Options

    As with all network security devices, and especially for network firewalls, there is no such thing as “one size fits all” when it comes to configuration. There is no replacement for understanding how your firewall works, and how to configure it to meet your organization’s specific requirements.
    There are two scenarios we should look at before proceeding with a step by step example for configuring a network services segment behind an ISA firewall. These scenarios are:

    • A LAN router separates the ISA firewall from the rest of the corporate network
    • No LAN router separates the ISA firewall from the rest of the corporate network

    While there are variations on the second theme, our discussion of these two scenarios will hopefully make clear what your configuration options are when you don’t have a LAN router on your network.
    Scenario 1: LAN Router between ISA Firewall and Corporate Network

    A high level view of scenario 1 appears in the figure below. In this scenario, there is a LAN router between the ISA firewall and the rest of the network. There is a route relationship between all internal networks located behind the edge ISA firewall. NAT is used only for communications to the Internet.
    In this scenario, hosts on the corporate network in front of the network services perimeter ISA firewall use a default gateway that is the local address of the LAN router. The LAN router is configured with a route of last resort (which allows it to access the Internet) that is the internal address on the edge ISA firewall. The LAN router is configured with a routing table entry that provides a route to the network ID located behind the network services perimeter network ISA firewall.
    When a user makes a request to a server on the network services segment located behind the network services perimeter ISA firewall, the request is forwarded to the client’s default gateway address, since the connection is to a non-local (remote) network. The packet is then forwarded based on the routing table entry on the LAN router to the IP address on the external interface of the network services perimeter ISA firewall, and then the network services perimeter ISA firewall routes the request to the server on the network services segment.
    The request path is seen with the black arrows. The response path is seen in the Red arrows. The server on the services segment sends the response to its default gateway, which is the IP address on the internal interface of the network services segment perimeter ISA firewall. The response is forwarded directly to the client making the request since the ISA firewall has knowledge of all network IDs to which it is directly connected. The response is not forwarded to the LAN router and then back to the client. Note that the request and response paths are not the same.

    Figure 1
    The figure below shows the request and response paths for connections made to the Internet. Notice in this case the request and response paths are the same.

    Figure 2
    Scenario 2: No LAN Routers

    Now let’s look at scenario 2, where there is no router between the ISA firewall and the rest of the network. In this case, the clients on the corporate network use the internal interface of the edge ISA firewall as their default gateway address. The edge ISA firewall is configured with a routing table entry informing the edge ISA firewall of the correct route to network ID 10.0.0.0/24. The ISA firewall forwards the connection to the IP address on the external interface of the network services perimeter ISA firewall, which then routes the connection to the server on the network services segment.
    The response from the server on the network services segment is forwarded to the server’s default gateway address, which is the IP address on the internal interface of the network services perimeter ISA firewall, which in turn forwards the response directly to the client machine that made the request. Notice that the request and response paths are not the same. This scenario works because the ISA firewall is handling traffic that it has knowledge of and is not dealing with response traffic to connections it is not aware of. This will be made clear in the next figure.

    Figure 3
    ISA Firewall Stateful Packet Inspection and Request/Response Paths

    The figure below shows a scenario where a system on the network services segment needs to initiate a connection to a host on the corporate network. A network management server on the network services segment makes a connection to a workstation on the corporate network in front of the network services perimeter ISA firewall.
    The connection is first sent to the network services perimeter ISA firewall’s internal interface, as this is the default gateway of the network management server. The connection is then sent directly to the workstation, because the ISA firewall has knowledge of all networks to which it is directly connected. That is to say, the ISA firewall can do an ARP broadcast to get the MAC address of the workstation and send the request directly to that workstation.
    A problem arises when the workstation tries to respond to the management server on the network services segment. Since the destination IP address of the management server is on a network remote from the workstation’s network ID, the workstation sends the response to its default gateway, which is the internal interface of the edge ISA firewall. The response traffic is denied by the ISA firewall because the client is sending a SYN-ACK message back to the management server, but the ISA firewall never “saw” the SYN message from the management server to the workstation. Since the ISA firewall is a stateful packet inspection firewall, it drops the SYN-ACK because it isn’t associated with a preceding SYN.

    Figure 4
    There are several ways you can deal with this issue:

    • Make sure that no servers on the network services segment behind the perimeter ISA firewall ever need to create new outbound TCP connections to hosts on the corporate network in front of the network services perimeter ISA firewall. This means that not only can you not place servers making outbound connections through the network services perimeter ISA firewall, but also cannot use protocols where the clients make primary connections to the servers on the network services segment and require secondary connections from the servers on the network services segment.
    • Put a LAN router between the ISA firewall and the rest of the corporate network
    • Put a LAN router between the network services segment perimeter ISA firewall and the rest of the network
    • Create routing table entries on the hosts located on the corporate network in front of the network services perimeter ISA firewall so that they know the gateway address to reach the network services segment, which in this case would be the IP address on the external interface of the network services perimeter ISA firewall
    • Use multiple NICs on the ISA firewall and place the network services segment on an ISA firewall Network associated with one of the NICs. This avoids the routing and network within a Network issue

    Most enterprise networks will have LAN routers in place, so it’s easy for these organizations to create the appropriate routing table entries to support this scenario. For small organizations that do not have LAN routers in place, you can get complete support for connections to and from the network services segment by automating routing table entries on the corporate network hosts located in front of the network services segment perimeter ISA firewall. You could use a logon script to enter these routing table entries on the clients using the route add -p command.
    Multiple Departmental Networks/Security Zones Connected to a Backbone Network

    Note that these issues are specific to the network within a Network configuration and to cases where there are client systems that are “on subnet” with an ISA firewall that must be reached from a host on a remote subnet that is part of the same ISA firewall Network. This is not a problem when you have a backbone network configured and clients and servers are all behind ISA firewalls.
    For example, consider the network in the figure below. In this scenario we do not run into similar problems because there are no host systems on the backbone network, and therefore no host systems that are “on-subnet” of the edge ISA firewall’s internal interface. All ISA firewalls contain routing table entries directing them to the external interface of the appropriate ISA firewall to reach the appropriate network ID(s) located behind any specific ISA firewall. Hosts behind each of the ISA firewalls use the internal interface of their local ISA firewall as their default gateway, and the routing table entries on the ISA firewalls route the connection to the correct ISA firewall’s external interface.
    Note that we are assuming a Route relationship between all ISA firewall networks in this scenario, although a mix of Route and NAT relationships will work too, and can potentially simplify the routing table entries, since segments that use a NAT relationship do not require routing table entries on the ISA firewall to reach the addresses behind the NAT – the responder only needs to reach the IP address on the external interface of the ISA firewall sending the connection, and in a backbone network scenario, all the external interfaces are likely on the same network ID.

    Figure 5
    Note that in order for this configuration to work most efficiently, each ISA firewall requires the appropriate routing table entries. However, you could get around this requirement if each ISA firewall used the edge ISA firewall as its default gateway, and the edge ISA firewall contained the appropriate routing table entries. This solution could potentially work, but performance would be abysmal because the edge ISA firewall would be routing connections between all network IDs on the corporate network.
    Example Network and Perimeter Network Design for this Article Series

    In this article series we will use the sample network seen in the figure below. The default gateway for all servers on the network services segment will be the IP address on the internal interface of the network services perimeter ISA firewall. The default gateway for all hosts on the corporate network containing client systems is the IP address on the internal interface of the edge ISA firewall. Client systems are configured with a routing table entry that forwards connections to network ID 10.0.0.0/24 to the IP address on the external interface of the network services perimeter ISA firewall.

    Figure 6
    There is a Windows 2000 file server and an Exchange 2003 server located on the network services segment. The Exchange Server is also a domain controller, DNS server, WINS server, DHCP server, certificate server and RADIUS server. We will create access rules that enable connections to all the network services on the Exchange Server and also to file shares on the File server. The File server will host the Firewall client installation files so that we can avoid allowing file sharing protocols to any of the ISA firewall’s Local Host Network. The network services perimeter ISA firewall is already joined to the domain.
    In the articles that follow this one you will perform the following procedures:

    • Create an ISA firewall Network representing the corporate network on the network services perimeter ISA firewall
    • Create a Network Rule on the network services perimeter ISA firewall that sets a Route relationship between the corporate network and the network services network
    • Create an intradomain communications Access Rule on the network services perimeter ISA firewall that allows corporate network hosts access to the DC on the services segment for intradomain communications and a DNS Server Publishing Rule that enables the DNS application layer inspection filter
    • Create Access Rules Controlling Outbound Access from the Network Services Segment on Perimeter ISA Firewall
    • Create network services Access Rules on the network services perimeter ISA firewall enabling clients access to network services (OWA, Outlook MAPI, SMTP, POP3, IMAP4, file shares)
    • Create a routing table entry on the edge ISA firewall providing a path to the network services segment network ID
    • Join the front-end ISA Firewall to the domain
    • Create a routing table entry on the network clients (only required if there are no LAN routers installed) providing route information to reach the network services segment network ID
    • Join the network clients to the domain
    • Create a wpad entry in DNS to enable autodiscovery for Firewall and Web proxy clients
    • Configure the Firewall client settings on the edge ISA firewall (including Web proxy client configuration)
    • Install the Firewall client share on the network services segment file server
    • Install the Firewall client on the network clients
    • Connect the corporate network clients to resources on the network services segment and the Internet

    Summary

    In this article we reviewed issues and concepts related to using the ISA firewall as a network services segment perimeter firewall. We discussed issues related to routing connections to remote network IDs and how these issues interact with the ISA firewall’s stateful packet inspection feature. Several scenarios were discussed and routing options available in each scenario. We finished off the article by describing the sample network that will be used in the remainder of this article series. Subsequent articles in this series will go over the procedures required to complete the solution and in depth discussions on the rationale behind the configuration decisions made at each juncture.
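To make the Figure 3 and Figure 4 request/response paths concrete, the following simulation (an added example, not part of the article or of this post) models Scenario 2 with two stateful firewalls and shows why a corpnet-to-DC connection works while a services-segment-to-workstation connection loses its SYN-ACK at the edge ISA, and how a client route entry fixes it. Only the 10.0.0.0/24 services segment, the DC at 10.0.0.2 and the perimeter ISA external address 10.0.1.2 come from the article; the edge ISA internal address 10.0.1.1, the perimeter ISA internal address 10.0.0.1, the workstation 10.0.1.50 and the management server 10.0.0.10 are constructed.

```python
"""Simulate the request/response paths from Part 1: two stateful ISA-style firewalls,
a corporate network (10.0.1.0/24) and a network services segment (10.0.0.0/24)."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Packet:
    src: str
    dst: str
    flag: str                       # "SYN" (request) or "SYN-ACK" (response)
    trace: list = field(default_factory=list)


class Node:
    """A host or firewall: one or more interfaces, optional static routes, default gateway.
    Stateful nodes forward a SYN-ACK only if they saw the matching SYN (ISA behaviour)."""

    def __init__(self, name, interfaces, gateway=None, routes=None, stateful=False):
        self.name = name
        self.interfaces = [ipaddress.ip_interface(i) for i in interfaces]
        self.gateway = gateway
        self.routes = {ipaddress.ip_network(p): gw for p, gw in (routes or {}).items()}
        self.stateful = stateful
        self.state = set()          # (src, dst) pairs for which a SYN has passed through

    def owns(self, ip):
        return any(i.ip == ipaddress.ip_address(ip) for i in self.interfaces)

    def on_link(self, ip):
        """True if ip is on a directly connected subnet (reachable via ARP, no gateway)."""
        return any(ipaddress.ip_address(ip) in i.network for i in self.interfaces)

    def next_hop(self, dst):
        """Longest-prefix match over static routes, else the default gateway (may be None)."""
        addr = ipaddress.ip_address(dst)
        matches = [(n, gw) for n, gw in self.routes.items() if addr in n]
        if matches:
            return max(matches, key=lambda m: m[0].prefixlen)[1]
        return self.gateway


class Network:
    def __init__(self, nodes):
        self.nodes = nodes

    def node_for(self, ip):
        return next(n for n in self.nodes if n.owns(ip))

    def send(self, pkt):
        """Inject pkt at its source host; returns True if delivered, False if dropped."""
        return self._forward(self.node_for(pkt.src), pkt)

    def _forward(self, node, pkt):
        pkt.trace.append(node.name)
        if node.stateful:
            if pkt.flag == "SYN":
                node.state.add((pkt.src, pkt.dst))
            elif (pkt.dst, pkt.src) not in node.state:
                pkt.trace.append(f"dropped by {node.name}: {pkt.flag} without a preceding SYN")
                return False
        if node.owns(pkt.dst):
            pkt.trace.append("delivered")
            return True
        # Directly connected destination: ARP and hand over; otherwise use route/gateway.
        nxt = pkt.dst if node.on_link(pkt.dst) else node.next_hop(pkt.dst)
        if nxt is None:
            pkt.trace.append(f"dropped by {node.name}: no route")
            return False
        return self._forward(self.node_for(nxt), pkt)


def build_network(client_route=False):
    """Scenario 2 (no LAN router). Addresses other than 10.0.0.2 and 10.0.1.2 are constructed."""
    edge = Node("edge ISA", ["10.0.1.1/24"], stateful=True,
                routes={"10.0.0.0/24": "10.0.1.2"})          # route to the services segment
    perimeter = Node("perimeter ISA", ["10.0.1.2/24", "10.0.0.1/24"],
                     gateway="10.0.1.1", stateful=True)
    # Equivalent of "route -p add 10.0.0.0 mask 255.255.255.0 10.0.1.2" on the client.
    ws_routes = {"10.0.0.0/24": "10.0.1.2"} if client_route else {}
    workstation = Node("workstation", ["10.0.1.50/24"], gateway="10.0.1.1", routes=ws_routes)
    dc = Node("DC", ["10.0.0.2/24"], gateway="10.0.0.1")
    mgmt = Node("mgmt server", ["10.0.0.10/24"], gateway="10.0.0.1")
    return Network([edge, perimeter, workstation, dc, mgmt])


def tcp_handshake(net, client_ip, server_ip):
    """Client SYN followed by the server's SYN-ACK; returns (syn_ok, synack_ok, trace)."""
    syn = Packet(client_ip, server_ip, "SYN")
    syn_ok = net.send(syn)
    synack = Packet(server_ip, client_ip, "SYN-ACK")
    synack_ok = net.send(synack) if syn_ok else False
    return syn_ok, synack_ok, syn.trace + ["|"] + synack.trace


if __name__ == "__main__":
    # Figure 3: corpnet client to DC works although request and response paths differ.
    print(tcp_handshake(build_network(), "10.0.1.50", "10.0.0.2"))
    # Figure 4: services-segment server to workstation; the SYN-ACK dies at the edge ISA.
    print(tcp_handshake(build_network(), "10.0.0.10", "10.0.1.50"))
    # Remedy: a client route entry sends the response back through the perimeter ISA.
    print(tcp_handshake(build_network(client_route=True), "10.0.0.10", "10.0.1.50"))
```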


  2. #2

    Code:
    http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part2.html

    Part 2: Configuring the Network Service Perimeter ISA Firewall


    In the first part of this multipart article series on configuring a network services segment using a perimeter ISA firewall, we discussed concepts and issues in perimeter network design and issues related to the ISA firewall’s stateful packet inspection mechanisms. We also went over the sample network design used in this article series.
    In this, part 2 of the article series, we’ll move our attention to the network services segment perimeter ISA firewall. We’ll do the following in this article:

    • Create the ISA Firewall Network Representing the Corporate Network on the Network Services Perimeter ISA firewall
    • Create the Network Rule on the Network Services Perimeter ISA Firewall Setting a Route Relationship between the Corporate Network and the Network Services Segment
    • Create an Intradomain Communications Access Rule on the Network Services Perimeter ISA Firewall and a DNS Server Publishing Rule
    • Create Access Rules Controlling Outbound Access from the Network Services Segment on Perimeter ISA Firewall

    As a reminder, the figure below provides a high level view of the sample network used in this article series.

    Figure A
    Create the ISA Firewall Network Representing the Corporate Network on the Network Services Perimeter ISA firewall

    One of the most prevalent misconceptions regarding ISA firewall Networks and how the ISA firewall sees the network world is how the ISA firewall deals with the default External Network. Let’s set the record straight: the default External Network on the ISA firewall is defined as any IP address that isn’t part of any other ISA firewall Network configured on the ISA firewall.
    What this means is you can configure any collection of IP addresses that aren’t part of another ISA firewall Network to be part of a custom ISA firewall Network. This includes the IP address(es) bound to the external interface of the ISA firewall (although the addresses on the external interface of the ISA firewall will always belong to the Local Host Network).
    This allows us to create a custom ISA firewall Network that includes the IP addresses used on the corporate network that lies between the edge ISA firewall and the network services perimeter ISA firewall. These addresses do not need to be part of the default External Network, even though the corporate network is on the same network ID as the external interface of the ISA firewall. The term “external interface” only means that it’s the interface with the default gateway configured on it, which typically is the closest to the Internet.
    NOTE:
    While the term external interface is used to denote the NIC that has the default gateway configured on it, the fact is that you can configure an ISA firewall that has no default gateway. This ISA firewall won’t be able to access the Internet and hosts serviced by that ISA firewall won’t be able to access the Internet, but it does illustrate that an ISA firewall does not require an external interface.
    The value of making the corporate network between the edge ISA firewall and the network services perimeter ISA firewall a separate ISA firewall Network is that you can control the routing relationship between that Network and any other Network defined on the ISA firewall. In the example network used in this article, configuring a custom corporate ISA firewall Network will enable us to create a route relationship between the default Internal Network behind the back-end ISA firewall and the corporate network between the edge ISA firewall and the network services perimeter ISA firewall. We can also create Access Rules controlling traffic moving to and from any ISA firewall Network.
    Create the Corpnet ISA Firewall Network
    Perform the following steps on the network services perimeter ISA firewall to create the Corpnet ISA firewall Network:

    1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
    2. On the Networks node, click the Networks tab in the details pane. Click the Tasks tab in the Task Pane and then click the Create a New Network link.
    3. On the Welcome to the New Network Wizard page, enter a name for the Network in the Network name text box. In this example we’ll name the Network Corpnet. Click Next.
    4. On the Network Type page, select the Perimeter Network option and click Next.
    5. On the Network Address page, click the Add button.
    6. In the IP Address Range Properties dialog box, enter the Starting address and Ending Address for the Corpnet ISA firewall Network. In this example we’ll enter 10.0.1.0 for the Starting Address and 10.01.255 for the Ending Address. Note that you don’t have to include the entire network ID; you can include only the addresses that are actually in use on that network, or you can get even more granular and include only those addresses that you want to have a route relationship with the default Internal Network behind the network service perimeter ISA firewall, so that you can later create another ISA firewall Network representing other addresses on the corporate network that you want to create a NAT relationship with. Click OK.


    Figure 1
    7. Click Next on the Network Addresses page.


    Figure 2
    8. Click Finish on the Completing the New Network Wizard page.


    Figure 3
    Create the Network Rule on the Network Services Perimeter ISA Firewall Setting a Route Relationship between the Corporate Network and the Network Services Segment

    In the scenario discussed in this article, the hosts on the corporate network are members of a domain that has its domain controllers located behind the network services perimeter ISA firewall.
    An Access Rule must be created that allows hosts on the corporate network to communicate with the DCs on the network services segment. Intradomain communications require that you have a Route relationship between the source and destination networks. For this reason, we will create a Network Rule that sets a Route relationship between the corporate network and the default Internal Network located behind the network services perimeter ISA firewall.
    It’s important to note that although there will be a route relationship between the network services perimeter ISA firewall’s default Internal Network and the Corpnet Network, there will still be a NAT relationship between the network services perimeter ISA firewall’s default Internal Network and the Internet. This is fully supported (and required), since private addresses are used on all networks behind the edge ISA firewall.
    Create the Network Rule Defining a Route Relationship between the Corpnet ISA Firewall Network and the Default Internal Network
    Perform the following steps to create the Network Rule creating a route relationship between the Corpnet Network and the default Internal Network behind the network services perimeter ISA firewall:

    1. In the ISA firewall console, expand the server name and then expand the Configuration node in the left pane of the console. Click the Networks node.
    2. On the Networks node, click the Network Rules tab in the details pane of the console, then click the Create a New Network Rule link in the Tasks tab of the Task Pane.
    3. On the Welcome to the New Network Rule Wizard page, enter a name for the rule in the Network rule name text box. In this example we’ll name the rule Corpnet – Internal (the default Internal Network behind the network services perimeter ISA firewall represents the network services segment). Click Next.
    4. On the Network Traffic Sources page, click the Add button.
    5. In the Add Network Entities dialog box, click the Networks folder and then double click the Corpnet Network. Click Close.


    Figure 4
    6. Click Next on the Network Traffic Sources page.
    7. Click Add on the Network Traffic Destinations page.
    8. Click the Networks folder and then double click the Internal entry. Click Close.
    9. On the Network Relationship page, select the Route option and click Next.


    Figure 5
    10. Click Finish on the Completing the New Network Rule Wizard page.


    Figure 6
    Create an Intradomain Communications Access Rule on the Network Services Perimeter ISA Firewall and a DNS Server Publishing Rule

    Multiple protocols are required to allow intradomain communications between hosts on the corporate network and domain controllers on the corporate network. Table 1 provides the details of this Access Rule. Table 2 provides details of the DNS Server Publishing Rule.
    Table 1: Access Rule allowing intradomain communications between the DMZ host and the DC on the default Internal Network behind the back-end ISA firewall

    Name: Intradomain Corpnet -- Internal
    Action: Allow
    Protocols:
      Microsoft CIFS (TCP)
      Microsoft CIFS (UDP)
      Kerberos-Adm(UDP)
      Kerberos-Sec(TCP)
      Kerberos-Sec(UDP)
      LDAP
      LDAP (UDP)
      LDAP GC (Global Catalog)
      RPC (all interfaces)
      NTP (UDP)
      Ping
    From: Corpnet
    To: Domain Controller
    Users: All
    Schedule: Always
    Content Types: All content types

    Table 2: DNS Server Publishing Rule

    Name: Publish Domain DNS
    Action: Allow
    Protocols: DNS Server
    Listener: Corpnet
    To: 10.0.0.2
    Schedule: Always
    Note that we are using an Access Rule instead of a publishing rule to allow access from the Corpnet ISA firewall Network and the network services segment network. The reason for this is that we have a route relationship between these two Networks. Since we have a route relationship, we have no need or ability to hide the addresses of the servers on the network services segment.
    You might be concerned that you won’t be able to leverage the ISA firewall’s deep application layer inspection application filters when using Access Rules, but the fact is that you can benefit from the application layer filters for most protocols. If you check the Protocol Definitions associated with the application filters, you’ll see that both the inbound and outbound Protocol Definitions for the protocols have the application layer inspection filters bound to them.
    Unfortunately, the DNS filter is not one of the filters that you can use for both inbound and outbound access stateful application layer inspection. Even though you can bind the DNS application layer inspection filter to the outbound DNS Protocol Definition, the filter will have no effect.
    You can test this yourself by binding the DNS application layer inspection filter to the outbound DNS protocol and then create an Access Rule from the Corpnet to the network services segment network using this DNS Protocol Definition. Then block DNS zone transfers in the Enable Intrusion Detection and DNS Attack Detection dialog box. After creating the Access Rule and configuring the DNS intrusion detection, try to perform a DNS zone transfer using the nslookup utility and issuing the ls -d <domain_name.> command. You’ll find that you can perform the zone transfers. In contrast, if you performed a DNS Server Publishing Rule, the zone transfer will fail because the DNS application layer inspection filter detected the intrusion.
    For this reason, we will create two publishing rules: one for DNS communications and another for all other intradomain communications. While we could simplify the configuration by including the DNS protocol in the intradomain communications Access Rule, we would miss out on the added protection provided by the DNS filter.
    Create the Intradomain Communications Rule
    Perform the following steps to create the intradomain communications Access Rule on the network services perimeter ISA firewall:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node in the left pane of the console.
    2. On the Firewall Policy node, click the Tasks tab in the Task Pane and click the Create New Access Rule link.
    3. On the Welcome to the New Access Rule Wizard page, enter the name of the rule in the Access Rule name text box. In this example, we’ll name the rule Intradomain Corpnet -- Internal and click Next.
    4. Select the Allow option on the Rule Action page.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
    6. Click the Add Protocols folder and then double click the following protocols:
      Microsoft CIFS (TCP)
      Microsoft CIFS (UDP)
      DNS
      Kerberos-Adm(UDP)
      Kerberos-Sec(TCP)
      Kerberos-Sec(UDP)
      LDAP
      LDAP (UDP)
      LDAP GC (Global Catalog)
      RPC (all interfaces)
      NTP (UDP)
      Ping
      Click Close in the Add Protocols dialog box.
    7. Click Next on the Protocols page.


    Figure 7
    8. On the Access Rule Sources page, click the Add button.
    9. In the Add Network Entities dialog box, double click the Corpnet entry and then click Close.
    10. Click Next on the Access Rule Sources page.
    11. Click Add on the Access Rule Destinations page.
    12. In the Add Network Entities dialog box, click the New menu and then click Computer.
    13. In the New Computer Rule Element dialog box, enter a name for the domain controller on the Internal Network (the network services segment). In this example we’ll name the Computer Object Domain Controller. Enter the IP address of the domain controller in the Computer IP Address text box. Enter an optional Description if you like. Click OK.


    Figure 8
    14. In the Add Network Entities dialog box, click the Computers folder and then double click on the Domain Controller entry. Click Close.
    15. Click Next on the Access Rule Destinations page.


    Figure 9
    16. Accept the default setting, All Users, on the User Sets page and click Next.
    17. Click Finish on the Completing the New Access Rule Wizard page.

    Create the DNS Server Publishing Rule
    The next step is to create the DNS Server Publishing Rule. Perform the following steps on the network service perimeter ISA firewall to create the DNS Server Publishing Rule:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab in the Task Pane and then click the Create a New Server Publishing Rule link.
    3. On the Welcome to the New Server Publishing Rule Wizard page, enter a name for the rule in the Server Publishing Rule name text box. In this example, we’ll name the rule Publish Domain DNS and click Next.
    4. On the Select Server page, enter the IP address of the DNS server for the domain in the Server IP address text box. In this example, the domain’s DNS server is located on the domain controller, which is at IP address 10.0.0.2. We enter this IP address into the text box and click Next.


    Figure 10
    1. On the Select Protocol page, select the DNS Server option from the Selected protocol list. Click Next.


    Figure 11
    1. On the IP Address page, put a checkmark in the checkbox next to Corpnet and click Next. There is an interesting vagary to this setting, which I’ll talk more about at the end of this section.


    Figure 12
    1. Click Finish on the Completing the New Server Publishing Rule Wizard page.

    I mentioned that there is an interesting twist to Server Publishing Rules when you have a route relationship between the source and destination ISA firewall Network. To fully appreciate the situation, let’s first examine what happens when there is a NAT relationship between the published server and the external client.
    When there is a NAT relationship between the published server and the external client, the external client reaches the published server using the IP address on the external interface of the ISA firewall configured to listen for incoming connections for that specific Server Publishing Rule. For example, if there were a NAT relationship between the published DNS server and the Corpnet, then we could choose the IP address 10.0.1.2 on the external interface of the network services perimeter ISA firewall as the listening address. Hosts that need to reach the published server would send DNS queries to the IP address used in the Server Publishing Rule listener, not the actual IP address of the published server.
    In contrast, when there is a route relationship between the source and destination ISA firewall Network, the external client reaches the published DNS server (or any other server except a Web server published using a Web Publishing Rule) using the actual IP address of the published server. So, even though we’ve created a DNS Server Publishing Rule that has a listener on the external interface of the network services perimeter ISA firewall, the external clients must use the actual IP address to reach the DNS server, which in this case is 10.0.0.2.
    Create Access Rules Controlling Outbound Access from the Network Services Segment on Perimeter ISA Firewall

    You must create Access Rules allowing new outbound connections from hosts on the network services segment to any other Network. In most cases, the only outbound connections you’ll want to allow are those that enable access to the Windows Update site or the WSUS server on the corporate network. You would also likely want to enable outbound access to public DNS servers, if your domain DNS servers are also providing Internet host name resolution.
    Exactly what you want to allow outbound from the servers on the network services segment is going to be very specific to your own implementation. In our current example, we’re only going to allow outbound DNS from the DNS server and outbound HTTP and HTTPS from all hosts on the network services segment to the Windows Update sites.
    NOTE:
    You do not need to create outbound Access Rules from the network services segment to the Corpnet ISA firewall Network to support the inbound access rules from the Corpnet ISA firewall Network to the network services segment network. The ISA firewall is a stateful packet inspection firewall and will automatically allow the responses to requests made from hosts on the Corpnet Network.
    Create the Access Rule Allowing DNS from the DNS Server to the Internet
    Perform the following steps to create the Access Rule:

    1. At the back-end ISA firewall, in the ISA firewall console expand the name of the server and then click the Firewall Policy node in the left pane of the console.
    2. Click the Create New Access Rule link on the Tasks tab in the Task Pane.
    3. In the Welcome to the New Access Rule dialog box, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule DNS to External. Click Next.
    4. On the Rule Action page, select the Allow option and click Next.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
    6. Click the Common Protocols folder and then double click the DNS entry. Click Close.
    7. Click Next on the Protocols page.
    8. On the Access Rule Sources page, click the Add button.
    9. In the Add Network Entities dialog box, click the Computers folder and double click the Domain Controller entry. Click Close.
    10. Click Next on the Access Rule Sources page.
    11. On the Access Rule Destinations page, click the Add button.
    12. In the Add Network Entities dialog box, click the Networks folder. Double click the External Network. Click Close.
    13. Click Next on the Access Rule Destinations page.
    14. On the User Sets page, accept the default entry, All Users, and click Next.
    15. Click Finish on the Completing the New Access Rule Wizard page.

    Create the Access Rule allowing Outbound Windows Update and Microsoft Reporting
    Perform the following steps to create the HTTP/HTTPS Access Rule allowing access to the Windows Update and Reporting Sites:

    1. At the back-end ISA firewall, in the ISA firewall console expand the name of the server and then click the Firewall Policy node in the left pane of the console.
    2. Click the Create New Access Rule link on the Tasks tab in the Task Pane.
    3. In the Welcome to the New Access Rule dialog box, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule Outbound to WU and MS Reporting. Click Next.
    4. On the Rule Action page, select the Allow option and click Next.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list. Click Add.
    6. Click the Common Protocols folder and then double click the HTTP and HTTPS entries. Click Close.
    7. Click Next on the Protocols page.
    8. On the Access Rule Sources page, click the Add button.
    9. In the Add Network Entities dialog box, click the Networks folder and double click the Internal entry. Click Close.
    10. Click Next on the Access Rule Sources page.
    11. On the Access Rule Destinations page, click the Add button.
    12. In the Add Network Entities dialog box, click the Domain Name Sets folder. Double click the Microsoft Error Reporting sites and System Policy Allowed Sites entries. Click Close.
    13. Click Next on the Access Rule Destinations page.
    14. On the User Sets page, accept the default entry, All Users, and click Next.
    15. Click Finish on the Completing the New Access Rule Wizard page.
    16. Click Apply to save the changes and update the firewall policy.
    17. Click OK in the Apply New Configuration dialog box.

    Your firewall policy should look like the figure below.

    Figure 13
    Summary

    In this part 2 of our article series on creating a network services segment protected by a perimeter ISA firewall, we began the process by configuring the network services perimeter ISA firewall. Procedures included creating the ISA firewall Network defining the corporate network, creating a Network Rule that sets a route relationship between the network services segment and the corporate network, and creating a number of Access Rules and a Server Publishing Rule to allow communications inbound and outbound to and from the network services segment. In the next part of this article series we will complete the firewall policy on the network services perimeter ISA firewall.







    ARM thanked this post.
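    The policy built in Part 2 above, as an added example that is not part of the original article or of ISA Server itself: a short Python model of the perimeter firewall’s first-match rule processing, run over constructed sample connections. It encodes the rules created in this part (the intradomain Access Rule, with the protocol list as it appears in Table 2 of Part 3, Publish Domain DNS, DNS to External and Outbound to WU and MS Reporting) together with the route-versus-NAT difference explained after the DNS Server Publishing Rule: under NAT a client targets the listener address on the firewall’s external interface, under a route relationship it must target the server’s real address. The Domain Name Set members, the Corpnet client 10.0.1.50, the segment host 10.0.0.5 and the 203.0.113.0/24 Internet hosts are assumptions made for the example.

```python
"""Added example, not ISA Server code: simplified first-match model of the
Part 2 policy on the network services perimeter ISA firewall. Rules are
checked in order, the first match wins and the hidden default rule denies
the rest. Addresses follow the article (DC/DNS 10.0.0.2, firewall external
interface 10.0.1.2); other hosts and the Domain Name Set members are assumed.
"""
from dataclasses import dataclass
from fnmatch import fnmatch
from ipaddress import ip_address, ip_network

NETWORKS = {
    "Internal": ip_network("10.0.0.0/24"),  # network services segment
    "Corpnet": ip_network("10.0.1.0/24"),   # corporate network
}
EXTERNAL_IF = "10.0.1.2"  # perimeter firewall's external interface

# Assumed (illustrative) members of the two built-in Domain Name Sets.
DOMAIN_SETS = {
    "System Policy Allowed Sites": ("*.windowsupdate.com", "*.microsoft.com"),
    "Microsoft Error Reporting sites": ("*.watson.microsoft.com",),
}

def network_of(ip):
    """ISA Network an address belongs to; anything unlisted is External."""
    addr = ip_address(ip)
    for name, net in NETWORKS.items():
        if addr in net:
            return name
    return "External"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str         # address the client actually connects to
    protocol: str    # ISA protocol definition name
    fqdn: str = ""   # requested host name, HTTP/HTTPS only

def entity_matches(entities, ip, fqdn=""):
    """Network names, Computer objects (literal IPs) and Domain Name Sets."""
    def hit(e):
        if e in NETWORKS or e == "External":
            return network_of(ip) == e
        if e in DOMAIN_SETS:
            return any(fnmatch(fqdn.lower(), p) for p in DOMAIN_SETS[e])
        return e == ip
    return any(hit(e) for e in entities)

@dataclass(frozen=True)
class AccessRule:
    name: str
    protocols: frozenset
    sources: frozenset
    destinations: frozenset

    def matches(self, f):
        return (f.protocol in self.protocols and entity_matches(self.sources, f.src)
                and entity_matches(self.destinations, f.dst, f.fqdn))

@dataclass(frozen=True)
class ServerPublishingRule:
    name: str
    protocol: str
    server_ip: str
    listener_network: str
    relationship: str  # "route" or "NAT" between listener network and Internal

    def matches(self, f):
        if f.protocol != self.protocol or network_of(f.src) != self.listener_network:
            return False
        # NAT: clients connect to the listener on the external interface.
        # Route: the firewall intercepts traffic sent to the real server address.
        target = EXTERNAL_IF if self.relationship == "NAT" else self.server_ip
        return f.dst == target

def evaluate(policy, flow):
    """Return (action, rule name) for the first rule matching the flow."""
    for rule in policy:
        if rule.matches(flow):
            return ("Allow", rule.name)
    return ("Deny", "Default rule")

def part2_policy(relationship="route"):
    """The rules Part 2 creates; intradomain protocol list as in Table 2 of Part 3."""
    intradomain = frozenset({"Kerberos-Adm (UDP)", "Kerberos-Sec (TCP)", "Kerberos-Sec (UDP)",
                             "LDAP", "LDAP (UDP)", "LDAP GC (Global Catalog)", "Microsoft CIFS (TCP)",
                             "Microsoft CIFS (UDP)", "NTP (UDP)", "Ping", "RPC (all interfaces)"})
    return [
        AccessRule("Intradomain Corpnet - Internal", intradomain, frozenset({"Corpnet"}), frozenset({"10.0.0.2"})),
        ServerPublishingRule("Publish Domain DNS", "DNS Server", "10.0.0.2", "Corpnet", relationship),
        AccessRule("DNS to External", frozenset({"DNS"}), frozenset({"10.0.0.2"}), frozenset({"External"})),
        AccessRule("Outbound to WU and MS Reporting", frozenset({"HTTP", "HTTPS"}), frozenset({"Internal"}),
                   frozenset({"System Policy Allowed Sites", "Microsoft Error Reporting sites"})),
    ]

if __name__ == "__main__":  # constructed sample flows
    for rel, f in [("route", Flow("10.0.1.50", "10.0.0.2", "DNS Server")),
                   ("route", Flow("10.0.1.50", "10.0.1.2", "DNS Server")),
                   ("NAT", Flow("10.0.1.50", "10.0.1.2", "DNS Server")),
                   ("route", Flow("10.0.0.5", "203.0.113.10", "HTTP", "example.com"))]:
        print(rel, f, evaluate(part2_policy(rel), f))
```

    Run it and a DNS query from Corpnet to the listener address 10.0.1.2 is denied under the route relationship but allowed under NAT, while a query to 10.0.0.2 behaves the opposite way; that is the twist to keep in mind when Corpnet hosts are told where to send DNS queries. The same model shows that only the domain controller may resolve names on the Internet and that outbound HTTP from the segment reaches nothing outside the two Domain Name Sets.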

  3. #3
    Code:
    http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part3.html

    Part 3: Creating Services Access Rules and Joining Machines to the Domain


    Create the Network Services Access Rules Enabling Corpnet Clients Access to Network Services (OWA, SMTP, POP3, IMAP4, File Shares)

    Now we’re ready to create Publishing Rules and Access Rules that allow hosts on both the Corpnet ISA firewall Network and external clients on the Internet to access Exchange Server and File server resources on the network services segment. Hosts on the Corpnet ISA firewall Network will be able to connect to Exchange Server and file server resources by going through the network services segment perimeter ISA firewall. Hosts on the Internet will need to traverse both the edge ISA firewall and the network services segment perimeter ISA firewall. Later we will create the rules on the Edge ISA firewall to enable access to network services perimeter resources.
    In this section we will do the following:

    • Create an OWA Publishing Rule on the network services perimeter ISA firewall
    • Create SMTP, POP3 and IMAP4 Server Publishing Rules
    • Create an Access Rule allowing access to file shares on the file server

    In the scenario discussed in this series on creating network services segments using ISA firewalls, I will assume that you have already deployed your certificate infrastructure and have already requested the appropriate Web site certificates to support SSL/TLS connections to the Exchange Server’s e-mail services.
    If you haven’t done this and are not sure how to start, I highly recommend the ISA Server 2004/Exchange Server deployment kit documents I created for Microsoft over at http://download.microsoft.com/downlo...v%201%2005.doc (note that this is a single very large document; if you need an individual Word file that applies to your network configuration from one of the chapters in the deployment kit doc, then write to me at tshinder@isaserver.org and I’ll send you the separate doc).
    In the scenario used in this article series, we’ve bound certificates to the OWA Web site, the SMTP site, the POP3 site and the IMAP4 site on the Exchange Server on the network services segment. Table 1 shows the common/subject names on the certificates bound to each site.

    Exchange Server service | Common/subject name on Web site certificate
    ------------------------+--------------------------------------------
    OWA                     | owa.msfirewall.org
    SMTP                    | mail.msfirewall.org
    POP3                    | pop3.msfirewall.org
    IMAP4                   | imap4.msfirewall.org
    Table 1: Common names bound to Exchange Server services
    In the following sections we will create Access Rules, Web Publishing Rules and Server Publishing Rules with the characteristics listed in table 2.
    Order | Name | Action | Protocols | From/Listener | To | Condition
    ------+------+--------+-----------+---------------+----+----------
    1  | Exchange Server IMAPS Server | Allow | IMAPS Server | Corpnet | 10.0.0.2 | N/A
    2  | Exchange Server POP3S Server | Allow | POP3S Server | Corpnet | 10.0.0.2 | N/A
    3  | Exchange Server SMTP Server  | Allow | SMTP Server  | Corpnet | 10.0.0.2 | N/A
    4  | Exchange Server IMAP4 Server | Allow | IMAP4 Server | Corpnet | 10.0.0.2 | N/A
    5  | Exchange Server POP3 Server  | Allow | POP3 Server  | Corpnet | 10.0.0.2 | N/A
    6  | Exchange Server SMTPS Server | Allow | SMTPS Server | Corpnet | 10.0.0.2 | N/A
    7  | Publish OWA | Allow | HTTPS | OWA Listener | owa.msfirewall.org | All Authenticated Users
    8  | Publish DNS | Allow | DNS Server | Corpnet | 10.0.0.2 | N/A
    9  | DNS to External | Allow | DNS | Domain Controller | External | All Users
    10 | Outbound WU and MS Reporting | Allow | HTTP, HTTPS | Internal | Microsoft Error Reporting Sites, System Policy Allowed Sites | All Users
    11 | Intradomain Corpnet – Internal | Allow | Kerberos-Adm (UDP), Kerberos-Sec (TCP), Kerberos-Sec (UDP), LDAP, LDAP (UDP), LDAP GC (Global Catalog), Microsoft CIFS (TCP), Microsoft CIFS (UDP), NTP (UDP), Ping, RPC (all interfaces) | Corpnet | Domain Controller | All Users
    12 | File Server Access | Allow | Microsoft CIFS (TCP), Microsoft CIFS (UDP) | Corpnet | File Server 1 | All Users
    Table 2: Resulting Firewall Policy on the network services perimeter ISA firewall
    To simplify the configuration, we’ll leverage the ISA firewall’s Mail Server Publishing Wizard to create multiple publishing rules simultaneously.
    Create an OWA Publishing Rule on the Network Services Perimeter ISA Firewall

    Perform the following steps on the network services perimeter ISA firewall to create the Web Publishing Rule that publishes the OWA Web site:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab in the Task Pane and then click the Publish a Mail Server link.
    3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we’ll name the rule Publish OWA and click Next.
    4. On the Select Access Type page, select the Web client access: Outlook Web Access (OWA), Outlook Mobile Access, Exchange Server ActiveSync option and click Next.
    5. On the Select Services page, select the Outlook Web Access checkbox and click Next.


    Figure 1
    1. On the Bridging Mode page, select the Secure connection to clients and mail server option. This enables SSL to SSL bridging. Click Next.


    Figure 2
    1. On the Specify the Web Mail Server page, enter the name on the Web site certificate bound to the OWA Web site. In this example, the name is owa.msfirewall.org. Keep in mind that the ISA firewall will need to resolve this name to the actual IP address of the OWA site on the network services segment. You can do this with a hosts file entry on the ISA firewall, or setup a split DNS infrastructure.
      The split DNS infrastructure might be challenging in this scenario, because as you’ll see later, we would need to create a triple split DNS to support name resolution for the ISA firewall itself, for hosts on the corporate network, and for hosts located on the Internet. While putting together a well-designed split DNS infrastructure is fairly simple, some network admins have misconceptions that it's either insecure or difficult to manage. Both misconceptions are patently incorrect and you should not fall prey to them. We will create the HOSTS file entry on the network services perimeter ISA firewall after we’ve created all the publishing and Access Rules. Click Next.


    Figure 3
    1. On the Public Name Details page, select the This domain name (type below) in the Accept requests for list. Enter the common/subject name on the Web site certificate that will be bound to the Web listener for this Web Publishing Rule. In this example, we have exported the Web site certificate bound to the OWA Web site and imported it into the machine certificate store on the ISA firewall. Because this is the same certificate, it has the same common/subject name. Therefore, we enter owa.msfirewall.org in the Public name text box. Click Next.


    Figure 4
    1. On the Select Web Listener page, click the New button.
    2. On the Welcome to the New Web Listener Wizard page, enter a name for the listener in the Web listener name text box. In this example we’ll name the Web listener OWA Listener. Click Next.
    3. On the IP Addresses page, put a checkmark in the Corpnet checkbox and click Next.
    4. On the Port Specification page, remove the checkmark from the Enable HTTP checkbox and put a checkmark in the Enable SSL checkbox. Click the Select button.
    5. Select the OWA Web site certificate from the list in the Select Certificate dialog box and click OK.


    Figure 5
    1. Click Next on the Port Specification page.
    2. Click Finish on the Completing the New Web Listener page.
    3. On the Select Web Listener page, click the Edit button.
    4. On the OWA Listener Properties dialog box, click the Preferences tab.
    5. On the Preferences tab, click the Authentication button.
    6. In the Authentication dialog box, remove the checkmark from the Integrated checkbox. Click OK in the dialog box informing you that you don’t have any authentication methods configured. Put a checkmark in the OWA Forms-based checkbox. Put a checkmark in the Require all users to authenticate checkbox. Click OK.


    Figure 6
    1. Click OK in the OWA Listener Properties dialog box.
    2. Click Next on the Select Web Listener page.


    Figure 7
    1. On the User Sets page, click the All Users entry and click Remove. Click the Add button.
    2. In the Add Users dialog box, double click the All Authenticated Users entry and click Close.
    3. Click Next on the User Sets page.
    4. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.

    Your firewall policy should look like that seen in the figure below.

    Figure 8
    Create SMTP, POP3 and IMAP4 Server Publishing Rules

    The next step is to create the Server Publishing Rules that publish the rest of the Exchange Server services. These include Server Publishing Rules for Secure Exchange RPC, SMTP, POP3 and IMAP4. We have the option to create these rules separately or create them all at once by using the Mail Server Publishing Wizard. We’ll use the latter option to simplify things.
    You might notice that we’re not going to create a secure Exchange RPC Server Publishing Rule in this example. The reason for this is related to two factors:

    • We’re using a route relationship between the Corpnet ISA firewall Network and the network services segment (the perimeter ISA firewall’s default Internal Network)
    • The intradomain communications Access Rule is configured to allow inbound TCP 135 communications (the RPC (all interfaces) Protocol Definition)

    Because we are using a Route relationship instead of a NAT relationship between the source and destination Network, we can’t bind a specific IP address to the listener used in the Server Publishing Rule. When you use a Route relationship, the Server Publishing Rule listens on all addresses bound to the external interface using a feature known internally as port stealing. Because both the Secure Exchange RPC server Server Publishing Rule and the RPC (all interfaces) component of the intradomain communications Access Rule are listening for similar communications, we end up with a conflict that prevents Outlook MAPI clients from connecting to Directory services.
    If there were a NAT relationship between the Corpnet and the network services segment, we could bind multiple IP addresses to the external interface of the network services perimeter ISA firewall. Then we could create two rules: one for Secure Exchange RPC publishing and the other for RPC (all interfaces) and use a different listening address for each of the rules. Machines on the Corpnet ISA firewall Network then connect to Secure Exchange RPC services or RPC (all interfaces) services using the IP address used for their respective rule’s listener. This works because connections are made to the IP addresses on the ISA firewall’s external interface when you have a NAT relationship between the network services segment and the Corpnet ISA firewall Network.
    It doesn’t work when there is a Route relationship between the network services segment and the Corpnet ISA firewall Network because hosts on the Corpnet ISA firewall Network connect to the Exchange server using the actual IP address of the Exchange Server. Since the hosts are connecting to the IP address of the Exchange Server itself and not an IP address on the external interface of the ISA firewall, the ISA firewall’s port stealing mechanism must listen and intercept RPC communications on all IP address of the external interface. This breaks the granularity required to allow both a Secure Exchange RPC Server Publishing Rule and a RPC (all interfaces) Access Rule on the same ISA firewall when there is a Route relationship between the source and destination ISA firewall Networks.
    You can confirm this by creating a secure Exchange RPC Server Publishing Rule in the scenario used in this article series. Then attempt to make a connection to the Exchange Server from the full Outlook MAPI client using RPC (don’t use RPC/HTTP, since the inbound connection is HTTP, so the ISA firewall doesn’t see the RPC communications tunneled in the HTTP header). You’ll find that the connection seems to establish successfully, but if you open the Connection Status window in Outlook 2003, you’ll find that the RPC connections are successful only to the Exchange Server’s Mail Services. No connection is established to Directory Services.
    Create Server Publishing Rules for POP3, IMAP4 and SMTP
    Perform the following steps to create the Server Publishing Rules on the network services perimeter ISA firewall:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click the Publish a Mail Server link.
    3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we’ll name the rule Exchange Server and click Next.
    4. On the Select Access Type page, select the Client access: RPC, IMAP, POP3, SMTP option and click Next.


    Figure 9
    1. On the Select Services page, put a checkmark in each of the checkboxes. This will allow us to connect to the Exchange Server on the network services segment through the network services perimeter ISA firewall for all the services listed on this page (with the exception of the Exchange Server’s NNTP service; we could create a separate rule for that if required). Note the comment on the page regarding the SMTP Message Screener. We will not deploy the message screener in this example, but you might want to consider it in your own deployment. You can install the SMTP Message Screener on the ISA firewall to filter both inbound and outbound mail. Even though the SMTP Message Screener won’t be enabled, the SMTP filter is enabled and will protect SMTP communications moving through the network services perimeter ISA firewall. Click Next.


    Figure 10
    1. On the Select Server page, enter the IP address of the Exchange Server in the Server IP address text box. In this example, the Exchange Server’s IP address is 10.0.0.2, so we enter that value. Click Next.
    2. On the IP Addresses page, put a checkmark in the Corpnet checkbox. Click Next.
    3. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.

    Your Firewall Policy should appear similar to that in the figure below. Note that the Mail Server Publishing Rule Wizard added seven new Server Publishing Rules. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

    Figure 11
    Create an Access Rule Allowing Access to File Shares on the File Server

    Now we can create the Access Rule allowing connections to file shares on the file server on the network services segment. We can enable either NetBIOS protocols or Direct Hosting (TCP 445). In this example we’ll enable only Direct Hosting, which is more efficient than NetBIOS protocols.
    Perform the following steps to create the Direct Hosting Access Rule:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab in the Task Pane and then click the Create New Access Rule link.
    3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example, we’ll name the rule Publish File Server. Click Next.
    4. Select the Allow option on the Rule Action page and click Next.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list and then click Add.
    6. In the Add Protocols dialog box, click the All Protocols folder and then double click the Microsoft CIFS (TCP) and Microsoft CIFS (UDP) protocols. Click Close.


    Figure 12
    1. Click Next on the Protocols page.
    2. Click Add on the Access Rule Sources page.
    3. In the Add Network Entities dialog box, click the Networks folder and then double click the Corpnet entry. Click Close.


    Figure 13
    1. Click Next on the Access Rule Sources page.
    2. Click Add on the Access Rule Destinations page.
    3. In the Add Network Entities dialog box, click the New menu and then click Computer.
    4. In the New Computer Rule Element dialog box, enter a name for the file server in the Name text box. In this example, we’ll name it File Server 1. Enter the IP address of the file server located in the network services segment in the Computer IP Address text box. Enter an optional description if you like. Click OK.


    Figure 14
    1. Click the Computers folder in the Add Network Entities dialog box and double click the File Server 1 entry and click Close.
    2. Click Next on the Access Rule Destinations page.
    3. Click Next on the User Sets page.
    4. Click Finish on the Completing the New Access Rule Wizard page.

    Your firewall policy should look like that in the figure below.

    Figure 15
    Summary

    In this article we finished up the configuration of the network services perimeter ISA firewall. We used the Mail Server Publishing Wizard to create a Web Publishing Rule for OWA and Server Publishing Rules allowing connections to the Exchange Server’s SMTP, POP3 and IMAP4 services. No Server Publishing Rule was created to allow access to the Exchange Server’s secure RPC services because of an issue related to the intradomain communications rule. In part 4 of this series, we will move our attention to configuring the edge network ISA firewall and hosts on the Corpnet ISA firewall Network.








    ARM thanked this post.
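    The listener conflict described above under “Create SMTP, POP3 and IMAP4 Server Publishing Rules”, as an added example that is not part of the original article or of ISA Server itself: a small Python model of which external-interface addresses each inbound rule claims under a NAT versus a route relationship, with a check that flags two rules wanting the same port on overlapping addresses. Rule names follow Table 2; the port numbers are the standard ones for the ISA protocol definitions named, with TCP 135 shared by secure Exchange RPC publishing and RPC (all interfaces). The second external address 10.0.1.3 used for the NAT variant is an assumption, since the article configures only 10.0.1.2.

```python
"""Added example, not ISA Server code: model of the port-stealing conflict the
article uses to explain why no secure Exchange RPC Server Publishing Rule is
created. Under NAT a rule listens on the one external address chosen for it;
under a route relationship clients address the published server itself, so
the firewall must intercept ("steal") the port on every external-interface
address, and two rules that want the same port collide. Port numbers are the
standard ones for the ISA protocol definitions named; 10.0.1.3 is an assumed
second external address for the NAT variant.
"""
from dataclasses import dataclass
from itertools import combinations

EXTERNAL_IF_ADDRESSES = frozenset({"10.0.1.2", "10.0.1.3"})

@dataclass(frozen=True)
class PublishedPort:
    rule: str
    protocol: str        # "TCP" or "UDP"
    port: int
    listen_address: str  # address picked in the rule; only used under NAT

@dataclass(frozen=True)
class Listener:
    rule: str
    protocol: str
    port: int
    addresses: frozenset

@dataclass(frozen=True)
class Conflict:
    rules: tuple
    protocol: str
    port: int
    addresses: frozenset

# Inbound ports from the Part 3 policy, plus the secure Exchange RPC rule the
# article deliberately omits and the RPC (all interfaces) part of the
# intradomain Access Rule. Both of the last two are TCP 135.
PART3_RULES = (
    PublishedPort("Exchange Server SMTP Server", "TCP", 25, "10.0.1.2"),
    PublishedPort("Exchange Server POP3 Server", "TCP", 110, "10.0.1.2"),
    PublishedPort("Exchange Server IMAP4 Server", "TCP", 143, "10.0.1.2"),
    PublishedPort("Exchange Server SMTPS Server", "TCP", 465, "10.0.1.2"),
    PublishedPort("Exchange Server IMAPS Server", "TCP", 993, "10.0.1.2"),
    PublishedPort("Exchange Server POP3S Server", "TCP", 995, "10.0.1.2"),
    PublishedPort("Exchange Server RPC Server", "TCP", 135, "10.0.1.2"),
    PublishedPort("Intradomain: RPC (all interfaces)", "TCP", 135, "10.0.1.3"),
)

def listeners_for(rules, relationship):
    """Where each rule makes the firewall listen, given the Network relationship."""
    if relationship not in ("NAT", "route"):
        raise ValueError(relationship)
    return [
        Listener(r.rule, r.protocol, r.port,
                 frozenset({r.listen_address}) if relationship == "NAT"
                 else EXTERNAL_IF_ADDRESSES)  # port stealing: every address
        for r in rules
    ]

def find_conflicts(listeners):
    """Pairs of rules claiming the same protocol/port on overlapping addresses."""
    found = []
    for a, b in combinations(listeners, 2):
        shared = a.addresses & b.addresses
        if a.protocol == b.protocol and a.port == b.port and shared:
            found.append(Conflict((a.rule, b.rule), a.protocol, a.port, shared))
    return found

def report(relationship, rules=PART3_RULES):
    """Human-readable summary of the conflicts for one relationship type."""
    conflicts = find_conflicts(listeners_for(rules, relationship))
    lines = [f"{relationship} relationship: {len(conflicts)} conflict(s)"]
    for c in conflicts:
        lines.append(f"  {c.protocol}/{c.port} on {sorted(c.addresses)}: " + " vs ".join(c.rules))
    return "\n".join(lines)

if __name__ == "__main__":
    print(report("route"))  # TCP/135 claimed twice on every external address
    print(report("NAT"))    # distinct listener addresses: no conflict
```

    With the route relationship the two TCP 135 rules claim the same addresses and the check reports one conflict; with NAT and separate listener addresses it reports none, which is exactly the workaround the article says is unavailable in this design. The mail protocols never collide in either case because each uses its own port.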

  4. #4
    Code:
    http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part4.html

    Part 4: Configuring the Edge ISA Firewall


    In the first three parts of this series on configuring a network services segment behind an ISA firewall, we began by going over concepts and considerations in creating perimeter networks. In part 2, we discussed the initial configuration of the network services perimeter ISA firewall. In part 3 we continued configuring the network services perimeter ISA firewall by adding Web Publishing Rules, Server Publishing Rules and Access Rules. In this, part 4 of the series, we’ll move our attention to the edge ISA firewall. In this article we’ll perform the following procedures on the edge ISA firewall:

    • Configure the Default Internal Network and Create a Routing Table Entry on the Edge ISA Firewall
    • Join the Front-end ISA Firewall to the Active Directory Domain
    • Create Access Rules on the Edge ISA Firewall Controlling Outbound Access from Corpnet Hosts and Hosts on the Network Services Segment
    • Create Publishing Rules on the Edge ISA Firewall to Allow Inbound Connections to the Exchange Server Mail Services

    As a reminder, the figure below provides a high level view of the sample network used in this article series.

    Figure A
    Configure the Default Internal Network on the Edge ISA Firewall

    When the edge ISA firewall was installed, it took its definition of the default Internal Network from the routing table on the edge ISA firewall device. The routing table entries indicated to the ISA firewall installer that the addresses 10.0.1.0-10.0.1.255 should be included in the definition of its default Internal Network. This is a correct configuration if the only network behind the edge ISA firewall was on network ID 10.0.1.0/24. However, in our scenario this is an incorrect configuration and will cause problems with access controls on connections to and from the network services segment through the edge ISA firewall.
    The reason for the problem with the initial settings for the default Internal Network on edge ISA firewall is that there is a Route relationship between the Corpnet ISA firewall Network (which is the edge ISA firewall’s default Internal Network) and the default Internal Network behind the network services segment ISA firewall. Because there is a route relationship, connections from SecureNAT clients located behind the network services perimeter ISA firewall will reach the edge ISA firewall with their original client IP address included as the source address (note that this is not the case with proxied connections by Winsock [Firewall] and Web proxy clients). If we leave the edge ISA firewall’s default Internal Network definition as it is now, then connections from SecureNAT clients located behind the network services perimeter ISA firewall will be detected as spoofed packets.
    ISA firewall Networks are used to determine the validity of connections reaching the interface that is the “root” of a particular ISA firewall Network. For the edge ISA firewall, the root of its default Internal Network is the internal interface which is on network ID 10.0.1.0/24. Any connections with a source IP address on that network ID are seen as valid.
    However, if a connection with a source IP address that is not part of the edge ISA firewall’s default Internal Network’s definition is made through the interface that is the root of the edge ISA firewall’s default Internal Network (which is the internal interface of the edge ISA firewall), then the connection is dropped as a spoof attempt. The ISA firewall assumes that it’s not possible for an interface to accept a connection from a host on an ISA firewall Network that isn’t the same as that for which the interface is root.
    Note:
    I’m using the term “root” to represent a point of exit and departure. The term “root” does not imply that the NIC’s IP address or network ID defines what network IDs or subnets can be placed behind a NIC. You can put contiguous or discontinuous network IDs behind any NIC. The only requirements are that all IP addresses located behind any NIC on the ISA firewall must be included in the ISA firewall Network for which that NIC is “root” and that no other ISA firewall Network includes the same addresses.
    We can easily solve this problem by adding the IP addresses included in the network services perimeter ISA firewall’s default Internal Network (which is the network services segment) to the definition of the edge ISA firewall’s default Internal Network definition.
    Add IP Addresses of the Network Services Perimeter Segment to the Front-End ISA Firewall’s Default Internal Network
    Perform the following steps to add the IP addresses of the network services perimeter ISA firewall’s default Internal Network to the definition of the front-end ISA firewall’s default Internal Network:

    1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click on the Networks node.
    2. On the Networks node, click the Networks tab in the details pane, then double click the Internal Network.
    3. In the Internal Properties dialog box, click the Addresses tab.
    4. On the Addresses tab, click the Add button.
    5. In the IP Address Range Properties dialog box, enter the Starting address and the Ending address in the text boxes. In this example we’ll enter 10.0.0.0 and 10.0.0.255, respectively. Click OK.


    Figure 1
    1. Click OK in the Internal Properties dialog box


    Figure 2
    IP addressing information for hosts on the Corpnet is determined by your requirements. The most secure configuration is to not provide users with a default gateway address that provides a route to the Internet. This forces all users to use the Firewall client and Web proxy configuration, which can be used to enforce strong user/group-based access controls, as well as block applications installed on users’ computers from accessing the Internet. This also prevents users from using applications that are neither Winsock nor Web proxy compliant, such as ICMP utilities like PING and TRACERT.
    Administrative users and servers can be configured with gateway addresses that route to the Internet. Administrators require the use of ICMP based utilities, and servers do not have logged on users, so both admins and servers require the facilities provided by the SecureNAT client configuration.
    Create a Routing Table Entry on the Edge ISA Firewall

    A routing table entry must be configured on the edge ISA firewall so that it knows the path to take to reach the network services segment. The ISA firewall should always be configured with routing table entries for all network IDs that can’t be reached using the default gateway. In practice, this usually means that, except for Internet addresses, there should be a routing table entry on the ISA firewall for all network IDs on your corporate network.
    Note that if your ISA firewall is configured with a default gateway pointing to a LAN router, and all network IDs are reachable from that router, then there’s no reason to enter all network IDs in the ISA firewall’s routing table, since the LAN router is doing the router duties.
    At the edge ISA firewall, open a command prompt and enter the following:
    route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2
    Where 10.0.0.0 is the network ID for the network services segment behind the network service perimeter ISA firewall, 255.255.255.0 is the subnet mask for that network ID, and 10.0.1.2 is the IP address on the external interface of the back-end ISA firewall.
    The figure below shows an example of configuring the routing table entry.

    Figure 3
    Join the Edge ISA Firewall to the Domain

    The edge ISA firewall should be a member of the domain so that you can fully leverage both the Firewall and Web proxy client configuration. While you can use RADIUS authentication for Web proxy clients, there are significant limitations to RADIUS authentication in both the logging and management realms. For this reason, I recommend that you avoid RADIUS authentication if at all possible. In addition, you must make the edge ISA firewall a domain member if you want to fully leverage the enhanced security and flexibility provided by the Firewall client.
    The edge ISA firewall will be able to use the intradomain communications Access Rule created on the network services perimeter ISA firewall to access the domain controller. The edge ISA firewall is configured to use the DNS server on the network services segment and the DNS server on the network services segment is configured to support name resolution within the network and also for Internet host names.
    Create Access Rules on the Edge ISA Firewall Controlling Outbound Access from Corpnet Hosts and Hosts on the Network Services Segment

    Firewall policy on the edge ISA firewall will be highly customized based on your own network’s security requirements. You will need to decide, together with your network security team, who should have access to which sites at what times of day. Firewall policy is definitely something where one size does not fit all.
    In the example provided by our sample network configuration, all hosts on the Corpnet ISA firewall Network are configured as Firewall and Web proxy clients and are not configured as SecureNAT clients. The only exception is for administrator workstations, since network administrators will need access to non-Winsock protocols and utilities, such as PING and TRACERT.
    We will create the following Access Rules:

    • An Access Rule allowing the DC on the network services segment access to DNS outbound
    • An Access Rule allowing all authenticated users outbound access to all protocols. Note that in a production environment, you would create more granular access controls and create ISA firewall Groups that allow users to access only the content they require to get their jobs done
    • An Access Rule allowing the servers on the network services segment access to the Windows reporting and Microsoft Update sites. We need this rule because the servers on the network services segment do not have logged on users, so we will not be able to leverage the Firewall client to force authentication from server connections.

    Table 1 shows the salient characteristics of these Access Rules.
    Table 1: Access Rules on the edge ISA Firewall

    Order | Name | Action | Protocols | From/Listener | To | Condition
    1 | MU and Error Reporting – Servers | Allow | HTTP, HTTPS | Network Service Segment | Microsoft Error Reporting Sites, System Policy Allowed Sites | All Users
    2 | Outbound DNS for DNS Server | Allow | DNS | DNS Server* | External | All Users
    3 | All Open – Authenticated | Allow | All Outbound Traffic | Internal | External | All Authenticated Users
    * Note discussion below on the From configuration for this Access Rule
    Create the Outbound DNS for DNS Server Access Rule
    Perform the following steps to create the Access Rule allowing the domain controller on the network services segment outbound access to the DNS protocol:

    1. On the edge ISA firewall, open the ISA firewall console and click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click Create New Access Rule
    3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule Outbound DNS for DNS Server and click Next.
    4. Select the Allow option on the Rule Action page. Click Next.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
    6. In the Add Protocols dialog box, click the Common Protocols folder and double click on the DNS entry. Click Close.
    7. Click Next on the Protocols page.
    8. On the Access Rule Sources page, click the Add button.
    9. In the Add Network Entities dialog box, click the New menu and click Computer.
    10. In the New Computer Rule Element dialog box, enter a name for the computer in the Name text box. In this example we’ll name the computer DNS Server. Enter the IP address of the external interface of the network services segment perimeter ISA firewall. We use the perimeter ISA firewall’s external address because there is a NAT relationship between the perimeter ISA firewall’s default Internal Network and its default External Network: the queries the DNS server makes go to Internet-based DNS servers, so they are NATed, and the source IP address of a NATed outbound connection is the primary IP address on the perimeter ISA firewall’s external interface. In this example that address is 10.0.1.2, so we’ll enter it. Enter an optional description if you like. Click OK.


    Figure 4
    11. In the Add Network Entities dialog box, click the Computers folder and double click the DNS Server entry. Click Close.


    Figure 5
    12. Click Next on the Access Rule Sources page.
    13. Click Add on the Access Rule Destinations page.
    14. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close.
    15. Click Next on the Access Rule Destinations page.
    16. Click Next on the User Sets page.
    17. Click Finish on the Completing the New Access Rule Wizard page.

    Create the All Open Rule for Authenticated Users
    Perform the following steps to create the outbound Access Rule allowing all authenticated users outbound access to all protocols and sites:

    1. On the edge ISA firewall, open the ISA firewall console and click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click Create New Access Rule
    3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule All Open -- Authenticated and click Next.
    4. Select the Allow option on the Rule Action page. Click Next.
    5. On the Protocols page, select the All outbound traffic option from the This rule applies to list.
    6. Click Next on the Protocols page.
    7. On the Access Rule Sources page, click the Add button.
    8. In the Add Network Entities dialog box, click the Networks folder and then double click Internal. Click Close.
    9. Click Next on the Access Rule Sources page.
    10. Click Add on the Access Rule Destinations page.
    11. In the Add Network Entities dialog box, click the Networks folder and then double click External. Click Close.
    12. Click Next on the Access Rule Destinations page.
    13. On the User Sets page, click the All Users entry and click Remove. Click Add.
    14. In the Add Users dialog box, double click on the All Authenticated Users entry and click Close.


    Figure 6
    15. Click Next on the User Sets page.
    16. Click Finish on the Completing the New Access Rule Wizard page.

    Create the Microsoft Update and Error Reporting Sites Access Rule
    Perform the following steps to create the Access Rule allowing servers on the network services segment access to the Windows Update sites and the Microsoft Error Reporting sites:

    1. On the edge ISA firewall, open the ISA firewall console and click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click Create New Access Rule
    3. On the Welcome to the New Access Rule Wizard page, enter a name for the rule in the Access Rule name text box. In this example we’ll name the rule MU and Error Reporting -- Servers and click Next.
    4. Select the Allow option on the Rule Action page. Click Next.
    5. On the Protocols page, select the Selected protocols option from the This rule applies to list and click Add.
    6. In the Add Protocols dialog box, click the Common Protocols folder and double click on the HTTP and HTTPS entries. Click Close.
    7. Click Next on the Protocols page.


    Figure 7
    8. On the Access Rule Sources page, click the Add button.
    9. In the Add Network Entities dialog box, click the New menu and click Address Range.
    10. In the New Address Range Rule Element dialog box, enter a name for the address range in the Name text box. In this example we’ll name it Network Services Segment. Enter the start and end addresses in the Start Address and End Address text boxes. Enter an optional description and then click OK.


    Figure 8
    11. In the Add Network Entities dialog box, click the Address Ranges folder and double click the Network Services Segment entry. Click Close.


    Figure 9
    12. Click Next on the Access Rule Sources page.
    13. Click Add on the Access Rule Destinations page.
    14. In the Add Network Entities dialog box, click the Domain Name Sets folder and double click Microsoft Error Reporting sites and System Policy Allowed Sites. Click Close.


    Figure 10
    15. Click Next on the Access Rule Destinations page.
    16. Click Next on the User Sets page.
    17. Click Finish on the Completing the New Access Rule Wizard page.

    Before applying the configuration to the ISA firewall’s firewall policy, make sure that the unauthenticated Access Rules (the two rules that apply to All Users) are ordered before the rule that requires authentication. The ISA firewall evaluates rules in order, and a SecureNAT client such as a server has no way to answer an authentication request; if the authenticated rule were the first match, connections from the servers would be denied at that rule instead of reaching the rules meant for them. Placing anonymous rules before authenticated rules is a good general approach to ordering firewall rules on your ISA firewall.
    Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box. Your firewall policy should look like that in the figure below.

    Figure 11
    Create Publishing Rules on the Edge ISA Firewall to Allow Inbound Connections to the Exchange Server Mail Services

    Now we’re ready to create publishing rules allowing access to Exchange Server services for users on the Internet. We’ll create Server Publishing Rules that allow access to the OWA, Secure Exchange RPC, SMTP, POP3 and IMAP4 services.
    Create an SSL Server Publishing Rule on the Edge ISA Firewall
    We begin by creating an SSL Server Publishing Rule on the front end ISA firewall. We must create a Server Publishing Rule instead of a Web Publishing Rule because the OWA form generated by the network services perimeter ISA firewall cannot deliver the log on form through a Web proxy connection on the edge ISA firewall. The SSL Server Publishing Rule will enable a secure end to end connection but will not allow the edge ISA firewall to perform stateful application layer inspection on the SSL connection moving through the edge ISA firewall.
    This is a limitation of our sample network design and should not be construed to imply that you can never use OWA FBA in a back to back ISA firewall configuration. For example, suppose you have a back to back ISA firewall configuration with a DMZ between the front-end and back-end ISA firewalls. You can use FBA on the front-end ISA firewall and configure the front-end ISA firewall’s OWA Web Publishing Rule to forward basic credentials to the back-end ISA firewall’s Web Publishing Rule. The back-end ISA firewall is configured to use basic authentication. In this case, we have single sign-on with FBA.
    Create the Network Services Perimeter Network OWA Web Publishing Rule
    Perform the following steps on the edge ISA firewall to enable inbound access to the network services perimeter ISA firewall’s OWA Web Publishing Rule:

    1. In the ISA firewall console, expand the server name and click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and then click the Publish a Secure Web Server link.
    3. On the Welcome to the SSL Web Publishing Rule Wizard page, enter a name for the rule in the SSL Web Publishing Rule name text box. In this example we’ll name the rule SSL tunnel to OWA and click Next.
    4. On the Publishing Mode page, select the SSL Tunneling option and click Next.


    Figure 12
    5. On the Select Server page, enter the IP address of the external interface of the network services perimeter ISA firewall. This is the address used by the listener on the OWA Web Publishing Rule on the network services perimeter ISA firewall. In this example the IP address is 10.0.1.2, so we’ll enter that address and click Next.


    Figure 13
    6. On the IP Addresses page, put a checkmark in the External checkbox and click Next.
    7. Click Finish on the Completing the New SSL Web Publishing Rule Wizard page.

    At this point, your firewall policy should look like that in the figure below.

    Figure 14
    Create Secure Exchange RPC, SMTP, POP3 and IMAP4 Server Publishing Rules

    The next step is to create the Server Publishing Rules on the edge ISA firewall that provide access to the Server Publishing Rules configured on the network services perimeter ISA firewall. These Server Publishing Rules enable Internet based hosts access to the Exchange Server services on the network services segment.
    Create the Mail Server Publishing Rules
    Perform the following steps to create the Server Publishing Rules on the edge ISA firewall:

    1. In the ISA firewall console, expand the server name and then click the Firewall Policy node.
    2. On the Firewall Policy node, click the Tasks tab on the Task Pane and click the Publish a Mail Server link.
    3. On the Welcome to the New Mail Server Publishing Rule Wizard page, enter a name for the rule in the Mail Server Publishing Rule name text box. In this example, we’ll name the rule Exchange Server and click Next.
    4. On the Select Access Type page, select the Client access: RPC, IMAP, POP3, SMTP option and click Next.


    Figure 15
    5. On the Select Services page, put a checkmark in each of the checkboxes. This will allow us to connect to the Exchange Server on the network services segment through the network services perimeter ISA firewall for all the services listed on this page. Note the comment on the page regarding the SMTP Message Screener. We will not deploy the message screener in this example, but you might want to consider it in your own deployment. You can install the SMTP Message Screener on the ISA firewall to filter both inbound and outbound mail. Even though the SMTP Message Screener won’t be enabled, the SMTP filter is enabled and will protect SMTP communications. Click Next.


    Figure 16
    6. On the Select Server page, enter the IP address of the Exchange Server on the network services segment in the Server IP address text box. In this example, the IP address is 10.0.0.2, so we enter that value. Click Next.
    7. On the IP Addresses page, put a checkmark in the External checkbox. Click Next.
    8. Click Finish on the Completing the New Mail Server Publishing Rule Wizard page.

    Your Firewall Policy should appear similar to that in the figure below. Note that the Mail Server Publishing Rule Wizard added seven new Server Publishing Rules. Click Apply to save the changes and update the firewall policy. Click OK in the Apply New Configuration dialog box.

    Figure 17
    There is one more thing we need to do on the edge ISA firewall to make the Server Publishing Rules work correctly. Because there is a Route relationship between the Corpnet ISA firewall Network and the network services segment, we will need to change the Server Publishing Rules on the edge ISA firewall so that the client requests appear to come from the edge ISA firewall. This allows us to use the Server Publishing Rules we created on the network services perimeter ISA firewall where the listener is listening on the Corpnet ISA firewall Network.
    Configure the Server Publishing Rules to Use the ISA Firewall’s Address as the Source IP Address
    For each of the Server Publishing Rules created by Mail Server Publishing Wizard, perform the following steps:

    1. Double click on one of the Server Publishing Rules created by the Server Publishing Rule Wizard.
    2. In the Properties dialog box for that rule, click the To tab.
    3. On the To tab, select the Request appear to come from the ISA Server computer option. Click OK.


    Figure 18
    4. Repeat the procedure for all the Server Publishing Rules created by the Mail Server Publishing Rule Wizard.
    5. Click Apply to save the changes and update the firewall policy.
    6. Click OK in the Apply New Configuration dialog box.

    Summary

    In this, part 4 of our series on creating a network services segment using an internal ISA firewall, we moved our attention to the edge ISA firewall. We created publishing rules that allow inbound access to Exchange Server services through the edge ISA firewall, so that users located on the Internet are able to reach Exchange services from any location in the world. In the next article in this series, we’ll configure hosts on the Corpnet ISA firewall Network, configure the internal DNS and configure the settings used by Firewall and Web proxy clients.
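The two edge-firewall changes made earlier in this part (adding the network services segment to the edge ISA firewall’s default Internal Network so the spoof check stops dropping its hosts, and adding the persistent static route so traffic for 10.0.0.0/24 is sent to 10.0.1.2) can be modelled together. The Python below is an added example, not code from the article or from ISA Server; it uses the article’s sample addresses, and the ISP gateway address 192.0.2.1 is constructed.

```python
"""Model of the two edge-firewall prerequisites for the network services
segment: the ISA Network definition (spoof check) and the static route.
Added example; not code from the article or from ISA Server."""
import ipaddress
from dataclasses import dataclass, field


@dataclass
class IsaNetwork:
    """An ISA firewall Network: its name, the NIC that is 'root' for it, and
    the inclusive (start, end) address ranges it contains."""
    name: str
    root_interface: str
    ranges: list = field(default_factory=list)

    def contains(self, ip):
        addr = ipaddress.IPv4Address(ip)
        return any(ipaddress.IPv4Address(s) <= addr <= ipaddress.IPv4Address(e)
                   for s, e in self.ranges)


def networks_disjoint(networks):
    """The requirement from the note on 'root': no address may belong to two
    ISA firewall Networks. Returns False on the first overlap found."""
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            for s1, e1 in a.ranges:
                for s2, e2 in b.ranges:
                    if (ipaddress.IPv4Address(s1) <= ipaddress.IPv4Address(e2)
                            and ipaddress.IPv4Address(s2) <= ipaddress.IPv4Address(e1)):
                        return False
    return True


def spoof_check(networks, ingress_interface, src_ip):
    """A packet arriving on a NIC is accepted only if its source address is
    part of the Network rooted at that NIC; otherwise it is a spoof attempt."""
    network = next(n for n in networks if n.root_interface == ingress_interface)
    return "accept" if network.contains(src_ip) else "drop (spoof)"


def next_hop(static_routes, default_gateway, dst_ip):
    """Longest-prefix match over persistent static routes, falling back to
    the default gateway (the edge firewall's route to the Internet)."""
    addr = ipaddress.IPv4Address(dst_ip)
    best = None
    for prefix, gateway in static_routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, gateway)
    return best[1] if best else default_gateway


def edge_networks(segment_added):
    """Edge firewall's default Internal Network before/after adding the
    10.0.0.0-10.0.0.255 range to it (step 5 of the procedure above)."""
    internal = IsaNetwork("Internal", "LAN", [("10.0.1.0", "10.0.1.255")])
    if segment_added:
        internal.ranges.append(("10.0.0.0", "10.0.0.255"))
    return [internal]


def edge_routes(route_added):
    """Static routes before/after 'route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2'."""
    return [("10.0.0.0/24", "10.0.1.2")] if route_added else []


ISP_GATEWAY = "192.0.2.1"  # constructed default gateway on the edge firewall's external NIC


def run():
    """Walk both changes for traffic from/to the DC at 10.0.0.2 on the LAN NIC."""
    results = {}
    for fixed in (False, True):
        results[("spoof", fixed)] = spoof_check(edge_networks(fixed), "LAN", "10.0.0.2")
        results[("route", fixed)] = next_hop(edge_routes(fixed), ISP_GATEWAY, "10.0.0.2")
    return results


if __name__ == "__main__":
    for key, value in run().items():
        print(key, "->", value)
```

Before the fix, a packet from the DC at 10.0.0.2 seen on the LAN NIC is dropped as a spoof and the edge firewall would send anything destined for 10.0.0.0/24 to its ISP gateway; after both changes the packet is accepted and the next hop is the perimeter firewall’s external address 10.0.1.2. The overlap check is the other half of the note on “root”: the same range must not also appear in a second ISA firewall Network.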
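The ordering advice given just before the publishing rules (anonymous rules before authenticated ones) can be checked against the three Access Rules in Table 1. The Python below is an added example, not code from the article and not ISA Server’s implementation; it models rules being tried in order, the first rule whose protocol, source and destination match being applied, and a rule whose condition requires authentication denying an anonymous connection (a SecureNAT client cannot authenticate) rather than letting it fall through. The network entity prefixes, the domain name set entries and the sample connections are constructed.

```python
"""Model of edge-firewall Access Rule evaluation for the three rules in
Table 1, and what happens if the authenticated rule is moved to the top.
Added example; not code from the article or from ISA Server."""
import fnmatch
import ipaddress

# Constructed stand-ins for the ISA network entities referenced in Table 1.
NETWORK_ENTITIES = {
    "Network Service Segment": ["10.0.0.0/24"],   # address range element
    "DNS Server": ["10.0.1.2/32"],                # computer element: perimeter firewall's external IP
    "Internal": ["10.0.1.0/24", "10.0.0.0/24"],   # edge default Internal Network incl. the segment
}
# Constructed sample entries; the real sets are built into ISA's system policy.
DOMAIN_NAME_SETS = {
    "Microsoft Error Reporting Sites": ["*.watson.microsoft.com"],
    "System Policy Allowed Sites": ["*.windowsupdate.com", "*.microsoft.com"],
}

RULES_AS_PUBLISHED = [
    {"name": "MU and Error Reporting - Servers", "protocols": {"HTTP", "HTTPS"},
     "from": "Network Service Segment",
     "to_sites": ["Microsoft Error Reporting Sites", "System Policy Allowed Sites"],
     "users": "All Users"},
    {"name": "Outbound DNS for DNS Server", "protocols": {"DNS"},
     "from": "DNS Server", "to_network": "External", "users": "All Users"},
    {"name": "All Open - Authenticated", "protocols": None,  # None = All Outbound Traffic
     "from": "Internal", "to_network": "External", "users": "All Authenticated Users"},
]


def in_network(entity, ip):
    """'External' is everything not in the Internal Network; others are explicit."""
    if entity == "External":
        return not in_network("Internal", ip)
    addr = ipaddress.IPv4Address(ip)
    return any(addr in ipaddress.IPv4Network(prefix) for prefix in NETWORK_ENTITIES[entity])


def matches_destination(rule, conn):
    """Domain name set destinations match on host name; network destinations on IP."""
    if "to_sites" in rule:
        return conn["host"] is not None and any(
            fnmatch.fnmatch(conn["host"], pattern)
            for name in rule["to_sites"] for pattern in DOMAIN_NAME_SETS[name])
    return in_network(rule["to_network"], conn["dst"])


def evaluate(rules, conn):
    """Return (action, rule name) for a connection; the first matching rule decides."""
    for rule in rules:
        if rule["protocols"] is not None and conn["protocol"] not in rule["protocols"]:
            continue
        if not in_network(rule["from"], conn["src"]) or not matches_destination(rule, conn):
            continue
        if rule["users"] == "All Authenticated Users" and not conn["authenticated"]:
            return ("deny", rule["name"])  # authentication required, anonymous client cannot supply it
        return ("allow", rule["name"])
    return ("deny", "Default rule")


def reordered_badly(rules):
    """The authenticated rule moved to the top: the ordering the text warns against."""
    return sorted(rules, key=lambda r: r["users"] != "All Authenticated Users")


# Constructed sample connections (documentation-range destination addresses).
CONNECTIONS = {
    "server to Microsoft Update": dict(src="10.0.0.5", dst="203.0.113.20",
                                       host="download.windowsupdate.com", protocol="HTTPS", authenticated=False),
    "DC DNS query (NATed by perimeter firewall)": dict(src="10.0.1.2", dst="198.51.100.53",
                                                       host=None, protocol="DNS", authenticated=False),
    "Firewall client user browsing": dict(src="10.0.1.50", dst="203.0.113.10",
                                          host="www.example.net", protocol="HTTP", authenticated=True),
    "SecureNAT user browsing": dict(src="10.0.1.50", dst="203.0.113.10",
                                    host="www.example.net", protocol="HTTP", authenticated=False),
    "server to arbitrary site": dict(src="10.0.0.5", dst="203.0.113.10",
                                     host="www.example.net", protocol="HTTPS", authenticated=False),
}


def run():
    """Each connection evaluated against the published order and the bad order."""
    bad = reordered_badly(RULES_AS_PUBLISHED)
    return {label: (evaluate(RULES_AS_PUBLISHED, c), evaluate(bad, c))
            for label, c in CONNECTIONS.items()}


if __name__ == "__main__":
    for label, (published, bad) in run().items():
        print(f"{label}: published order -> {published}, authenticated rule first -> {bad}")
```

With the published order the server reaches Microsoft Update and the DC’s NATed DNS query is allowed, while a server connecting anywhere else, or a SecureNAT user browsing, is denied. With the authenticated rule moved to the top, both the server’s update traffic and the DNS query are denied by that rule before the rules written for them are ever consulted.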




  5. #5
    Real name: 1234
    Retired moderator
    Joined: Jul 2009
    Location: 5678
    Posts: 5,634
    Thanked: 2513
    Thanks given: 272
    Code:
    http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part5.html

    Part 5: Configuring the Clients and DNS Infrastructure


    In the first four parts of this series on creating a network services segment using ISA firewalls, we discussed general DMZ and perimeter segment networking principles and design concepts, configuration of the network services segment ISA firewall, and routing principles and procedures required to make our solution work. We also configured the edge ISA firewall so that users on the Corpnet ISA firewall Network could gain access to Internet resources and external users could access Exchange Server resources located on the network services segment.
    In this, part 5 of the article series, we’ll focus on the network client systems. We perform the following procedures in this article:

    • Create a Routing Table Entry on the Network Clients (only required if there are no LAN routers installed)
    • Join the Network Clients to the Domain
    • Create DNS Entries in the Domain DNS, Including WPAD Entries
    • Configure the Firewall Client Settings on the Edge ISA Firewall (including Web Proxy Client Configuration)
    • Install the Firewall Client Share on the Network Services Segment File Server
    • Install the Firewall Client on the Network Clients
    • Connect the Corporate Network Clients to Resources on the Network Services Segment and the Internet


    Create a Routing Table Entry on the Network Clients (only required if there are no LAN routers installed)

    Clients on the Corpnet ISA firewall Network need to know the route to the network services segment. As discussed in part 1 of this article series, you have two options: use LAN routers that contain the appropriate routing table entries to reach the network services segment or configure the clients with a routing table entry.
    In the example used in this article, we’ll create routing table entries on the clients. You can automate this process with a logon script that contains the route add command used to add the routing table entry. The command required is:
    route add -p 10.0.0.0 MASK 255.255.255.0 10.0.1.2
    Where -p makes the routing table entry persistent, 10.0.0.0 is the network ID of the network services segment, 255.255.255.0 is the subnet mask for the network services segment, and 10.0.1.2 is the gateway address used to reach that network.
    Join the Network Clients to the Domain

    All the pieces are now in place to add the network clients to the domain. The network services perimeter ISA firewall has the appropriate Access Rules in place to join hosts on the Corpnet ISA firewall Network to the domain. The procedure varies with the operating system you’re joining to the domain. In the example used in this article series, we’re joining a Windows XP client to the domain.
    Create DNS Entries in the Domain DNS, Including WPAD Entries

    DNS infrastructure design is critical for all Windows environments. One of the most common reasons for connectivity and performance issues is a poorly designed DNS infrastructure. Proper DNS infrastructure is critically important in ISA firewall networking because the ISA firewall uses DNS name resolution for access control and security monitoring.
    Clients on the Corpnet ISA firewall Network will be configured as both Web proxy and Firewall clients. Web proxy and Firewall clients need to be able to locate the edge ISA firewall to access the Internet. While you can manually configure each host with the proper information, it’s much easier to automate the process using WPAD entries in DNS and/or DHCP.
    Web proxy and Firewall clients use WPAD entries in DNS and/or DHCP to find the address of the ISA firewall. After the clients find the address of the ISA firewall, the clients obtain configuration information from the ISA firewall. By default the ISA firewall advertises configuration information on TCP port 80, which can be changed if required. However, if you use DNS-based WPAD entries, you must use TCP port 80. If you use DHCP for WPAD information, you can use any port you like to advertise autodiscovery information.
    In the example used in this series, we will use DNS WPAD publishing. We will create a WPAD CNAME record based on the Host (A) record for the edge ISA firewall. The Host (A) record for the edge ISA firewall maps the name of the edge ISA firewall to the IP address on the internal interface of the edge ISA firewall.
    Perform the following steps to create the WPAD entry on the domain DNS server on the network services segment:

    1. At the DNS server, click Start, point to Administrative Tools and click DNS.
    2. In the DNS console, expand the server name and then expand the Forward Lookup Zones node. Click on the domain, which in this case is msfirewall.org.
    3. Right click the domain name and click New Alias (CNAME).
    4. In the New Resource Record dialog box, enter wpad in the Alias name (uses parent domain if left blank) text box. Click the Browse button.


    Figure 1
    5. Double click the server name in the Records section, then double click the Forward Lookup Zone entry. Double click the domain name and then double click the entry for the edge ISA firewall. In this example the name of the edge ISA firewall is remoteisa, so I’ll double click that one.


    Figure 2
    6. Click OK in the New Resource Record dialog box.


    Figure 3
    7. The new CNAME record appears in the right pane of the console.


    Figure 4
    Note that the edge ISA firewall’s IP address is included in the domain DNS because it was automatically added when the firewall joined the domain. If your domain DNS is not configured to enable automatic registration of DNS records, then you’ll need to create the Host (A) record yourself before you can create the CNAME record.
    Configure the Firewall and Web Proxy Client Settings on the Edge ISA Firewall and Enable Autodiscovery

    In my experience, one of the least understood issues with ISA firewall configuration relates to the settings in the Firewall client configuration on the ISA firewall. For each ISA firewall Network, you can configure Firewall client settings that are used by Firewall client systems located on that ISA firewall Network. These settings control how the Firewall client software finds the ISA firewall, which destination addresses should be remoted to the ISA firewall and which should not be handled by the Firewall client software.
    The best way to learn how these settings work is to get into the configuration interface. Perform the following steps on the edge ISA firewall to configure the Firewall client settings:

    1. In the ISA firewall console, expand the server name and then expand the Configuration node. Click the Networks node.
    2. On the Networks node, double click the default Internal Network entry.
    3. In the Internal Properties dialog box, click the Firewall Client tab. On the Firewall Client tab, confirm that there is a checkmark in the Enable Firewall client support for this network checkbox. When this option is enabled, the Firewall client listener port, TCP 1745, is enabled and listens for connections from the Firewall clients on that ISA firewall Network. In the ISA Server name or IP address text box, enter the fully qualified domain name of the ISA firewall. This is a critical setting. The default entry in this text box is the NetBIOS name of the ISA firewall, which can create problems with name resolution. The name you enter into this text box is the name Firewall clients on the network will use to access the ISA firewall. If you leave just the NetBIOS name in this text box, there could be problems with name resolution related to fully qualifying the unqualified name. While I am not saying that it won’t work to leave just the NetBIOS name in this text box, I am saying that you will avoid difficult to troubleshoot issues with Firewall clients if you use a FQDN in this text box. Put a checkmark in the Automatically detect settings checkbox and do not enable the Use automatic configuration script and Use a Web proxy server checkboxes. You will get autoconfiguration information by using autodiscovery, and you don’t need the Use a Web proxy server setting because the client will find the Web proxy filter component of the ISA firewall using the wpad settings.


    Figure 5
    4. Click the Domains tab. On this tab you enter your internal domain names so that the Firewall clients do not use the Firewall client software to handle connections to hosts in the internal domains. This is a tricky setting on multihomed ISA firewalls with multiple internal ISA firewall Networks, but in this example the edge ISA firewall has only a single internal Network, so we won’t run into those issues. I will discuss the Domains tab configuration issues on multihomed ISA firewalls with multiple internal ISA firewall Networks in detail in another series on creating network services segments using multihomed ISA firewalls. In this example, we have a single internal domain, which is msfirewall.org. Click Add to enter the internal network domain.


    Figure 6
    5. In the Domain Properties dialog box, enter the name of the internal domain in the Enter a domain name to include text box. Click OK.


    Figure 7
    We can also configure the Web proxy client settings in the Properties dialog box of the ISA firewall Network. Continue with the following steps to configure the Web proxy client configuration:
    In the Internal Properties dialog box, click the Web Browser tab. On the Web Browser tab, confirm that there are checkmarks in the Bypass proxy for Web servers in this network and Directly access computers specified in the Domains tab checkboxes. The Bypass proxy for Web servers in this network setting allows the Web proxy client machines to bypass their Web proxy configuration when connecting to servers using a single label name. For example, http://server1 is a single label name. When a single label name is used, the Web browser ignores the Web proxy settings and connects directly to the Web server. This is known as Direct Access. When Direct Access is used, the client system must be able to resolve the name itself, as the ISA firewall does not handle the connection and therefore does not perform name resolution on behalf of the client.

    The Directly access computers specified in the Domains tab option enables the Web proxy client system to bypass the Web proxy configuration when connecting to hosts that belong to a domain included in the Domains tab. This is a useful option because the Web proxy client bypasses its Web proxy configuration and the ISA firewall when connecting to internal, trusted servers on the corporate network.

    You can also add servers, domains and addresses for Direct Access by clicking the Add button next to the Directly access these servers or domains list. You might want to put all the addresses in the ISA firewall Network in the Direct Access list. For example, since we’re in the Internal Properties dialog box, we could include all the addresses in the default Internal network. In a multihomed, multiple internal Network design, this can be used for authenticated access control, but we’ll talk about these issues in the series on creating network services segments using a multihomed ISA firewall.

    Confirm that there is a checkmark in the If ISA Server is unavailable, use this backup route to connect to the Internet checkbox and that the Direct Access option is selected.

    Figure 8
    The last thing we need to do in the Internal Properties dialog box is enable Autodiscovery publishing. Perform the following steps to enable the ISA firewall to publish autodiscovery information:

    1. Click Auto Discovery tab in the Internal Properties dialog box.
    2. On the Auto Discovery tab, put a checkmark in the Publish automatic discovery information checkbox. Leave the default port listed in the Use this port for automatic discovery requests text box as 80. We must use TCP port 80 since we are using DNS for our WPAD entry.


    Figure 9
    3. Click OK in the Internal Properties dialog box.
    4. Click Apply to save the changes and update the firewall policy.
    5. Click OK in the Apply New Configuration dialog box.
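    The Web Browser and Auto Discovery settings above boil down to a small decision procedure that the browser evaluates for every URL once it has fetched the WPAD script from the ISA firewall. The script below is an added example written for this article, not the wpad.dat that ISA 2004 actually generates (ISA's script is larger and also handles proxy arrays). It encodes the three Direct Access rules (single-label names, domains from the Domains tab, addresses of the Internal network) and the Direct Access backup route. The proxy name isa.corp.example:8080, the domain corp.example, the 10.0.0.0/8 range and the host-to-address table are assumptions for the example; the browser-supplied PAC helpers (isPlainHostName, dnsDomainIs, isInNet, dnsResolve) are re-implemented so the file can be run under Node outside a browser.

```javascript
// Added example: a minimal PAC (proxy auto-config) script that mirrors the Direct Access
// settings on the Internal network's Web Browser tab. Not the script ISA 2004 generates.
// Assumed values (not from the article):
const WEB_PROXY = "PROXY isa.corp.example:8080";          // the ISA firewall's Web proxy listener
const DIRECT_DOMAINS = [".corp.example"];                 // entries on the Domains tab
const INTERNAL_NETS = [["10.0.0.0", "255.0.0.0"]];        // addresses of the Internal network
const BACKUP_ROUTE_DIRECT = true;                         // "If ISA Server is unavailable": Direct Access

// Constructed name table standing in for the client's own DNS resolver; in a browser
// dnsResolve() queries DNS, which is exactly why Direct Access requires client-side name resolution.
const HOST_TABLE = {
  "server1": "10.0.0.5",
  "fs1.corp.example": "10.0.0.6",
  "www.isaserver.org": "203.0.113.10",   // placeholder address, not the real one
};

// --- Re-implementations of the standard PAC helpers (browsers provide these natively) ---
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}

function dnsDomainIs(host, domain) {
  const h = host.toLowerCase(), d = domain.toLowerCase();
  return h.length >= d.length && h.substring(h.length - d.length) === d;
}

function ipToInt(ip) {
  return ip.split(".").reduce((acc, octet) => (acc << 8) + Number(octet), 0) >>> 0;
}

function isInNet(ipaddr, pattern, mask) {
  if (!/^\d{1,3}(\.\d{1,3}){3}$/.test(ipaddr)) return false;
  const m = ipToInt(mask);
  return ((ipToInt(ipaddr) & m) >>> 0) === ((ipToInt(pattern) & m) >>> 0);
}

function dnsResolve(host) {
  if (/^\d{1,3}(\.\d{1,3}){3}$/.test(host)) return host;   // literal address
  return HOST_TABLE[host.toLowerCase()] || null;            // unresolvable -> null
}

// --- The decision procedure the browser runs for every request ---
function FindProxyForURL(url, host) {
  // Rule 1: "Bypass proxy for Web servers in this network": single-label names go direct.
  if (isPlainHostName(host)) return "DIRECT";

  // Rule 2: "Directly access computers specified in the Domains tab".
  // A suffix match on ".corp.example" does not match evil.corp.example.attacker.test.
  for (const domain of DIRECT_DOMAINS) {
    if (dnsDomainIs(host, domain)) return "DIRECT";
  }

  // Rule 3: addresses added to the "Directly access these servers or domains" list.
  // The client must resolve the name itself here; an unresolvable name falls through to the proxy.
  const ip = dnsResolve(host);
  if (ip !== null) {
    for (const [net, mask] of INTERNAL_NETS) {
      if (isInNet(ip, net, mask)) return "DIRECT";
    }
  }

  // Everything else goes through the ISA firewall's Web proxy listener. With the backup route set
  // to Direct Access the browser tries a direct connection if the listener does not answer.
  return BACKUP_ROUTE_DIRECT ? WEB_PROXY + "; DIRECT" : WEB_PROXY;
}

module.exports = { FindProxyForURL, isPlainHostName, dnsDomainIs, isInNet, dnsResolve };
```

The "; DIRECT" fallback is only useful where the client has a path to the destination without the Web proxy (for example via the Firewall client or SecureNAT through the same ISA firewall); on a perimeter design that blocks everything except proxied Web traffic it simply fails closed, which is usually what you want.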

    Install the Firewall Client Share on the Network Services Segment File Server

    The Firewall client software will be installed on all the client systems on the Corpnet ISA firewall Network. Note that you should only install the Firewall client software on network client systems, and avoid installing it on servers. While it is possible to install the Firewall client software on servers, there is little reason to do so, since servers typically do not have logged-on users (interactive logons, that is). You will avoid difficult-to-diagnose connectivity issues if you do not install the Firewall client software on network servers.
    While some ISA firewall administrators choose to install the Firewall client share on the ISA firewall itself, I highly recommend against this practice, as it requires Windows file sharing protocol connections to be made to the ISA firewall device itself. This opens a potential security hole that does not need to be opened. Instead, install the Firewall client share on a file server on the network services segment. Remember, the ISA firewall is a network level security device and connections to and from the ISA firewall device should be severely limited.
    Perform the following steps on the file server computer on the network services segment:

    1. At the file server on the network services segment, place the ISA Server 2004 CD into the CD-ROM drive. The autorun menu will appear. If the autorun menu does not appear, double-click the isaautorun.exe file on the CD.
    2. In the ISA Server 2004 Setup autorun menu, click the Install ISA Server 2004 link.
    3. Click Next on the Welcome to the Installation Wizard for Microsoft ISA Server 2004 page.
    4. Select the I accept the terms in the license agreement option on the License Agreement page and click Next.
    5. Enter your user information and product serial number on the Customer Information page and click Next.
    6. Select the Custom option on the Setup Type page.
    7. On the Custom Setup page, click the ISA Server Management icon and click the This feature will not be available option. Click the Firewall Client Installation Share icon and click the This feature, and all subfeatures, will be installed on local hard drive option. Click Next.
      Figure 10
    8. Click Install on the Ready to Install the Program page.
    9. Click Finish on the Installation Wizard Completed page.
    10. Close the Internet Explorer window that presents a page on how to Protect the ISA Server Computer.
    11. Click the Exit link on the ISA autorun menu.

    Install the Firewall Client on the Network Clients

    The Firewall client share is now installed on the file server and can be accessed using the \\server_name\mspclnt\setup.exe UNC path. Any user logged on as a local administrator can install the Firewall client software. However, if not all your users run as local administrators, you’ll need to find another way to install the Firewall client software.
    Fortunately, the ideal solution to this problem is Active Directory Group Policy based software installation. Since the client machines must be domain members to fully utilize the flexibility and increased security provided by the Firewall client, those domain members can have their Firewall client software installed automatically via Group Policy.
    In the following procedure we will create an OU for machines that should have the Firewall client software automatically installed. We do this to prevent the Firewall client software from being installed on servers. There may be more elegant ways to approach this, such as using Group Policy filtering, but I'll leave it to the Active Directory guys to figure out the most efficient way of assigning the Firewall client software only to client systems and not servers.
    Note that in the following example we’ll create an OU that provides a GPO linked to the OU that installs the Firewall client software. In a production environment, you will want to link other GPOs to the OU and order the GPO links appropriately.
    Perform the following steps to create the OU, place a client system in the OU, and then use Software Installation to assign the Firewall client software to members of the OU:

    1. On the domain controller on the network services segment, open the Active Directory Users and Computers console from the Administrative Tools menu.
    2. Right click on the domain name, point to New and click Organizational Unit.
    3. In the New Object – Organizational Unit page, enter Firewall Client Systems in the Name text box. Click OK.
    4. Click the Computers node and right click the client system name in the right pane of the console. Click Move.
    5. In the Move dialog box, click the Firewall Client Systems node and click OK.
    6. Right click the Firewall Client Systems OU and click Properties.
    7. In the Firewall Client Systems Properties dialog box, click the Group Policy tab.
    8. On the Group Policy tab, click the New button. Name the new GPO Firewall Client Installation and click Edit.
    9. In the Group Policy Object Editor console, expand the Computer Configuration node and then expand the Software Settings node. Right click Software installation, point to New and click Package.
    10. In the Open dialog box, enter the UNC path to the Firewall client installation package file. In this example, the path is \\Win2k\mspclnt\MS_FWC.msi. Click Open.


    Figure 11
    11. In the Deploy Software dialog box, select the Assigned option and click OK.

    Figure 12
    12. Close the Group Policy Object Editor.
    13. Close the Firewall Client Systems Properties dialog box.
    14. Close Active Directory Users and Computers.
    15. Open a command prompt on the domain controller, enter gpupdate and press ENTER.
    16. When the client systems restart, the Firewall client software will install automatically (software assigned to computers is installed at startup, before a user logs on).

    Connect the Corporate Network Clients to Resources on the Network Services Segment and the Internet

    Now the clients on the Corpnet ISA firewall Network are ready to connect to resources on the network services segment and the Internet.
    Open the Web browser on the client and go to www.isaserver.org. You’ll see log file entries on the edge ISA firewall that appear similar to those in the figure below.

    Figure 13
    Now open a share on the File server on the network services segment. You’ll see entries like those in the figure below.

    Figure 14
    Summary

    In this article series on configuring a network services segment using an ISA firewall, we began with an in-depth discussion of network perimeters and how to design a functional network services segment via perimeterization. The following articles provided detailed concepts and step-by-step instructions on how to configure the edge and network services perimeter ISA firewalls to support secure connections from hosts located on the corporate network outside the perimeter, and to selected Exchange Server services from Internet hosts.
