The ISA 2004 Firewall ISP Co-location Configuration
[CODE]http://www.isaserver.org/articles/2004ispcolo.html[/CODE]
[FONT=Verdana]This is an interesting configuration because the question is whether the ISA 2004 firewall software can be used effectively to protect the publicly accessible resources on the ISP co-located machine. If you’ve been following this space, you know that I strongly recommend against installing extraneous software on the ISA 2004 firewall. Each extraneous application or service installed on the ISA 2004 firewall increases the attack surface on the firewall and increases the chance of compromising resources on the ISA firewall.[/FONT]
[FONT=Verdana]However, the ISP co-located setup is a bit different. The ISP will usually provide some rudimentary stateful filtering support, such as that provided by a PIX or Netscreen. While these firewalls provide network layer filtering, they fall down when it comes to the task of strong stateful application layer inspection. For this reason, you may be able to gain some significant benefits from using the ISA 2004 firewall software on the co-located Web, FTP and SMTP server.[/FONT]
[FONT=Verdana]While I refer to this as the ISP co-location configuration, you can also use it in other scenarios. For example, suppose you want to bring a powerful ISA 2004 stateful application layer inspection firewall into your network. The problem is that you have to deal with people who have swallowed the Myth of the Hardware Firewall, hook, line and sinker (check out [URL="http://isaserver.org/articles/2004tales.html"][U][COLOR=#800080]http://isaserver.org/articles/2004tales.html[/COLOR][/U][/URL] for more information on this subject). One way to get your ISA 2004 firewall into the mix is to put the ISA 2004 firewall in a DMZ segment between the two "hardware" firewalls. By using the ISA 2004 firewall in an ISP co-location configuration in the DMZ, you’ll be able to get real stateful application layer inspection protection while mollifying the "hardware" firewall guys’ flagging egos.[/FONT]
[FONT=Verdana]The ISP co-location configuration uses a single physical NIC and a second "virtual" NIC. The virtual NIC is the Microsoft loopback adapter. The loopback adapter isn’t connected to an actual physical NIC, but you can configure the loopback adapter with IP addressing information in the same way you configure a physical NIC. The ISA 2004 firewall software sees the loopback adapter as a physical interface and you can use this interface to support publishing scenarios.[/FONT]
[FONT=Verdana]The reason for installing the virtual NIC in the ISA 2004 firewall is so that you can "trick" the firewall into thinking it’s acting as a firewall. You could install a single NIC in the ISA 2004 firewall, but then you lose a significant amount of firewall functionality, because the ISA 2004 firewall software will assume that you want to run the firewall in Web Proxy mode only. In contrast, when you install the loopback adapter on the ISA 2004 firewall, the firewall software recognizes this as an actual interface and you can then fully leverage the strong stateful application layer inspection provided by the ISA 2004 firewall software.[/FONT]
[FONT=Verdana]In this article we’ll focus on the ISP co-location configuration. The figure below shows the lab setup you can use with your VMware or Virtual PC virtual networks to perform the proof of concept testing for this setup. You can test the configuration from a host on the same segment at the physical interface of the ISA 2004 firewall, or you can test from a host that’s on the WAN side of your Internet router.[/FONT]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27231094810766453.gif[/IMG][/FONT]
[FONT=Verdana]The loopback adapter is assigned a bogus address. In the example discussed in this article, we’ll use the IP address 10.0.0.1/24. Note that the bogus internal interface does not have a DNS or default gateway address assigned.[/FONT]
[FONT=Verdana]The external interface of the ISA 2004 firewall has a real IP address and a default gateway. This configuration is important because the external IP address must be reachable, and the default gateway address is required so that the ISA 2004 firewall can respond to requests made by Internet hosts. The DNS server address should be that of a DNS server that can resolve Internet host names, because the co-located ISA 2004 firewall/Web/FTP/SMTP server needs to be able to resolve Internet MX domain names to send outbound mail. Note that you can also use the ISA 2004 firewall’s SMTP Message Screener in this configuration.[/FONT]
[FONT=Verdana]If you plan to use this design in a DMZ configuration where the ISA 2004 firewall is located between two so-called "hardware" firewalls, I recommend that the relationship between the DMZ segment and the back-end firewall be a route relationship and not a NAT relationship.[/FONT]
[FONT=Verdana]You will perform the following steps to make this configuration work:[/FONT]
[LIST][FONT=Verdana]
[*]Install the loopback adapter on the machine that will be the co-located ISA 2004 firewall and configure its IP addressing information
[*]Install the IIS services on the machine that will be the co-located ISA 2004 firewall, disable socket pooling for those services and bind the services to the IP address on the loopback interface
[*]Install the ISA 2004 firewall software
[*]Disable the Web Proxy and Firewall client listeners on the Internal interface
[*]Create the Web and Server Publishing Rules
[*]Create an Access Rule that allows SMTP outbound from the Local Host Network to the External Network
[*]Test the Configuration
[/FONT][/LIST]
[FONT=Verdana][B]Note:
[/B]About 98% of the articles on this site describe procedures that I use to implement real-world installation and configuration for ISA firewalls. However, about 2% of the articles represent what I consider "lab experiments". These lab experiment articles show the procedures required to get the job done, but have not been tested by me or anyone else I know in a production environment. It is extremely important to note that the reason why I provide a lab setup for most articles is so that you can perform the procedures in your own lab [I]before[/I] implementing them in your own production environment. I hope that I have not given the ISAServer.org community the false impression that all the articles on this site are lab setups only, because that is [I]not[/I] the case. The overwhelming majority of the content I provide on this site has withstood production network testing.[/FONT]
[B]Install the loopback adapter on the machine that will be the co-located ISA 2004 firewall and configure its IP addressing information[/B]
[FONT=Verdana]The first step (after installing Windows Server 2003 on a machine with a single NIC) is to install the Microsoft loopback adapter. This is a painless procedure and is done using the [B]Add/Remove Hardware[/B] applet.[/FONT]
[FONT=Verdana]Perform the following steps to add the loopback adapter:[/FONT]
[LIST=1][FONT=Verdana]
[*]On the ISA 2004 firewall machine, click [B]Start[/B] and point to [B]Control Panel[/B]. Click [B]Add Hardware[/B].
[*]On the [B]Welcome to the Add Hardware Wizard[/B] page, click [B]Next[/B].
[*]On the [B]Is the hardware connected[/B] page, select the [B]Yes, I have already connected the hardware[/B] option. Click [B]Next[/B].
[*]On the [B]The following hardware is already installed on your computer[/B] page, select the [B]Add a new hardware device[/B] option from the [B]Installed hardware[/B] list. Click [B]Next[/B].
[*]On the [B]The wizard can help you install other hardware[/B] page, select the [B]Install the hardware that I manually select from a list (Advanced)[/B] option. Click [B]Next[/B].
[*]On the [B]From the list below, select the type of hardware you are installing[/B] page, select the [B]Network adapters[/B] option and click [B]Next[/B].
[*]On the [B]Select Network Adapter[/B] page, select the [B]Microsoft[/B] entry from the [B]Manufacturer[/B] list. Click the [B]Microsoft Loopback Adapter[/B] entry from the [B]Network Adapter[/B] list. Click [B]Next[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27241094810774718.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]On the [B]The wizard is ready to install your hardware[/B] page, click [B]Next[/B].
[*]Click [B]Finish[/B] on the [B]Completing the Add Hardware Wizard[/B] page.
[*]Right click the [B]My Network Places[/B] icon on the desktop and click [B]Properties[/B].
[*]Right click on the adapter representing the loopback adapter entry on the [B]Network Connections[/B] page. Click [B]Properties[/B].
[*]On the adapter’s [B]Properties[/B] dialog box, select the [B]Internet Protocol (TCP/IP)[/B] entry from the [B]This connection uses the following items[/B] list. Click [B]Properties[/B].
[*]On the [B]Internet Protocol (TCP/IP) Properties[/B] dialog box, select the [B]Use the following IP address[/B] option and enter [B]10.0.0.1[/B] in the [B]IP address[/B] text box. Enter [B]255.255.255.0[/B] in the [B]Subnet mask[/B] text box. Click [B]OK[/B].
[*]Click [B]OK[/B] in the adapter’s [B]Properties[/B] dialog box.
[/FONT][/LIST]
[B]Install the IIS services on the machine that will be the co-located ISA 2004 firewall, disable socket pooling for those services and bind the services to the IP address on the loopback interface[/B]
[FONT=Verdana]Now we’re ready to install the IIS services. In this example, we’ll install the IIS World Wide Web (W3SVC or WWW service), the FTP service and the SMTP service. Many of you might be interested in other services that are included with Microsoft Exchange, but I consider installing Microsoft Exchange on the same machine as the ISA 2004 firewall as "going over the top". If you want the Exchange Server fully protected by the ISA 2004 firewall, then put the Exchange Server behind the ISA 2004 firewall and make special arrangements with your co-lo facility.[/FONT]
[FONT=Verdana]Perform the following steps to install the IIS services on the ISA 2004 firewall machine:[/FONT]
[LIST=1][FONT=Verdana]
[*]On the ISA 2004 firewall machine, click [B]Start[/B] and point to [B]Control Panel[/B]. Click the [B]Add or Remove Programs[/B] link.
[*]In the [B]Add or Remove Programs[/B] window, click the [B]Add/Remove Windows Components[/B] button on the left side of the page.
[*]On the [B]Windows Components[/B] page, select the [B]Application Server[/B] entry in the [B]Components[/B] list, then click [B]Details[/B].
[*]In the [B]Application Server[/B] dialog box, select the [B]Internet Information Services (IIS)[/B] entry in the [B]Subcomponents of Application Server[/B] list and click [B]Details[/B].
[*]In the [B]Internet Information Services (IIS)[/B] dialog box, put a checkmark in the [B]File Transfer Protocol (FTP) Service[/B], [B]SMTP Service[/B] and [B]World Wide Web Service[/B] checkboxes. Click [B]OK[/B].
[*]Click [B]OK[/B] in the [B]Application Server[/B] dialog box.
[*]Click [B]Next[/B] on the [B]Windows Components[/B] page.
[*]Click [B]OK[/B] in the [B]Insert Disk[/B] dialog box.
[*]In the [B]Files Needed[/B] dialog box, enter the path to the Windows Server 2003 i386 folder in the [B]Copy files from[/B] text box. Click [B]OK[/B].
[*]Click [B]Finish[/B] on the [B]Completing the Windows Components Wizard[/B] page.
[/FONT][/LIST]
[FONT=Verdana]The next step is to disable socket pooling for each of these services. Socket pooling allows the IIS services to listen on the same port number on all interfaces. This has some performance advantages for dedicated IIS machines. However, socket pooling is the death knell for IIS services machines that also run the ISA 2004 firewall software. In order to get our Web and Server Publishing solutions working on the ISA 2004 firewall, we need to disable socket pooling before configuring the services to listen on the internal IP address (the IP address assigned to the loopback adapter) of the ISA 2004 firewall.[/FONT]
[FONT=Verdana]Perform the following steps to disable socket pooling for the IIS WWW service:[/FONT]
[LIST=1][FONT=Verdana]
[*]On the Windows Server 2003 installation CD-ROM, locate the [B]\SUPPORT\TOOLS[/B] folder and copy that to the local hard disk on the ISA 2004 firewall.
[*]In the [B]SUPPORT[/B] folder copied to the hard disk of the ISA 2004 firewall, double click the [B]SUPTOOLS.MSI[/B] file.
[*]Click [B]Next[/B] on the [B]Welcome to the Windows Support Tools Setup Wizard[/B] page.
[*]Select the [B]I Agree[/B] option on the [B]End User License Agreement[/B] page.
[*]Enter your user information on the [B]User Information[/B] page.
[*]Use the default directory on the [B]Destination Directory[/B] page and click [B]Install Now[/B].
[*]Click [B]Finish[/B] on the [B]Completing the Windows Support Tools Setup Wizard[/B] page.
[*]Click [B]Start[/B] and then click [B]Run[/B]. In the [B]Run[/B] dialog box, enter [B]cmd[/B] in the [B]Open[/B] text box and click [B]OK[/B].
[*]At the command prompt, enter [B]httpcfg set iplisten -i 10.0.0.1[/B] and press ENTER. You will see the response [B]HttpSetServiceConfiguration completed with 0[/B].
[*]At the command prompt, enter [B]httpcfg query iplisten[/B] and press ENTER. You will see what appears in the figure below (note in the figure that I made a typo on the first query; that’s why I think the command line "blows", I never make a typo when selecting a menu option ;-)
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27251094810781406.gif[/IMG][/FONT]
[FONT=Verdana]Now let’s disable socket pooling for the IIS FTP service:[/FONT]
[LIST=1][FONT=Verdana]
[*]At the command prompt, enter [B]net stop msftpsvc[/B] and press ENTER.
[*]At the command prompt, navigate to the [B]\InetPub\Adminscripts[/B] folder. Enter [B]cscript adsutil.vbs set /msftpsvc/1/DisableSocketPooling 1[/B] and press ENTER. You will see what appears in the figure below.
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27261094810788718.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]At the command prompt, enter [B]net start msftpsvc[/B] and press ENTER.
[/FONT][/LIST]
[FONT=Verdana]The other service that needs socket pooling whacked is the SMTP service. Perform the following steps to disable socket pooling for the IIS SMTP service:[/FONT]
[LIST=1][FONT=Verdana]
[*]At the command prompt, enter [B]net stop smtpsvc[/B] and press ENTER.
[*]At the command prompt, navigate to the [B]\InetPub\Adminscripts[/B] folder. Enter [B]cscript adsutil.vbs set /smtpsvc/1/DisableSocketPooling 1[/B] and press ENTER. You will see what appears in the figure below.
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27271094810797031.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]At the command prompt, enter [B]net start smtpsvc[/B] and press ENTER.
[/FONT][/LIST]
[FONT=Verdana]Now let’s bind the WWW, FTP and SMTP services to the internal IP address of the ISA 2004 firewall:[/FONT]
[LIST=1][FONT=Verdana]
[*]On the ISA 2004 firewall, click [B]Start[/B] and point to [B]Administrative Tools[/B]. Click [B]Internet Information Services (IIS) Manager[/B].
[*]In the [B]Internet Information Services (IIS) Manager[/B] console, expand the [B]Web Sites[/B] node and right click on the [B]Default Web Site[/B] and click [B]Properties[/B].
[*]In the [B]Default Web Site Properties[/B] dialog box, click the [B]Web Site[/B] tab. In the [B]IP address[/B] drop down box, select [B]10.0.0.1[/B]. Click [B]Apply[/B] and then click [B]OK[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27281094810804828.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]Expand the [B]FTP Sites[/B] folder and right click the [B]Default FTP Site[/B] and click [B]Properties[/B].
[*]In the [B]Default FTP Site Properties[/B] dialog box, click the [B]FTP Site[/B] tab. On the [B]FTP Site[/B] tab, select [B]10.0.0.1[/B] from the [B]IP address[/B] list. Click [B]Apply[/B] and then click [B]OK[/B].
[*]Right click the [B]Default SMTP Virtual Server[/B] and click [B]Properties[/B].
[*]In the [B]Default SMTP Virtual Server Properties[/B] dialog box, click the [B]General[/B] tab. Select [B]10.0.0.1[/B] from the [B]IP address[/B] drop down list.
[*]Click the [B]Access[/B] tab. On the [B]Access[/B] tab, click the [B]Authentication[/B] button in the [B]Access Control[/B] frame.
[*]In the [B]Authentication[/B] dialog box, place a checkmark in the [B]Integrated Windows Authentication[/B] checkbox. This will allow users who authenticate to relay through the published SMTP server. Note that this will not be an open SMTP relay. Unauthenticated users will [I]not[/I] be able to relay through this published SMTP server. Mail sent to [B]remote domains[/B] you configure on this SMTP server will not require authentication. This allows Internet SMTP servers to send mail to this machine without authenticating. For example, you might want to host relay services for MX domains for your customers. You can use the remote domains to forward mail to their servers; when their servers are down, your SMTP server can host mail until their servers come back online. Click [B]OK[/B].
[*]Click [B]Apply[/B] and then click [B]OK[/B].
[*]In the left pane of the IIS console, right click on the server name, point to [B]All Tasks[/B] and click [B]Restart IIS[/B].
[*]In the [B]Stop/Start/Restart[/B] dialog box, select the [B]Restart Internet Services on <servername>[/B] and click [B]OK[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27291094810812609.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]Open a [B]Command Prompt[/B] window. At the command prompt enter [B]netstat -na[/B] and press ENTER. Notice that TCP ports [B]21[/B], [B]25[/B] and [B]80[/B] are listening on IP address [B]10.0.0.1[/B]. We know that socket pooling is disabled for these ports (services) because they are not listening on address [B]0.0.0.0[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27301094810820765.gif[/IMG][/FONT]
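[FONT=Verdana]The netstat check above is the one place where a mistake (socket pooling still on, or a service bound to the external address as well) shows up before any publishing rule is created, so it is worth automating. The script below is an added example, not code from the article or from Microsoft: it parses saved [B]netstat -na[/B] output and reports any published port that still listens on 0.0.0.0 or on an address other than the loopback adapter. The netstat text inside it is constructed sample output; 192.0.2.10 is a documentation address standing in for the firewall's real external IP, which the article does not give.[/FONT]

```python
"""Verify that the IIS services listen only on the loopback-adapter address.

Added example (not the article's own code): parses `netstat -na` output from
Windows Server 2003 and flags any published port still bound to the 0.0.0.0
wildcard (socket pooling still enabled) or to an address other than the
loopback adapter. The netstat text below is constructed sample output.
"""
import re
from typing import Dict, List, Set

LOOPBACK_IP = "10.0.0.1"         # address the article assigns to the Microsoft loopback adapter
PUBLISHED_PORTS = (21, 25, 80)   # FTP, SMTP and WWW, the three services being published

# Matches one listening TCP socket, e.g. "  TCP    10.0.0.1:80    0.0.0.0:0    LISTENING"
_LISTEN = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s*$")


def listening_sockets(netstat_output: str) -> Dict[int, Set[str]]:
    """Map each listening TCP port to the set of local addresses it is bound to."""
    bound: Dict[int, Set[str]] = {}
    for line in netstat_output.splitlines():
        m = _LISTEN.match(line)
        if m:
            bound.setdefault(int(m.group(2)), set()).add(m.group(1))
    return bound


def check_bindings(netstat_output: str, expected_ip: str = LOOPBACK_IP,
                   ports=PUBLISHED_PORTS) -> List[str]:
    """Return a list of problems; an empty list means every published port
    listens on expected_ip and nowhere else."""
    bound = listening_sockets(netstat_output)
    problems: List[str] = []
    for port in ports:
        addrs = bound.get(port, set())
        if not addrs:
            problems.append(f"port {port}: nothing listening (service stopped?)")
            continue
        if "0.0.0.0" in addrs:
            problems.append(f"port {port}: bound to 0.0.0.0, socket pooling is still enabled")
        stray = sorted(addrs - {expected_ip, "0.0.0.0"})
        if stray:
            problems.append(f"port {port}: also bound to {stray}, which conflicts with the ISA listeners")
        if expected_ip not in addrs and "0.0.0.0" not in addrs:
            problems.append(f"port {port}: not bound to {expected_ip}, publishing rules will fail")
    return problems


# Constructed sample: after the httpcfg/adsutil changes and an IIS restart.
NETSTAT_AFTER = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:21            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:25            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:80            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:3389        198.51.100.7:51022     ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Constructed sample: socket pooling still on for FTP and WWW, and SMTP also
# bound directly to the external address (192.0.2.10 is a placeholder).
NETSTAT_BEFORE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    10.0.0.1:25            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:25          0.0.0.0:0              LISTENING
"""

if __name__ == "__main__":
    for label, text in (("before", NETSTAT_BEFORE), ("after", NETSTAT_AFTER)):
        issues = check_bindings(text)
        print(f"{label}: {'OK' if not issues else str(len(issues)) + ' problem(s)'}")
        for issue in issues:
            print("  -", issue)
```

[FONT=Verdana]On the firewall itself you would feed it real output (netstat -na > bindings.txt, then read that file into check_bindings); running it again after every IIS restart catches the case where a service comes back up pooled because an adsutil change did not stick.[/FONT]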
[B]Install the ISA 2004 firewall software[/B]
[FONT=Verdana]The loopback adapter is installed, the IIS services are installed and configured and socket pooling has been disabled. Now we’re finally ready to install the ISA 2004 firewall software.[/FONT]
[FONT=Verdana]Perform the following steps to install the ISA 2004 firewall software:[/FONT]
[LIST=1][FONT=Verdana]
[*]Double click the [B]isaautorun.exe[/B] file on the ISA Server 2004 CD-ROM. On the autorun page, click the [B]Install ISA Server 2004[/B] link.
[*]Click [B]Next[/B] on the [B]Welcome to the Installation Wizard for Microsoft ISA Server 2004[/B] page.
[*]On the [B]License Agreement[/B] page, select the [B]I accept the terms in the license agreement[/B] option. Click [B]Next[/B].
[*]On the [B]Customer Information[/B] page, enter your [B]User name[/B], [B]Organization[/B] and [B]Product Serial Number[/B]. Click [B]Next[/B].
[*]On the [B]Setup type[/B] page, select the [B]Complete[/B] option and click [B]Next[/B].
[*]On the [B]Internal Network[/B] page, click the [B]Add[/B] button.
[*]In the address ranges dialog box, click the [B]Select Network Adapter[/B] button.
[*]In the [B]Select Network Adapter[/B] dialog box, remove the checkmark from the [B]Add the following private ranges…[/B] checkbox. Put a checkmark in the checkbox to the left of the loopback adapter in the adapter list. Click [B]OK[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27311094810828312.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]Click [B]OK[/B] in the [B]Setup Message[/B] dialog box informing you that the Internal network was defined based on the ISA 2004 firewall’s routing table.
[*]Click [B]OK[/B] in the address ranges dialog box.
[*]Click [B]Next[/B] on the [B]Internal Network[/B] page.
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27321094810836156.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]Accept the default setting on the [B]Firewall Client Connection Settings[/B] page. Click [B]Next[/B].
[*]Click [B]Next[/B] on the [B]Services[/B] page.
[*]Click [B]Install[/B] on the [B]Ready to Install the Program[/B] page.
[*]Click [B]Finish[/B] on the [B]Installation Wizard Completed[/B] page.
[*]Click [B]Yes[/B] on the [B]Microsoft ISA Server[/B] page informing you that you must restart the firewall.
[*]Log on as administrator after the ISA 2004 firewall restarts. Close the Web browser window [B]Protect the ISA Server Computer[/B] after logging on.
[/FONT][/LIST]
[B]Disable the Web Proxy and Firewall client listeners on the Internal interface[/B]
[FONT=Verdana]Since there is no actual Internal network, and no Internal network clients, there is no reason to enable the Web Proxy and Firewall client listeners. These listeners have the potential for causing conflicts with Web publishing rules and could use resources that we’d rather have available to the services hosted on the ISA 2004 firewall. For these reasons we will disable the Firewall client and Web Proxy listeners on the Internal network.[/FONT]
[FONT=Verdana]Perform the following steps to disable the Web Proxy and Firewall client listeners on the Internal interface:[/FONT]
[LIST=1][FONT=Verdana]
[*]Open the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console and expand the server name in the left pane. Expand the [B]Configuration[/B] node and click on the [B]Networks[/B] node.
[*]On the [B]Networks[/B] node, click on the [B]Networks[/B] tab in the Details pane. Right click on the [B]Internal[/B] network and click [B]Properties[/B].
[*]In the [B]Internal Properties[/B] dialog box, click the [B]Web Proxy[/B] tab.
[*]On the [B]Web Proxy[/B] tab, remove the checkmark from the [B]Enable Web Proxy clients[/B] checkbox.
[*]Click on the [B]Firewall Client[/B] tab.
[*]On the [B]Firewall Client[/B] tab, remove the checkmark from the [B]Enable Firewall client support for this network[/B] checkbox.
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27331094810843343.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]Click [B]Apply[/B] and then click [B]OK[/B] in the [B]Internal Properties[/B] dialog box.
[/FONT][/LIST]
[B]Create the Web and Server Publishing Rules[/B]
[FONT=Verdana]In order for remote users to access the services located on the ISA 2004 firewall, we must use Web and/or Server Publishing Rules. Web Publishing Rules are used to publish Web protocols. The Web protocols are HTTP and HTTPS (SSL). Although not strictly considered a Web protocol, you can also publish download-only FTP sites using Web Publishing Rules. All other services must use Server Publishing Rules. Both Web and Server Publishing Rules expose the incoming connections to the ISA 2004 firewall’s deep, stateful application layer inspection mechanisms.[/FONT]
[FONT=Verdana]We will create one Web Publishing Rule and two Server Publishing Rules. The Web Publishing Rule will be used to allow remote connections to the Web server located on the ISA 2004 firewall, and the Server Publishing Rules will be used to allow remote connections to the SMTP and FTP services.[/FONT]
[FONT=Verdana]In the following example, the Web Publishing Rule will allow us to connect to the Web site using the external IP address of the ISA 2004 firewall. However, I want to strongly emphasize to you that you should [B]not[/B] publish Web sites using the IP address on the external interface of the ISA firewall as its "public" name. If you do this, users will be able to access the published Web site using the IP address, instead of the FQDN of your site. Allowing access to your Web site via an IP address potentially exposes you to worms and other anonymous scan-based attacks. In fact, I recommend that [I]you never[/I] allow published sites to be accessible via an IP address. However, I’m lazy and don’t want to go into the details of how to set up the DNS or HOSTS file entries required for a secure solution. I’ve gone into those details in many of the other publishing articles I’ve done on this site.[/FONT]
[FONT=Verdana]Perform the following steps to create the Web Publishing Rule:[/FONT]
[LIST=1][FONT=Verdana]
[*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, expand the server name and click the [B]Firewall Policy[/B] node.
[*]On the [B]Tasks[/B] tab in the Task Pane, click the [B]Publish a Web Server[/B] link.
[*]On the [B]Welcome to the New Web Publishing Rule Wizard[/B] page, enter [B]Web Server[/B] in the [B]Web publishing rule name[/B] text box. Click [B]Next[/B].
[*]On the [B]Select Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].
[*]On the [B]Define Website to Publish[/B] page, enter the IP address that the Web server listens on in the [B]Computer name or IP address[/B] text box. In this example, the Web server is listening on IP address [B]10.0.0.1[/B], so we enter that value into the text box. In the [B]Path[/B] text box, enter [B]/*[/B]. Click [B]Next[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27341094810852312.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]On the [B]Public Name Details[/B] page, select the [B]This domain name (type below)[/B] option in the [B]Accept requests for[/B] drop down list. In the [B]Public name[/B] text box, enter the IP address on the external interface of the ISA 2004 firewall. Note that we are using the IP address for the public name for demonstration purposes [I]only[/I]. I recommend that you [I]never[/I] publish a publicly accessible Web site in a way that can be accessed via its IP address. In the [B]Path (optional)[/B] text box, enter [B]/*[/B]. Click [B]Next[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27351094810860265.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]On the [B]Web Listener[/B] page, select a Web listener from the [B]Web listener[/B] list. If you do not have a Web listener configured, then you will need to create one. In this example we have not yet created any Web listeners. To create a new Web listener, click the [B]New[/B] button.
[*]On the [B]Welcome to the New Web Listener Wizard[/B] page, enter [B]HTTP Listener[/B] in the [B]Web listener name[/B] text box. Click [B]Next[/B].
[*]On the [B]IP Addresses[/B] page, put a checkmark in the [B]External[/B] checkbox. This setting will allow the ISA 2004 firewall to accept incoming requests to this Web listener on all addresses bound to the external interface. Click [B]Next[/B].
[*]On the [B]Port Specification[/B] page, accept the default settings. The [B]Enable HTTP[/B] checkbox should be selected and the [B]HTTP port[/B] should be set at [B]80[/B]. Click [B]Next[/B].
[*]Click [B]Finish[/B] on the [B]Completing the New Web Listener Wizard[/B] page.
[*]Click [B]Next[/B] on the [B]Select Web Listener[/B] page. Notice that the Web listener we created now appears in the [B]Web listener[/B] drop down list.
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27361094810867515.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]On the [B]User Sets[/B] page, select the default option, [B]All Users[/B], and click [B]Next[/B].
[*]Review your settings on the [B]Completing the New Web Publishing Rule Wizard[/B] page and click [B]Finish[/B].
[*]Click [B]Apply[/B] to save the changes and update the firewall policy.
[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.
[/FONT][/LIST]
[FONT=Verdana]The next step is to create the SMTP Server Publishing Rule:[/FONT]
[LIST=1][FONT=Verdana]
[*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, click the [B]Firewall Policy[/B] node.
[*]On the [B]Firewall Policy[/B] node, click the [B]Tasks[/B] tab on the Task Pane. Click the [B]Create a New Server Publishing Rule[/B] link.
[*]On the [B]Welcome to the New Server Publishing Rule Wizard[/B] page, enter [B]SMTP Server[/B] in the [B]Server publishing rule name[/B] text box and click [B]Next[/B].
[*]On the [B]Select Server[/B] page, enter the IP address that the SMTP service on the ISA 2004 firewall listens on. In this example, the IP address is [B]10.0.0.1[/B] and we’ll enter that value into the text box. Click [B]Next[/B].
[*]On the [B]Select Protocol[/B] page, select the [B]SMTP Server[/B] entry in the [B]Selected protocol[/B] list. Click [B]Next[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27371094810875078.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]On the [B]IP Addresses[/B] page, put a checkmark in the [B]External[/B] checkbox. This allows the ISA 2004 firewall to accept incoming connections to any IP address bound to the external interface of the firewall. Click [B]Next[/B].
[*]Click [B]Finish[/B] on the [B]Completing the New Server Publishing Rule Wizard[/B] page.
[/FONT][/LIST]
[FONT=Verdana]Now we’ll complete our publishing rules with an FTP Server Publishing Rule:[/FONT]
[LIST=1][FONT=Verdana]
[*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, click the [B]Firewall Policy[/B] node.
[*]On the [B]Firewall Policy[/B] node, click the [B]Tasks[/B] tab on the Task Pane. Click the [B]Create a New Server Publishing Rule[/B] link.
[*]On the [B]Welcome to the New Server Publishing Rule Wizard[/B] page, enter [B]FTP Server[/B] in the [B]Server publishing rule name[/B] text box and click [B]Next[/B].
[*]On the [B]Select Server[/B] page, enter the IP address that the FTP service on the ISA 2004 firewall listens on. In this example, the IP address is [B]10.0.0.1[/B] and we’ll enter that value into the text box. Click [B]Next[/B].
[*]On the [B]Select Protocol[/B] page, select the [B]FTP Server[/B] entry in the [B]Selected protocol[/B] list. Click [B]Next[/B].
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27381094810882500.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana]
[*]On the [B]IP Addresses[/B] page, put a checkmark in the [B]External[/B] checkbox. This allows the ISA 2004 firewall to accept incoming connections to any IP address bound to the external interface of the firewall. Click [B]Next[/B].
[*]Click [B]Finish[/B] on the [B]Completing the New Server Publishing Rule Wizard[/B] page.
[*]Click [B]Apply[/B] to save the changes and update the firewall policy.
[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.
[/FONT][/LIST]
[B]Create an Access Rule that allows SMTP outbound from the Local Host Network to the External Network[/B]
[FONT=Verdana]In the current example the SMTP service is configured to allow authenticated users to relay through it to other e-mail domains. The ISA 2004 firewall must be configured with an Access Rule that allows outbound access from the Local Host Network to the External Network so that it can forward the SMTP messages to Internet SMTP servers. Note that we are [I]not[/I] allowing anonymous SMTP relay. Anonymous SMTP relays can be used by spammers to send spam through your SMTP server. The result can be excessive bandwidth usage and cost, and even worse, being placed on a blacklist by a dreaded RBLer.[/FONT]
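[FONT=Verdana]Because the whole point of the Access tab settings is "authenticated relay only", you want a repeatable way to confirm it from the outside once the publishing rule and the outbound rule are in place. The script below is an added example, not code from the article or from Microsoft. It speaks plain SMTP to the published server, never authenticates, and asks to relay to a domain that is neither a local domain nor one of the remote domains configured on the virtual server; a hardened server answers that RCPT TO with a 5xx reply, while a 2xx means the server is an open relay. The host names and the 198.51.100.7 address are placeholders, and the canned replies at the bottom are constructed so the check can be exercised offline.[/FONT]

```python
"""Confirm that the published SMTP virtual server refuses anonymous relay.

Added example, not the article's own code. relay_probe() runs an unauthenticated
EHLO / MAIL FROM / RCPT TO exchange for a recipient in a foreign domain and
classifies the reply. ScriptedServer and the reply lists below are constructed
so the logic can run without a network; probe_host() runs it against a live host.
"""
import socket
from typing import List, Tuple

PROBE_SENDER = "relay-check@example.net"   # placeholder sender address
PROBE_RECIPIENT = "someone@example.org"    # must NOT be a local or remote domain on the server


def read_reply(rfile) -> int:
    """Read one SMTP reply, skipping '250-' continuation lines, and return its code."""
    while True:
        raw = rfile.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        if len(line) < 3 or not line[:3].isdigit():
            raise ValueError(f"malformed SMTP reply: {line!r}")
        if len(line) == 3 or line[3] != "-":      # final line of the reply
            return int(line[:3])


def send_command(wfile, command: str) -> None:
    wfile.write((command + "\r\n").encode("ascii"))
    wfile.flush()


def relay_probe(rfile, wfile, sender: str = PROBE_SENDER,
                recipient: str = PROBE_RECIPIENT) -> Tuple[str, int]:
    """Return ('relay-denied' | 'open-relay' | 'aborted', last reply code)."""
    code = read_reply(rfile)                      # 220 banner
    if code != 220:
        return "aborted", code
    for command in ("EHLO relay-check.example.net", f"MAIL FROM:<{sender}>"):
        send_command(wfile, command)
        code = read_reply(rfile)
        if code // 100 != 2:                      # server refused before we reached RCPT TO
            send_command(wfile, "QUIT")
            return "aborted", code
    send_command(wfile, f"RCPT TO:<{recipient}>")
    code = read_reply(rfile)                      # this reply decides the verdict
    send_command(wfile, "QUIT")
    return ("open-relay" if code // 100 == 2 else "relay-denied"), code


def probe_host(host: str, port: int = 25, timeout: float = 15.0) -> Tuple[str, int]:
    """Run the probe against a live server, e.g. the firewall's external address."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with sock.makefile("rb") as rfile, sock.makefile("wb") as wfile:
            return relay_probe(rfile, wfile)


class ScriptedServer:
    """Constructed stand-in for the IIS SMTP service: hands out canned replies in
    order and records what the probe sent, so the exchange runs offline."""
    def __init__(self, replies: List[str]):
        self._replies = list(replies)
        self.sent: List[str] = []
    def readline(self) -> bytes:
        return (self._replies.pop(0) + "\r\n").encode("ascii") if self._replies else b""
    def write(self, data: bytes) -> None:
        self.sent.append(data.decode("ascii").rstrip("\r\n"))
    def flush(self) -> None:
        pass


# Constructed replies modelled on the IIS SMTP service configured as in this
# article: AUTH is offered, anonymous relay to a foreign domain is refused.
HARDENED_REPLIES = [
    "220 isa.example.com Microsoft ESMTP MAIL Service ready",
    "250-isa.example.com Hello [198.51.100.7]",
    "250-AUTH GSSAPI NTLM LOGIN",
    "250 OK",
    "250 2.1.0 relay-check@example.net....Sender OK",
    "550 5.7.1 Unable to relay for someone@example.org",
    "221 2.0.0 isa.example.com Service closing transmission channel",
]

# Same server with anonymous relay left enabled: the foreign RCPT TO is accepted.
OPEN_RELAY_REPLIES = HARDENED_REPLIES[:5] + ["250 2.1.5 someone@example.org", HARDENED_REPLIES[-1]]


def probe_scripted(replies: List[str]) -> Tuple[str, int]:
    """Run relay_probe() against a ScriptedServer built from the given replies."""
    server = ScriptedServer(replies)
    return relay_probe(server, server)


if __name__ == "__main__":
    print("hardened server :", probe_scripted(HARDENED_REPLIES))
    print("open relay      :", probe_scripted(OPEN_RELAY_REPLIES))
```

[FONT=Verdana]Run probe_host() from a machine on the WAN side of the lab router so the connection actually traverses the SMTP Server publishing rule; a 'relay-denied' verdict together with the matching allowed entry in the ISA real time log viewer is the evidence that both the publishing rule and the authentication setting are doing their job.[/FONT]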
[FONT=Verdana]Perform the following steps to create the SMTP outbound access rule from the ISA 2004 firewall:[/FONT]
[LIST=1][FONT=Verdana]
[*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, click the [B]Firewall Policy[/B] node and then click the [B]Tasks[/B] tab on the Task Pane. Click the [B]Create New Access Rule[/B] link.
[*]In the [B]Welcome to the New Access Rule Wizard[/B] page, enter [B]Outbound SMTP[/B] in the [B]Access Rule name[/B] text box. Click [B]Next[/B].
[*]On the [B]Rule Action[/B] page, select the [B]Allow[/B] option and click [B]Next[/B].
[*]On the [B]Protocols[/B] page, select the [B]Selected protocols[/B] option from the [B]This rule applies to[/B] list. Click the [B]Add[/B] button.
[*]In the [B]Add Protocols[/B] dialog box, click the [B]Common Protocols[/B] folder and then double click on the [B]SMTP[/B] protocol. Click [B]Close[/B].
[*]Click [B]Next[/B] on the [B]Protocols[/B] page.
[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27391094810889687.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana][*]On the [B]Access Rule Sources[/B] page, click the [B]Add[/B] button.[*]In the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and double click the [B]Local Host[/B] network. Click [B]Close[/B].[*]Click [B]Next[/B] on the [B]Access Rule Sources[/B] page.[*]On the [B]Access Rule Destinations[/B] page, click the [B]Add[/B] button.[*]In the [B]Add Network Entities[/B] dialog box, click the [B]Networks[/B] folder and double click the [B]External[/B] network. Click [B]Close[/B].[*]Click [B]Next[/B] on the [B]Access Rule Destinations[/B] page.[*]On the [B]User Sets[/B] page, accept the default entry, [B]All Users[/B], and click [B]Next[/B].[*]Click [B]Finish[/B] on the [B]Completing the New Access Rule Wizard[/B] page.[*]Click [B]Apply[/B] to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/FONT][/LIST]
[B]Test the Configuration[/B]
[FONT=Verdana]Now we’re ready to test the configuration. In the first test, we’ll use Outlook Express to send mail to the SMTP service on the ISA 2004 firewall. The Outlook Express client is configured to authenticate with the SMTP server using the default Administrator account on the ISA 2004 firewall machine. In a production environment you would create user accounts on the ISA 2004 firewall machine that external users can use to relay mail through the firewall.
I’ll send an e-mail message to my own user account on Hotmail. We see the following lines in the real time log viewer on the ISA 2004 firewall when sending the message. The lines in red indicate the incoming connection from the Outlook client to the ISA firewall. Notice that the connection is allowed by the [B]SMTP Server[/B] rule. The lines in blue show an outgoing SMTP connection that is allowed by the [B]Outbound SMTP[/B] rule. This connection is the one associated with sending the mail outbound to the Hotmail site. The last entry in the file is the DNS lookup the ISA 2004 firewall does to find the MX record information for the Hotmail site. It’s likely that this took place [I]before[/I] the outgoing mail, but the log file listed it as taking place at the same time as the outgoing mail because the lookup response was so quick.
[IMG]http://www.isaserver.org/img/upl/Image27401094810897843.gif[/IMG]
When we go to the Hotmail site to retrieve the message, we see what appears below. You see that the message was received by [B]ISALOCAL[/B] from [B]xpprosp1[/B] and then the hotmail.com server received the message from [B]ISALOCAL[/B]. Notice that the IP address listed for ISALOCAL actually represents the IP address on the external interface of the network router and not the IP address of the ISALOCAL machine itself.
[/FONT][FONT=Courier New] Received: from ISALOCAL ([209.30.181.91]) by mc4-f12.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Tue, 13 Jul 2004 21:15:13 -0700
Received: from xpprosp1 ([192.168.1.172]) by ISALOCAL with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 23:12:36 -0500
X-Message-Info: JGTYoYF78jHHLX5R9IFBtsCYF3X+PLrD
Message-ID: <000801c46958$ca281700$ac01a8c0@msfirewall.org>
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook Express 6.00.2800.1158
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1165
Return-Path: [EMAIL="tshinder@tacteam.net"]tshinder@tacteam.net[/EMAIL]
X-OriginalArrivalTime: 14 Jul 2004 04:12:36.0626 (UTC) FILETIME=[CB8CD720:01C46958]
[/FONT][FONT=Verdana]Now let’s test the FTP site functionality. Put some files in the FTPROOT directory on the ISA firewall. Then from the external client open a command prompt and enter [B]ftp 192.168.1.70[/B] and press ENTER. Enter [B]Administrator[/B] for the user and press ENTER. Enter the Administrator’s password and press ENTER. Enter [B]dir[/B] and press ENTER. You’ll see a list of files. To download a file, you can use the [B]GET[/B] command. To upload a file you can use the [B]PUT[/B] command.[/FONT]
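[FONT=Verdana]The two Received headers shown above can also be checked automatically. The Python script below is an added example, not code from the original article: it parses those headers, orders the hops from origin to destination, confirms that each receiving host is the sending host named by the next hop, flags ISALOCAL as a host recorded with the router's public address rather than its own, and computes the delay between hops using each header's own timezone offset.[/FONT]

```python
import re
import ipaddress
from email.utils import parsedate_to_datetime

# The two Received headers quoted in the article, in the order they appear in the message
# (the most recent hop is listed first).
RECEIVED_HEADERS = [
    "Received: from ISALOCAL ([209.30.181.91]) by mc4-f12.hotmail.com "
    "with Microsoft SMTPSVC(5.0.2195.6824); Tue, 13 Jul 2004 21:15:13 -0700",
    "Received: from xpprosp1 ([192.168.1.172]) by ISALOCAL "
    "with Microsoft SMTPSVC(6.0.3790.0); Tue, 13 Jul 2004 23:12:36 -0500",
]

# Layout written by Microsoft SMTPSVC: from <host> ([<ip>]) by <host> with <agent>; <date>
HOP_RE = re.compile(
    r"^(?:Received:\s*)?from\s+(?P<helo>\S+)\s+\(\[(?P<ip>[\d.]+)\]\)\s+"
    r"by\s+(?P<by>\S+)\s+with\s+(?P<agent>.+?);\s*(?P<date>.+)$"
)

def parse_received(header):
    """Split one Received header into its fields; the date becomes a timezone-aware datetime."""
    m = HOP_RE.match(header.strip())
    if not m:
        raise ValueError("unrecognised Received header: " + header)
    return {"helo": m["helo"], "ip": m["ip"], "by": m["by"],
            "agent": m["agent"], "time": parsedate_to_datetime(m["date"])}

def trace_path(headers):
    """Each hop prepends its own Received line, so reverse to get origin-to-destination order."""
    return [parse_received(h) for h in reversed(headers)]

def chain_is_consistent(hops):
    """True when the receiving host of each hop is the sending host named in the next hop."""
    return all(a["by"] == b["helo"] for a, b in zip(hops, hops[1:]))

def nat_translated_hosts(hops):
    """Hosts that took mail from a private-address peer but were seen by the next hop with a
    public address: that public address belongs to the NAT device in front of them."""
    return {b["helo"]: b["ip"] for a, b in zip(hops, hops[1:])
            if ipaddress.ip_address(a["ip"]).is_private
            and not ipaddress.ip_address(b["ip"]).is_private}

def hop_delays(hops):
    """Seconds between consecutive hops, computed with each header's own UTC offset."""
    return [(b["time"] - a["time"]).total_seconds() for a, b in zip(hops, hops[1:])]

if __name__ == "__main__":
    hops = trace_path(RECEIVED_HEADERS)
    for h in hops:
        print(f"{h['helo']} [{h['ip']}] -> {h['by']} at {h['time'].isoformat()}")
    print("chain consistent:", chain_is_consistent(hops))
    print("hosts recorded with a NAT public address:", nat_translated_hosts(hops))
    print("hop delays (s):", hop_delays(hops))
```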
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27411094810906625.gif[/IMG][/FONT]
[FONT=Verdana]Let’s try a PUT command. We’ll put the [B]boot.ini[/B] file located in the root directory on the client on the FTP site. The figure below shows the command sequence. Notice that there’s a [B]550 Access is denied[/B] message. What’s up with that?[/FONT]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27421094810914531.gif[/IMG][/FONT]
[FONT=Verdana]The answer is that the ISA 2004 firewall is a [I]firewall[/I], not a packet filter or a NAT server. The default settings are the secure settings, and it’s much more secure to allow downloads [I]only[/I], as allowing uploads to an FTP site can put a server at extreme risk of compromise. We must make a change to the FTP Server Publishing rule to allow FTP uploads.[/FONT]
[FONT=Verdana]Perform the following steps to make the required changes:[/FONT]
[LIST=1][FONT=Verdana][*]In the [B]Microsoft Internet Security and Acceleration Server 2004[/B] management console, click on the [B]Firewall Policy[/B] node and then right click on the [B]FTP Server[/B] Server Publishing Rule. Click on the [B]Configure FTP[/B] command.[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27431094810922500.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana][*]Remove the checkmark from the [B]Read-only[/B] checkbox. Click [B]Apply[/B] and then click [B]OK[/B].[/FONT][/LIST]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27441094810931015.gif[/IMG][/FONT]
[LIST=1][FONT=Verdana][*]Click [B]Apply[/B] to save the changes and update the firewall policy.[*]Click [B]OK[/B] in the [B]Apply New Configuration[/B] dialog box.[/FONT][/LIST]
[FONT=Verdana]Now we’ll log off the FTP site and log on again. Try the PUT command again and you’ll see what happens in the figure below.[/FONT]
[FONT=Verdana][IMG]http://www.isaserver.org/img/upl/Image27451094810938500.gif[/IMG][/FONT]
[FONT=Verdana]The final test is to use the Web browser on the external client to access the Web site. Enter [B][URL]http://192.168.1.70[/URL][/B] into the [B]Address[/B] bar and press ENTER. You’ll see the default Web site. [/FONT]
[B]Summary[/B]
[FONT=Verdana]In this article we went over the theory and practice of creating a single NIC ISA 2004 firewall. This type of setup may be of use in an ISP co-lo configuration or when you need to put an ISA firewall between two packet filter-based firewalls. This variant of the single NIC configuration allows you to use many ISA firewall features that would otherwise be unavailable in a true single NIC configuration.
[/FONT]
[/LEFT]