Configuring ISA Server, part 8

This example represents only one of many possible scenarios in which you can deploy the SMTP Message Screener. Other scenarios include having Exchange Server on the ISA server and running the Message Screener on the same machine as the Exchange server. We have found this configuration to be the most reliable and easy to set up. Note that with this configuration, inbound mail is limited to the mail domain you configured in the IIS 5.0 SMTP server, and the internal Exchange (or other) mail server is able to accept SMTP messages destined for all domains. The IIS SMTP server protects your mail server from spammers trying to spam other domains through your server, because it drops messages destined for domains outside the ones you configure on the IIS 5.0 SMTP server. External SMTP messages never arrive at the internal mail server without being handled by the IIS SMTP server.

Designing Perimeter Networks

A perimeter network is a security zone where all hosts on the network have public IP addresses. ISA Server supports perimeter network configuration by placing the perimeter network segment on a third interface on the ISA server or by placing the perimeter network between two ISA servers. You also have the option of mixing ISA Server with another firewall product in the back-to-back perimeter network configuration.

Perimeter networks allow you to publish servers without needing to change your IP addressing scheme or DNS server configuration. Requests into and out of a perimeter network are routed by the ISA server rather than being translated, as they are when servers are contained within an internal network.

Another advantage of using perimeter networks is that Internet traffic never enters your internal network. All Internet traffic can be segregated by placing all servers that receive requests from the Internet on a perimeter network. This has beneficial security implications.
If an intruder is able to break into a server on the perimeter network, they do not automatically have access to your internal network. The reason for this is that the perimeter is just another untrusted network to machines on the internal network. When you partition your Internet traffic on the perimeter network, you also reduce the amount of internal network bandwidth used up by Internet users accessing resources on Web servers. However, we should point out that you can also accomplish this by routing your internal network in such a way that Internet traffic does not impact your internal network's available bandwidth.

Limitations of Perimeter Networks

While placing servers such as E-mail, FTP, and Web on a perimeter network does have some advantages, there are some significant disadvantages to using perimeter network configurations with ISA Server:

· You cannot use Web or Server Publishing Rules to publish servers.
· All access into and out of the perimeter network is controlled by static packet filters.
· Packet filter access control is limited to an IP address or a subnet.
· Configuring communications between perimeter network hosts and the internal network is cumbersome.

Because communications with the perimeter network are not run through the ISA Server rules engine, you must use packet filters to control access to servers on the perimeter network. As you have seen, access control using packet filters is somewhat limited. When using the wizard to create the packet filter, you can configure a Remote Host entry for a single IP address. After creating the packet filter you can open the Properties dialog box for the filter and include an entire subnet. However, you cannot use Client Address Sets to control access.

Controlling communications between internal network clients and hosts on the perimeter network can be somewhat challenging.
Since the hosts on the perimeter network are treated like any other untrusted external network host, you must create publishing rules for the services on the internal network in order for the perimeter network hosts to communicate with the internal clients. This might present a problem in the rare event that you need to publish a NetBIOS-dependent server on the internal network. An example might be a SQL server that is not using SQL authentication. However, in this instance, you can configure it to use SQL authentication and obviate the need for NetBIOS. Another example might be an ISA server that is a member of a Windows NT 4.0 domain, which requires NetBIOS communications for authentication. One way to work around this is to configure the perimeter network host to use a VPN connection to the internal network client. By using a VPN connection, the nature of the communications between the perimeter network hosts and the internal network hosts is not exposed even if security is breached and an intruder is able to install sniffing software on a perimeter network server.

Perimeter Network Configurations

Two types of perimeter network configurations are popular with ISA Server:

· Tri-homed ISA Server
· Back-to-Back ISA Servers

Let's take a closer look at each of these perimeter network configurations.

Back-to-Back ISA Server Perimeter Networks

A back-to-back perimeter network consists of two ISA server computers:

· An ISA server directly connected to the Internet.
· An ISA server connected to the internal network.

The ISA server connected to the Internet can be considered the "external" ISA server and the ISA server connected to the internal network can be considered the "internal" ISA server. Figure 9.26 shows how you might configure such a back-to-back perimeter network.

Figure 9.26 Back-to-Back Perimeter Network Configuration

When configuring a back-to-back perimeter network, you need to do the following:

1. On the external ISA server, place the IP addresses of the hosts on the perimeter network in the LAT.
2. Use Server and Web Publishing Rules on the external ISA server to make servers on the perimeter network available to external clients.
3. On the internal ISA server, include only the internal network IP addresses in the LAT. Do not put the perimeter network IP addresses in the LAT of the internal ISA server.
4. Use Server and Web Publishing Rules to allow perimeter network hosts to communicate with internal network clients.

If you notice something a little funny here, then you have been paying attention. Remember we said that you must use packet filters to publish services on a perimeter network? If that is true, then why are we now saying that you can use Publishing Rules to allow access to resources on the back-to-back perimeter network?

The reason is that when you configure a perimeter network in this way, without doing anything else, communications between Internet clients and hosts on the perimeter network are translated rather than routed. By virtue of placing the perimeter network host IP addresses on the LAT, you have made them part of the "internal" network, from the vantage point of the external ISA server. All communications between computers on the LAT and external network hosts are translated and not routed. You do not have the option of changing this behavior unless you remove the clients on the perimeter network from the LAT.

The problem is that when you try to remove the perimeter host IP addresses from the LAT, ISA Server gets upset. You will get an error message indicating that there must be at least one IP address in the LAT. You'll see the same error message if you try to install ISA Server and not include any IP addresses in the LAT. There is a way to work around this situation.
If you do not want your perimeter network communications to be translated, you have to add another network adapter that will support what we'll call a "bogus" interface. The bogus interface will be used for the IP address to put into the LAT. You can create such an interface by installing the Microsoft Loopback Adapter. After the loopback adapter is installed, configure it to use a private IP address such as 192.168.254.1. After installing the loopback adapter, you can then remove the perimeter network addresses from the LAT. This will allow you to route, rather than translate, communications between the perimeter network and the external network. At this point you will need to configure packet filters to support communications between the external network and the perimeter network.

If you do choose to add a third interface on the external ISA server to support routing packets to the perimeter network in a back-to-back configuration, you will also need to make the following changes:

1. On the external ISA Server, enable IP routing.
2. On the external ISA Server, enable packet filtering.

Keep in mind that with this kind of configuration, services can be published only by using packet filters. You will not be able to use Server and Web Publishing Rules.

SECURITY ALERT! Note that while you can configure your back-to-back network to route packets through the ISA Server, this is not the preferred configuration. Remember that the purpose of the perimeter network is to isolate your internal network from Internet traffic. You are able to accomplish this even when the traffic moving to and from the perimeter network is translated. Given that the server publishing method is more secure, you should consider this the preferred method of publishing services on the back-to-back perimeter network.
Tri-homed ISA Server Perimeter Networks

A tri-homed perimeter network configuration has the internal network interface and the perimeter network interface directly connected to the same ISA server. In this case, a single standalone ISA Server or an ISA Server array member is used to connect all three interfaces. As we noted previously, this is the only configuration in which you can route packets to the perimeter network rather than translating them. In fact, the workaround we came up with creates a tri-homed ISA server although, in the above example, the third interface to the internal network was a "dummy" interface. A tri-homed ISA server configuration would look something like what is seen in Figure 9.27.

Figure 9.27 A Tri-homed ISA Server

When configuring a tri-homed ISA server, perform the following steps:

1. Install an interface with a public IP address that is directly connected to the Internet.
2. Install a second interface with a public IP address that will be used for the perimeter network.
3. Install a third interface that will be used for the private network.
4. Place only the private network IP addresses in the LAT. Do not place the perimeter network IP addresses into the LAT.
5. Enable IP routing.
6. Enable packet filtering.

To publish resources on the perimeter network, you will need to use packet filters. There are not many reasons to publish servers in a tri-homed DMZ configuration: Server and Web Publishing offer a lot more features and are a more secure configuration. The one instance where publishing servers on a perimeter network might be useful is when you wish to publish an FTP server on an alternate port number. If you try to create a Protocol Definition and a Server Publishing Rule that allows inbound access to an alternate port number on an FTP server, it will fail.
While you could make the FTP server a Firewall Client and then create a wspcfg.ini file to support the alternate port, it is better to put the FTP server on a perimeter network that does not perform translation. The external clients will be able to access the FTP server on the perimeter network through the alternate port number.

Publishing Services on a Perimeter Network

When using packet filters to publish servers on a perimeter network, you have to be mindful of all required communications that must move into and out of the perimeter network. For example, suppose you want to publish a Web server on the perimeter network. You would need to configure a packet filter that allowed inbound access to port 80 on the perimeter network. To do this, perform the following steps:

1. Right click on the IP Packet Filters node in the left pane, click New, and then click Filter.
2. On the Welcome page, give the filter a name, and click Next.
3. On the Filter Mode page, select the Allow packet transmission option, and click Next.
4. On the Filter Type page, select the HTTP servers (port 80) predefined packet filter, and click Next.
5. On the Local Computer page, select the This computer (on the perimeter network) option button, and type in the IP address of the Web server on the perimeter network. Then click Next.
6. On the Remote Computers page, select either All remote computers or Only this remote computer, and then type in the IP address of the remote computer. If you need to allow a group of remote computers, you can configure a subnet of computers to allow access; this option is available after you have completed the wizard. Click Next.
7. After reviewing your selections, click Finish.
8. Double click on the packet filter you created, and click on the Remote Computer tab. Note that you have the options to apply the filter to a single remote computer or a range of computers.
In addition, if you click on the Local Computer tab, you can allow packets through to the entire subnet, or to a group of computers denoted by a network ID and subnet mask.

What if you need to provide access to a Web server on the perimeter network to more than one client, or to several groups of clients? It's clear that you cannot do this by creating a single packet filter, because you only have the option to control access by Remote Computer by specifying a single IP address or subnet. There are likely to be many occasions where you would like to limit access to a select few computers or subnets, but a single filter won't accomplish the task.

You can solve this problem by creating multiple packet filters for port 80. Each packet filter will be searched by the ISA server to allow access from the appropriate client. Therefore, if you created one packet filter that allowed inbound port 80 from remote hosts 222.222.222.0/24, you can create a second packet filter that would allow access from 111.111.111.0/24. All hosts from both network IDs would then have access to port 80 on the perimeter network client.

After the server is published by the packet filter, inbound requests to port 80 on that perimeter network host will be allowed. The ISA server will automatically allow the response to the external host by opening a dynamic packet filter.

If your perimeter network hosts need access to name resolution services, you will need to configure a packet filter that allows DNS queries outbound from the perimeter network. It's very common for administrators to forget about name services for the perimeter network. We recommend that the first packet filter you create for the perimeter network be one that allows DNS queries.

Publishing FTP Servers on a Perimeter Network

Publishing FTP servers on the perimeter network presents a special challenge. The reason is that there are two types of FTP clients that may connect to your FTP server.
The two types of FTP server connections you might want to support on the perimeter network are:

· PASV servers
· Standard servers

To create a packet filter to support FTP servers that work with PASV mode FTP clients, you need to create a packet filter with the following specifications:

FTP Server – PASV
    Protocol: TCP
    Direction: Both
    Local Port: Dynamic (Ports 1025-5000)
    Remote Port: Any

To create packet filters to support FTP servers that work with standard FTP clients (which send PORT commands), you need to create two packet filters:

FTP Server – Inbound
    Protocol: TCP
    Direction: Inbound
    Local Port: 21
    Remote Port: All Ports

FTP Server – Outbound
    Protocol: TCP
    Direction: Both
    Local Port: 20
    Remote Port: All Ports

Enabling Communication between Perimeter Hosts and the Internal Network

As we mentioned earlier, servers on the perimeter network are considered external, untrusted network hosts. In order to allow machines on the perimeter network to initiate communications with those on the internal network, you will need to publish those servers on the internal network. Perimeter network hosts will access the published servers as would any other external network client. The main difference in the publishing of the internal server is that instead of allowing all hosts on the external network to communicate with the internal server, you will just let the server on the perimeter network communicate with it. If you require multiple servers on the perimeter network to communicate with an internal server, you can take advantage of Client Address Sets and include the perimeter network servers in a Client Address Set that you would use in your publishing rule.

For example, suppose you need your Web server on the perimeter network to communicate with a SQL server on the internal network. You can use the Microsoft SQL Server Protocol Definition to create the rule.
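The static packet filter semantics described in the preceding sections (one local computer or subnet, one remote computer or subnet, protocol, direction and ports per filter; one filter per permitted remote subnet on port 80; the three FTP filters; an outbound DNS filter first) can be checked against sample packets before the filters are typed into the wizard. The following Python model is an added example, not code from the chapter or from ISA Server; the 198.51.100.x perimeter addresses, the 203.0.113.x remote addresses and the filter names are constructed, while the 222.222.222.0/24 and 111.111.111.0/24 subnets and the FTP port specifications come from the text above.

```python
"""Model of ISA Server 2000 static packet filters on a perimeter network.

Added example (not from the chapter or from ISA Server). Each static filter
names one local computer or subnet, one remote computer or subnet, a
protocol, a direction and local/remote ports; the ISA server searches the
filters for one that allows the packet. All IP addresses except the two
remote subnets quoted from the chapter are constructed sample values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY = "any"               # "All Ports" / "Any" in the wizard
ALL_REMOTE = "0.0.0.0/0"  # "All remote computers"


@dataclass(frozen=True)
class Filter:
    name: str
    protocol: str       # "tcp" or "udp"
    direction: str      # "inbound", "outbound" or "both"
    local: str          # perimeter host (x.x.x.x) or subnet (x.x.x.x/nn)
    local_port: object  # int, (low, high) inclusive range, or ANY
    remote: str         # remote host or subnet
    remote_port: object


@dataclass(frozen=True)
class Packet:
    protocol: str
    direction: str      # "inbound" = Internet -> perimeter, "outbound" = reverse
    local_ip: str       # perimeter-network address
    local_port: int
    remote_ip: str      # Internet address
    remote_port: int


def port_matches(spec, port):
    if spec == ANY:
        return True
    if isinstance(spec, tuple):
        low, high = spec
        return low <= port <= high
    return spec == port


def addr_matches(spec, addr):
    # A bare host address becomes a /32 network, so one check covers both
    # "Only this remote computer" and a network ID plus subnet mask.
    return ip_address(addr) in ip_network(spec, strict=False)


def filter_allows(f, p):
    return (f.protocol == p.protocol
            and f.direction in ("both", p.direction)
            and addr_matches(f.local, p.local_ip)
            and port_matches(f.local_port, p.local_port)
            and addr_matches(f.remote, p.remote_ip)
            and port_matches(f.remote_port, p.remote_port))


def evaluate(filters, packet):
    """Name of the first filter allowing the packet, or None if it is dropped.

    Only static filters are modelled; the dynamic filter ISA Server opens
    for the reply to an allowed request is outside this model.
    """
    for f in filters:
        if filter_allows(f, packet):
            return f.name
    return None


WEB_SERVER = "198.51.100.10"   # constructed perimeter Web server address
FTP_SERVER = "198.51.100.20"   # constructed perimeter FTP server address
PERIMETER = "198.51.100.0/24"  # constructed perimeter network ID

# The chapter's filter set: DNS first (the one administrators forget), one
# port-80 filter per permitted remote subnet, and the three FTP filters.
PERIMETER_FILTERS = [
    Filter("DNS query (perimeter to Internet)", "udp", "outbound",
           PERIMETER, ANY, ALL_REMOTE, 53),
    Filter("HTTP server from 222.222.222.0/24", "tcp", "inbound",
           WEB_SERVER, 80, "222.222.222.0/24", ANY),
    Filter("HTTP server from 111.111.111.0/24", "tcp", "inbound",
           WEB_SERVER, 80, "111.111.111.0/24", ANY),
    Filter("FTP Server - PASV", "tcp", "both",
           FTP_SERVER, (1025, 5000), ALL_REMOTE, ANY),
    Filter("FTP Server - Inbound", "tcp", "inbound",
           FTP_SERVER, 21, ALL_REMOTE, ANY),
    Filter("FTP Server - Outbound", "tcp", "both",
           FTP_SERVER, 20, ALL_REMOTE, ANY),
]


def check_web_access(remote_ip):
    """Which filter, if any, admits an inbound HTTP request from remote_ip."""
    return evaluate(PERIMETER_FILTERS,
                    Packet("tcp", "inbound", WEB_SERVER, 80, remote_ip, 40000))


if __name__ == "__main__":
    for ip in ("222.222.222.5", "111.111.111.9", "203.0.113.7"):
        print(ip, "->", check_web_access(ip))
```

Running the module shows the limitation the chapter describes: a host in a subnet without its own port-80 filter (203.0.113.7 here) is dropped, and adding a second remote subnet means adding a second filter rather than editing the first.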
After publishing the internal SQL Server, the Web server on the perimeter network will be able to initiate an inbound connection to the published server on the private network.

If the Web server, or any other server on the perimeter network, needs to resolve names on the internal network, you will need to publish the internal DNS server and allow the servers on the perimeter network to access this server. This can get tricky because if the server on the perimeter network needs to resolve both internal and external host names, there's no way for you to get the server to "switch" which server it uses to resolve names. Therefore, consider having the perimeter network host always use the internal DNS server and then configure the internal DNS server to use a Forwarder that can resolve Internet names. The internal DNS server will then be able to resolve the external host names for the perimeter network server. Remember, only allow the perimeter network servers access to the internal DNS server. You do not want to publish the internal network's DNS server to all other external network users.

Bastion Host Considerations

A bastion host is a machine that interacts with the Internet and protects your internal resources. There are actually a number of definitions for bastion host. For example, your ISA server that directly connects to the Internet is a bastion host. Another example of a bastion host is the Web or E-mail server you put on the perimeter network. What all of these machines have in common is that they directly interact with computers on the external network. Servers on the internal network are not bastion hosts because the ISA server mediates all communications between the internal servers and the Internet clients. The purpose of the bastion host is to protect your internal network.
While many observers feel that the bastion host should be considered a form of "sacrificial lamb," many others feel that the bastion host should be the most secure machine under your control. Windows 2000 installs a lot of services by default, and any service running on the bastion host provides a potential vector for attack by an intruder. The key to good bastion host configuration is to remove all services and applications that are not required in order for the bastion host to do its job.

And herein lies the rub. The job of the ISA server acting as a bastion host is to protect the internal network and provide sophisticated packet filtering and routing to servers on perimeter networks. The job of the ISA server acting as bastion host is not to run Exchange 2000 or SQL 2000 or any other memory, disk, or network intensive application. These applications tend to be mission critical, and in the event of a break-in, the ISA server and whatever else is on it will be the first to be destroyed or compromised. Therefore, we strongly recommend that you do not install any other server application on the ISA server acting as bastion host. However, if you are implementing the ISA server as a Caching-only server on the edge of a departmental network connecting to the corporate backbone, then you may consider such a configuration.

Configuring the Windows 2000 Bastion Host

When configuring the Windows 2000 machine that runs ISA Server as a bastion host, the first thing you should do is disable the Client for Microsoft Networks. However, if you are running IIS on the ISA server machine, you should not do this, because IIS will not start if you disable the Client for Microsoft Networks. Be sure to disable this service on each network adapter.

Another networking feature that is not required on the ISA server is the NetBIOS interface. You can disable the NetBIOS interface from the Advanced TCP/IP dialog box.
However, this only disables attaching to Windows shares through the NetBIOS interface. Windows 2000 features a new way to access SMB shares through a method called direct hosting. This method uses DNS for name resolution, and shares are connected to via TCP port 445. In order to prevent an intruder from attaching to a share via direct hosting, you need to disable nbt.sys (the NetBIOS over TCP/IP driver). To do this, perform the following steps:

1. Right click on the My Computer object on the desktop, and click Manage.
2. Click on the Device Manager node in the left pane. Then click the View menu, and click Show Hidden Devices.
3. Right click on the NetBIOS over Tcpip node in the right pane, and click Disable.

This procedure will disable connecting to SMB shares on the ISA Server.

Disabling Services

Now it's time to take a sledgehammer to the machine. What we want to do here is disable all services that are not absolutely required. The point is to run only the absolutely required services. To begin, open the Services applet from the Administrative Tools menu.
After the Services applet is opened, disable all services except the following:

· Terminal Server
· DNS Client
· Event Log
· Logical Disk Manager
· Network Connections
· Plug and Play
· Protected Storage
· Remote Procedure Call
· RunAs Service
· Security Account Manager
· Task Scheduler
· Windows Management Instrumentation
· Windows Management Instrumentation Driver Extensions
· Windows Media Services (if you are running live stream splitting), including the Monitor service, Program service, Station service, and Unicast service
· Windows Time Service
· System Event Notification
· Routing and Remote Access Service (unless you are using VPN)
· QoS RSVP
· Performance Logs and Alerts
· Microsoft Web Proxy
· Microsoft Scheduled Content Download Service
· Microsoft ISA Server Server Control
· Microsoft Identd Simulation Service
· Microsoft H.323 Gatekeeper
· Microsoft Firewall
· COM+ Event System
· Remote Access Connection Manager
· Telephony

You may be able to get away with fewer services, and you may require more. After making the changes, reboot the system. If the system does not boot, then reboot and enter the Last Known Good configuration and check the Event Log to see which service has stalled the reboot. If the system is able to start, but something doesn't work correctly, check the Event Log to assess what the problem might be.

Summary

In this chapter, we covered some important concepts in inbound access control. Packet filters are used to control ingress and egress through the external interface. Application filters can be used to affect the flow of information through the ISA server to the internal network. You learned the difference between static packet filtering and dynamic (or stateful) packet filtering, and you found out when and how to create manual packet filters.
We discussed "routing" between public and private networks and the implications of various packet-filtering and IP-routing scenarios that you might encounter on a Windows network on which ISA Server is deployed. You learned how you can run applications and services on your ISA server (and received a strong suggestion that you dedicate a machine to running ISA and run few, if any, other applications on that machine). We also discussed how to use the built-in intrusion detection functionality of ISA, and finally, we gave you some tips on how to best design a DMZ, or perimeter network, using ISA Server. In the next chapter, you will find out how to publish servers and services to the Internet.

Solutions Fast Track

Configuring ISA Server Packet Filtering

· Packet filtering is the process of examining the TCP and IP header information to assess whether a packet should be allowed to enter or leave the external interface of the ISA server.
· When packet filtering is enabled, only packets for which a filter has been configured are allowed to pass through the external interface of the ISA server.
· Static packet filters allow you to permanently open or close access to packets of your choice.
· Packet filtering must be enabled in order to enable intrusion detection. ISA Server can be configured to detect a limited number of intrusion types.

Application Filters That Affect Inbound Access

· The RPC filter, when enabled, allows you to publish internal servers that use RPC communications. RPC, or remote procedure call, is a message-passing mechanism that allows a distributed application to call services that are available on various computers on a network.
· SMTP is a member of the TCP/IP protocol suite, used for exchanging e-mail across the Internet.

Designing Perimeter Networks

· A perimeter network is a security zone where all hosts on the network have public IP addresses.
· A tri-homed perimeter network configuration has the internal network interface and the perimeter network interface directly connected to the same ISA server.
· Publishing FTP servers on the perimeter network presents a special challenge. The reason is that there are two types of FTP clients that may connect to your FTP server: PASV servers and Standard servers.
· A bastion host is a machine that interacts with the Internet and protects your internal resources.

Frequently Asked Questions

Q: How can I allow an internal client to ping an external address?

A: In order for an internal client to ping an external IP address, you must configure the client as a SecureNAT client and enable IP routing on the ISA server. Note that you do not need to disable the Firewall Client software to do this. All you need is to configure a default gateway that routes to the internal interface of the ISA server, and it will be able to ping external hosts.

Q: I want to be able to ping internal clients from a computer on the Internet. However, when I enable IP routing and configure the ICMP Ping Query filters, it does not work. Why is this?

A: You cannot ping clients on the internal network from the Internet or from any external network. The reason is that external clients can only access internal clients when the internal clients have been published. In essence, you would have to make the internal clients a "ping server." However, the Server Publishing Rules only support TCP and UDP protocols, so you cannot even create such a server.

Q: How can I filter attachments on inbound e-mail?

A: Enable and configure the SMTP filter, then install and configure the Message Screener. Remember that the Message Screener needs to be installed on a computer running IIS 5.0. The preferred configuration is to place the Message Screener on an IIS server on the internal network.

Q: How can I allow internal clients to use PPTP to access external VPN servers?

A: Enable the SecureNAT PPTP packet filter.
Keep in mind that once the PPTP filter is enabled, all computers on the network will have access to this filter. The reason is that you can only create access controls for TCP and UDP based protocols. Since PPTP uses GRE, you cannot place access controls over this protocol.

Q: I would like to attach a modem to my computer that already has an external interface and use it for a backup route for both inbound and outbound access. Can I do that?

A: No. ISA Server was designed, for security reasons, to have a single external network access point. If you want to use the modem for a backup route, install a second ISA server and configure it as backup to the main ISA Server.

Date posted: 14/08/2014, 04:21
