Sunday, April 1, 2007

Where Do I Place My ISA and DMZ?

With the introduction of Exchange 2007, there's been a lot of upselling of ISA Server. Don't get me wrong, ISA 2006 is an awsome firewall, it's rock solid. So the question now exist, i've got my superb Exchange 2007 now in my internal network and i wan't to use ISA to protect my Exchange resources (MAPI publishing, RPC-HTTPS, OWA, etc). Where do i place my ISA and my DMZ?

Simple, look at sample diagram below;, now you don't need to pay consultants thousands of bucks to design something like this. (Note, this is perhaps a setup ideal for a small to medium organization)

Let me explain a little of this diagram above

  1. My first firewall is my traditional firewall. This box should filter all those incoming traffic not explicitly allowed by your organization. Outgoing packets can go freely without restrictions. Later, i will share why you can confidently do this and therefore reduce complexity in your network.

  2. The DMZ is placed in between the ISA and my 1st FW. Please note, this server is now "published" by the 1st FW and not ISA. In here, you should only keep boxes that will not contain data for a long time (a temp repository) like a web server, smtp server etc..

  3. Finally, the ISA comes in. ISA's default GW is the 1st FW.

Lets talk about NAT.

1stFW (liveIP) --NAT/Route --> ISA --NAT/Route > Internal Networks

So, the DMZ IP network will act as ISA's external network but you can still use private IP addresses. Some of these IPs will be the publishing IP for your internal networks, just imagine them as public IPs.

Another huge benefit of having ISA there is to do Proxy-ing. Now that i've mentioned to allow all traffic outbound on the 1stFW, ISA takes the responsibility to ensure certain ports and protocols are allowed. Doing this, having one place for internal to external traffic control simplifies management of security in your network. Users can be authenticated and authorized to sites or services that are allowed by your organization policies.

Even VPN should work fine in this design where ISA can terminate the VPN connection after a NAT done by the 1st FW.

Got a better idea? Share with us here. Write me ..
Post a Comment