Securing the Design


ISA Server secures your connection to the Internet or to remote sites and extranets. Security decisions for implementing ISA Server are discussed in the following sections. Figure 5.11 shows the process for securing the design.

Figure 5.11: Securing the Design

Connecting Remote Sites Using ISA Server

Using ISA Server to connect remote offices provides the following benefits:

  • Remote offices can be connected to each other through the Internet using a virtual private network (VPN).

  • Hierarchical caching can be implemented across the wide area network (WAN) on ISA Server-based computers.

Securing Network Perimeters with ISA Server

A perimeter network, also known as a screened subnet, is a network that is set up separately from an organization's private network and the Internet. The perimeter network allows external users access to the specific servers located in the perimeter network, while preventing access to the internal network. In addition, an organization might allow very limited access from computers in the perimeter networks to computers in the internal network.

A perimeter network is commonly used for deploying the e-mail and Web servers. The perimeter network can be set up using either of the following configurations:

  • Back-to-back perimeter network configuration with two ISA Server-based computers on either side of the perimeter network.

  • Three-homed ISA Server-based computer with both the perimeter and internal network protected by the same computer.

Designing a Back-to-Back Perimeter Network

In a back-to-back perimeter network configuration, two ISA Server-based computers are located on either side of the perimeter network. Figure 5.12 shows a back-to-back perimeter network configuration.

Figure 5.12: Back-to-Back Perimeter Network

Both ISA Server-based computers are set up in integrated or firewall mode. This configuration reduces the risk of compromise because anyone attempting to reach the internal network from the Internet must pass through both systems, not just one.

Perform the following steps to make the servers on the perimeter network available to Internet clients:

  1. Configure the local address table (LAT) on the ISA Server-based computer that is connected to the internal network to include the IP addresses of the computers in the internal network.

  2. Configure the LAT on the ISA Server-based computer connected to the Internet to include the IP address of the ISA Server-based computer connected to the internal network, and the IP addresses of all the publishing servers in the perimeter network.

  3. Create a Web publishing rule on the ISA Server-based computer connected to the Internet to publish the Web server.

  4. Create a server publishing rule on the ISA Server-based computer connected to the Internet to publish the e-mail server, and configure the rule to apply to the e-mail server.

  5. Create a Web publishing rule to publish the Web server, and configure the rule to redirect requests to the hosted site.

With this back-to-back perimeter network design, selected traffic can reach the e-mail or Web server without entering the internal network. This example publishes the e-mail and Web servers without exposing the internal network to the Internet.

Designing a Three-Homed Perimeter Network

In a three-homed perimeter network, a single ISA Server-based computer is set up with three network adapters:

  • The first network adapter connects to clients on the internal network.

  • The second network adapter connects to the servers located in the perimeter network.

  • The third network adapter connects to the Internet.

Figure 5.13 illustrates the three-homed perimeter network configuration.

Figure 5.13: Three-Homed Perimeter Network

Perform the following configuration steps for the three-homed ISA Server perimeter network:

  • Configure the LAT to include all of the addresses on the internal network. The LAT should not include the addresses on the perimeter network.

  • Enable packet filtering and IP routing.

  • Create IP packet filters for each of the servers in the perimeter network. For each IP packet filter, specify the local computer as the IP address of the corresponding server on the perimeter network.
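The two procedures above (the back-to-back LAT steps and the three-homed LAT and packet-filter steps) both hinge on what the local address table contains, because ISA Server treats LAT addresses as trusted internal hosts. The following script is an added example, not code from the Deployment Kit or from ISA Server itself: it models each design's LAT rules as checks over a planned configuration and reports deviations before the servers are built. All addresses, server names and the packet-filter record shape are constructed sample values, not values from the page.

```python
"""Design-time checks for ISA Server LAT contents against the back-to-back
and three-homed perimeter designs. Added example with constructed sample data."""
import ipaddress
from typing import Dict, Iterable, List


def _as_network(entry: str) -> ipaddress.IPv4Network:
    # LAT entries may be written as single hosts or as CIDR ranges.
    return ipaddress.ip_network(entry, strict=False)


def lat_covers_host(lat: Iterable[str], host: str) -> bool:
    """True if any LAT entry contains the given host address."""
    ip = ipaddress.ip_address(host)
    return any(ip in _as_network(e) for e in lat)


def lat_covers_network(lat: Iterable[str], network: str) -> bool:
    """True if the whole network lies inside a single LAT entry."""
    net = _as_network(network)
    return any(net.subnet_of(_as_network(e)) for e in lat)


def check_back_to_back(external_lat: List[str], internal_lat: List[str],
                       internal_networks: List[str], internal_isa_ip: str,
                       perimeter_servers: List[str]) -> List[str]:
    """Steps 1 and 2 of the back-to-back design: the internal ISA's LAT must hold
    the internal networks; the external ISA's LAT must hold the internal ISA's
    address and every publishing server in the perimeter network."""
    findings = []
    for net in internal_networks:
        if not lat_covers_network(internal_lat, net):
            findings.append(f"internal ISA LAT is missing internal network {net}")
    if not lat_covers_host(external_lat, internal_isa_ip):
        findings.append(f"external ISA LAT is missing the internal ISA address {internal_isa_ip}")
    for srv in perimeter_servers:
        if not lat_covers_host(external_lat, srv):
            findings.append(f"external ISA LAT is missing perimeter server {srv}")
    return findings


def check_three_homed(lat: List[str], internal_networks: List[str],
                      perimeter_servers: List[str]) -> List[str]:
    """Three-homed design: the LAT holds all internal addresses and none of
    the perimeter addresses (a perimeter host in the LAT would be trusted
    as internal and bypass the firewall boundary)."""
    findings = []
    for net in internal_networks:
        if not lat_covers_network(lat, net):
            findings.append(f"LAT is missing internal network {net}")
    for srv in perimeter_servers:
        if lat_covers_host(lat, srv):
            findings.append(f"LAT wrongly includes perimeter server {srv}")
    return findings


def check_perimeter_packet_filters(filters: List[Dict[str, str]],
                                   perimeter_servers: List[str]) -> List[str]:
    """Three-homed design: every perimeter server needs at least one IP packet
    filter whose local computer is that server's address. The dict shape
    {"local_computer": ip, "protocol": ..., "port": ...} is an assumption."""
    covered = {f["local_computer"] for f in filters}
    return [f"no packet filter has local computer {srv}"
            for srv in perimeter_servers if srv not in covered]


# Constructed sample plan (not from the page).
INTERNAL_NETWORKS = ["10.0.0.0/16"]
INTERNAL_ISA_IP = "192.168.10.1"            # internal ISA, perimeter-facing adapter
PERIMETER_SERVERS = ["192.168.10.20", "192.168.10.25"]  # web, mail
GOOD_INTERNAL_LAT = ["10.0.0.0/16"]
GOOD_EXTERNAL_LAT = ["192.168.10.1", "192.168.10.20", "192.168.10.25"]
GOOD_THREE_HOMED_LAT = ["10.0.0.0/16"]
BAD_THREE_HOMED_LAT = ["10.0.0.0/16", "192.168.10.0/24"]   # perimeter subnet included
SAMPLE_FILTERS = [{"local_computer": "192.168.10.20", "protocol": "tcp", "port": "80"}]


if __name__ == "__main__":
    print("back-to-back:", check_back_to_back(GOOD_EXTERNAL_LAT, GOOD_INTERNAL_LAT,
                                              INTERNAL_NETWORKS, INTERNAL_ISA_IP,
                                              PERIMETER_SERVERS))
    print("three-homed (bad LAT):", check_three_homed(BAD_THREE_HOMED_LAT,
                                                      INTERNAL_NETWORKS, PERIMETER_SERVERS))
    print("packet filters:", check_perimeter_packet_filters(SAMPLE_FILTERS, PERIMETER_SERVERS))
```

Running the script with the constructed plan reports an empty finding list for the back-to-back LATs, two findings for the three-homed LAT that includes the whole perimeter subnet, and one missing packet filter for the mail server.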

Using ISA Server in Extranets

An extranet is a private network that is configured for use from outside your internal network. The extranet is installed to support selected partners who require access to your network. ISA Server supports extranets through its built-in VPN capability. Figure 5.14 shows ISA Server within an extranet design.

Figure 5.14: ISA Server in Extranets




Microsoft Corporation Microsoft Windows Server 2003 Deployment Kit(c) Deploying Network Services 2003
Year: 2004
Pages: 146