Advanced Firewall in a Perimeter Network


The following figure illustrates an advanced firewall scenario, in which an advanced firewall is put inside the perimeter network, between the Internet firewall and the internal firewall. Front-end and back-end servers are put in the same network behind the internal firewall. This is the recommended topology for the following reasons:

  • It provides security by isolating intruders from the rest of the network.

  • It provides application protocol filtering.

  • It performs additional verification on requests before it proxies them to the internal network.

Note

As an alternative to placing the advanced firewall server within a perimeter network behind a separate Internet firewall, the advanced firewall server itself can function as the Internet firewall.

Figure: Exchange front-end server behind an advanced firewall (ISA Server on perimeter network)

Scenario

A corporation places an advanced firewall such as ISA Server between two separated firewalls. The corporation's decision to set up this advanced firewall topology is based on the following benefits:

  • Advanced firewalls provide additional security to the network by protecting against unauthorized access, inspecting traffic, and alerting the network administrator to attacks.

  • Advanced firewalls enable you to use such methods as port filtering and IP filtering to control traffic.

  • Advanced firewalls allow you to restrict access by users and groups, application type, time of day, content type, and destination sets.

Setup Instructions

For detailed setup instructions, see How to Set Up a Front-End and Back-End Topology with an Advanced Firewall in a Perimeter Network. For more information about ISA Server, including product information and technical resources, see the ISA Server Web site.

Discussion

ISA Server contains two types of rules:

  • Server publishing rules   These rules, which can apply to any protocol, inspect incoming requests at the receiving port. If an incoming request is allowed, the server publishing rule forwards it from the receiving port to an internal IP address.

  • Web publishing rules   These rules apply to HTTP or HTTPS (80/443) requests only. You can set up Web publishing rules to filter incoming requests based on the service type, port, source computer name, and destination computer name. You can also allow only specific servers or deny high-risk servers.

If you are supporting HTTP clients, create a Web publishing rule to handle HTTP or HTTPS traffic. If you are supporting POP or IMAP clients, create server publishing rules to handle these protocols.

Unlike the perimeter network scenario, the ISA server in the perimeter network does not have to be a member server unless you configure ISA Server to authenticate requests. Generally, if you have configured authentication on the front-end server, you do not have to configure ISA Server to authenticate users. However, if you want to restrict incoming requests to those that originate from specific users, you must create a Web publishing rule that specifies the users and enables authentication on the ISA Server. In this case, the ISA server must be a member of the Windows domain. Additionally, ISA Server does not delegate the user's credentials to back-end servers. Therefore, although ISA Server can authenticate users and restrict access to the network, users cannot be pre-authenticated for Outlook Web Access.

Issues

In the advanced firewall scenario, there is no need for RPC access to the internal network. This is often regarded as an advantage because fewer ports must be open on the internal firewall; however, regardless of the number of open ports, the potential for a security breach exists. To avoid this security risk, ensure that the appropriate filters are set up for each open port.

In the advanced firewall scenario, you can configure SSL in one of two ways:

  • Between the client and ISA server only.

  • Between the client and ISA server, and between the ISA server and the front-end server.

The second option is typically used if customer policy dictates that e-mail traffic within the perimeter network is encrypted. After ISA Server receives the SSL request from the client, it ends the session and re-opens a new SSL session with a new certificate to contact the front-end server. The name on each certificate is important. The certificate name on the incoming request must match the name the user typed in the URL. Moreover, the certificate name on the request to the front-end server must match the name or IP address of the front-end server.

To configure SSL in ISA Server, use the Bridging tab in the Web publishing server rule to direct SSL traffic. If you are hosting multiple domains and want to use SSL, you must set up a listener and a different IP address for each domain. This is because the certificates must be named so that they match the destination names or IP addresses.
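The certificate-naming rules above (the listener certificate must cover the host the user typed in the URL, the front-end certificate must cover the name or IP address ISA Server uses to reach the front-end server, and each published domain needs its own listener on its own IP address) are easy to get wrong when several domains are published. The following Python script is an added example, not code from this page or from ISA Server, that checks a proposed bridging configuration against those rules before it is deployed. Host names, IP addresses and certificate names in it are constructed sample values; the one-label wildcard rule is my assumption, since the page does not discuss wildcard certificates.

```python
import ipaddress

def _is_ip(value):
    """True if value parses as an IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False

def name_matches(requested, cert_names):
    """True if the name or IP the caller used is covered by one of the
    certificate's names. A wildcard covers exactly one leftmost label and
    never matches an IP address (assumed rule); an IP must appear literally."""
    requested = requested.lower().rstrip(".")
    for name in (n.lower().rstrip(".") for n in cert_names):
        if name == requested:
            return True
        if name.startswith("*.") and not _is_ip(requested):
            suffix = name[1:]                      # ".example.test"
            label = requested[: -len(suffix)] if requested.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False

def check_bridge(url_host, listener_cert, frontend_target, frontend_cert):
    """Problems (empty list = OK) for one client -> ISA -> front-end bridge:
    hop 1 certificate must match the URL host, hop 2 certificate must match
    the name or IP ISA Server uses for the front-end server."""
    problems = []
    if not name_matches(url_host, listener_cert):
        problems.append(f"listener certificate does not cover {url_host}")
    if not name_matches(frontend_target, frontend_cert):
        problems.append(f"front-end certificate does not cover {frontend_target}")
    return problems

def check_listeners(listeners):
    """Problems for a set of listeners, each {"ip", "cert", "hosts"}: every
    published host must be covered by its listener's certificate, and no two
    listeners may share an IP address (one listener and IP per domain)."""
    problems, seen = [], {}
    for lst in listeners:
        if lst["ip"] in seen:
            problems.append(f"{lst['ip']} already used by listener for {seen[lst['ip']]}")
        seen[lst["ip"]] = lst["hosts"]
        for host in lst["hosts"]:
            if not name_matches(host, lst["cert"]):
                problems.append(f"listener {lst['ip']} certificate does not cover {host}")
    return problems
```

Running check_bridge with the front-end target given as an IP address while the front-end certificate carries only a host name reports the second-hop mismatch the page warns about.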