07-22-2005 11:32 AM - edited 02-21-2020 12:17 AM
We currently have a configuration of redundant PIX 525s and are in the process of planning and designing an implementation of Microsoft ISA 2004 on an appliance. There are, if you will, two factions with ideas on how this should be done. Our MS Administration team wants to plant ISA's outside interface on one of the three DMZs behind the PIX and they want the inside interface to have unrestricted, unfettered access to the inside network. The Networking team, of which I am a part, wants to also put ISA's outside interface in the "outermost" DMZ but we also want the inside interface in the "innermost" DMZ, forcing the inside traffic back through packet filtering before hitting the inside network. The "innermost" DMZ has been defined with a ruleset that does not allow direct access from the outside, unsecured network but does allow limited traffic to pass from the other DMZs and the inside network. It has been used primarily for the middle tier of multi-tiered architectures. We realize that we would have to permit Kerberos, LDAP, RPC, DNS, etc. from ISA through the PIX to a limited number of inside systems. Our primary concern with the other design is that the ISA appliance will be terminating client connections for web traffic and other things, so it operates as a publicly accessible host. The questions come down to this...
Are there any glaring issues with protecting both sides with the FW?
Can someone point me to documentation or standards that would recommend that a system of this nature be totally contained within a FW?
Any legitimate arguments that we could use to sell our design would be helpful. At the same time any assurances with justification that the ISA 2004 appliance is secure enough to plant the inside interface totally on the inside of the network would be welcomed as well.
Thanks,
Tyler West
Sr. Network Engineer
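The "innermost DMZ" design in the post above means the ISA inside interface only reaches the domain controllers through an explicit PIX ACL. The following is an added example, not configuration from the original poster or from Cisco's documentation; it assumes PIX 6.3-style syntax, an interface named innerdmz, and constructed addresses (ISA inside NIC 10.20.0.10, domain controllers 10.1.0.5 and 10.1.0.6).

```cisco
: Added example (constructed addresses and interface name, not from the post)
: Interface assumptions: innerdmz = ISA inside NIC, inside = corporate LAN
object-group network DC_SERVERS
  network-object host 10.1.0.5
  network-object host 10.1.0.6
object-group service AD_TCP tcp
  port-object eq 88
  port-object eq 389
  port-object eq 135
object-group service AD_UDP udp
  port-object eq 88
  port-object eq 389
access-list innerdmz_in remark ISA inside NIC -> DCs only: Kerberos, LDAP, RPC endpoint mapper
access-list innerdmz_in permit tcp host 10.20.0.10 object-group DC_SERVERS object-group AD_TCP
access-list innerdmz_in permit udp host 10.20.0.10 object-group DC_SERVERS object-group AD_UDP
access-list innerdmz_in remark DNS to the same DCs (assumed to also be DNS servers)
access-list innerdmz_in permit udp host 10.20.0.10 object-group DC_SERVERS eq domain
access-list innerdmz_in permit tcp host 10.20.0.10 object-group DC_SERVERS eq domain
access-list innerdmz_in remark RPC over the dynamic port range; see usage note
access-list innerdmz_in permit tcp host 10.20.0.10 object-group DC_SERVERS range 50000 50200
access-list innerdmz_in remark everything else from the ISA inside NIC toward inside is dropped and logged
access-list innerdmz_in deny ip any any log
access-group innerdmz_in in interface innerdmz
```

Port 135 only reaches the RPC endpoint mapper; the actual RPC session moves to a dynamic port, so the range rule is only safe if the domain controllers have been configured to allocate RPC ports from that fixed range (a constructed range is shown), otherwise a single permit for 135 will not suffice.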
07-22-2005 12:18 PM
They can accomplish the same thing with a unihomed ISA connection in the DMZ. We are using it at my job because we rejected the Microsoft engineers' request for security reasons.
07-22-2005 01:29 PM
Thank you for your quick reply. I unfortunately don't have the luxury of simply rejecting their request. I must show some amount of justification to validate my concerns. We have our own reasons for our proposed design and we probably share some of those. What were some of the specific reasons you disallowed the configuration that puts the ISA inside interface on the internal network?