ISA in SBS - yes, it's secure

A central location for SBS ISA specific configuration information relevant to small consulting practices and others smart enough to use the best technology in the world.


Friday, May 12, 2006

DMZ - SBS special considerations

So you'd like to create a DMZ? It's easy to do with ISA 2004, but don't forget that you've got pre-defined rules in SBS that are going to open up your DMZ to more than you might want.

Step 1: Create the DMZ. To do this use this article but start at the section titled Create The Anonymous DMZ and continue through the section titled Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network, then stop.

If this were a non-SBS implementation of ISA you'd have a DMZ with no rules defining access to it. But we live in a pre-configured world so the next step is to add a new rule to the ISA 2004 Firewall Policy to exclude the DMZ network from our pre-existing rule set.

Step 2: Open up the ISA 2004 management console and expand Configuration. Click on Networks. Move to the Network Sets tab. Click on Create new Network Set. Call it something like All Protected, Except DMZ. Make this network set look just like All Protected Networks except add your DMZ network to the exclusions list.

Step 3: Move to the Firewall Policy and edit the SBS Protected Networks Access Rule. Move to the From tab and replace All Protected Networks with the network set that you just created. This will prevent all traffic from the DMZ from reaching your internal network. Now you've isolated the DMZ from your Internal network.

Step 4: Create a Rule so that the server in the DMZ can communicate with the other servers in your network. (This assumes that the server in the DMZ is a member server.) Open up the ISA 2004 management console and click on Firewall Policy. Scroll down to the bottom. Highlight the SBS Protected Networks Access Rule. In the taskpad click New Access Rule. Call it something like DMZ Server Communications. Allow traffic from the DMZ to Internal Network with the following protocols: DNS, Kerberos-Sec (UDP), Kerberos-Sec (TCP), LDAP, Microsoft CIFS (TCP), NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session, RPC (all interfaces), LDAP (UDP), Kerberos-ADM, Ping and NTP. Make sure that this rule is placed just ahead of the SBS Protected Networks Rule.

Step 5: Create a Rule for any additional ports that the application running on the server in the DMZ requires. Place this rule above the SBS Protected Networks Rule as well.
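To see why steps 2 through 4 matter, here is a small first-match policy simulator, added as an example for this post; it is not ISA's code and does not talk to the ISA management API. It models network sets with an exclusion list and evaluates ordered access rules the way the Firewall Policy does (first matching rule wins, implicit deny at the end). It assumes the pre-defined SBS Protected Networks Access Rule allows all outbound traffic with both From and To set to All Protected Networks; the network names, protocol names and step numbers come from the post above.

```python
from dataclasses import dataclass
from typing import FrozenSet, List, Optional, Tuple

# Network names from the post. "DMZ" is the anonymous DMZ created in step 1.
INTERNAL, DMZ, EXTERNAL, LOCALHOST = "Internal", "DMZ", "External", "Local Host"


@dataclass(frozen=True)
class NetworkSet:
    """An ISA-style network set: a membership list plus an exclusion list."""
    name: str
    include: FrozenSet[str]
    exclude: FrozenSet[str] = frozenset()

    def contains(self, network: str) -> bool:
        return network in self.include and network not in self.exclude


# "All Protected Networks" is every network except External. Once the DMZ exists
# it is a protected network too, which is why the pre-defined SBS rule opens it up.
ALL_PROTECTED = NetworkSet("All Protected Networks",
                           frozenset({INTERNAL, DMZ, LOCALHOST}))
# Step 2: identical membership, with the DMZ added to the exclusion list.
ALL_PROTECTED_EXCEPT_DMZ = NetworkSet("All Protected, Except DMZ",
                                      ALL_PROTECTED.include, frozenset({DMZ}))
DMZ_ONLY = NetworkSet("DMZ", frozenset({DMZ}))
INTERNAL_ONLY = NetworkSet("Internal", frozenset({INTERNAL}))


@dataclass(frozen=True)
class AccessRule:
    name: str
    action: str                                 # "allow" or "deny"
    sources: NetworkSet                         # the rule's From tab
    destinations: NetworkSet                    # the rule's To tab
    protocols: Optional[FrozenSet[str]] = None  # None = all outbound traffic

    def matches(self, src: str, dst: str, proto: str) -> bool:
        return (self.sources.contains(src)
                and self.destinations.contains(dst)
                and (self.protocols is None or proto in self.protocols))


def evaluate(policy: List[AccessRule], src: str, dst: str, proto: str) -> Tuple[str, str]:
    """First matching rule wins; the policy ends with ISA's implicit deny-all."""
    for rule in policy:
        if rule.matches(src, dst, proto):
            return rule.name, rule.action
    return "Default rule", "deny"


# Protocols the post lists for a member server in the DMZ (step 4).
DMZ_MEMBER_PROTOCOLS = frozenset({
    "DNS", "Kerberos-Sec (UDP)", "Kerberos-Sec (TCP)", "LDAP", "LDAP (UDP)",
    "Microsoft CIFS (TCP)", "NetBIOS Datagram", "NetBIOS Name Service",
    "NetBIOS Session", "RPC (all interfaces)", "Kerberos-ADM", "Ping", "NTP",
})

# Assumption: the pre-defined SBS rule allows all outbound traffic between
# protected networks (From and To both "All Protected Networks").
SBS_RULE_ORIGINAL = AccessRule("SBS Protected Networks Access Rule", "allow",
                               ALL_PROTECTED, ALL_PROTECTED)
# Step 3: the same rule with the From tab swapped to the new network set.
SBS_RULE_EDITED = AccessRule("SBS Protected Networks Access Rule", "allow",
                             ALL_PROTECTED_EXCEPT_DMZ, ALL_PROTECTED)
# Step 4: the narrow DMZ-to-Internal rule, placed just ahead of the SBS rule.
DMZ_COMMS = AccessRule("DMZ Server Communications", "allow",
                       DMZ_ONLY, INTERNAL_ONLY, DMZ_MEMBER_PROTOCOLS)


def policy_after_step(step: int) -> List[AccessRule]:
    """The firewall policy as it stands after each step of the post."""
    if step < 3:
        return [SBS_RULE_ORIGINAL]
    if step == 3:
        return [SBS_RULE_EDITED]
    return [DMZ_COMMS, SBS_RULE_EDITED]


def dmz_exposure(step: int, proto: str = "Microsoft CIFS (TCP)") -> str:
    """What the policy does with traffic from the DMZ host to the Internal network."""
    return evaluate(policy_after_step(step), DMZ, INTERNAL, proto)[1]


if __name__ == "__main__":
    for step in (1, 3, 4):
        for proto in ("Microsoft CIFS (TCP)", "HTTP"):
            rule, action = evaluate(policy_after_step(step), DMZ, INTERNAL, proto)
            print(f"after step {step}: DMZ -> Internal {proto:22} {action:5} ({rule})")
```

Running it shows the exposure the post warns about: right after step 1 the DMZ host can open CIFS (or anything else) to the Internal network through the SBS rule, after step 3 the same traffic falls through to the default deny, and after step 4 only the listed member-server protocols get through while HTTP from the DMZ is still denied. Internal to DMZ traffic is unaffected by the edit because the SBS rule's To tab still includes the DMZ.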


At 12:05 PM, Blogger radman57 said...

Is it possible to use this configuration to set up a linux based web server as a "member server" of the DMZ?

At 12:11 PM, Blogger Amy - Harbor Computer Services said...

Sure. ISA doesn't care what kind of server you have on the network. Use the server publishing wizard to make the sites on the Linux server available to the Internet.

