Back to Back Firewall - ISA Server
The back-to-back firewall model is the one many companies prefer: the design is easy to reason about, and two separate firewalls give a greater sense of security, because an attacker who gets through the front end still faces the back end. Since it is such a common design, surprisingly little information is available on how to lay out the architecture, so I thought of writing this blog post.
Design:
Internet ===>>> ISA Front-End ===>>> DMZ ===>>> ISA Back-End ===>>> Internal Network
Since two ISA servers are involved, you have to be careful about how you configure the rules on each one and about which rules belong on which firewall: a flow only works if every firewall on its path permits it.
That said, in this scenario the front-end ISA server is used to authenticate users coming from the Internet and to present the logon page for the published DMZ servers. Since the DMZ servers need to contact internal (back-end) servers, some specific ports must be opened on the back-end firewall, and those ports should be limited to the DMZ hosts and internal servers that actually need them. The article below, which covers domain members in a back-to-back ISA DMZ, is a great resource on exactly this: http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part2.html
To give internal users Internet access you need to allow HTTP, HTTPS and FTP outbound on the back-end firewall as well as on the front-end firewall. Clients also need to resolve names for Internet websites, but that does not mean every client should talk to the Internet on port 53: let the clients query your internal DNS servers, and allow only those internal DNS servers to query your ISP's DNS servers. So open DNS (port 53, UDP and TCP) on both firewalls for smooth resolution, restricted to that source and destination.
Greater care has to be taken when configuring the back-end firewall, since it protects the more sensitive servers and information. Anything allowed on either firewall for temporary use must be turned off as soon as the work is over; a forgotten temporary rule is a permanent hole.
Only authenticated traffic should be allowed to pass through the back-end firewall. Server-to-server rules that cannot carry user credentials (such as the internal DNS servers querying the ISP) are the exception, and those should be locked down by source address, destination address and protocol instead.
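The rules in the last three paragraphs (web and DNS on both firewalls, temporary rules removed when the work is done, authenticated user traffic only through the back end) can be checked as a model before they are typed into the two consoles. The following is an added example written for this post, not ISA Server code and not taken from the linked article; it assumes an address plan (10.0.0.0/16 internal, 192.168.100.0/24 DMZ, one internal DNS server, two ISP resolvers), a route relationship between the two firewalls so the front end sees internal source addresses, and rule names, ports and dates chosen only for illustration:

```python
"""Policy model of the two rule sets (added example, not ISA Server code). A flow
must pass every firewall on its path; only internal DNS servers may query the ISP
resolvers; the back end wants authenticated user traffic; temporary rules carry an
expiry so they can be found and removed. All addresses and names are assumed."""
from dataclasses import dataclass
from datetime import date
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Dict, List, Optional, Sequence, Tuple, Union

INTERNAL = ip_network("10.0.0.0/16")      # assumed internal network
DMZ = ip_network("192.168.100.0/24")      # assumed DMZ
ANYWHERE = ip_network("0.0.0.0/0")        # "Internet" as a rule destination
INTERNAL_DNS = [ip_address("10.0.0.53")]  # only hosts allowed to query ISP DNS
ISP_DNS = [ip_address("203.0.113.53"), ip_address("203.0.113.54")]
Endpoint = Union[IPv4Network, Sequence[IPv4Address]]  # a network, or a host list

@dataclass
class Rule:
    name: str
    src: Endpoint
    dst: Endpoint
    protos: frozenset               # e.g. {"tcp/80", "udp/53"}
    require_auth: bool = False      # matches only authenticated user sessions
    expires: Optional[date] = None  # set on anything opened "for temporary use"

@dataclass
class Flow:
    src: IPv4Address
    dst: IPv4Address
    proto: str
    authenticated: bool = False

class Firewall:
    """Default-deny ordered rule list; first match wins."""
    def __init__(self, name: str, rules: Sequence[Rule]) -> None:
        self.name, self.rules = name, list(rules)
    def allows(self, flow: Flow, today: date) -> Optional[str]:
        for r in self.rules:
            if r.expires is not None and today > r.expires:
                continue  # an expired temporary rule must not keep matching
            if r.require_auth and not flow.authenticated:
                continue
            if flow.src in r.src and flow.dst in r.dst and flow.proto in r.protos:
                return r.name
        return None
    def expired_rules(self, today: date) -> List[str]:  # delete these, do not leave them inert
        return [r.name for r in self.rules if r.expires is not None and today > r.expires]
    def unauthenticated_user_rules(self) -> List[str]:  # whole user network out, no credentials
        return [r.name for r in self.rules if r.src == INTERNAL and not r.require_auth]

def zone(addr: IPv4Address) -> str:
    return "internal" if addr in INTERNAL else "dmz" if addr in DMZ else "internet"

# Firewalls crossed, in order, per the diagram (assumes route, not NAT, between them).
PATH: Dict[Tuple[str, str], Tuple[str, ...]] = {
    ("internal", "internet"): ("back", "front"), ("internet", "internal"): ("front", "back"),
    ("internal", "dmz"): ("back",), ("dmz", "internal"): ("back",),
    ("dmz", "internet"): ("front",), ("internet", "dmz"): ("front",),
}

def end_to_end(flow: Flow, front: Firewall, back: Firewall, today: date) -> Tuple[bool, List[str]]:
    """Evaluate the flow at each hop; one DENY anywhere on the path fails it."""
    hops, trace = {"front": front, "back": back}, []
    for hop in PATH.get((zone(flow.src), zone(flow.dst)), ()):
        hit = hops[hop].allows(flow, today)
        trace.append(f"{hop}: {hit or 'DENY'}")
        if hit is None:
            return False, trace
    return True, trace

WEB = frozenset({"tcp/80", "tcp/443", "tcp/21"})  # HTTP, HTTPS, FTP control channel
DNS = frozenset({"udp/53", "tcp/53"})
BACK_END = Firewall("back", [
    Rule("Internal users to Internet web", INTERNAL, ANYWHERE, WEB, require_auth=True),
    Rule("Internal DNS to ISP DNS", INTERNAL_DNS, ISP_DNS, DNS),
    Rule("DMZ web to internal app server", DMZ, [ip_address("10.0.5.20")], frozenset({"tcp/8080"})),
    Rule("TEMP admin RDP to DMZ host", [ip_address("10.0.2.15")], [ip_address("192.168.100.10")],
         frozenset({"tcp/3389"}), expires=date(2008, 1, 15)),
])
FRONT_END = Firewall("front", [
    Rule("Internal web out", INTERNAL, ANYWHERE, WEB),
    Rule("DMZ web out", DMZ, ANYWHERE, WEB),
    Rule("Internal DNS to ISP DNS", INTERNAL_DNS, ISP_DNS, DNS),
])

def demo(today: date = date(2008, 2, 1)) -> Dict[str, object]:
    """Checks to run before signing off both rule sets ('today' is assumed)."""
    user, site = ip_address("10.0.1.10"), ip_address("198.51.100.7")
    admin, dmz_host = ip_address("10.0.2.15"), ip_address("192.168.100.10")
    e2e = lambda flow, day=today: end_to_end(flow, FRONT_END, BACK_END, day)[0]
    return {
        "user_web_authenticated": e2e(Flow(user, site, "tcp/443", authenticated=True)),
        "user_web_anonymous": e2e(Flow(user, site, "tcp/443")),
        "user_direct_dns": e2e(Flow(user, ISP_DNS[0], "udp/53", authenticated=True)),
        "dns_server_to_isp": e2e(Flow(INTERNAL_DNS[0], ISP_DNS[0], "udp/53")),
        "temp_rdp_before_expiry": e2e(Flow(admin, dmz_host, "tcp/3389"), date(2008, 1, 10)),
        "temp_rdp_after_expiry": e2e(Flow(admin, dmz_host, "tcp/3389")),
        "expired_on_back_end": BACK_END.expired_rules(today),
        "unauthenticated_user_rules": BACK_END.unauthenticated_user_rules(),
    }
```

Calling `demo()` gives the picture a practitioner wants: an authenticated user reaches a web site because both firewalls say yes, the same user cannot reach the ISP resolver on port 53 directly while the internal DNS server can, the temporary RDP rule stops matching after its date and is reported for deletion, and no rule on the back end lets the whole user network out without credentials. Real ISA policy has more moving parts (network relationships, protocol definitions, rule order, web chaining), so treat this as a rule-placement check, not a substitute for testing on the servers.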
Comments
Anonymous
January 01, 2003
PingBack from http://geeklectures.info/2007/12/18/back-to-back-firewall-isa-server/
Anonymous
March 09, 2015
Very informative, educative and quite useful to know and understand.
Thank you.