Partilhar via


Back to Back Firewall - ISA Server

Back to Back firewall model which most of the companies will prefer because of easy design and greater sense of security. Since, this a good design very limited information is available on designing the architecture. So, i thought of writing this blog

 

 Design:

 

    Internet ====>>> ISA Front-End ===>>> DMZ =====>>> ISA Back-End ====> Internal Network

 

Since there two ISA servers involved you have to be very careful in how to configure both with rules and which rules will go where.

 

That being said, in this scenario Front-End ISA server will be used for authenticating the users and presenting with login information for DMZ Servers. Since. DMZ Servers need to contact internal or back-end servers we need to open some specific ports on the Back-End firewalls. Below article is a great resource which discusses about the same http://www.isaserver.org/tutorials/Configuring-Domain-Members-Back-to-Back-ISA-Firewall-DMZ-Part2.html 

 

For giving internet access to internal users you need to open access for HTTP, HTTPS and FTP on Back end Firewalll as well as on front end servers. Since, clients would require DNS servers to resolve the names for internet websites, you need to open access for internet DNS servers to query your ISP DNS servers. So, open port 53 on both Firewalls for smotth DNS resolution.

 

Greater care has to be put configuring Back-end firewalls as they are saving more sensitive servers/information. Any thing which is allowd on the Firewalls for temporary use must be turned off once the work is over.

 

Only Authenticated traffic should be allowed to pass through the Back-end Firewalls.

Comments