Microsoft Corporation, Microsoft Windows Server 2003 Deployment Kit: Deploying Network Services (c) 2003

ISA Server secures your connection to the Internet or to remote sites and extranets. Security decisions for implementing ISA Server are discussed in the following sections. Figure 5.11 shows the process for securing the design.

Figure 5.11: Securing the Design

Connecting Remote Sites Using ISA Server

Using ISA Server to connect remote offices includes the following benefits:

Securing Network Perimeters with ISA Server

A perimeter network, also known as a screened subnet, is a network that is set up separately from both an organization's private network and the Internet. The perimeter network allows external users to reach the specific servers located in it while preventing access to the internal network. In addition, an organization might allow very limited access from computers in the perimeter network to computers in the internal network.

A perimeter network is commonly used for deploying the e-mail and Web servers. The perimeter network can be set up using either of the following configurations:

Designing a Back-to-Back Perimeter Network

In a back-to-back perimeter network configuration, two ISA Server-based computers are located on either side of the perimeter network. Figure 5.12 shows a back-to-back perimeter network configuration.

Figure 5.12: Back-to-Back Perimeter Network

Both ISA Server-based computers are set up in integrated or firewall mode. This configuration reduces the risk of compromise because anyone attempting to reach the internal network from the Internet must pass through both systems before reaching the internal network.

Perform the following steps to make the servers on the perimeter network available to Internet clients:

  1. Configure the local address table (LAT) on the ISA Server-based computer that is connected to the internal network to include the IP addresses of the computers in the internal network.

  2. Configure the LAT on the ISA Server-based computer connected to the Internet to include the IP address of the ISA Server-based computer connected to the internal network, and the IP addresses of all the publishing servers in the perimeter network.

  3. Create a Web publishing rule on the ISA Server-based computer connected to the Internet to publish the Web server.

  4. Create a server publishing rule on the ISA Server-based computer connected to the Internet to publish the e-mail server. Configure the server publishing rule to apply to the e-mail server.

  5. Create a Web publishing rule to publish the Web server, and configure the rule to redirect requests to the hosted site.

With this back-to-back perimeter network design, selected traffic can reach the e-mail or Web server without entering the internal network. This example publishes the e-mail and Web servers without exposing the internal network to the Internet.
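As an added illustration of steps 1 and 2 (not code from the Deployment Kit), the following Python check derives the LAT each ISA Server-based computer should carry in the back-to-back design from a constructed sample topology and reports drift, in particular an internal address range that has crept into the Internet-facing computer's LAT:

```python
from ipaddress import ip_network

# Constructed sample topology for the back-to-back design (not from the Deployment Kit):
# the internal network sits behind the inner ISA; the perimeter (screened subnet)
# lies between the two ISA Server-based computers.
INTERNAL_NET = ip_network("10.0.0.0/24")
INNER_ISA_PERIMETER_IP = "192.0.2.1"            # inner ISA's adapter facing the perimeter
PUBLISHING_SERVERS = {"web": "192.0.2.10", "mail": "192.0.2.20"}


def expected_lat(role):
    """LAT that steps 1 and 2 call for: the inner ISA lists the internal network; the
    Internet-facing ISA lists only the inner ISA and the perimeter publishing servers."""
    if role == "internal":
        return {INTERNAL_NET}
    if role == "external":
        hosts = [INNER_ISA_PERIMETER_IP, *PUBLISHING_SERVERS.values()]
        return {ip_network(f"{h}/32") for h in hosts}
    raise ValueError(f"unknown ISA role: {role}")


def audit_lat(role, configured):
    """Compare a configured LAT (list of CIDR strings) with the expected one for the role.
    Returns a list of findings; an empty list means the LAT matches the design."""
    have = {ip_network(entry, strict=False) for entry in configured}
    want = expected_lat(role)
    findings = [f"missing: {net}" for net in sorted(want - have)]
    for net in sorted(have - want):
        if role == "external" and net.overlaps(INTERNAL_NET):
            # The LAT is the address space ISA treats as its own internal network; an
            # internal range on the Internet-facing computer defeats the two-hop design.
            findings.append(f"internal range {net} must not be in the Internet-facing LAT")
        else:
            findings.append(f"unexpected: {net}")
    return findings


if __name__ == "__main__":
    # Drifted outer LAT: mail server omitted, internal network wrongly added.
    drifted = ["192.0.2.1/32", "192.0.2.10/32", "10.0.0.0/24"]
    for finding in audit_lat("external", drifted):
        print(finding)
```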

Designing a Three-Homed Perimeter Network

In a three-homed perimeter network, a single ISA Server-based computer is set up with three network adapters:

Figure 5.13 illustrates the three-homed perimeter network configuration.

Figure 5.13: Three-Homed Perimeter Network

Perform the following configuration steps for the three-homed ISA Server perimeter network:

Using ISA Server in Extranets

An extranet is a private network that is configured for use outside your internal network. The extranet is installed to support selected partners who require access to your network. ISA Server supports the installation of extranets through the built-in capability of VPNs. Figure 5.14 shows ISA Server within an extranet design.

Figure 5.14: ISA Server in Extranets
