Lao Fang's note: this article is taken from the ISASERVER.ORG site and was written by the ISA expert Thomas Shinder. Strongly recommended reading for anyone interested in ISA.
  • Published: Dec 16, 2008
  • Updated: Jan 21, 2009
  • Author: Thomas Shinder
What ISA/TMG firewall Networks are about and how the firewall uses these networks to perform several key functions.
Last week I did a blog post asking our ISAserver.org members what kind of content they would like to see on the site. I expected the typical stuff, such as "more articles on integrating with other networking equipment vendors", "more information on how NLB works", "more articles on how to make ISA and TMG work with Exchange 2007, SharePoint and OCS" and maybe even "more stuff about ISA and TMG add-ons". I was not disappointed. I did get requests for all of that kind of content.
There was also another comment that I thought was interesting. Someone wrote to me and said that what he would like is some information on the basics. For example, the basics of ISA networking. This fellow said that many Microsoft admins who use ISA have a basic understanding of TCP/IP networking but do not have a good grip on how the ISA firewall sees the networked world, and any information that would help along those lines would be very helpful.
The comment was a timely one for me, as it dovetailed with some other experiences I was having last week. Therefore, in the spirit of this request for a return to the basics and my experiences last week, we will go over some of the basics of ISA/TMG firewall networking.
ISA/TMG Firewall Networks
NOTE:
Pay close attention to the capitalization I use in this article. Network with a capital "N" refers to an ISA/TMG Firewall Network, which is a network object that the firewall uses to define a collection of IP addresses directly accessible from a specific network interface. In contrast, when a lower case "n" is used for network, I am referring to a generic network or network segment.
ISA and TMG firewalls see the networked world based on the concept of the Network network object. The Network network object defines traffic that moves through the firewall. All traffic that moves to or through the firewall must source from one Network and have a destination on another Network. If the source and destination are on the same Network, then the traffic does not move through the firewall. However, there are times when traffic with the same source and destination Network can bounce off the firewall. We will take a look at this case later.
What is an ISA Firewall Network? An ISA/TMG Firewall Network is a collection of IP addresses that can directly reach a NIC on the firewall without having to traverse the firewall. For example, consider a simple scenario where the ISA firewall has two NICs: an internal interface with an IP address of 10.0.0.1 and an external interface with a public IP address. There is a host connected to the same network as the firewall's internal interface, and that client has an IP address of 10.0.0.2. In this example, the internal interface and the client at 10.0.0.2 are part of the same network, since the client can directly reach that interface without crossing the firewall. In addition, the client cannot be on the same network as the external interface of the firewall, since it would have to cross the firewall to reach that interface.
The figure below depicts this example. The internal interface has the IP address 10.0.0.1 and the client behind that interface has IP address 10.0.0.2. The client behind the internal interface can reach the internal interface directly. The client behind the internal interface cannot reach the external interface directly. Therefore, the client could never be a member of the ISA Firewall Network that the external interface belongs to.

Figure 1
As I mentioned earlier, an ISA Firewall Network is defined as a collection of IP addresses that can be reached directly through one of the interfaces on the ISA or TMG firewall. However, this does not mean that all of those IP addresses have to be on the same network ID as the interface on the ISA firewall.
For example, in the figure above, the internal interface of the ISA firewall was on network ID 10.0.0.0/24 and the client was an "on subnet" client that was also on network ID 10.0.0.0/24. The ISA Firewall Network defined for that interface was 10.0.0.0-10.0.0.255.
What if there is a router behind the ISA firewall's internal interface and there are remote network IDs that need to connect to the Internet through the ISA firewall's internal interface? For example, in the figure below you see that I have added a router and a remote network ID behind that router, which in this case is 192.168.1.0/24. Will the ISA firewall need to see connections from the 192.168.1.0/24 network ID as being on the same ISA Firewall Network as connections from the 10.0.0.0/24 network ID?
The answer is YES. The reason for this is that both 10.0.0.0/24 and 192.168.1.0/24 in this example have to connect to and through the ISA firewall using the same NIC. Since the ISA firewall sees each NIC as the root of an ISA Firewall Network, all connections made directly to and through the firewall on that interface are part of the same ISA Firewall Network.

Figure 2
However, in order to make this work, you need to add those addresses to the definition of the ISA Firewall Network. In this example, the definition of the default Internal Network would include the addresses 10.0.0.0-10.0.0.255 and 192.168.1.0-192.168.1.255. All of these IP addresses are part of the default Internal Network and reach the ISA firewall through the same network interface card.

Figure 3
The reason we need to include all the addresses that are behind a specific NIC on the firewall is that if a host tries to connect through the ISA firewall on that NIC from a source IP address that is not part of that ISA Firewall Network, the connection request will be dropped as a spoof attempt. The ISA or TMG firewall sees the connection attempt as a spoof because the IP address is not part of the definition of that ISA Firewall Network.
For example, check out the figure below. We have defined the default Internal Network in this example as all IP addresses in the 10.0.0.0/24 and 192.168.1.0/24 ranges (note that I have included all the addresses in each network ID; that is not a requirement. I could have included only a subset of those IP addresses if I wanted to). What if a host with the IP address 172.16.0.2 tried to connect to the ISA firewall through the NIC that represents the "root" of the default Internal Network?
The connection attempt would fail. The reason why it would fail is that 172.16.0.2 is not part of the definition of the default Internal Network in this example. Since the ISA Firewall does not recognize this source IP address as part of the default Internal Network, it will not allow the connection through the NIC that defines the “root” of the default Internal Network. It will call out this connection as a spoof attempt. All spoof attempts are blocked by the firewall.

Figure 4
What if you wanted to allow connections from that host at 172.16.0.2? It is a simple matter of adding that IP address to the definition of the ISA Firewall Network that this host uses to connect to and through the ISA firewall. In this case, you could add just that IP address, or if you have other hosts on that network ID, you could add the IP addresses of those hosts, or you could add all the addresses in that network ID.
You define the addresses that belong to a specific ISA Firewall Network in the Properties dialog box for that Network. In the figure below, you can see the Addresses tab for the default Internal Network. This default Internal ISA Firewall Network includes all addresses on the network ID 192.168.1.0/24.

Figure 5
You can create multiple ISA Firewall Networks on a single ISA firewall. For example, suppose you wanted to create an ISA Firewall Network for wireless guest computers to connect to the Internet. In this case, you would add a third NIC to the ISA firewall (the other two interfaces are the external interface and the internal interface). The third NIC would become the "root" of a new ISA Firewall Network. You would then assign addresses to that ISA Firewall Network. Each NIC on the ISA firewall needs to be on a different network ID, so after installing the third NIC, we assign it an IP address on a network ID that is different from the other two NICs. Then we assign IP addresses to the new ISA Firewall Network. In the figure below, you can see that all addresses on network ID 192.168.0.0/24 are part of the Guest ISA Firewall Network.

Figure 6
It is important to remember that an IP address can participate in only a single ISA Firewall Network. You cannot assign the same IP address to two different ISA Firewall Networks. If you do, you will receive an error message.
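To make the two rules above concrete (the spoof check on inbound source addresses, and the rule that an address may belong to only one Network), here is an added Python model of Firewall Networks. It is example code written for this page, not ISA/TMG code and not a call into the ISA SDK; the Network names, NIC labels and address ranges are constructed from the figures above. Beyond the article's own scenario it also computes the default External Network as the complement of every other Network, which is how the built-in External Network is defined.

```python
"""
Toy model of ISA/TMG Firewall Networks (constructed example, not ISA/TMG code).
A Network is the set of IP addresses that reach the firewall directly through
one NIC; the NIC is the Network's "root".  The Local Host and VPN Clients
exceptions described in the article are deliberately not modelled here.
"""
import ipaddress
from dataclasses import dataclass


@dataclass
class Network:
    """An ISA/TMG Firewall Network: addresses reachable directly through one NIC."""
    name: str
    nic: str        # interface that is the "root" of this Network (label is an assumption)
    ranges: list    # IPv4Network objects; may span several network IDs behind one NIC

    def contains(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in r for r in self.ranges)


def cidrs(*blocks: str) -> list:
    """Turn CIDR strings into IPv4Network objects."""
    return [ipaddress.ip_network(b) for b in blocks]


def find_overlaps(networks: list) -> list:
    """Return (net_a, net_b, range_a, range_b) for every pair of ranges that share
    an address.  This is the check behind the error ISA raises when the same
    address is placed in two Networks."""
    hits = []
    for i, a in enumerate(networks):
        for b in networks[i + 1:]:
            for ra in a.ranges:
                for rb in b.ranges:
                    if ra.overlaps(rb):
                        hits.append((a.name, b.name, str(ra), str(rb)))
    return hits


def classify_packet(networks: list, ingress_nic: str, src_ip: str) -> tuple:
    """Spoof check: a packet arriving on a NIC must carry a source address that is
    a member of the Network rooted at that NIC.  Returns ("accept"|"spoof", name)."""
    for net in networks:
        if net.nic == ingress_nic:
            verdict = "accept" if net.contains(src_ip) else "spoof"
            return (verdict, net.name)
    raise ValueError(f"no Network is rooted at NIC {ingress_nic!r}")


def external_ranges(networks: list) -> list:
    """Default External Network: every IPv4 address not used by any other Network."""
    remaining = [ipaddress.ip_network("0.0.0.0/0")]
    for net in networks:
        for used in net.ranges:
            carved = []
            for block in remaining:
                if used.subnet_of(block):
                    carved.extend(block.address_exclude(used))  # punch the hole
                elif block.subnet_of(used):
                    continue                                    # block wholly consumed
                else:
                    carved.append(block)
            remaining = carved
    return remaining


def in_ranges(ip: str, ranges: list) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in r for r in ranges)


# Constructed topology from the figures: two network IDs behind the LAN NIC (one of
# them reached via an internal router) and a third NIC rooting the Guest Network.
INTERNAL = Network("Internal", "LAN", cidrs("10.0.0.0/24", "192.168.1.0/24"))
GUEST = Network("Guest", "WLAN", cidrs("192.168.0.0/24"))
NETWORKS = [INTERNAL, GUEST]

if __name__ == "__main__":
    for src in ("10.0.0.2", "192.168.1.10", "172.16.0.2"):
        print(src, "on LAN ->", classify_packet(NETWORKS, "LAN", src))
    # Admit the 172.16.0.2 host by adding it to the Internal Network definition.
    INTERNAL.ranges.append(ipaddress.ip_network("172.16.0.2/32"))
    print("172.16.0.2 after adding ->", classify_packet(NETWORKS, "LAN", "172.16.0.2"))
    # Misconfiguration: a Guest definition that reuses a range already in Internal.
    bad_guest = Network("Guest", "WLAN", cidrs("192.168.0.0/24", "192.168.1.0/24"))
    print("overlaps:", find_overlaps([INTERNAL, bad_guest]))
    ext = external_ranges(NETWORKS)
    print("8.8.8.8 external?", in_ranges("8.8.8.8", ext),
          "| 10.0.0.5 external?", in_ranges("10.0.0.5", ext))
```

The spoof verdict depends only on the ingress NIC and the source address, which is why a host on a network ID that was never added to the Network behind that NIC is dropped even when a firewall rule would otherwise allow it; the Network definition is evaluated before any access rule.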
Out of the box, the ISA or TMG firewall will have the following Networks defined:
  • The default External Network – the default External Network is defined as all IP addresses that are not used by any other ISA Firewall Network. Any address that is not used by another ISA Firewall Network is automatically included in the default External Network. The NIC that defines the default External Network is usually the NIC with the default gateway bound to it. ISA and TMG MBE firewalls support a single default gateway.
  • The default Internal Network – this is the Network you define during setup that represents your primary internal network. You can have multiple internal Networks if you like, but there is only one default Internal Network, which you set up during installation of the ISA firewall. The default Internal Network typically contains your key infrastructure services, such as DNS, DHCP and Active Directory domain services. The default Internal Network is important because much of the ISA and TMG firewall's System Policy is configured to access resources on the default Internal Network.
  • The Local Host Network – the Local Host Network is defined by the IP addresses bound to all NICs on the ISA or TMG firewall. For example, if the firewall had two interfaces, one with IP address 2.2.2.2 bound to it and the other with 10.0.0.1 bound to it, then IP addresses 2.2.2.2 and 10.0.0.1 are members of the Local Host Network. Note that this breaks one of the rules of ISA/TMG Networks, in that these IP addresses are also members of the Networks to which those NICs are connected: 2.2.2.2 is likely a member of the default External Network and 10.0.0.1 is a member of the default Internal Network.
  • VPN Clients Network – the VPN Clients Network contains the IP addresses of connected VPN clients. There are two ways to assign IP addresses to VPN clients: using a static address pool and using DHCP. If you assign IP addresses to VPN clients using a static address pool, then you must remove those IP addresses from any other Network that might contain them. For example, if you want to assign on-subnet addresses to VPN clients (such as 192.168.1.200-192.168.1.225 when the internal interface is on 192.168.1.1/24), you must remove those addresses from the definition of the on-subnet Network.
    In contrast, if you want to use DHCP to assign IP addresses to VPN clients, then you do not have to remove those addresses from the definition of any other Network that might also be using them. This makes sense: when you use DHCP to assign these addresses, you know that no other host can be using the same IP address on any other Network. With a static pool, by contrast, you cannot be sure that a configuration error has not led you to use the same addresses on another Network. Addresses are automatically added to and removed from the VPN Clients Network as they are used and released by the VPN clients. Note that this represents a second exception to our rule that an IP address can belong to a single Network: when you use DHCP to assign IP addresses to VPN clients, those addresses can also belong to another ISA/TMG Firewall Network.
  • Quarantined VPN Clients Network – the Quarantined VPN Clients Network contains the IP addresses of VPN clients that have not yet passed VPN quarantine control. This is configured as a separate Network from the VPN Clients Network because you might want to create firewall rules that allow quarantined VPN clients access to resources on a Protected Network (a Protected Network is any ISA/TMG Network that is not the default External Network) or even on the Internet so that they can remediate themselves. IP addresses are automatically moved from the Quarantined VPN Clients Network to the VPN Clients Network when the VPN client passes the quarantine control checks.

Figure 7
Summing up what we know at this point:
  • ISA/TMG Firewall Networks are used for spoof detection. If a packet arrives at an interface that is the root of an ISA Firewall Network with a source IP address that is not defined for that Network, the connection attempt is dropped as a spoofed connection attempt.
  • An IP address can be assigned to a single ISA/TMG Firewall Network. The only exceptions to this rule are the Local Host Network, and the VPN Clients and Quarantined VPN Clients Networks when you use DHCP to assign addresses to VPN clients.
  • An ISA/TMG Firewall Network can contain IP addresses from multiple network IDs. What all of these IP addresses have in common is that they connect to and through the ISA or TMG firewall through the same NIC.
ISA/TMG Firewall Networks are also used for one more important task: defining whether connections from systems on a particular Network to another Network are routed or NATed. In order for hosts on a Network to communicate with hosts on another Network, the two Networks must be connected using a Network Rule. The Network Rule accomplishes two things:
  • Enables communications between the two ISA/TMG Firewall Networks
  • Sets a routing relationship between the two Networks
I will go into more detail on Network Rules and connecting Networks to one another in the second part of this series on ISA/TMG firewall networking.
Summary
In this article, we went over what ISA/TMG firewall Networks are about and how the firewall uses these Networks to perform several key functions. We saw that an IP address can belong to only a single Network, with the exception of the Local Host Network and the VPN Clients and Quarantined VPN Clients Networks. We then finished off with a brief overview of the default ISA/TMG Firewall Networks. Next week I will continue the story by showing you how ISA/TMG Networks are used to connect hosts on one Network to another, and how Networks are used to define a route relationship between source and destination. See you then! –Tom.

Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)