Lao Fang says: this article is taken from the ISASERVER.ORG site and was written by the ISA expert Thomas Shinder. ISA enthusiasts are strongly advised to read it.
  • Published: Dec 16, 2008
  • Updated: Jan 21, 2009
  • Author: Thomas Shinder
In our last article on ISA and TMG firewall networking, I talked about how ISA and TMG firewalls use Networks to control traffic moving through and to the firewall. To recap, ISA and TMG Firewall Networks are collections of IP addresses located behind a specific NIC on the firewall. The addresses can be on- and off-subnet for the specific NIC, but in order for a client behind any NIC on the TMG or ISA firewall to reach a destination through the firewall, that client’s IP address must be included in the definition of the ISA or TMG Firewall Network from which it connects. If the client’s IP address is not part of the ISA Firewall Network definition for the NIC that receives the request, the connection will be dropped as spoofed.
If you have not read part 1 of this series on ISA and TMG Networking, or want to brush up on what ISA/TMG Firewall Networks are all about, click here.
Now that you understand the details of ISA/TMG Firewall Networks, the next step is to understand how to connect those Networks. In order for a host on one ISA/TMG Firewall Network to connect to a host on another ISA/TMG Firewall Network, the source and destination Networks must be connected. The way you connect ISA/TMG Firewall Networks is by creating a Network Rule.
Network Rules connect ISA/TMG Firewall Networks in one of two ways: NAT or Route. When you connect ISA/TMG Firewall Networks to each other, you also define the route relationship between the Networks.
Note:
Pay attention to the capitalization when I refer to networks. A “network” with a lower case “n” is a generic network, while a Network with an upper case “N” is an ISA/TMG Firewall Network.
When you define a NAT relationship between the source and destination Network, all IP addresses on the source Network are hidden from the destination host. The destination host sees the source IP address as the primary IP address on the external interface of the ISA/TMG firewall. The primary IP address is the IP on top of the IP address list (when there is more than one IP address bound to the external interface of the ISA/TMG firewall). A NAT route relationship is one-way. When you NAT from source to destination, you do not NAT from destination to source. For example, when you NAT from the default Internal Network to the default External Network, you do not NAT from the default External Network to the default Internal Network.
In general, when there is a NAT relationship between the source and destination Network, you create Access Rules to allow connections from the NATed to the non-NATed Network (for example, from the default Internal Network to the default External Network) and Publishing Rules to allow connections from the non-NATed Network to the NATed Network (for example, from the default External Network to the default Internal Network).
When you define a route relationship between two ISA/TMG Firewall Networks, the route relationship is reciprocal. That is to say, if you create a route relationship from source to destination Network, then there is also a route relationship between the destination and source Network. When there is a route relationship, no IP addresses are hidden, and the source IP address is always preserved.
In general, you use Access Rules to allow traffic in both directions when there is a route relationship between source and destination Networks. For example, if you have a route relationship defined for connections from the default Internal Network to a DMZ Network, then you can use Access Rules to allow connections from the default Internal Network to the DMZ Network, and you can use Access Rules to allow connections from the DMZ Network to the default Internal Network.
An example Network Rule appears in figure 1 below. In this example, there is a Network Rule that connects the DMZ Network to the default Internal Network and the route relationship is Route.

Figure 1
Remember, there must always be a Network Rule that connects the source and destination Network. Even if you create an Access Rule that allows a connection from a host on one Network to a host on another Network, the connection attempt will fail if the Networks are not connected by a Network Rule. This problem can be hard to troubleshoot because when you check the ISA/TMG firewall’s log files, you will see that the connection attempt is denied, but there will not be any information indicating that the problem is a missing Network Rule. Well, that’s been true for ISA firewalls. I have not yet tested this with TMG firewalls. However, the problem should be less frequent with TMG firewalls, since when creating a new TMG Network, you are asked to define the Network Rule before the Network is created. In contrast, with the ISA firewall, you could create a Network without creating a Network Rule.
Network Rule Examples
To get a better understanding of how Network Rules work in connecting ISA/TMG Firewall Networks, let’s look at a few examples. In figure 2 below, you will see a typical configuration for an ISA/TMG firewall with a default Internal and default External Network. In this example, there is a Network Rule connecting the default Internal and External Networks, and the Network Rule defines a NAT relationship between the Networks.
When clients on the default Internal Network try to connect to hosts on the default External Network, the source IP address seen by the host on the default External Network is going to be the primary IP address on the external interface of the ISA/TMG firewall. In effect, the ISA/TMG firewall is “hiding” the IP address of the source client.

Figure 2
ISA and TMG firewalls can be configured with multiple NICs. There is no limit on the number of NICs you can install in an ISA or TMG firewall. In fact, you can even create virtual NICs using 802.1q VLAN tagging, as long as your NICs and NIC drivers support this configuration. When you have multiple NICs installed on the ISA firewall, you can create an ISA/TMG Firewall Network for each of the NICs (recall our discussion of ISA/TMG Firewall Networks in part 1 of this article series, where each NIC represents the “root” of each ISA/TMG Firewall Network).
In the figure below, you can see that there are three NICs installed on the ISA firewall. One NIC is connected to the default External Network, one NIC is connected to the default Internal Network, and one NIC is installed on a DMZ Network. There are two Network Rules configured on the ISA Firewall:
  • A Network Rule connecting the default Internal Network to the default External Network, and the route relationship is NAT
  • A Network Rule connecting the default Internal Network to the DMZ Network, and the route relationship is Route
In this configuration, connections from the default Internal Network to the default External Network will be NATed, and the destination hosts will see the source IP address of the connection as the primary IP address on the external interface of the ISA firewall. When hosts on the default Internal Network connect to hosts on the DMZ Network, the destination hosts on the DMZ Network will see the source IP address as the actual IP address of the host on the default Internal Network. Likewise, since the route relationship is reciprocal, when a host on the DMZ Network tries to connect to a host on the default Internal Network, the host on the default Internal Network will see the source IP address as the actual IP address of the host on the DMZ Network.
In this next example (figure 3), connections from the default Internal Network to the default External Network are allowed by using Access Rules. Connections from the default External Network to the default Internal Network are allowed by publishing rules (either Web or Server Publishing Rules). Connections from the DMZ Network to the default Internal Network, and from the default Internal Network to the DMZ are allowed using Access Rules.

Figure 3
What do you think will happen if a host on the DMZ Network tries to connect to a host on the default External Network? Since there is no Network Rule in place connecting hosts on the DMZ Network to the default External Network, the connection attempt will be denied, as seen in figure 4 below. Even if there is an Access Rule allowing the connection, the connection attempt will fail because there is no Network Rule connecting the Networks.

Figure 4
Let us say that we create a Network Rule that connects the DMZ Network to the default External Network and define the route relationship as NAT. When there is a NAT relationship, we can use either public or private addresses on the source Network. Connections from hosts on the DMZ Network to the default External Network are allowed by using Access Rules, and connections from the default External Network to the DMZ Network are allowed by using publishing rules.

Figure 5
Figure 6 below shows a slight alteration in the configuration. In this case, there is a route Network Rule connecting the DMZ Network to the default External Network. Because there is a route relationship, we must use public addresses on the DMZ Network, because private addresses are not routable over the Internet. We can use Access Rules to allow connections from the DMZ Network to the default External Network, and we can also use Access Rules to allow connections from the default External Network to the DMZ Network.
Up to this point, I’ve been telling you that when you have a route relationship, you can use Access Rules to control traffic in both directions. However, it is possible to use publishing rules. In the case of Web Publishing Rules, the route relationship isn’t an issue, because the connections are always proxied between the source and destination Network, so no actual “routing” at the IP level takes place. However, the situation is a little different with Server Publishing Rules.
When there is a route relationship between the source and destination Network, you can allow incoming connections using either an Access Rule or a Server Publishing Rule. In some cases, you might want to use a Server Publishing Rule instead of an Access Rule, because application layer inspection filters are bound to some Server Publishing Rules that can’t be bound to Access Rules.
For example, in the example configuration noted in the above figure 5, there is a route relationship between the default External Network and the DMZ Network. Suppose you have an SMTP server on the DMZ Network. You want to allow incoming SMTP messages from the Internet to the SMTP server on the DMZ Network. In this case, you could create an Access Rule to allow incoming SMTP connections from the default External Network to the DMZ Network, or you could create a Server Publishing Rule that publishes the SMTP server on the DMZ Network.
The advantage of using a Server Publishing Rule in this scenario is that the SMTP filter can be bound to the “SMTP Server” protocol. “Server” protocols are for inbound connections only. The SMTP filter can’t be bound to the “SMTP” protocol, which is used for Access Rules. Thus, a Server Publishing Rule using the SMTP Server protocol allows us to apply application layer inspection on the incoming connections.
I should note here that when you do use Server Publishing Rules to publish servers in a scenario where there is a route relationship between the source and destination Network, you still publish the machine using the actual IP address of the published server. However, the ISA or TMG firewall then performs a bit of magic to intercept the connection so that application layer inspection can be performed. The firewall does what is called “port stealing” on the Server Publishing Rule, so that when connections destined to the actual IP address of the published server are made, the firewall “steals” the connection and passes it to the application layer inspection filters. If the connection passes inspection, then it is forwarded to the published server. If the connection does not pass inspection, then it is dropped.

Figure 6
Now let us change our focus and look at the connectivity between the DMZ Network and the default Internal Network. In figure 7 below, you can see that we have a Network Rule connecting the default Internal Network to the DMZ Network, and the route relationship is NAT. Because the route relationship is NAT, when hosts on the default Internal Network try to connect to hosts on the DMZ Network, the DMZ Network hosts will see the source IP address of the connection to be the primary IP address on the DMZ NIC.
To allow connections to the DMZ Network from the default Internal Network, you need to create Access Rules. To allow connections from hosts on the DMZ Network to hosts on the default Internal Network, you need to create publishing rules. What you cannot do when there is a NAT relationship from the default Internal Network to the DMZ Network is create Access Rules allowing connections from the DMZ Network to the default Internal Network.

Figure 7
Figure 8 shows a reversal of the Network Rule connecting the DMZ Network to the default Internal Network. In this case, the Network Rule defines a NAT relationship from the DMZ Network to the default Internal Network. When hosts on the DMZ Network try to connect to hosts on the default Internal Network, the hosts on the default Internal Network will see the source IP address of the connection request as the primary IP address on the Internal Network NIC. Access Rules allow connections from hosts on the DMZ Network to the default Internal Network, and publishing rules allow connections from hosts on the default Internal Network to the DMZ Network. You cannot create Access Rules to allow connections from the default Internal Network to the DMZ Network because the hosts on the default Internal Network are on the non-NATed Network.

Figure 8
The next example looks at a scenario that is a common point of confusion: the back-to-back ISA/TMG firewall configuration. In a back-to-back firewall configuration, there is a front-end ISA/TMG firewall that is connected to the Internet, and there is a back-end ISA/TMG firewall that is connected to a DMZ behind the front-end firewall and an internal network behind the back-end firewall.
In the typical case, the front-end ISA/TMG firewall has a NAT route relationship between the DMZ network behind the front-end firewall and the default External Network. The back-end ISA/TMG firewall has a NAT relationship between the default Internal Network and the default External Network.
What you should appreciate here is that in this typical scenario, the DMZ network in front of the back-end ISA/TMG firewall is part of the back-end ISA/TMG firewall’s default External Network. Because it is part of its default External Network, the route relationship is going to be NAT. Therefore, if hosts behind the back-end ISA/TMG firewall need to connect to machines on the DMZ network between the firewalls, then you will create Access Rules to enable those connections. If there are machines in the DMZ network between the firewalls that need to connect to hosts behind the back-end ISA/TMG firewall, then you will need to create publishing rules to enable those connections.

Figure 9
Now let’s look at a variation of the above scenario. In this case, on the back-end ISA/TMG firewall we create an ISA/TMG Firewall Network for the DMZ between the firewalls. Then we create a Network Rule that connects the default Internal Network on the back-end ISA/TMG firewall to the DMZ Network and define a Route relationship between the Networks. Now when hosts connect to resources on the DMZ Network, an Access Rule is used to allow the connection and the hosts on the DMZ Network see the source IP address as the original client IP address. This configuration also allows you to create Access Rules to allow hosts on the DMZ Network to connect to hosts on the default Internal Network behind the back-end ISA/TMG firewall.
This scenario is important because many people would like to terminate VPN connections at the front-end firewall. When VPN clients are terminated at the front-end ISA/TMG firewall, they are given IP addresses that are part of the DMZ Network. Thus, they act as DMZ Network hosts. You can then create Access Rules that allow the VPN clients access to resources on the default Internal Network behind the back-end ISA/TMG firewall. The take home point is that since the VPN clients are given IP addresses that belong to the DMZ Network definition on the back-end ISA/TMG firewall, you can use Access Rules instead of publishing rules due to the route relationship between the two Networks.
There is one more thing you should be aware of in this back-to-back configuration where there is a route relationship between the back-end ISA/TMG firewall’s default Internal Network and the DMZ Network. When hosts on the back-end ISA/TMG firewall’s default Internal Network try to connect to the Internet, the connections must go through both firewalls. When the front-end ISA/TMG firewall receives the outbound connection request from hosts on the back-end ISA/TMG firewall’s default Internal Network, the source IP address is going to be the actual IP address of the host making the request.
Normally, the default Internal Network for the front-end ISA/TMG firewall will include the IP addresses on the DMZ Network. However, since there is a route relationship between the DMZ Network and the back-end ISA/TMG firewall’s default Internal Network, you need to include the addresses in the back-end ISA/TMG firewall’s default Internal Network in the addresses that define the front-end ISA/TMG firewall’s default Internal Network. If you fail to do this, the front-end ISA/TMG firewall will see the source address as one that doesn’t belong to its default Internal Network and will drop the connection as spoofed.

Figure 10
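To make the decisions in figures 3 through 8, and the spoofed-source drop from the back-to-back section, concrete, here is a small Python model of how a Network Rule, its route relationship, and the Access and publishing rules combine to decide one connection. It is an added example, not ISA/TMG code; the Network names, addresses and rule tuples are constructed for illustration, and it leaves out Web Publishing proxying and port stealing.

```python
"""Toy model of ISA/TMG Network Rules and route relationships (added example, not ISA code)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Network:
    """An ISA/TMG Firewall Network: the addresses behind one NIC plus that NIC's primary IP."""
    name: str
    ranges: tuple   # address ranges in the Network definition (constructed values)
    nic_ip: str     # primary IP of the NIC that roots this Network

    def contains(self, ip):
        return any(ip_address(ip) in ip_network(r) for r in self.ranges)


@dataclass
class Firewall:
    networks: list                                      # most specific first; External (0.0.0.0/0) last
    network_rules: list = field(default_factory=list)   # (src, dst, "NAT" | "Route")
    access_rules: set = field(default_factory=set)      # (src, dst) Network name pairs
    publishing_rules: set = field(default_factory=set)  # (src, dst) Network name pairs

    def network_named(self, name):
        return next(n for n in self.networks if n.name == name)

    def relationship(self, src, dst):
        """Route is reciprocal; NAT only applies in the direction the rule defines it."""
        for a, b, kind in self.network_rules:
            if (a, b) == (src, dst):
                return kind
            if (b, a) == (src, dst):
                return "Route" if kind == "Route" else "NAT-reverse"
        return None

    def evaluate(self, src_ip, ingress, dst_ip):
        """Decide the fate of a packet from src_ip that arrived on the NIC rooting `ingress`."""
        src = self.network_named(ingress)
        if not src.contains(src_ip):                    # part 1 anti-spoofing check
            return "DENIED", f"spoofed: {src_ip} is not in the {ingress} Network definition"
        dst = next(n for n in self.networks if n.contains(dst_ip))
        rel, pair = self.relationship(src.name, dst.name), (src.name, dst.name)
        if rel is None:                                 # figure 4: Access Rule alone is not enough
            return "DENIED", f"no Network Rule connects {src.name} to {dst.name}"
        if rel == "NAT-reverse":                        # source sits on the non-NATed side
            if pair in self.publishing_rules:
                return "ALLOWED", "publishing rule"
            return "DENIED", "non-NATed side needs a publishing rule, not an Access Rule"
        if pair not in self.access_rules:
            return "DENIED", "no Access Rule"
        seen = src_ip if rel == "Route" else dst.nic_ip  # NAT hides the source behind the NIC
        return "ALLOWED", f"Access Rule ({rel}); destination sees source as {seen}"


# Constructed three-NIC firewall from figures 3 to 5 (addresses are made up).
FW = Firewall(
    networks=[Network("Internal", ("10.0.0.0/24",), "10.0.0.1"),
              Network("DMZ", ("192.168.1.0/24",), "192.168.1.1"),
              Network("External", ("0.0.0.0/0",), "203.0.113.1")],
    network_rules=[("Internal", "External", "NAT"), ("Internal", "DMZ", "Route")],
    access_rules={("Internal", "External"), ("Internal", "DMZ"), ("DMZ", "Internal"), ("DMZ", "External")},
    publishing_rules={("External", "Internal")},
)

if __name__ == "__main__":
    for case in [("10.0.0.5", "Internal", "198.51.100.9"),   # figure 3: NATed, source hidden
                 ("192.168.1.7", "DMZ", "10.0.0.5"),          # route: source preserved
                 ("192.168.1.7", "DMZ", "198.51.100.9"),      # figure 4: no Network Rule
                 ("10.0.0.99", "DMZ", "10.0.0.5")]:           # wrong NIC for its address: spoofed
        print(case, FW.evaluate(*case))
```

Changing the Internal-to-DMZ rule to NAT reproduces figure 7: the DMZ side can no longer reach Internal through an Access Rule and needs a publishing rule instead.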
Summary
In this, part two in our series about ISA/TMG Network concepts, I went over some scenarios that were designed to help you understand the concept of Network Rules. Network Rules are required to connect Networks. If source and destination Networks are not connected, no communications will be allowed between those Networks, even if there are Access Rules configured to allow the connections. When defining a Network Rule to connect a source and destination Network, you also define the route relationship. The route relationship can be either NAT or Route. Access Rules and publishing rules are supported in a different way, depending on the route relationship between the source and destination Networks.
Next week we will look at a case study where we had to have a good understanding of how ISA/TMG firewall Networks work in order to get a working solution. This case study involves migrating an old ISA 2000 firewall to ISA 2006. Not only that, but the migration also includes changing over from a unihomed ISA firewall to a dual-homed firewall. As you might imagine, there were several network issues that needed to be addressed. You will find out what the problems were and how we solved them in the next article. See you then! –Tom.