ISA Enterprise Array need suggestions.

Thor86

Diamond Member
May 3, 2001
Looking at building an ISA Enterprise array with two machines hosting Win2k Adv Server with NLB, Active Directory, DNS on both machines and Dhcp on one.

(Router) <-> (ISA server array) <-> (Web/Mail/DB servers)

Possible? Comments and/or suggestions are welcome and appreciated from people with this setup experience.

Thanks.
 

Darthkim

Senior member
Dec 11, 1999
You do know that you can't cluster a DNS service (if I am understanding your setup right).

Also running a DC on the same box that runs the Firewall is very unsafe. If your firewall was to be compromised, Your whole domain would be at risk.

If possible, I would split off the ISA portion and then put the DC behind it. Remember that ISA is pretty beefy, and make sure you have plenty of memory on the box that is running it.

Here is a site if you have any more ISA server questions: www.isaserver.org
 

JackBurton

Lifer
Jul 18, 2000
Dude, when you say "ISA array" you know that means you will be running more than one ISA server, right? An array of Proxy 2.0 or ISA servers is multiple servers running Proxy 2.0/ISA and is primarily for load balancing, and you won't need that for home or even a small business. Just use one ISA server if this is for your home setup. Having said that, Darthkim is right: make sure one server is a dedicated ISA server, don't run your DC on it. Running Proxy 2.0/ISA on a DC w/ AD is a security no-no. Anyway, you have a router in front of your ISA server so you'll have added security with that. As for your web/mail/DB servers, that is exactly where they need to be (behind the ISA server). However, you're going to need to set up your DNS server to point to your web and mail server. For this you'll also have to punch specific holes in ISA to let mail/web traffic into your mail/web servers.

Overall, your setup looks good and you should be fine.
 

Saltin

Platinum Member
Jul 21, 2001
1) If you've only got a few boxen, you don't need an ISA Array.
2) The ISA server should be on a dedicated box.
3) If you have a router, install ISA in proxy mode, and let the router handle the firewall.
 

Thor86

Diamond Member
May 3, 2001
Thanks for everyone's input on this so far.


Darthkim,

Not looking to cluster DNS in the technical way, but just to keep two DNS servers running for redundancy for the Active Directory portion. I guess getting a domain controller server behind ISA servers is now a necessity. As for RAM, I have 512 megs on both ISA servers. I am hoping that will be enough for the time being.

Jack Burton,

This setup will be for corporate sites with a fair bit of traffic, 100-140 gigs per month. Management wants more control/monitoring of all network traffic to these servers. Will see about acquiring another server to move the DC's off the ISA servers as you and Darthkim suggested, but since the DC's only control the ISA servers, would it not be OK? No other server will be part of that Win2k domain, only the 2 ISA servers.

Saltin,

This setup currently will have 20+ servers behind it, with tendency to expand to at least another 20 servers sometime this year. I will be running 2 servers just dedicated for ISA/DC/DNS for redundancy and NLB of all network traffic for monitoring and control. The router should be able to handle most basic stuff, but I would like to use ISA as an intrusion detection system as well.

 

Saltin

Platinum Member
Jul 21, 2001

<< I will be running 2 servers just dedicated for ISA/DC/DNS for redundancy >>

It's a bad move to put ISA on DC's. By design, the ISA server must sit on the edge of the network, with one NIC in the private and one NIC in the public. You don't want your DC's anywhere near the public network.

There are also a million and one technical issues you will encounter with a multihomed DC (master browser loops, DNS issues, etc). Save yourself the headache and worry and make the ISA servers member servers.
Sounds like you have the boxen to spare.
 

err

Platinum Member
Oct 11, 1999
I would suggest investing in a third box running ISA server. You don't have to put it in an array unless high reliability is a must. Our ISA server is the proxy for about 500 machines and several remote sites, yet we don't have it in an array. It is running fine.

Running DNS on both DCs would be great. I would also suggest running a third DNS on your ISA box to resolve Internet addresses, and point your domain DCs to forward to your ISA DNS to resolve Internet addresses if you need to.

Good luck with your design. Have fun

eRr
 

N11

Senior member
Mar 5, 2002
I'm going to agree with the others.

Keep your domain controllers behind the ISA server.

A couple domain controllers, primary dns on one, install secondary on another, residing in your lan. My personal preference when looking for a pure firewall would be checkpoint on a nokia device, and house your web and any frontends in a restricted DMZ.

But all in all keep the AD DCs inside the network and away from the primary or secondary point of contact in your network.
 

Woodie

Platinum Member
Mar 27, 2001
An interesting design... I wouldn't do it that way, but I have different resources.

Observations:
If the only objects in the domain are the ISA's, then the only thing you're putting at risk is the whole domain where the ISA's live. (Not just local admin, but Domain Admin).
Since redundancy is important to you, make sure the ISA boxes (and the DCs, and the DNS) are in separate buildings, with separate power sources.
Multi-homing DCs could become a major headache!
ISA in an array can be very useful for adding/removing (ISA) servers from the cluster rapidly.
I would keep the ISA Domain outside the private network. That way your DMZ doesn't have to have W2K domain-traffic ports back through your inner firewall.
I'm thinking something like this:

Internet
||
Router/Firewall
||
ISA Cluster (2-3 boxes)
||
DMZ Segment ==DC1+DNS1 == DC2+DNS2
||
Firewall
||
Internal network(s)

Do you need to provide DNS service to the Internet or just internally? If Internet, then you'll have to put up a couple of Public DNS servers in the same position as the ISA Cluster in the picture above.
 

Thor86

Diamond Member
May 3, 2001
Saltin,

Thanks for the advice. Will do so, and move the DC's off the ISA servers and make them members from the private side only.

eRr,

Thanks for the input. I have no clue in what to expect from these servers performance-wise, but your confidence in your ISA server to serve your network has boosted mine. My question to you would be, what happens if/when your one ISA server goes down, what is your fail-over for your ISA proxy to your network?

N11,

I will look into more information regarding "checkpoint" and "nokia devices" as you mentioned. As far as the DC and DNS setups, I am glad to hear similar suggestions from you on your input. Thank you.

Woodie,

I guess any risk is still a risk. Is there any baseline information on "hardened" or "high-secure" DC servers connected to the public network? Are there any specific exploits for Win2k DC servers on public networks, or resources to such information from security websites? Have I asked you enough questions already? As for my redundancy plans, well, it is more of a hardware failure redundancy rather than a disaster recovery type, but I agree with your suggestion on different physical locations of such services. Thanks for the network diagram and your suggestions, as I will investigate them in further detail.

As always, having lots of fun.

err

Platinum Member
Oct 11, 1999

<< eRr,

Thanks for the input. I have no clue in what to expect from these servers performance-wise, but your confidence in your ISA server to serve your network has boosted mine. My question to you would be, what happens if/when your one ISA server goes down, what is your fail-over for your ISA proxy to your network?
>>

Thor,

I am not saying that our ISA server won't go down. However, we had our proxy 2.0 box for almost 3 years and never a major problem with it. Our ISA server has been in production for almost 6 mos now and we also never had any stability problem / even a minor problem with it.

You can quickly save your ISA server settings and rebuild your ISA server (with Win2k server install) from scratch in 4 hours.

This now comes to the question of how important is the availability of Internet to your business? For us, the ISA server can go down for 4 hours and people would still be productive. We also have another proxy server in house as a backup route if it is necessary (we never used them). We would just change our GPO and redirect our users to the backup proxy.

However, if you absolutely need 100% uptime, setting up ISA cluster will help you achieve your goals better.

eRr

 

Woodie

Platinum Member
Mar 27, 2001
As far as AD goes, the question is this:

Why would you allow the public to access a directory of internal information (the contents of the directory)? I know there are companies that will pay $$ for internal company telephone directories (sales and recruiting companies).

Keep in mind, the AD stores (by default): User Name, phone number, mailing address, email address, email server, work hours, physical address, group memberships, and on and on and on, and "Everyone" has the ability to read this information about any other user in the directory.

So again, the question is: Why would you allow the public to access such a directory?
The answer is (or should be) very specific to your company. We choose not to expose internal email addresses or user IDs to the world at large. We especially don't want to expose server information, with IP addresses, real names, roles, etc. We also don't want to expose all our subnetting information, which can show the network topology as well.

References: securityfocus.com, securify.org, etc., Google. Many won't talk directly about network architecture, as they're focused on securing one particular server rather than a group of servers, which are really just the building blocks of a "Web Application". Read the article about the Anandtech servers... that's the sort of detail that most places don't wish to make available.
 

Thor86

Diamond Member
May 3, 2001
Ok, did some reading, and I am not quite sure as to whether or not ISA server arrays with NLB require Active Directory. I am guessing it doesn't. Someone confirm this with me please. Thanks.
 

JustinLerner

Senior member
Mar 15, 2002
Without AD in your domain, you will have significantly less security unless you completely understand how to implement a Kerberos realm via some 'nix server version. Don't have the faintest idea if or how this could be done on ISA, nor would I try it. Make sure you have a 2000/XP DC (ie - properly implementing and using DNS and AD).
 

Thor86

Diamond Member
May 3, 2001
JustinLerner,

Thanks for your reply. Can you point me to some info on the web concerning what you mentioned? I don't see how ISA servers in a standalone config would be less secure than ones that are members of a 2K domain. My specifics are: can I set up an ISA array without Active Directory and just use the ISA array service, so I only need to configure 1 server which will propagate all changes to the settings to the other ISA servers, rather than all of them?

Much appreciated!