
Overview of ISA and TMG Networking and ISA Networking Case Study (Part 1)

Lao Fang says: this article is taken from the ISASERVER.ORG site and was written by the expert Thomas Shinder. Strongly recommended reading for ISA enthusiasts.
  • Published: Dec 16, 2008
  • Updated: Jan 21, 2009
  • Author: Thomas Shinder
What ISA/TMG firewall Networks are about and how the firewall uses these networks to perform several key functions.
Last week I did a blog post asking our ISAserver.org members what kind of content they would like to see on the site. I expected the typical stuff, such as “more articles on integrating with other networking equipment vendors” and “more information on how NLB works” and “more articles on how to make ISA and TMG work with Exchange 2007, SharePoint and OCS” and maybe even “more stuff about ISA and TMG add-ons”. I was not disappointed. I did get requests for all of that kind of content.
There was also another comment that I thought was interesting. Someone wrote to me and said that what he would like is some information on the basics. For example, the basics of ISA networking. This fellow said that many Microsoft admins who use ISA have a basic understanding of TCP/IP networking but do not have a good grip on how the ISA firewall sees the networked world, and any information that would help along those lines would be very helpful.
The comment was a timely one for me, as it dovetailed with some other experiences I was having last week. Therefore, in the spirit of this request for a return to the basics and my experiences last week, we will go over some of the basics of ISA/TMG firewall networking.
ISA/TMG Firewall Networks
NOTE:
Pay close attention to the capitalization I use in this article. Network with a capital “N” refers to an ISA/TMG Firewall Network, which is a network object that the firewall uses to define the collection of IP addresses directly reachable from a specific network interface. In contrast, when a lower case “n” is used for network, I am referring to a generic network or network segment.
ISA and TMG firewalls see the networked world based on the concept of the Network network object. The Network network object defines traffic that moves through the firewall. All traffic that moves to or through the firewall must source from one Network and have a destination on another Network. If the source and destination of the traffic are on the same Network, then the traffic doesn’t move through the firewall. However, there are times when traffic with the same source and destination Network can bounce off the firewall. We will take a look at this example later.
What is an ISA Firewall Network? An ISA/TMG Firewall Network is a collection of IP addresses that can directly reach a NIC on the firewall without having to traverse the firewall. For example, consider a simple scenario where the ISA firewall has two NICs: an internal interface with an IP address of 10.0.0.1 and an external interface with a public IP address. There is a host connected to the same network as the firewall’s internal interface, and that client has an IP address of 10.0.0.2. In this example, the internal interface and the client at 10.0.0.2 are part of the same Network, since the client can directly reach that interface without crossing the firewall. The client cannot be on the same Network as the external interface of the firewall, since it would have to cross the firewall to reach that interface.
The figure below depicts this example. The internal interface has the IP address 10.0.0.1 and the client behind that interface has IP address 10.0.0.2. The client behind the internal interface can reach the internal interface directly. The client behind the internal interface cannot reach the external interface directly. Therefore, the client could never be a member of the ISA Firewall Network that the external interface belongs to.
Figure 1
As I mentioned earlier, an ISA Firewall Network is defined as a collection of IP addresses that can be reached directly through one of the interfaces on the ISA or TMG firewall. However, this does not mean that all of those IP addresses have to be on the same network ID as the interface on the ISA firewall.
For example, in the figure above, the internal interface of the ISA firewall was on network ID 10.0.0.0/24 and the client was an “on subnet” client that was also on network ID 10.0.0.0/24. The ISA Firewall Network defined for that interface was 10.0.0.0-10.0.0.255.
What if there is a router behind the ISA firewall’s internal interface and there are remote network IDs that need to connect to the Internet through the ISA firewall’s internal interface? For example, in the figure below you see that I have added a router and a remote network ID behind that router, which in this case is 192.168.1.0/24. Will the ISA firewall need to see connections from the 192.168.1.0/24 network ID as being on the same ISA Firewall Network as connections from the 10.0.0.0/24 network ID?
The answer is YES. The reason is that both 10.0.0.0/24 and 192.168.1.0/24 in this example have to connect to and through the ISA firewall using the same NIC. Since the ISA firewall sees each NIC as the root of an ISA Firewall Network, all connections made directly to and through the firewall on that interface are part of the same ISA Firewall Network.
Figure 2
However, in order to make this work, you need to add those addresses to the definition of the ISA Firewall Network. In this example, the definition of the default Internal Network would include the addresses 10.0.0.0-10.0.0.255 and 192.168.1.0-192.168.1.255. All of these IP addresses are part of the default Internal Network and reach the ISA firewall through the same network interface card.
Figure 3
The reason we need to include all the addresses that are behind a specific NIC on the firewall is that if a host tries to connect through the ISA firewall on that NIC from a source IP address that is not part of that ISA Firewall Network, the connection request will be dropped as a spoof attempt. The ISA or TMG firewall treats the connection attempt as a spoof because the source IP address is not part of the definition of the ISA Firewall Network rooted at the NIC the packet arrived on.
For example, check out the figure below. We have defined the default Internal Network in this example as all IP addresses in the 10.0.0.0/24 and 192.168.1.0/24 ranges (note that I have included all the addresses in each network ID; that is not a requirement, and I could have included only a subset of those IP addresses if I wanted to). What if a host with the IP address 172.16.0.2 tried to connect to the ISA firewall through the NIC that represents the “root” of the default Internal Network?
The connection attempt would fail. The reason it would fail is that 172.16.0.2 is not part of the definition of the default Internal Network in this example. Since the ISA firewall does not recognize this source IP address as part of the default Internal Network, it will not allow the connection through the NIC that defines the “root” of the default Internal Network. It will flag this connection as a spoof attempt. All spoof attempts are blocked by the firewall.
Figure 4
What if you wanted to allow connections from that host at 172.16.0.2? It is a simple matter of adding that IP address to the definition of the ISA Firewall Network that this host uses to connect to and through the ISA firewall. In this case, you could add just that IP address, or if you have other hosts on that network ID, you could add the IP addresses of those hosts, or you could add all the addresses in that network ID.
You define the addresses that belong to a specific ISA Firewall Network in the Properties dialog box for that Network. In the figure below, you can see the Addresses tab for the default Internal Network. This default Internal ISA Firewall Network includes all addresses on the network ID 192.168.1.0/24.
Figure 5
You can create multiple ISA Firewall Networks on a single ISA firewall. For example, suppose you wanted to create an ISA Firewall Network for wireless guest computers to connect to the Internet. In this case, you would add a third NIC to the ISA firewall (the other two interfaces are the external interface and the internal interface). The third NIC would become the “root” of a new ISA Firewall Network. You would then assign addresses to that ISA Firewall Network. Each NIC on the ISA firewall needs to be on a different network ID, so after installing the third NIC, we assign it an IP address on a network ID that is different from the other two NICs. Then we assign IP addresses to the new ISA Firewall Network. In the figure below, you can see that all addresses on network ID 192.168.0.0/24 are part of the Guest ISA Firewall Network.
Figure 6
It is important to remember that an IP address can participate in only a single ISA Firewall Network. You cannot assign the same IP address to two different ISA Firewall Networks. If you do, you will receive an error message.
Out of the box, the ISA or TMG firewall will have the following Networks defined:
  • The default External Network – the default External Network is defined as all IP addresses that are not used by any other ISA Firewall Network. Any address that is not included in another ISA Firewall Network is automatically part of the default External Network. The NIC that defines the default External Network is usually the NIC with the default gateway bound to it; ISA and TMG MBE firewalls support a single default gateway.
  • The default Internal Network – this is the Network you define during setup that represents your primary internal network. You can have multiple internal Networks if you like, but there is only one default Internal Network, which you set up during installation of the ISA firewall. The default Internal Network typically contains your key infrastructure services, such as DNS, DHCP and Active Directory domain services. The default Internal Network is important because much of the ISA and TMG firewall’s System Policy is configured to access resources on the default Internal Network.
  • The Local Host Network – the Local Host Network is defined by the IP addresses bound to all NICs on the ISA or TMG firewall. For example, if the firewall had two interfaces, one with IP address 2.2.2.2 bound to it and the other with 10.0.0.1 bound to it, then IP addresses 2.2.2.2 and 10.0.0.1 are members of the Local Host Network. Note that this breaks one of the rules of ISA/TMG Networks, in that these IP addresses are also members of the Networks to which those NICs are connected: 2.2.2.2 is likely a member of the default External Network and 10.0.0.1 is a member of the default Internal Network.
  • VPN Clients Network – the VPN Clients Network contains the IP addresses of connected VPN clients. There are two ways to assign IP addresses to VPN clients: using a static address pool and using DHCP. If you assign IP addresses to VPN clients from a static address pool, then you must remove those IP addresses from any other Network that might contain them. For example, if you want to assign on-subnet addresses to VPN clients (such as 192.168.1.200-192.168.1.225 when the internal interface is 192.168.1.1/24), you must remove those addresses from the definition of the on-subnet Network.
    In contrast, if you use DHCP to assign IP addresses to VPN clients, then you do not have to remove those addresses from the definition of any other Network that might also contain them. This makes sense: when DHCP hands out these addresses, the DHCP server guarantees that no other host on any other Network holds the same IP address at the same time. With a static pool, by contrast, nothing stops a configuration error from putting the same addresses on another Network as well. Addresses are automatically added to and removed from the VPN Clients Network as they are leased and released by the VPN clients. Note that this represents a second exception to our rule that an IP address can belong to a single Network: when you use DHCP to assign IP addresses to VPN clients, those addresses can also belong to another ISA/TMG Firewall Network.
  • Quarantined VPN Clients Network – the Quarantined VPN Clients Network contains the IP addresses of VPN clients that have not yet passed VPN quarantine control. This is configured as a separate Network from the VPN Clients Network because you might want to create firewall rules that allow quarantined VPN clients access to resources on a Protected Network (a Protected Network is any ISA/TMG Network that isn’t the default External Network) or even on the Internet so that they can remediate themselves. IP addresses are automatically moved from the Quarantined VPN Clients Network to the VPN Clients Network when the VPN client passes the quarantine control checks.
Figure 7
Summing up what we know at this point:
  • ISA/TMG Firewall Networks are used for spoof detection. If a packet arrives at an interface that is the root of an ISA Firewall Network with a source IP address that is not defined for that Network, the connection attempt is dropped as a spoofed connection attempt.
  • An IP address can be assigned to only a single ISA/TMG Firewall Network. The only exceptions to this rule are the Local Host Network, and the VPN Clients and Quarantined VPN Clients Networks when you use DHCP to assign addresses to VPN clients.
  • An ISA/TMG Firewall Network can contain IP addresses from multiple network IDs. What all these IP addresses have in common is that they connect to and through the ISA or TMG firewall through the same NIC.
ISA/TMG Firewall Networks are also used for one more important task: defining whether connections from the systems on a particular Network to another Network are routed or NATed. In order for hosts on one Network to communicate with hosts on another Network, the two Networks must be connected using a Network Rule. The Network Rule accomplishes two things:
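The spoof check described around Figures 3 to 5 and the single-Network rule with its Local Host and DHCP-assigned VPN Clients exceptions, modelled in Python as an added example. This is not ISA/TMG code and does not touch a real firewall; the NIC names (internal, guest, external) and the class and method names are my own assumptions, while the address ranges are the ones used in the article’s figures.

```python
"""Added example for this article (not ISA/TMG code): a model of ISA/TMG Firewall
Networks that applies the rules the text describes. NIC names are constructed; the
addresses are the article's own (10.0.0.0/24, 192.168.1.0/24, 192.168.0.0/24, 2.2.2.2)."""
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Range = Tuple[IPv4Address, IPv4Address]


class NetworkConflict(ValueError):
    """An address placed in two Networks; the ISA console rejects this with an error."""


class FirewallNetworks:
    def __init__(self, nic_addresses: Dict[str, str], external_nic: str):
        # NIC name -> address bound to it; together these form the Local Host Network.
        self.nic_ip = {nic: IPv4Address(ip) for nic, ip in nic_addresses.items()}
        self.external_nic = external_nic
        # Network name -> (root NIC, ranges). The default External Network is not
        # stored: it is the complement of everything defined here.
        self.networks: Dict[str, Tuple[Optional[str], List[Range]]] = {}
        self.dhcp_networks = set()  # Networks whose addresses are leased by DHCP

    def define(self, name: str, root_nic: Optional[str], ranges, dhcp_assigned=False):
        """Create a Network. dhcp_assigned models a VPN Clients Network fed by DHCP,
        the one kind of Network that may overlap another."""
        rs = self._parse(ranges)
        if dhcp_assigned:
            self.dhcp_networks.add(name)
        else:
            self._check_no_overlap(name, rs)
        self.networks[name] = (root_nic, rs)

    def extend(self, name: str, ranges):
        # Add ranges to an existing Network (the Addresses tab in the console).
        rs = self._parse(ranges)
        if name not in self.dhcp_networks:
            self._check_no_overlap(name, rs)
        self.networks[name][1].extend(rs)

    def networks_of(self, ip: str) -> List[str]:
        """Every Network an address belongs to: normally one, but a NIC's own address
        is also in Local Host, and a DHCP-leased VPN address may sit in two."""
        addr = IPv4Address(ip)
        found = [n for n, (_, rs) in self.networks.items()
                 if any(lo <= addr <= hi for lo, hi in rs)]
        if not found:
            found.append("External")  # default External = every unclaimed address
        if addr in self.nic_ip.values():
            found.append("Local Host")
        return found

    def root_network(self, nic: str) -> str:
        """The Network rooted at a NIC; the external NIC roots the default External."""
        for name, (root, _) in self.networks.items():
            if root == nic:
                return name
        if nic == self.external_nic:
            return "External"
        raise KeyError(f"no Network is rooted at NIC {nic!r}")

    def is_spoof(self, src_ip: str, arriving_nic: str) -> bool:
        """ISA's spoof test: the source must belong to the arriving NIC's Network."""
        return self.root_network(arriving_nic) not in self.networks_of(src_ip)

    @staticmethod
    def _parse(ranges) -> List[Range]:
        return [(IPv4Address(lo), IPv4Address(hi)) for lo, hi in ranges]

    def _check_no_overlap(self, name: str, rs: List[Range]) -> None:
        for other, (_, others) in self.networks.items():
            if other == name or other in self.dhcp_networks:
                continue
            for lo, hi in rs:
                for olo, ohi in others:
                    if lo <= ohi and olo <= hi:  # closed intervals intersect
                        raise NetworkConflict(
                            f"{max(lo, olo)}-{min(hi, ohi)} already belongs to {other!r}")


def build_article_firewall() -> FirewallNetworks:
    """The three-NIC firewall of Figures 3 to 6: Internal spans two network IDs
    behind one NIC, Guest is rooted at a third NIC, External is everything else."""
    fw = FirewallNetworks(
        {"internal": "10.0.0.1", "guest": "192.168.0.1", "external": "2.2.2.2"},
        external_nic="external")
    fw.define("Internal", "internal",
              [("10.0.0.0", "10.0.0.255"), ("192.168.1.0", "192.168.1.255")])
    fw.define("Guest", "guest", [("192.168.0.0", "192.168.0.255")])
    # VPN clients leasing addresses out of the Internal range via DHCP: the case
    # where an address may legitimately belong to two Networks.
    fw.define("VPN Clients", None, [("192.168.1.200", "192.168.1.225")],
              dhcp_assigned=True)
    return fw


if __name__ == "__main__":
    fw = build_article_firewall()
    for src, nic in [("10.0.0.2", "internal"), ("192.168.1.50", "internal"),
                     ("172.16.0.2", "internal"), ("10.0.0.2", "external")]:
        print(f"{src:>12} on {nic:<8} -> {'SPOOF' if fw.is_spoof(src, nic) else 'ok'}")
    fw.extend("Internal", [("172.16.0.2", "172.16.0.2")])  # the Figure 4 remedy
    print("172.16.0.2 on internal after adding it ->",
          "SPOOF" if fw.is_spoof("172.16.0.2", "internal") else "ok")
```

Run as a script, the 172.16.0.2 connection arriving on the internal NIC is reported as a spoof until the address is added to the Internal Network, exactly the Figure 4 situation and its remedy. The same test flags an internal address arriving on the external NIC, which is the check that stops an outside host from claiming an inside address; and trying to define a second Network that reuses part of 10.0.0.0/24 raises NetworkConflict, the counterpart of the console’s error message.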
  • Enables communications between the two ISA/TMG Firewall Networks
  • Sets a routing relationship between the two Networks
I’ll go into more detail on Network Rules and connecting Networks to one another in the second part of this series on ISA/TMG firewall networking.
Summary
In this article, we went over what ISA/TMG firewall Networks are about and how the firewall uses these Networks to perform several key functions. We saw that an IP address can belong to only a single Network, with the exception of the Local Host Network and the VPN Clients and Quarantined VPN Clients Networks. We then finished off with a brief overview of the default ISA/TMG Firewall Networks. Next week I will continue the story by showing you how ISA/TMG Networks are used to connect hosts on one Network to another, and how Networks are used to define a route relationship between source and destination. See you then! –Tom.
