Guidelines on Allowing Domain-related Communications through the ISA Server

Guidelines on Allowing Domain-related Communications through the ISA Server

Basic Setup

The internal network DC was configured first. Single NIC. DNS configured manually (never use the Wizard).
Create a Reverse Lookup Zone for the DMZ Network ID and internal network ID
Make a manual entry in DNS for DMZ host using the DMZ host’s address on the DMZ; DC and ISA Server will dynamically register their addresses.
IP settings configured to make DC a SecureNAT client
ISA Server installed on Windows 2000 Advanced Server dual NIC machine.
Typical IP settings on each NIC of the ISA Server. No special requirements

On the ISA Server create Protocol Definitions for:

Direct Host (TCP)	445	TCP	Inbound
Kerberos(UDP)	88	UDP	Receive/Send
LDAP(TCP)	389	TCP	Inbound
LDAP(UDP)	389	UDP	Receive/Send
NTP(UDP) Inbound	123	TCP	Inbound
DNS Query Server`	53	UDP	Inbound
DNS Zone Transfers	53	TCP	Inbound

Create Server Publishing Rules using the following Protocol Definitions

Direct Host (TCP)	445	TCP	Inbound
Kerberos(UDP)	88	UDP	Receive/Send
LDAP(TCP)	389	TCP	Inbound
LDAP(UDP)	389	UDP	Receive/Send
NTP(UDP) Inbound	123	TCP	Inbound
DNS Query Server`	53	UDP	Inbound
DNS Zone Transfers	53	TCP	Inbound
Any RPC Server	135	TCP	Inbound

In order for the Direct Host Protocol Rule to work, you have to disable NetBIOS over TCP/IP completely. In order to do this, you must disable nbt.sys in the Device Manager. When in the Device Manager, change the view to show hidden devices. The right click and disable nbt.sys.

After disabling nbt.sys, go into the Services applet and disable the TCP/IP NetBIOS Helper service and the DHCP Client service. This is supposed to stop errors from the Service Control Manager when the server is restarted. Although in my testing, I still get the error on system startup L. No problem, because everything still works; its just an esthetic issue.

Also, make sure you’re not running DNS or WINS on the ISA Server. Not that WINS will make much of a difference, since NetBIOS is now dead J. The DNS service must not be installed or else it will conflict with your DNS Query and DNS Zone Transfer Server Publishing Rules.

Create the RPC Registry Entries on the DC

Because RPC is a f***ked up protocol from the Firewall standpoint, you need to put some limits on the ports used. I don’t pretend to completely understand how this works (because I haven’t made the effort J), but you should add the following Registry entries on the DC.

Key: HKLM\SOFTWARE\Microsoft\RPC\Internet
Named Value: Ports
Type: REG_MULTI_SZ
Setting: Range of port. This can be multiple lines.
4001-4039
9001-9099

Named Value: PortsInternetAvailable
Type: REG_SZ
Setting: Y

Named Value: UseInternetPorts
Type: REG_SZ
Setting: Y

It might work without these entries, but then again, maybe the RPC filter makes use of these entries. Do this first and mess with it later if you want to experiment.

DMZ Host Configuration

The DMZ host was a single NIC Windows 2000 Advanced Server. Initial interface configuration was set to use the external interface of the ISA Server for its DNS server.

Install the DNS service on the DMZ host.

Create a Reverse Lookup Zone for the DMZ network ID
Create a Forward lookup zone and make it a secondary zone to the internal network’s DNS zone of the same name.
With the DMZ Host configured as a Secondary, perform the Zone transfer (this should happen by itself, but you can force it if you get impatient).
After the Zone Transfer is complete, change the Zone to a Standard Primary Zone
Change the Host (A) records for the internal DC to be the IP address of the external interface of the ISA Server that matches the IP address of the Server Publishing Rules you created.
Also, change the domain Host (A) record to match the external IP address of the ISA Server
Manually create the PTR records for the new entries. You have already created the Reverse Lookup Zone, so now just add PTR records to it that go with the Host (A) records you just created/changed

The goal of all this is to make the internal network DC represented by the external IP address used in the Server Publishing Rules.

After the changes have been made to DNS, change the interface settings on the DMZ Host to its own IP address. This forces the DMZ host to use its own DNS server configuration and *not* the configuration and entries on the internal network Active Directory/DNS server. Reboot the DMZ Host just for old time’s sake.

Join the Domain

After rebooting the server, join the machine to the domain. It should work! It worked for me J. Go to Active Directory users and computers on the internal network DC and confirm the machine actually has an account in the domain. Amazing!

Having Fun with Directing Hosting and UNC Paths

Just for fun, try accessing a share on the internal network DC by typing a UNC path to the server. Bingo! It works. Want to have more fun? Create a Protocol Rule that allows outbound access to Direct Hosting (TCP 445). Now you’re able to access shares on the DMZ host. All sorts of security implications with this setup, eh? Especially the inbound from DMZ to the DC (arrgh!).

Comments:

I think the Direct Hosting Protocols and the Registry entries, along with whacking nbt.sys where the magic bullets. Hey, I’d like to say that I figured all this out on my own, but I pieced together the solution from information I found on the Microsoft site. Of course, the tricky thing for most admins (not you and I, of course), is the split DNS configuration. For the DNS novitiate, this stuff isn’t going to make sense to them and may complicate their deployment, even after I create the step-by-step for the ISAserver.org site.

Now, whether this will allow the Exchange FE/BE thing to work, I don’t know. Since I haven’t tried a FE/BE thing for a long time, I’m going to have to read up on it again and see if there are any more requirements for the Server Publishing Rules and/or Web Publishing Rules.

Finally, I think we can agree that this is a piss poor security design. Extending the internal network Domain into the DMZ seems moronic to me, but there may be compelling business reasons to do so, and I might just be ignorant and the security implications are not as severe as I think. I’d be glad to hear comments on this.