192 CHAPTER 7 Deploying ISA Server as a Reverse Proxy in an Existing Firewall DMZ
Understanding Packet-Filter Firewall Configuration for ISA Server Publishing
Simply opening the proper port (HTTP and/or SSL) to the ISA server, and then from the
ISA server to the Internal web server, is all that is necessary. For example, the following
rules illustrate what would be set up on the packet-filter firewall shown in
Figure 7.5:
• NAT 12.155.166.151 to 172.16.1.21
• Allow 443 from External to 172.16.1.21
• Allow 443 from 172.16.1.21 to 10.10.10.20
Each firewall product will have a different way of configuring rules. Consult the product
documentation for information on how to set these up.
Isolating and Securing an ISA Security Appliance
This concept drives home the real benefit of ISA in the DMZ: isolating and protecting the
web services from direct physical access from the Internet. In this design, even if an
attacker were able to compromise and overcome the ISA server, he or she would be
isolated in the DMZ of the firewall, and able to communicate over only a single port to a
single server in the internal network.
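The isolation claim can be checked mechanically against the three rules listed earlier. The following Python sketch is an added example, not from the book or from any firewall product: it models the NAT and allow rules and lists everything a compromised ISA server could reach. The /24 zone ranges, the default-deny behaviour, the sample Internet address and the probed port list are assumptions.

```python
import ipaddress

# Assumed zone ranges: the page gives only host addresses, not subnet masks.
ZONES = {
    "DMZ": ipaddress.ip_network("172.16.1.0/24"),
    "Internal": ipaddress.ip_network("10.10.10.0/24"),
}
NAT = {"12.155.166.151": "172.16.1.21"}  # public address -> ISA server
# (source, destination host, TCP port); a source is a zone name or a host.
ALLOW = [
    ("External", "172.16.1.21", 443),
    ("172.16.1.21", "10.10.10.20", 443),
]

def zone_of(ip):
    """Name of the zone an address belongs to; anything unlisted is External."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "External"

def permitted(src, dst, port):
    """Apply destination NAT, then the allow rules; default deny (assumed)."""
    dst = NAT.get(dst, dst)
    for rule_src, rule_dst, rule_port in ALLOW:
        if rule_src in (src, zone_of(src)) and rule_dst == dst and rule_port == port:
            return True
    return False

def reachable_from(src, targets, ports):
    """Every (host, port) in the candidate set that src may connect to."""
    return [(t, p) for t in targets for p in ports if permitted(src, t, p)]

def audit_isolation():
    """What a compromised ISA server could reach in the assumed internal range."""
    hosts = [str(h) for h in ZONES["Internal"].hosts()]
    # Constructed sample of commonly exposed service ports.
    return reachable_from("172.16.1.21", hosts, [80, 443, 445, 1433, 3389])

if __name__ == "__main__":
    # 198.51.100.7 is a constructed Internet source address.
    print("Internet -> 12.155.166.151:443:", permitted("198.51.100.7", "12.155.166.151", 443))
    print("Internet -> 10.10.10.20:443:   ", permitted("198.51.100.7", "10.10.10.20", 443))
    print("ISA server can reach:", audit_isolation())
```

Adding any further allow rule to ALLOW and re-running the audit shows immediately how much the reachable set from the DMZ grows.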