I am hoping there is some genius out there who can speak some geek with me.
I have a pair of MS NLB OWA front end servers in a PIX DMZ speaking to ADCs and the Exchange Cluster's Virtual Server (not the nodes directly) via IPSec.
OWA IPSec is set to Require Security and points only to those resources with which they should comm. Users are automagically redirected to HTTPS, so there's no "you have to type HTTPS:"; you know the drill.
BE Cluster Nodes and ADCs have IPSec set to Request Security and point only to those resources with which secured comm. should occur. This setting on the BE allows these servers to still comm. with other hosts in the domain without FIRST requesting security.
With this setup the only thing I have running into the DMZ from behind the firewall is IPSec, and likewise the only thing coming from the DMZ to behind the firewall (AH, ESP, 88, ISAKMP); no other ports need be open since all the typical OWA ports would be sent over IPSec.
Now my questions are these:
What do you think about this setup?
We used the GUI snap-in to configure it but "netsh ipsec" seems a little more granular - is this correct?
I ask the last one because the Require Security rule reads that ALL traffic is to be IPSec and NO traffic is to be sent to untrusted (non-configured) hosts requesting communication... now if that is so, how in the WORLD is OWA working over the Internet? I don't have, know or want to know all the IPs my team(s) may use, and they certainly are not configured, which by definition would make them untrusted hosts?
On another note... if I place an ACL ahead of the IPSec ACLs for specific IP/proto comm. to these hosts from behind the firewall, the damn things answer, and that just makes no sense when reading the GUI's description of Require Security. My guess is that netsh ipsec commands from the command line are going to be more definitive, but I just do not know for sure.
Another issue I am grappling with in my mind is this... in the IPSec GUI we used the ANY ANY option on the ports with mirroring on. My contention is this: if a DMZ system gets nailed with some trash, they could potentially trash the inside ADCs and Exchange Cluster, and do so over a secured communications link! Is it possible to tweak IPSec to behave much like a firewall by shying away from IP ANY to IP port 80, 443, etc.? What about ICMP? Is the whole ICMP proto needed for the initiation of IPSec communications? Why not lock that down as well?
I am thinking that if the firewall allows all IPSec traffic (to secure the FE/BE comm.) and IPSec only allows specific port traffic to specified hosts, then this is more in line with my two-pronged secured comm. approach (SSL encryption over IPSec tunnel). You may at first say this is overkill, but my needs are not yours and yours not mine.
I am just looking for someone to geek with :-D
Thanks to all who even popped in to look!
DigiMahn
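Added example (not part of the original post, and not the poster's configuration): a `netsh ipsec static` script, in Windows Server 2003 syntax, that does what the post asks about. It replaces the ANY/ANY mirrored filter on the OWA front-end servers with per-host, per-port filters to the Exchange virtual server and the ADCs, requires ESP on those (inpass=no soft=no is the command-line equivalent of the GUI's Require Security: no clear-text fallback, no unsecured inbound accepted), and blocks everything else to those hosts, ICMP included. Two points of behaviour this relies on: Windows IPsec policy only acts on traffic that matches a filter, so traffic that matches no filter (Internet clients reaching OWA over 443, for instance) is passed in the clear, which is why a "require" policy with host-specific filters does not break OWA; and IKE runs over UDP 500, which is always exempt, so ICMP is not needed to bring up an SA (the built-in policies permit ICMP for diagnostics only). The addresses, the root CA name and the port list (80, 443, 88 and LDAP 389) are placeholders and assumptions; the real set of ports a given FE/BE and FE/ADC pairing needs (RPC in particular) must be verified before the block rule goes live. IKE authentication is assumed to be certificate-based here, because Kerberos to the ADCs is itself inside the filters; if Kerberos IKE authentication is kept instead, Kerberos must remain reachable outside IPsec.

```batch
@echo off
REM Added example, not the poster's config. Windows Server 2003 "netsh ipsec static".
REM Run as an administrator on each OWA FE node; review with "netsh ipsec static show all".
REM Addresses, CA name and port list below are placeholders / assumptions.

set POLICY=OWA-FE-Require
set EXCHVS=192.0.2.10
set ADC1=192.0.2.21
set ADC2=192.0.2.22
set ROOTCA="C=XX, O=Example, CN=Example Root CA"

REM 1. Policy container; stays unassigned until the last step.
netsh ipsec static add policy name=%POLICY% description="OWA FE: IPsec required to Exchange VS and ADCs only" activatedefaultrule=no

REM 2. Filter list: FE -> Exchange virtual server. mirrored=yes also matches the replies.
netsh ipsec static add filterlist name=FE-to-ExchVS
netsh ipsec static add filter filterlist=FE-to-ExchVS srcaddr=me dstaddr=%EXCHVS% protocol=TCP srcport=0 dstport=80 mirrored=yes description="FE proxy to BE (assumed port)"
netsh ipsec static add filter filterlist=FE-to-ExchVS srcaddr=me dstaddr=%EXCHVS% protocol=TCP srcport=0 dstport=443 mirrored=yes

REM 3. Filter list: FE -> ADCs. Kerberos 88 TCP/UDP and LDAP 389 are the assumed set.
netsh ipsec static add filterlist name=FE-to-ADC
for %%A in (%ADC1% %ADC2%) do (
  netsh ipsec static add filter filterlist=FE-to-ADC srcaddr=me dstaddr=%%A protocol=TCP srcport=0 dstport=88 mirrored=yes
  netsh ipsec static add filter filterlist=FE-to-ADC srcaddr=me dstaddr=%%A protocol=UDP srcport=0 dstport=88 mirrored=yes
  netsh ipsec static add filter filterlist=FE-to-ADC srcaddr=me dstaddr=%%A protocol=TCP srcport=0 dstport=389 mirrored=yes
)

REM 4. Catch-all to the same hosts (any protocol, so ICMP too); this gets the block action.
netsh ipsec static add filterlist name=FE-to-Inside-Other
netsh ipsec static add filter filterlist=FE-to-Inside-Other srcaddr=me dstaddr=%EXCHVS% protocol=ANY mirrored=yes
for %%A in (%ADC1% %ADC2%) do netsh ipsec static add filter filterlist=FE-to-Inside-Other srcaddr=me dstaddr=%%A protocol=ANY mirrored=yes

REM 5. Filter actions. negotiate + inpass=no + soft=no = GUI "Require Security":
REM no fallback to clear text and no unsecured inbound accepted. block drops silently.
netsh ipsec static add filteraction name=Require-ESP action=negotiate inpass=no soft=no qmsecmethods="ESP[3DES,SHA1]"
netsh ipsec static add filteraction name=Drop action=block

REM 6. Rules bind filter lists to actions. Windows orders filters by specificity,
REM so the port-specific filters take precedence over the protocol=ANY block filter.
netsh ipsec static add rule name=ExchVS-Ports policy=%POLICY% filterlist=FE-to-ExchVS filteraction=Require-ESP rootca=%ROOTCA%
netsh ipsec static add rule name=ADC-Ports policy=%POLICY% filterlist=FE-to-ADC filteraction=Require-ESP rootca=%ROOTCA%
netsh ipsec static add rule name=Inside-Other-Drop policy=%POLICY% filterlist=FE-to-Inside-Other filteraction=Drop

REM 7. Assign (activate) the policy, then re-run "netsh ipsec static show all" to verify.
netsh ipsec static set policy name=%POLICY% assign=yes
```

Before assigning it, compare the filter lists against what the FE actually sends to the BE and the ADCs (the IPsec monitor snap-in or `netsh ipsec dynamic show all` shows the SAs that form), since anything the FE needs that is not in a permit/negotiate filter will fall into the block rule once the policy is active. The firewall rule set stays as the post describes it (AH, ESP, ISAKMP between DMZ and inside); this script only narrows what IPsec will carry.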