Using Watchguard with ISA Server 2006 Application Publishing

Status
Not open for further replies.

JVKAdmin

IS-IT--Management
Dec 28, 2001
155
CA
Hi,

I currently have a Watchguard Firebox X 1000 configured as our main firewall/gateway router.

We have one DMZ, Trusted and External network defined.

What we want to do is put in an ISA Server 2006 in order to do Outlook Web Access over HTTPS properly, but I've heard that you can't do application publishing when it's configured in a proxy type mode (1 NIC versus 2+).

Leaving the Watchguard networks the way they are, what is the best way to integrate these two firewalls in a configuration that will do what we want?

My one proposed solution would be to do a dual gateway firewall config.

What I mean is that we essentially have two gateway firewalls, one configured for one public (static) address and the other configured with another. The connection has a switch in front to split the incoming internet connection.

Configure the ISA Server to connect to the Watchguard's DMZ (on the inside) using a switch, which means effectively we bypass the Watchguard external portion of the firewall for any Outlook Web Access traffic sent from the ISA Server firewall. We then use RADIUS to authenticate through the Watchguard's DMZ (Optional) port to Trusted domain, allowing only DNS and RADIUS (and encrypted web traffic between the trusted Exchange server and the ISA Server).

Will this work or will there be routing / security issues with having essentially two gateway firewalls?
 
I would suggest simply forwarding the HTTPS directly to the ISA box. There is no reason to firewall the port twice, and you will run into routing problems that overcomplicate things as well. Since you are using ISA to handle the application-level firewalling, you should be fine from a security point of view. Typically a 2 firewall setup is used to wall off the LAN from the exposed server. It sounds like you are using the Firebox at the perimeter and then using the ISA just inside of that with no server truly exposed.

ISA is a full-blown firewall that has held up to many tests as being very tough. You have a lot of options as to the setup.

Most security professionals use this basic setup.
perimeter = firebox
DMZ = ISA with services exposed behind it
Trusted = LAN->firebox to handle outbound traffic security

Cheers


haunter@battlestrata.com
 