Configuring Existing Firewalls to Utilize ISA Server 2004 Reverse Proxy
For various reasons, it may not be feasible or desired to replace an existing firewall with an ISA Server firewall. In these circumstances, the ISA Server can still be utilized for reverse proxy capabilities, and it can be deployed in the DMZ of the existing firewall.What this effectively means is that ISA Server effectively can be treated as an isolated web server from the firewall's perspective. The configuration steps on the packet-filter firewall are therefore straightforward.
Understanding Packet-Filter Firewall Configuration for ISA Server Publishing
Simply opening the proper port (HTTP and/or SSL) to the ISA Server, and then from the ISA server to the Internal web server, is all that is necessary. For example, the following rule illustrates the firewall rules that would be set up on the packet-filter firewall shown in Figure 7.4NAT 18.104.22.168 to 172.16.1.10Allow 443 from External to 172.16.1.10Allow 443 from 172.16.1.10 to 10.10.10.20
Figure 7.4. Examining the Listener Networks tab.
Each firewall product will have a different way of configuring rules. Consult the product documentation for information on how to set these up.
Isolating and Securing an ISA Security Appliance
This concept drives home the real benefit of ISA in the DMZ, isolating and protecting the web services from direct physical access from the Internet. In this design, even if an attacker were able to compromise and overcome the ISA server, he or she would be isolated in the DMZ of the firewall, and able to communicate over only a single port to a single server in the internal network. This adds another security layer into an already secure environment, and enables ISA to scan the traffic at the Application layer, adding yet another layer of security.