Routed Networks in ISA 2004

I was having an argument with a friend from elsewhere in the Aussie support organization about ISA’s (new in 2004) network templates and their default routing layouts. I like arguments – I learn a good 57.3% of what I know from (friendly) arguments with people.

The short version is this: The Front Firewall template assumes you’re using routable IPs for the perimeter network (e.g., that ISA will be used essentially as a router to get to the actual Internet IPs of the servers in the perimeter network) – so it’s configured with a Route relationship by default. Generally, you pair this with the Back Firewall template to provide NAT for the actual internal network.

Likewise, the three-leg perimeter network is roughly analogous to ISA 2000’s three-network layout, in which the perimeter needed to be routable (with ISA 2000, you publish from the internal network, and packet filter the perimeter and local host).

You can always adjust the relationships later – and if your perimeter network (aka screened subnet or DMZ) uses private IPs and is connected to the Internet, you don’t have any real options other than switching to a NAT relationship for that network.

That leads to another discussion about Server Publishing vs Access Rules for routed networks that I’ll expand on another time – for now:

The technique I’m using at the moment (because I have no time to test the alternative) is to always assume you don’t use a Server Publishing rule on a Routed network, only an Access Rule. In a Route relationship, the clients don’t connect to a published port in the classical sense (e.g., no listener will necessarily be created); they connect directly to the IP of the target.

This doesn’t apply for Web Publishing rules because they’re special, but it applies to basically everything else. ISA 2004, unlike 2000, does its content inspection magic regardless (even with a Route relationship).

And if you’re NATting, you need to publish – the client can’t see the IPs behind the NAT relationship, so there’s no way it can connect directly.
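To make the Route-vs-NAT distinction above concrete, here is a small Python model written for this post. It is an added teaching example, not ISA’s own object model and not code from the original article: it sets up a constructed 3-Leg Perimeter layout (Route to the perimeter, NAT to the internal network), and a `connect()` check that only lets a client reach a routed network through an Access Rule and a NATted network through a Server Publishing listener on ISA’s external IP. All addresses (documentation ranges), rule tables and function names are assumptions made for the illustration; real ISA configuration goes through its MMC/COM interfaces, which this model does not touch.

```python
"""Teaching model of ISA 2004 Route vs NAT network relationships.

Constructed example: not ISA's own object model, just enough logic to show
why a routed network is reached through an Access Rule and a NATted one
through a Server Publishing rule.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Network:
    name: str
    cidr: str

    def contains(self, ip: str) -> bool:
        return ip_address(ip) in ip_network(self.cidr)


@dataclass
class Firewall:
    networks: list          # Network objects known to ISA
    relationships: dict     # (from_net, to_net) -> "route" | "nat"
    external_ip: str        # ISA's own address on the External network
    access_rules: list      # (from_net, to_net, dst_port) allowed as-is
    publishing_rules: dict  # listener port on external_ip -> (real ip, port)

    def network_of(self, ip: str):
        for net in self.networks:
            if net.contains(ip):
                return net.name
        return None

    def connect(self, src_ip: str, dst_ip: str, dst_port: int):
        """Return ("allow", ip_the_connection_really_goes_to) or ("deny", why)."""
        # A Server Publishing rule puts a listener on ISA's own external IP;
        # the client talks to ISA, and ISA forwards to the hidden server.
        if dst_ip == self.external_ip:
            target = self.publishing_rules.get(dst_port)
            if target is None:
                return ("deny", f"no listener on {dst_ip}:{dst_port}")
            return ("allow", target[0])

        src_net, dst_net = self.network_of(src_ip), self.network_of(dst_ip)
        if src_net is None or dst_net is None:
            return ("deny", "address is not in any defined network")
        rel = self.relationships.get((src_net, dst_net))
        if rel == "nat":
            # Behind a NAT relationship the real address is invisible to the
            # client, so an Access Rule to it can never be matched from outside.
            return ("deny", f"{dst_ip} is hidden behind NAT; publish it instead")
        if rel == "route":
            # With a Route relationship the client addresses the server directly
            # and an Access Rule is what permits (and inspects) the traffic.
            if (src_net, dst_net, dst_port) in self.access_rules:
                return ("allow", dst_ip)
            return ("deny", f"no Access Rule {src_net}->{dst_net}:{dst_port}")
        return ("deny", f"no relationship defined {src_net}->{dst_net}")


def three_leg(perimeter_is_private: bool) -> Firewall:
    """Constructed 3-Leg Perimeter layout; addresses are documentation ranges."""
    perimeter_cidr = "10.1.1.0/24" if perimeter_is_private else "198.51.100.0/24"
    perimeter_host = "10.1.1.10" if perimeter_is_private else "198.51.100.10"
    return Firewall(
        networks=[Network("External", "203.0.113.0/24"),
                  Network("Perimeter", perimeter_cidr),
                  Network("Internal", "192.168.1.0/24")],
        # Template default is Route to the perimeter; a private perimeter
        # leaves no real option but NAT, so the relationship is switched.
        relationships={("External", "Perimeter"):
                       "nat" if perimeter_is_private else "route",
                       ("External", "Internal"): "nat"},
        external_ip="203.0.113.1",
        access_rules=[("External", "Perimeter", 25)],
        publishing_rules={25: ("192.168.1.10", 25),      # internal mail server
                          2525: (perimeter_host, 25)},   # perimeter relay
    )


if __name__ == "__main__":
    client = "203.0.113.50"  # constructed Internet client
    routable, private = three_leg(False), three_leg(True)
    print(routable.connect(client, "198.51.100.10", 25))  # Access Rule, routed
    print(routable.connect(client, "192.168.1.10", 25))   # hidden behind NAT
    print(routable.connect(client, "203.0.113.1", 25))    # reached via publishing
    print(private.connect(client, "10.1.1.10", 25))       # now NAT: must publish
    print(private.connect(client, "203.0.113.1", 2525))   # the published path
```

The model deliberately checks the publishing listener before looking up network relationships: that mirrors the point that a published server is reached by talking to ISA’s own address, whereas a routed server is reached by talking to its real address and letting the Access Rule decide.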

Mental notes: cover NAT (or link to a good quick overview), more on Server Publishing on a routed network.