ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller
Cats sleeping with dogs? Fish riding bicycles? Cows with wings? ISA firewall on a DC? Tell me it’s not true! For years we’ve been waving the flag that the ISA firewall should never, ever, never ever, never ever never never ever be installed on a domain controller. This is a key reason why the SBS 2003 platform could never be considered secure: the DC was an Internet-facing device, and it carried a horked ISA firewall configuration that was required to support domain traffic to the firewall.
So, what’s up with this new article on the ISA firewall community site? What article? ISA Server Branch Office Policies Best Practices: ISA Server co-location with a domain controller at http://technet.microsoft.com/en-us/library/cc891503.aspx
Why would Microsoft write such an article? Because the fact is that people have been installing the ISA firewall on branch office domain controllers. While Microsoft can’t come out and say “hey, this is a great idea” any more than parents and teachers can say to kids “hey kids, it’s a great thing that you run with scissors in your hands”, the fact is that kids will run with scissors in their hands, and admins will install the ISA firewall on a branch office domain controller. So, as responsible adults, we need to round the ends of the kids’ scissors and “round the edges” of the firewall policies on the branch office domain controller that also hosts an ISA firewall.
Let me know what you think of this development. Do you think this guidance gives hapless admins the imprimatur to install ISA firewalls on DCs? Will this hurt the overall reputation of the ISA firewall as an enterprise-grade network firewall? Or does it matter, since the ISA brand is soon to go on life support as the TMG firewall bellies up to the bar to take the torch from the ISA firewall?
Thanks!
Tom
Thomas W Shinder, M.D., MCSE
Sr. Consultant / Technical Writer
Prowess Consulting www.prowessconsulting.com
PROWESS CONSULTING documentation | integration | virtualization
Email: tshinder@isaserver.org
MVP — Forefront Edge Security (ISA/TMG/IAG)
Ian Banyard Says:
September 2nd, 2008 at 9:57 am
I’d prefer to see a W2008 based installation with necessary network interfaces to support an instance of ISA, and an instance of the DC role, just can’t get my head around the co-location of the 2 roles - I can understand the intention, to make life easy for small or remote deployed infrastructure, and if people are doing this then at least there’s something of a best (er maybe Better?!) practice to follow.
(Quick issue with the Captcha not displaying, when you refresh you lose the text in the form, how about positioning the captcha above the form so that you’re aware of a problem before typing an essay!!!)
Don Adams Says:
September 2nd, 2008 at 5:01 pm
Hi Tom;
EBS could be a good solution to build into a hardware appliance based on Windows 2008 Server Core running Hyper-V. The EBS servers would run as two or three separate virtual machines (TMG by itself) on top of Hyper-V.
This would violate your “don’t mix zones” philosophy but plays into an “ISA/TMG on every Virtual Host” philosophy.
What do you think?
Don Adams
USEast Technologies
Don Adams Says:
September 2nd, 2008 at 5:14 pm
Whoops … pasted my comment above into the wrong blog…. It was meant for your EBS post.
In a branch environment (focus of the MS article) it seems to me that virtualizing all the roles is where everything is heading. I see one big-ass physical machine running a hypervisor with ISA/TMG as the gatekeeper virtual appliance and all the other roles running behind it. I can even see the desktops running on the same physical device. Add a small SAN device capable of replicating with home base and backing up the virtual machines and I think we’re done!
Don Adams
USEast Technologies
Ian Banyard Says:
September 3rd, 2008 at 3:06 am
Absolutely agree with Don - while I didn’t specifically mention Hyper-V that was the intention - perhaps the new licensing for EBS already caters for this? One to look up later!
Jim Harrison Says:
September 3rd, 2008 at 11:37 pm
I’m actually quite surprised at your response to this article, Tom.
You know exactly why we wrote it - to provide the groundwork for a “don’t be stupid” support policy. Although you can’t tell from the publishing dates, this article predates the Hyper-V article by some months. Now that there is prescriptive guidance on how to virtualize your edge deployments (another subject where Tom feels very strongly), this one should get short notice.
If not, then this one is the article that CSS engineers can point to when customer X asks “show me how to do this without an ‘allow all’ policy.”
Jim
Thomas Shinder Says:
September 4th, 2008 at 5:43 am
Hey Jim,
I think we agree — you said that the article provides the groundwork for “don’t be stupid” - I essentially say the same thing in a more long-winded way:
“Why would Microsoft write such an article? Because the fact is that people have been installing the ISA firewall on branch office domain controllers. While Microsoft can’t come out and say “hey, this is a great idea” any more than parents and teachers can say to kids “hey kids, it’s a great thing that you run with scissors in your hands”, the fact is that kids will run with scissors in their hands, and admins will install the ISA firewall on a branch office domain controller. So, as responsible adults, we need to round the ends of the kids’ scissors and “round the edges” of the firewall policies on the branch office domain controller that also hosts an ISA firewall.”
Agreed?
Thanks!
Tom
Jim Harrison Says:
September 4th, 2008 at 9:01 am
You’re right; I suspect the Percocet is making things a bit fuzzy.
Thomas Shinder Says:
September 4th, 2008 at 9:04 am
It does that to me too
Thanks!
Tom
Jim Harrison Says:
September 4th, 2008 at 9:21 am
for Ian -
- the bad news is that ISA doesn’t install, much less run, on WS08.
- the good news is that the traffic profiles defined in that article can be used regardless of whether ISA or TMG are co-located with the DC or merely another guest in that deployment.
Given the licensing freedom offered for Hyper-V deployments, I really don’t see the value in a co-located deployment.
Office Rental Space Says:
October 13th, 2008 at 11:01 am
I’m not a big fan of the concept of dual deployment since I deem it necessary for each DC to have its own firewall ingeniousness to the others in an enterprise unless top-level execs and/or senior techs need another way into systems that have been compromised. I’m not saying that ISA itself is garbage because it really isn’t. It’s just that there’s little or no room for error when deploying it. Until they work out all the kinks, I don’t see a problem with setting up the firewall separate from DC configurations.