DMZ – SBS special considerations

So you’d like to create a DMZ? It’s easy to do with ISA 2004, but don’t forget that SBS ships with pre-defined rules that are going to open up your DMZ to more than you might want.

Step 1: Create the DMZ. To do this use this article but start at the section titled Create The Anonymous DMZ and continue through the section titled Create the Network (routing) Rule between the Anonymous Access DMZ and the External Network, then stop.

If this were a non-SBS implementation of ISA you’d have a DMZ with no rules defining access to it. But we live in a pre-configured world, so the next step is to change the ISA 2004 Firewall Policy so that the DMZ network is excluded from the pre-existing rule set.

Step 2: Open up the ISA 2004 management console and expand Configuration. Click on Networks. Move to the Network Sets tab. Click on Create new Network Set. Call it something like All Protected, Except DMZ. Make this network set look just like All Protected Networks except add your DMZ network to the exclusions list.

Step 3: Move to the Firewall Policy and edit the SBS Protected Networks Access Rule. Move to the From tab and replace All Protected Networks with the network set that you just created. This will prevent all traffic from the DMZ reaching your internal network. Now you’ve isolated the DMZ from your Internal network.

Step 4: Create a rule so that the server in the DMZ can communicate with the other servers in your network (this assumes that the server in the DMZ is a member server). Open up the ISA 2004 management console and click on Firewall Policy. Scroll down to the bottom. Highlight the SBS Protected Networks Access Rule. In the taskpad click New Access Rule. Call it something like DMZ Server Communications. Allow traffic from the DMZ to the Internal network with the following protocols: DNS, Kerberos-Sec (UDP), Kerberos-Sec (TCP), LDAP, LDAP (UDP), Kerberos-ADM, Microsoft CIFS (TCP), NetBIOS Datagram, NetBIOS Name Service, NetBIOS Session, RPC (all interfaces), Ping and NTP. Make sure that this rule is placed just ahead of the SBS Protected Networks Access Rule, because rules are evaluated top-down and the SBS rule would otherwise match first.

Step 5: Create a rule for any additional ports that the application running on the server in the DMZ requires, limited to those ports only. Place this rule above the SBS Protected Networks Access Rule as well.
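The same steps driven through the ISA 2004 administration COM model (FPC.Root) instead of the console, as an added example that is not from the original post. Assumed names: the DMZ network is called Anonymous DMZ and the internal network Internal; the object-model members and enum values are written from memory of the ISA 2004 SDK and should be checked against it before use.

```vbscript
' Added example (not from the post): script Steps 2-4 against FPC.Root.
' Enum values below follow the ISA 2004 SDK as remembered; verify before use.
Const fpcInclude = 0                 ' FpcInclusionTypes
Const fpcExclude = 1
Const fpcPolicyRuleActionAllow = 0   ' FpcPolicyRuleActions
Const fpcSpecifiedProtocols = 1      ' FpcProtocolSelectionType

Dim root, isaArray, rules, netSet, sbsRule, dmzRule, proto
Set root = CreateObject("FPC.Root")
Set isaArray = root.GetContainingArray
Set rules = isaArray.ArrayPolicy.PolicyRules

' Step 2: All Protected Networks is "all networks except External";
' the new set is the same, with the DMZ excluded as well (assumed semantics).
Set netSet = isaArray.NetworkConfiguration.NetworkSets.Add("All Protected, Except DMZ")
netSet.Networks.Add "External", fpcExclude
netSet.Networks.Add "Anonymous DMZ", fpcExclude

' Step 3: the SBS rule's From tab now uses the new set, so DMZ traffic no
' longer matches the broad SBS allow rule.
Set sbsRule = rules.Item("SBS Protected Networks Access Rule")
sbsRule.SourceSelectionIPs.NetworkSets.Remove "All Protected Networks"
sbsRule.SourceSelectionIPs.NetworkSets.Add "All Protected, Except DMZ", fpcInclude

' Step 4: allow only the domain-membership protocols from the DMZ to Internal.
Set dmzRule = rules.AddAccessRule("DMZ Server Communications")
dmzRule.Action = fpcPolicyRuleActionAllow
dmzRule.SourceSelectionIPs.Networks.Add "Anonymous DMZ", fpcInclude
dmzRule.DestinationSelectionIPs.Networks.Add "Internal", fpcInclude
dmzRule.AccessProperties.ProtocolSelectionMethod = fpcSpecifiedProtocols
For Each proto In Array("DNS", "Kerberos-Sec (UDP)", "Kerberos-Sec (TCP)", "LDAP", _
        "LDAP (UDP)", "Kerberos-ADM", "Microsoft CIFS (TCP)", "NetBios Datagram", _
        "NetBios Name Service", "NetBios Session", "RPC (all interfaces)", "Ping", "NTP")
    dmzRule.AccessProperties.SpecifiedProtocols.Add proto, fpcInclude
Next

' A new rule lands at the bottom of the list; move it up until it sits
' directly above the SBS rule so it is matched first (MoveUp/Order assumed).
Do While dmzRule.Order > sbsRule.Order
    rules.MoveUp dmzRule.Order
Loop

isaArray.Save
```

Run it with cscript on the SBS box as an ISA administrator, then confirm in the console that DMZ Server Communications appears immediately above SBS Protected Networks Access Rule.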
