Tuesday, 10 June 2008

Recommended Network Card Configuration for ISA Firewall Servers (Updated)

A common question about ISA Server configuration by people on the forums is:

How should I configure the network interfaces on my ISA Server?

A high-level overview of NIC configuration best practice is provided below:

  • The network card name used within the operating system should be changed to match the associated ISA Server network name as closely as possible. This makes the mapping obvious and improves supportability.
  • Only one network interface should be configured with a default gateway (the external one).
  • Only one network interface should have DNS servers defined (the internal one).
  • Unused or unnecessary bindings should be removed from all interfaces, where possible, to reduce the attack surface. This is often termed ‘interface hardening’.
  • The default bind order should be changed to an explicit, customised order (internal network first, external network last).

Based upon these best practices, the configuration shown below is the standard approach that I normally use as part of my usual ISA Server build process.

Multiple NIC Deployment - ISA Server Standard Edition

Rename NICs:

Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network
Anonymous Access Perimeter Network
Authenticated Access Perimeter Network

External Network
Etc.

By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…

Configure NICs:

Internal Network

Default Gateway should not be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Perimeter Network(s)

Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled

External Network

Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled

Please Note: Disabling the 'File and Printer Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of any ISA Server system policy or custom rules that would otherwise allow it. This is the recommended approach, as a firewall should not be reachable as a file server.

Amend Bind Order:

Edit the bind order as follows:

Internal Network (Highest)
Perimeter Network(s)
…Others…
External Network (Lowest)
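The three steps above (rename, configure, bind order) carried out as one script. This is an added example, not code from the original post or from ISA Server itself; it uses netsh and WMI as found on Windows Server 2003/2008 and must be run from an elevated PowerShell prompt on the ISA host. The connection names, addresses and DNS servers are assumed placeholders, and the order of entries in $nics doubles as the bind order (first entry highest).

```powershell
# Added example, not from the original post. Applies the multi-NIC Standard
# Edition layout above on Windows Server 2003/2008 using netsh and WMI.
# Run from an elevated PowerShell prompt on the ISA Server host.
# All connection names, addresses and DNS servers here are ASSUMED placeholders.
# Entry order = bind order (Internal highest, External lowest).

$nics = @(
    @{ Old = 'Local Area Connection';   New = 'Internal Network';
       Ip = '10.0.0.1';    Mask = '255.255.255.0'; Gateway = $null;
       Dns = @('10.0.0.10', '10.0.0.11'); Register = $true;  NetBios = 1 },
    @{ Old = 'Local Area Connection 2'; New = 'Anonymous Access Perimeter Network';
       Ip = '172.16.1.1';  Mask = '255.255.255.0'; Gateway = $null;
       Dns = @();                         Register = $false; NetBios = 2 },
    @{ Old = 'Local Area Connection 3'; New = 'External Network';
       Ip = '203.0.113.2'; Mask = '255.255.255.0'; Gateway = '203.0.113.1';
       Dns = @();                         Register = $false; NetBios = 2 }
)

foreach ($n in $nics) {
    # 1. Rename so the Windows connection name matches the ISA network name.
    netsh interface set interface name="$($n.Old)" newname="$($n.New)" | Out-Null

    # 2. Static addressing. gateway=none clears any existing default gateway,
    #    so only the External Network ends up with one.
    if ($n.Gateway) {
        netsh interface ip set address name="$($n.New)" source=static addr=$($n.Ip) mask=$($n.Mask) gateway=$($n.Gateway) gwmetric=1 | Out-Null
    } else {
        netsh interface ip set address name="$($n.New)" source=static addr=$($n.Ip) mask=$($n.Mask) gateway=none | Out-Null
    }

    # 3. DNS servers only on the Internal Network; addr=none clears them elsewhere.
    if ($n.Dns.Count -gt 0) {
        netsh interface ip set dns name="$($n.New)" source=static addr=$($n.Dns[0]) | Out-Null
        for ($i = 1; $i -lt $n.Dns.Count; $i++) {
            $idx = $i + 1
            netsh interface ip add dns name="$($n.New)" addr=$($n.Dns[$i]) index=$idx | Out-Null
        }
    } else {
        netsh interface ip set dns name="$($n.New)" source=static addr=none | Out-Null
    }

    # 4. NetBIOS over TCP/IP (1 = enabled, 2 = disabled) and "Register this
    #    connection's address in DNS", both set through WMI on the matching adapter.
    $adapter = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$($n.New)'"
    $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($adapter.Index)"
    $cfg.SetTcpipNetbios($n.NetBios) | Out-Null
    $cfg.SetDynamicDNSRegistration($n.Register, $false) | Out-Null
}

# 5. Bind order. Tcpip\Linkage\Bind is a REG_MULTI_SZ of "\Device\{GUID}" entries,
#    highest priority first. Resolve each connection name to its GUID, put those at
#    the top in $nics order and keep everything else (e.g. \Device\NdisWanIp) below
#    in its existing order. Restart afterwards to be sure the new order is in effect.
$netKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}'
$linkage = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'
$byName = @{}
foreach ($key in Get-ChildItem $netKey) {
    $conn = Get-ItemProperty -Path "$($key.PSPath)\Connection" -ErrorAction SilentlyContinue
    if ($conn -and $conn.Name) { $byName[$conn.Name] = "\Device\$($key.PSChildName)" }
}
$wanted  = foreach ($n in $nics) { if ($byName[$n.New]) { $byName[$n.New] } }
$current = (Get-ItemProperty $linkage).Bind
$newBind = @($wanted) + @($current | Where-Object { $wanted -notcontains $_ })
Set-ItemProperty -Path $linkage -Name Bind -Value $newBind -Type MultiString
```

The two LAN-service bindings ('Client for Microsoft Networks' and 'File and Printer Sharing for Microsoft Networks') have no netsh equivalent on Windows Server 2003 and are still unticked by hand in the connection's properties; on Windows Server 2012 and later, Disable-NetAdapterBinding -Name 'External Network' -ComponentID ms_msclient, ms_server does the same from the shell. Check the result with ipconfig /all: only External Network should show a default gateway, and only Internal Network should list DNS servers.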



Multiple NIC Deployment - ISA Server Enterprise Edition

With ISA Server Enterprise Edition, it is recommended to add a dedicated Intra-Array NIC. Therefore, we need to consider this additional interface in our configuration.

Rename NICs:

Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network
Intra-Array Network

Anonymous Access Perimeter Network 
Authenticated Access Perimeter Network
External Network

Etc.

Configure NICs:

Internal Network

Default Gateway should not be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Intra-Array Network

Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Printer Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Perimeter Network(s)

Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled

External Network

Default Gateway should be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Disabled
NetBIOS over TCP/IP – Disabled
Show icon in notification area when connected – Enabled

Amend Bind Order:

Edit the network bind order as follows:

Internal Network (Highest)
Intra-Array Network
Perimeter Network(s)
…Others…
External Network (Lowest)
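A read-only check for the Enterprise Edition layout above (intra-array NIC included), as an added example that is not part of the original post: it walks every IP-enabled connection through WMI, compares it with the per-role expectations listed above, and also enforces the two host-wide rules from the summary (exactly one default gateway, exactly one interface with DNS servers). The role names are assumed to match the names used in this post; any other IP-enabled connection is treated as a perimeter network.

```powershell
# Added example, not from the original post. Audits an ISA Server Enterprise
# Edition host against the multi-NIC rules above and prints one warning per
# deviation. Read-only: it changes nothing. The role names are ASSUMED to be
# the ones used in the post; edit them to match your ISA network names.

# Per-role expectations. NetBios: 1 = enabled, 2 = disabled, 0 = "default";
# 0 behaves as enabled on a static address but is still reported, because the
# setting should be explicit on a firewall.
$roles = @{
    'Internal Network'    = @{ Gateway = $false; Dns = $true;  NetBios = 1; Register = $true  }
    'Intra-Array Network' = @{ Gateway = $false; Dns = $false; NetBios = 1; Register = $false }
    'External Network'    = @{ Gateway = $true;  Dns = $false; NetBios = 2; Register = $false }
}
# Any other IP-enabled connection is treated as a perimeter network.
$perimeter = @{ Gateway = $false; Dns = $false; NetBios = 2; Register = $false }

function Test-IsaNicLayout {
    $problems    = @()
    $gatewayNics = @()
    $dnsNics     = @()

    foreach ($a in Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID IS NOT NULL") {
        $cfg = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "Index=$($a.Index)"
        if (-not $cfg.IPEnabled) { continue }
        $name = $a.NetConnectionID
        $rule = $roles[$name]
        if (-not $rule) { $rule = $perimeter }

        $hasGw  = [bool]$cfg.DefaultIPGateway
        $hasDns = [bool]$cfg.DNSServerSearchOrder
        if ($hasGw)  { $gatewayNics += $name }
        if ($hasDns) { $dnsNics += $name }

        if ($hasGw -ne $rule.Gateway) { $problems += "${name}: default gateway defined=$hasGw, expected $($rule.Gateway)" }
        if ($hasDns -ne $rule.Dns)    { $problems += "${name}: DNS servers defined=$hasDns, expected $($rule.Dns)" }
        if ($cfg.TcpipNetbiosOptions -ne $rule.NetBios) {
            $problems += "${name}: NetBIOS over TCP/IP option is $($cfg.TcpipNetbiosOptions), expected $($rule.NetBios)"
        }
        if ([bool]$cfg.FullDNSRegistrationEnabled -ne $rule.Register) {
            $problems += "${name}: register this connection in DNS is $($cfg.FullDNSRegistrationEnabled), expected $($rule.Register)"
        }
    }

    # Host-wide rules from the summary: one default gateway, one DNS-bearing interface.
    if ($gatewayNics.Count -ne 1) { $problems += "Expected exactly one interface with a default gateway, found: $($gatewayNics -join ', ')" }
    if ($dnsNics.Count -ne 1)     { $problems += "Expected exactly one interface with DNS servers, found: $($dnsNics -join ', ')" }

    # A missing role name is a finding too: the audit can only check what it can identify.
    foreach ($r in $roles.Keys) {
        if (-not (Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$r'")) {
            $problems += "No connection named '$r' found; rename the NIC to match the ISA network name"
        }
    }
    return ,$problems
}

$findings = Test-IsaNicLayout
if ($findings.Count -eq 0) { 'NIC configuration matches the recommended layout.' }
else { $findings | ForEach-Object { Write-Warning $_ } }
```

Run it after the build and again after any NIC or driver change; a clean run is the expected result, and every warning names the connection and the setting to fix.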


Single NIC Deployment – ISA Server Standard Edition

For a single NIC deployment, the following actions are recommended.

Rename NICs:

Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network

By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…

Configure NICs:

Internal Network

Default Gateway should be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Please Note: Disabling the 'File and Printer Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of any ISA Server system policy or custom rules that would otherwise allow it. This is the recommended approach, as a firewall should not be reachable as a file server.

Single NIC Deployment – ISA Server Enterprise Edition

For a single NIC deployment, the following actions are recommended.

Rename NICs:

Rename all NICs to descriptive names that ideally match the ISA Server network names.

Internal Network
Intra-Array Network

By matching the names, this makes mapping networks between ISA Server and Windows much easier when troubleshooting…

Configure NICs:

Internal Network

Default Gateway should be defined
DNS Servers should be defined
Register this connection’s address in DNS – Enabled
File and Printer Sharing for Microsoft Networks – Disabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Intra-Array Network

Default Gateway should not be defined
DNS Servers should not be defined
Register this connection’s address in DNS – Disabled
File and Printer Sharing for Microsoft Networks – Enabled
Client for Microsoft Networks – Enabled
NetBIOS over TCP/IP – Enabled
Show icon in notification area when connected – Enabled

Please Note: Disabling the 'File and Printer Sharing for Microsoft Networks' binding on the ISA Server internal interface will prevent you from connecting to shares on the ISA Server computer, irrespective of any ISA Server system policy or custom rules that would otherwise allow it. This is the recommended approach, as a firewall should not be reachable as a file server.

Amend Bind Order:

Edit the network bind order as follows:

Internal Network (Highest)
Intra-Array Network


I hope this helps!

27 comments:

  1. Thanks.
    Short and precise, and it works :)

    ReplyDelete
  2. Excellent guide, de-mystifies the whole subject. Thanks!

    ReplyDelete
  3. What if you are using a single NIC card. You have an ideal configuration for that?

    Thanks!

    ReplyDelete
  4. >> Evan

    For single NIC:

    Internal Network

    * Default Gateway should be defined.
    * DNS Servers should be defined.
    * Register this connection’s address in DNS – Enabled
    * File and Print Sharing for Microsoft Networks – Disabled
    * Client for Microsoft Networks – Enabled
    * NetBIOS over TCP/IP – Enabled
    * Show icon in notification area when connected - Enabled

    ReplyDelete
  5. Article updated for both single and multi NIC deployments and some pretty pictures too ;)

    ReplyDelete
  6. I have a question about DNS on the internal NIC. Should it be the internal DNS or the external DNS server address (ISP provided)?

    ReplyDelete
  7. They should normally be internal DNS servers which are then configured to forward Internet requests to your ISP DNS servers. If ISA is domain joined using internal DNS is mandatory anyhow...

    ReplyDelete
  8. Thanks.

    Very straightforward. It works the first time!!

    ReplyDelete
  9. Do you have same recommendations for TMG on WinSrvr2008R2?

    ReplyDelete
  10. Give me chance! :)

    Ok, will try and update soon but concept will remain even for TMG...

    ReplyDelete
  11. what is the best practice for interarray communication if i have only external and internal NIC.
    shall it communicate via internal or external one

    ReplyDelete
  12. ^^^ I would say intra-array should be on the internal NIC

    ReplyDelete
  13. Nope, dedicated NIC is recommended; always has been:

    http://technet.microsoft.com/en-us/library/dd441004.aspx

    ReplyDelete
  14. It is configured for internal NIC by default

    ReplyDelete
  15. Thank you.

    I'm looking for help on 3 NIC Scenario, where I'm using the ISA server as Web Proxy Server. I want to use 2 NIC cards to link to ISPs and one NIC to link to Clients in my network.
    So, I want to implement Load Balancing for the two NICs so that the clients on the 3rd NIC can avail services from both ISPs and can also benefit from web proxy server.

    ReplyDelete
  16. Hi Zohaib,

    You can use this guide or my newer version which covers TMG/UAG with Windows Server 2008:

    http://blog.msedge.org.uk/2010/04/recommended-network-card-configuration_14.html

    The two ISP NICs will be configured the same using the settings described for the "External Interface" in my guides.

    It might also be worth looking here for other NIC recommendations:

    http://www.isaserver.org/tutorials/Exploring-ISP-Redundancy-Forefront-Threat-Management-Gateway-TMG-2010.html

    Cheers

    JJ

    ReplyDelete
  17. Thanks for the article. One issue I have is my internal DNS forwards to another network's DNS (we are internally connected but no trust exists). For this reason if I leave my external DNS blank it will never work correctly so in ISA 2004 I have internal DNS on the internal card and my ISP's DNS on the external card. It works fine with ISA 2004 but I'm having issues with TMG 2010. Any ideas?

    ReplyDelete
  18. Hi Allan,

    Configure TMG with a single DNS server pointing at your internal DNS server.

    If you need to, you should then be able to configure this DNS server to do conditional forwarding to internal or external DNS servers as required.

    Only ever define DNS on the ISA/TMG internal interface; doing otherwise will cause problems...period!

    Cheers

    JJ

    ReplyDelete
  19. Hello,
    Thank for information.

    I have questions:
    Suppose that you have ISA with 2 NIC, and one ADSL modem as following:

    ISA Network Configuration
    -Internal Network:
    IP: 10.0.0.1
    DNS: 192.168.1.1 (of local)

    -External Network:
    IP: 192.168.1.2
    GW: 172.16.2.3

    -ADSL Modem for browsing Internet:
    IP: 192.168.1.3
    DNS (ISP): 212.121.12.1, 212.121.12.1

    1. What is wrong with my configuration?
    2. How I configure the client to use Web proxy (isaserver)? with default gateway on client.
    3. How I can use ISA to let users access internet by using User Name & Password?

    Thank you in advance!

    ReplyDelete
  20. Hi Yaseen,

    ISA only supports a single external interface so you need to either use the ethernet NIC or the ADSL modem, but not both.

    For your other questions, post a question on forums.isaserver.org and I can answer better there...

    Cheers

    JJ

    ReplyDelete
  21. Hi Jason,

    Thank you for the quick response.

    here is my post: http://forums.isaserver.org/m_2002102157/mpage_1/key_/tm.htm#2002102157

    ReplyDelete
  22. Hi Jason,

    I have a 2 remote offices. What is the proper NIC deployment in order for me to provide them an internet access? Should I add a 3rd NIC for remote user? Please advise.

    Kurt

    ReplyDelete
  23. Hi!

    Excellent guide! Thx a lot.
    But one question:

    I know ISA/TMG was not meant to be used with DHCP enabled on either NIC. However I think many people like me still use DHCP on the External NIC.
    How should I configure DNS in such a case?
    I use Internal DNS on both External NIC and Internal NIC. Otherwise I get a DNS from my ISP...

    Is that the correct way of doing it when using DHCP?

    Regards,

    Kjell, Sweden

    ReplyDelete
  24. Internal
    Ip=172.16.1.2
    mask=255.255.255.0
    DNS=4.2.2.2

    ======
    External
    IP=192.168.1.2
    mask=255.255.255.0
    GW=192.168.1.1
    ==============

    Now what IP, GW, DNS do I give to my XP client? I don't have a domain environment.

    ReplyDelete
  25. For web access, the XP clients will not need DNS or DG settings as you will define a proxy server setting in the web browsers. They will therefore just need an IP address from the 172.16.1.x range.

    If you want to access non-web services, you will need to configure the clients with DNS:4.2.2.2 and DG:172.16.1.2.

    ReplyDelete
  26. When I configure DNS in the internal NIC on ISA 2006 the clients work fine for a few hours and then they don't get any access to the server; they won't even be able to ping the gateway unless I remove the DNS. Please advise.

    ReplyDelete
  27. Sounds like another problem, not NIC DNS settings...

    ReplyDelete