So, what does this have to do with ISA then? Well, in addition to creating logical separation with forest boundaries, the model also normally includes some form of physical segmentation. This often results in the Extranet forest being placed into a perimeter network away from the internal network. In order to create this boundary and define the perimeter network, ISA Server is an ideal choice as the border firewall between these two security zones.
So, based upon the above, we can summarise the necessary firewall policies as follows:
AD Forest Trust: Allow Access for Forest Trust Creation/Validation
AD Forest Trust: Allow Access for Conditional DNS Forwarding
AD Forest Trust: Allow Access for Kerberos Client Authentication
AD Forest Trust: Allow Access for NTLM Client Authentication
AD Forest Trust: Allow Access for Object Picker (Extranet Web Servers)
AD Forest Trust: Allow Access for Object Picker (Extranet Domain Controllers)
AD Forest Trust: Allow Access for Object Picker (Extranet ISA Servers)
An overview of each rule is provided below:
AD Forest Trust: Allow Access for Forest Trust Creation/Validation
This rule allows the communication required to initially set up and validate the trust relationship. Once the trust has been established, this rule can be disabled unless it becomes necessary to recreate or revalidate the trust for troubleshooting purposes. Following a least privilege approach, disabling it for day-to-day operations is strongly recommended.
AD Forest Trust: Allow Access for Conditional DNS Forwarding
This rule allows DNS servers in the Extranet forest to communicate with DNS servers in the Intranet forest (and vice versa). It is based upon the use of conditional DNS forwarding, which is needed to provide the underlying name resolution between the two AD environments.
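As an added example (not from the original article), the conditional forwarders on each side of the trust can be created and then checked with PowerShell; the forest names, DNS server addresses and the use of the DnsServer module are assumptions for illustration only:

```powershell
# Added example, not part of the original article. Assumed environment:
#   Intranet forest DNS name: corp.example.internal, DNS servers 10.0.0.10 / 10.0.0.11
#   Extranet forest DNS name: extranet.example.com, DNS servers 192.168.100.10 / 192.168.100.11
# Requires the DnsServer PowerShell module (Windows Server 2012 or later).
# Run the first block on an Intranet DNS server and the second on an Extranet DNS server.

# --- On an Intranet forest DNS server: forward only the Extranet zone ---
# Only the partner forest's namespace crosses the ISA boundary; all other queries
# keep using the normal Intranet resolvers.
Add-DnsServerConditionalForwarderZone -Name 'extranet.example.com' `
    -MasterServers 192.168.100.10, 192.168.100.11 `
    -ReplicationScope 'Forest'   # stored in AD so every Intranet DNS server gets the forwarder

# --- On an Extranet forest DNS server: forward only the Intranet zone ---
Add-DnsServerConditionalForwarderZone -Name 'corp.example.internal' `
    -MasterServers 10.0.0.10, 10.0.0.11 `
    -ReplicationScope 'Forest'

# --- Verification from either side ---
# The trust relies on the remote forest's Kerberos KDC and domain controller locator
# records resolving through the forwarder. If these fail after the forwarder is in
# place, the 'Conditional DNS Forwarding' firewall rule is the first thing to check.
$remote = 'extranet.example.com'   # swap for 'corp.example.internal' when run from the Extranet side
foreach ($rr in "_kerberos._tcp.$remote", "_ldap._tcp.dc._msdcs.$remote") {
    try {
        $answers = Resolve-DnsName -Name $rr -Type SRV -ErrorAction Stop
        foreach ($a in $answers | Where-Object { $_.Type -eq 'SRV' }) {
            '{0} -> {1}:{2}' -f $rr, $a.NameTarget, $a.Port
        }
    } catch {
        Write-Warning "$rr did not resolve: $($_.Exception.Message)"
    }
}
```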
AD Forest Trust: Allow Access for Kerberos Client Authentication
This rule allows clients from the Intranet forest to authenticate to systems in the Extranet forest using Kerberos authentication. If Kerberos is not required, this rule is not needed and should be disabled in order to adhere to least privilege.
AD Forest Trust: Allow Access for NTLM Client Authentication
AD Forest Trust: Allow Access for Object Picker (Extranet Domain Controllers)
This rule is the same as the Extranet Web Servers rule, but allows the object picker to be used from the Extranet Domain Controllers themselves. Depending on how the system will be administered, this rule may or may not be required. If this rule is not required, it should be disabled or deleted.
So, now that we know which firewall policies are required to cover the key communications needed for everything to function, we need to look at the required policy objects in more detail. Before approaching this, it is worthwhile defining a few elements of the example environment that will be used as part of the firewall policies: