While Windows Essential Business Server 2008 (Windows EBS) Security Server can be installed as the single perimeter security solution it is common to have it coexist with existing security solutions like hardware firewall on the perimeter. In this configuration, Forefront TMG is the “back end firewall” to the existing “front end” firewall, providing a defense in depth setup.
In this case, there are few choices available – this blog post calls out the decision points and provides an outline of the activity for each decision:
1. Configuring the network to support two security devices for defense in depth.
The introduction of a backend firewall requires the front end firewall to be on a separate subnet than the rest of the local network. There are two ways to easily achieve this. The selection will be driven by your knowledge of the existing firewall and the number of devices in your network.
a. (default) Take over internal IP address of front end firewall and create a new subnet between the front end firewall and EBS Security Server. Windows EBS Setup automatically defaults the internal IP of Security Server to be the internal IP address of existing (front end) firewall. The only remaining activity is to reconfigure your front end firewall for the new subnet. Refer to the documentation of your front end firewall to accomplish this task.
b. Create a new subnet for existing clients to use with EBS Security Server, leaving the front end firewall networking configuration untouched (you still need to update any rules that refer to old server IPs for any servers you publish). This requires reconfiguration of all the clients and servers in your network to use EBS Security server as the default gateway. To accomplish this task, you need to edit the internal IP address of Security Server during Setup to be the new gateway IP address. You will also need to change the default gateway on all the machines that have a static IP address in your network and update the gateway property on your existing DHCP server. The latter is automatically done if you decide to install the DHCP role on EBS.
2. Choice of security level enforced by EBS Security Server
Based on the capabilities of your existing front end firewall, you can reduce the security level enforced by EBS Security Server, using the tool introduced by Feature Pack 1 for Windows Essential Business Server 2008. The various levels and security features for each level are documented at the Change the Security Level topic in the Windows Essential Business Server Technical Library. This feature pack id downloaded when you check for updates during installation of Windows EBS or you can download it from Microsoft Download Center.
3. Keeping the two firewalls in sync with each other
The default configuration for Windows EBS configures the EBS Security Server to :
- publish Remote Web Workplace & Exchange services,
- allow internet access for all users, and
- configures firewall rules for essential network services like DNS to function.
If you chose the security level for EBS Security Server to be medium-low or higher, you need to identify other applications your users will access from outside and publish those servers/services using the Server Publishing or Web Publishing wizard; you may also need to add access rules for any line of business application that needs outbound access on protocols other than HTTP or HTTPS protocol, using the “Add new access rule” wizard. On the front end firewall, you also need to update the firewall rules to forward the traffic to EBS Security Server. You may need to republish services like Remote Web Workplace and Exchange services like Outlook Web Access from EBS Security Server in your existing firewall.
If you chose security level for the EBS Security Server to be “low”, you do not need any changes in EBS Security Server. You need to publish services like Remote Web Workplace and Exchange services like Outlook Web Access directly in your front end firewall. For all the default configuration details, refer to the Security and Protection section in the Windows Essential Business Server Technical Library.
4. Choices with site to site VPN configurations (if applicable)
Site to Site VPNs are commonly used to provide connectivity to remote branches. The branch network is connected using a VPN tunnel into the VPN device (typically the front end firewall) – with EBS Security Server installed behind the existing front end firewall, you have 2 choices:
a. A simple option is to continue to terminate VPN at the front end firewall and configure EBS Security Server to route traffic between the branch networks and your internal network. The steps involved are:
i. Create an “Address Range” object for each branch subnet.
ii. Add a Network rule of type “route” and place it above default NAT rule.
iii. Add an array access rule allowing traffic between branch network address range and internal network .
With this configuration, you can now access internal network resources from remote branch subnets and vice versa.
b. An advanced option is to terminate your VPNs in EBS Security server – this requires reconfiguring the existing firewall to pass through traffic to EBS Security Server and establish VPN tunnel in the EBS Security Server with the branch device. You can use the “Create Site to Site VPN connection wizard” in Forefront TMG console to accomplish this task. Refer to VPN Consortium for compatibility of VPN devices.
Hope this helps organizations, partners, and administrators who want to integrate their Security Server in Windows EBS 2008 into a network with an existing firewall. Let us know if you would like more detailed steps for any of these sections!
Security and Protection section in the Windows Essential Business Server Technical Library.
Related posts :
As always, your comments and questions are welcome!
Kannan C Iyer
Windows Essential Business Server