- sensibilium
- » sensiblog
- » Securing the Server
Securing the Server
So they guy came round and had a look over my settings, everything appeared to be hunky-dory, and he just re-ran the Internet Connection Wizard (somewhat different from the non-server wizard) and then all my clients had access to all protocols and content type required.
After reading the ISA book I recently bought, I decided to get another network card for the server, at six pounds for a huge increase in security has to be worth it. I mean, six quid?! Bargain!
Anyway, I shat down the server and installed the second NIC. Rebooted and waited an age for the Preparing Network Connections... bit finished, got slightly concerned that wouldn't ever finish what it was doing, but just as I gave up it finished and brough up the login prompt.
So, I then changed the IP address on the external connection to a IP range outside of the local area network (otherwise conflicts can take place in ISA's LAT table), and plugged in my router. Suddenly realised that I couldn't access my routers web admin as I hadn't changed the IP address, so I had to unplug the router from the external network card and plug it back into the the hub, whereupon I logged into the webpanel and changed the IP address. Plugged it back into the servers external NIC and hey presto! A live internet connection.
Then spent a little time configuring the VPN passthrough using Routing and Remote Access, phoned up my remote user, asked him to try it out, and other than one problem (I had forgotten to give the VPN user account Dial-In permission), he connected within seconds. Marvellous.
As confusing as all this sounds, it really is a shit lot easier than you'd think.
So, here's an example of our old network setup:
As you can see that problem lies in the fact that any hax0r that breaks into the router is then onto the internal network.
The second network card allowed me to do this:
Now if anyone breaks through the router, they then have to break through ISA Server too. Much more secure I'm sure you'll agree.
After reading the ISA book I recently bought, I decided to get another network card for the server, at six pounds for a huge increase in security has to be worth it. I mean, six quid?! Bargain!
Anyway, I shat down the server and installed the second NIC. Rebooted and waited an age for the Preparing Network Connections... bit finished, got slightly concerned that wouldn't ever finish what it was doing, but just as I gave up it finished and brough up the login prompt.
So, I then changed the IP address on the external connection to a IP range outside of the local area network (otherwise conflicts can take place in ISA's LAT table), and plugged in my router. Suddenly realised that I couldn't access my routers web admin as I hadn't changed the IP address, so I had to unplug the router from the external network card and plug it back into the the hub, whereupon I logged into the webpanel and changed the IP address. Plugged it back into the servers external NIC and hey presto! A live internet connection.
Then spent a little time configuring the VPN passthrough using Routing and Remote Access, phoned up my remote user, asked him to try it out, and other than one problem (I had forgotten to give the VPN user account Dial-In permission), he connected within seconds. Marvellous.
As confusing as all this sounds, it really is a shit lot easier than you'd think.
So, here's an example of our old network setup:
As you can see that problem lies in the fact that any hax0r that breaks into the router is then onto the internal network.
The second network card allowed me to do this:
Now if anyone breaks through the router, they then have to break through ISA Server too. Much more secure I'm sure you'll agree.
Comments
very nice. it's the way i probaly would've set it up myself, but that's nto ebcause i'm qualified or have any know how. :p
