Scenario 2: The 3-Leg Perimeter Configuration

The 3-leg perimeter configuration creates network relationships and Access Rules to support an Internal network segment and a perimeter (DMZ) network segment. The perimeter network segment can host your publicly-accessible resources and infrastructure servers, such as a public DNS server or a caching-only DNS server.

Table 2: 3-Legged Perimeter Firewall Template Firewall Policy Options

Firewall Policy

 

Description

 

Block all

 

Block all network access through ISA Server.

 

 

 

This option does not create any access rules other than the default

 

 

 

rule which blocks all access.

 

 

 

Use this option when you want to define firewall policy on your

 

 

 

own.

 

 

 

 

 

Block Internet access,

 

Block all network access through ISA Server, except for access to

 

allow access to

 

network services, such as DNS on the perimeter network. Use this

 

network services on

 

option when you want to define the firewall policy on your own.

 

the perimeter network

 

The following access rules will be created:

 

 

 

 

 

 

1. Allow DNS traffic from Internal Network and VPN Clients

 

 

 

Network to Perimeter Network

 

 

 

 

 

Block Internet access,

 

Prevent all network access through the firewall except for network

 

allow access to ISP

 

services such as DNS. This option is useful when your Internet

 

network services

 

Service Provider (ISP) provides network services.

 

 

 

Use this option when you want to define the firewall policy on your

 

 

 

own.

 

 

 

The following rules will be created:

 

 

 

1. Allow DNS from Internal Network, VPN Clients Network and

 

 

 

Perimeter Network to External Network (Internet)

 

 

 

 

 

Allow limited Web

 

Allow limited Web access using HTTP, HTTPS, FTP only and allow

 

access, allow access

 

access to network services such as DNS on the perimeter network.

 

to network services

 

All other network access is blocked.

 

on perimeter network

 

This option is useful when network infrastructure services are

 

 

 

 

 

 

available on the perimeter network.

 

 

 

The following access rules will be created:

 

 

 

1. Allow HTTP, HTTPS, FTP from Internal Network and VPN

 

 

 

Clients Network to Perimeter Network and External Network

 

 

 

(Internet)

 

 

 

2. Allow DNS traffic from Internal Network and VPN Clients

 

 

 

Network to Perimeter Network

 

 

 

3. Allow all protocols from VPN Clients Network to Internal

 

 

 

Network

 

 

 

 

 

Allow limited Web

 

Allow limited Internet access and allow access to network services

 

access and access to

 

such as DNS provided by your Internet Service Provider (ISP). All

 

ISP network services

 

other network access is blocked.

 

 

 

 

 

ISA Server 2004 Configuration Guide

100

Page 101 Page 103
Page 102
Image 102
Microsoft 2004 manual Scenario 2 The 3-Leg Perimeter Configuration
Page 101 Page 103
Top Page Image Contents