ISA 2006 from Edge Firewall to 3-Leg Perimeter

ISA FirewallWhat if you want to take your simple 2 NIC “Internal/External” firewall and add a DMZ to it on the fly?  We recently tried this on a production firewall no less and hoped it would work.  It did after a few bumps. 

The big problem with changing your Network Template is that ISA wants' to slick your config and start over, so you’ll end up with two options: Try to make a 3 NIC config work in  your original design by adding in networks and network rules, or applying a new network template and then bringing your config back in via import.  After failing the former (likely my lack of skills), we chose the later.

Mileage may very, but here’s some notes on what we did:

  • Obviously you need the 3rd NIC installed first.
  • Add the Subnets to the new NIC’s IP config for your DMZ aka “Perimeter” network in Windows.
  • Export your firewall config, including all settings, make a copy of the XML file, and open for editing.
  • We’re going to remove the network section of the XML file to prevent issues later.  Once you’ve chosen a new network template, you’ll want to import the config back in, minus the network related stuff (which is what the network template will change for  you).
  • Search the XML file for the open and closing NetConfig tags:
  • <fpc4:NetConfig StorageName="NetConfig" StorageType="1">
  • </fpc4:NetConfig>
  • Remove everything between these two tags and save the file.
  • Run through the network template wizard for 3-leg perimeter.  If clicking finish generates errors, work through them and come back to try again.  Our single error was because we had web listeners using HTTP compression, so we removed all objects from “General > Define HTTP Compression > Return Compressed Data” and added them back in later after re-import.
  • Once template wizard works, notice the lack of rules in your firewall policy and missing objects.  About now your thinking “OMG you screwed me!”, so import your augmented config and they should all be back. 
  • You’ll likely have a few dupe firewall rules if you chose a template firewall policy other then “block all”.  Sort your rules by the various columns to look for dupes.  We had dupes for “Allow Internal Routing” and “VPN Clients to Internal Network”.
  • Lastly go through your rule list and ensure the From/To columns are filled in.  You’ll want to restart the firewall service at this point to be sure it can start properly, and if it fails it’s likely a rule that won’t work in the new network config.  Check event logs for hints.  We had several rules we deleted and recreated based on new network names.