RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer

• From: "Steve Moffat" <steve@xxxxxxxxxxxxxxxxxxxxxxxxxx>
• To: "Isa Weblist" <isalist@xxxxxxxxxxxxx>
• Date: Thu, 29 Jul 2004 16:27:22 +0100

Well articulated James, I have a client who has been running sbs 2000
with isa installed and has never in all these years had a security
breach tho' many have tried.

There is no problem with a loaded sbs server, 2000 or 2003...as long as
it's done right.

Steve 

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx] 
Sent: Tuesday, July 27, 2004 3:44 PM
To: Isa Weblist
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running dire
ctly on the ISA Server 2004 computer

http://www.ISAserver.org

Unscrew the top of your head and let some light in.
It's exactly this sort of self-serving, elitist rhetoric that causes
folks to feel like they "just can't do it".

There isn't and never will be "just one right way" to do something.
There are external factors that are not always controllable.

Security is and will always be a balancing act between requirements,
money and hardware resources.
"Fast, Secure or cheap; choose two" is one of my favorite quotes.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, July 27, 2004 06:31
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running dire
ctly on the ISA Server 2004 computer


http://www.ISAserver.org

Which is why you'll never see anyone in their right mind running SBS who
expects the same level of protection from a dedicated system.

I forwarded that e-mail from Tom to the guys at work, and the first
thing they did is say: Look at ISA! It's a piece of junk since you've
gotta do a work around just to make stuff even work on the box!  You
never have that problem with a PIX!

If you're boss won't look at the cost justification of buying a low end
desktop to run a service, all I have to say to any financial institution
is how much is the cost of an FDIC audit in terms of your labor?
Pulling 50% of the IT staff into meetings with the FBI/FDIC/Secret
Service (yes, the secret service is involved in these types of audits)
for 2 months along with hiring a small army of people to produce all
your audit trails for the past
7 years is by FAR more expensive than any server that I can think of....

What I was getting at in my first e-mail is that since you can't even
install services on a PIX, you'd need to purchase or use another server
anyways, which is why you should leave things off of an ISA box and just
not even open yourself up to an service exploit.....

Troy

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, July 27, 2004 12:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

"Hardware"; thpthpthpthpthp
Please drop this blatant BS; until it's implemented in the ASICs, it
ain't "hardware".
Facts:
    - Installing service on any machine is only as functional or secure
as the person deploying / securing it.
    - There are folks with more motivation than $$
    - These same folks need an answer, not attitude.
    - placing services on the firewall is not for the faint of heart;
this is why the SBS folks spend years perfecting the compromise.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG  http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Monday, July 26, 2004 09:10
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from the external network when the published service is running directly
on the ISA Server 2004 computer


http://www.ISAserver.org

Installing services on your ISA box is like hiring a blind, deaf body
guard
and expecting him to walk you to the other side of the street..... Only
bad
things can happen.....

Suggestion: The service you've installed can't be mission critical,
otherwise you'd have a dedicated server..... BYOS (build your own
@#(*$&)@(#*ing server) or put it on a cheap POJ (Piece of Junk) box....

Besides, I'd love to see someone try and install a service on a PIX box
anyways...... so the hardware firewall people can't even bring this up
as a
'flaw'...... even though i am a fan of hardware at the entrance for bulk
processing of incoming/outgoing traffic......

-----Original Message-----
From: Ray Dzek [mailto:rdzek@xxxxxxxxxxxxxxx]
Sent: Monday, July 26, 2004 10:35 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service
from
the external network when the published service is running directly on
the
ISA Server 2004 computer


http://www.ISAserver.org

They left out the most obvious solution, and the one which is usually
the
most correct...  Move the service to something besides your firewall.




Ray Dzek
Network Operations Supervisor
Specialized Bicycle Components


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Monday, July 26, 2004 7:10 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] 838376 - Cannot connect to a published service from
the
external network when the published service is running directly on the
ISA
Server 2004 computer


http://www.ISAserver.org


Very interesting KB article and an issue that I'm sure will generate a
lot
of heat in the coming months.

838376 - Cannot connect to a published service from the external network
when the published service is running directly on the ISA Server 2004
computer: http://support.microsoft.com/default.aspx?scid=kb;en-us;838376
<http://support.microsoft.com/default.aspx?scid=kb;en-us;838376>

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
jim@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist


------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
steve@xxxxxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist

This E-Mail is confidential. It is not intended to be read, copied, disclosed 
or used by any person other than the recipient named above. 


Unauthorised use, disclosure, or copying is strictly prohibited and may be 
unlawful. Optimum IT Solutions disclaims any liability for any action taken in 
connection of this E-Mail. The comments or statements expressed in this E-Mail 
are not necessarily those of Optimum IT Solutions or its subsidiaries or 
affiliates.

administrator@xxxxxxxxxxxxxxxxxxxxxxxxxx 

Other related posts:

• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer
• » RE: 838376 - Cannot connect to a published service from the external network when the published service is running dire ctly on the ISA Server 2004 computer

1. Home
2. isalist
3. Archive
4. 07-2004

---

• » Previous by Date
• » Next by Date
• » Related Posts
• » View list details
• » Manage your subscription

---