RE: External Network Logic

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 7 Dec 2005 17:58:05 -0800

It's funny how we can both mean the same thing, and even think the same thing, but refer to it in totally opposite ways.

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 5:42 PM
Subject: [isalist] RE: External Network Logic



http://www.ISAserver.org

Same difference. I think of the "walled off" guys as being in the
perimeter as opposed to the free range chickens where the users are.

However, literally, the network services perimeter will be part of the
default Internal Network.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Wednesday, December 07, 2005 7:39 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: External Network Logic


I was thinking the servers would be the Internal network, and the clients would actually be in the perimeter network. Is that not how you would do it? I only ask that because you use the words "network service perimeter." I would say "client-access perimeter."

t

----- Original Message -----
From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 5:27 PM
Subject: [isalist] RE: External Network Logic




OK. Keep in mind that if you create Web Publishing Rules to publish resources in your network service perimeter segment, the default is to replace the client IP address with the ISA firewall's address. But you can control this behavior if you want. However, in your scenario, you'll probably want to have the ISA firewall's addresses as source for both your Web Publishing Rules and Server Publishing Rules, since those servers don't need Internet access, they won't need a gateway address. That is, unless you want them to directly contact remote networks on your private net.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls



> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 07, 2005 7:09 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
>
>
> Right- that's what I was saying... Ignore the last email then.
> t
>
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 4:57 PM
> Subject: [isalist] RE: External Network Logic
>
>
>
> OK, in that case, there won't be any NAT, since the external network
> isn't available because you'll have no route of last resort. NAT is
> never enforced unless you want it to be.
>
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
>
>
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Wednesday, December 07, 2005 6:42 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: External Network Logic
> >
> >
> > This isn't a back-to-back config. This is a single server going in between my clients and my servers... There won't be a way to "NAT to the Internet" in that config as the only defined rule will be a route relationship from the Perimeter to the Internal.
> >
> > I understand the concept that "Internet" is the default gateway, but in this case, there can't be a "Nat" relationship anywhere.
> > t
> >
> >
> > ----- Original Message -----
> > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, December 07, 2005 4:25 PM
> > Subject: [isalist] RE: External Network Logic
> >
> >
> >
> > No, the Internet is always there, unless you're talking about a caponized ISA firewall (single NIC).
> >
> > The Internet is reached via the NIC with the default gateway defined on it, which in a back to back config would be the internal interface of the FE ISA firewall.
> >
> > There is one point of confusion induced by the UI -- and that's the ability to create an "external Network". There is no difference from the firewall's point of view between a perimeter Network and an external Network. So, you can create another external Network if you like, but it's *exactly the same* as a perimeter network from ISA's multinetworking point of view. The default External Network is always there (except for the unihomed ISA firewall).
> >
> > For example, if a client on the default Internal Network connects to a host on the perimeter network between the ISA firewalls, the connections are routed and the source IP address is not replaced. If a host on the default internal Network connects to an IP address that is part of the default External Network (which is the Internet) the connection will be NATed.
> >
> > The ISA firewall's ability to enable control over your route relationships really does give you a lot of flexibility.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://spaces.msn.com/members/drisa/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> >
> >
> > > -----Original Message-----
> > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > Sent: Wednesday, December 07, 2005 5:39 PM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: External Network Logic
> > >
> > >
> > > One thing though, just so I understand-- How would I NAT to the Internet? There *is no* "Internet" per se in a 2 NIC config with both defined as ISA Firewall Networks, right? There would be a route relationship from the Internal to the DMZ Perimeter. The Internet would only exist if an Interface was added and not defined elsewhere, correct?
> > > t
> > >
> > > ----- Original Message -----
> > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Wednesday, December 07, 2005 3:01 PM
> > > Subject: [isalist] RE: External Network Logic
> > >
> > >
> > >
> > > The default External Network is defined as all addresses that aren't defined by any other ISA firewall Network. So, there is still an external network, you just don't have any access to it, since you've created ISA firewall Networks for both NICs (one for the default Internal Network and one for the ISA firewall Network representing the perimeter network NIC).
> > >
> > > You can use this in a number of scenarios, like turning the DMZ between the BE and FE ISA firewall into an ISA firewall Network and creating a route Network Rule between that and the default Internal Network, but still NAT'ing to the Internet. Pretty slick, eh?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > > **Who is John Galt?**
> > >
> > >
> > >
> > > > -----Original Message-----
> > > > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > > > Sent: Wednesday, December 07, 2005 4:57 PM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] External Network Logic
> > > >
> > > >
> > > > So, you've got ISA with 2 NICs. You define the Internal range on one NIC, leaving the other NIC as "External." You then add a perimeter network, and give it the IP range of what used to be the "External" NIC. What happens to the concept of the External network since you now have a trusted Internal network and a less trusted "Perimeter" network, but no real "External" network anymore? Will it just be an "empty" network set sitting there all alone in the cold, cold ground?
> > > >
> > > > t
> > > >
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> > > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx

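The route-versus-NAT logic the thread walks through, as an added example that is not code from the list, from either poster, or from ISA Server itself: it models defined ISA firewall Networks, the default External Network as everything left over, route rules (bidirectional in ISA) versus NAT rules (source to destination only), and the point that External is unreachable when there is no route of last resort. All network names, address ranges, the rule list and the firewall address are constructed.

```python
# Added example, not code from the thread or from ISA Server: a small model of
# the multinetworking logic described above. All values below are constructed.
import ipaddress


class IsaNetworks:
    """Defined ISA firewall Networks plus the implicit default External Network."""

    def __init__(self, networks, network_rules, firewall_addr, default_gateway=None):
        # networks: {name: [CIDR, ...]}; rules: [(src, dst, "route"|"nat"), ...]
        self.networks = {n: [ipaddress.ip_network(c) for c in cidrs]
                         for n, cidrs in networks.items()}
        self.rules = network_rules
        self.firewall_addr = ipaddress.ip_address(firewall_addr)
        self.default_gateway = default_gateway  # route of last resort, if any

    def network_of(self, addr):
        """Default External is every address not in any defined Network."""
        addr = ipaddress.ip_address(addr)
        for name, nets in self.networks.items():
            if any(addr in net for net in nets):
                return name
        return "External"

    def relationship(self, src, dst):
        """Network Rule between the two networks: 'route', 'nat' or None (denied)."""
        s, d = self.network_of(src), self.network_of(dst)
        for rs, rd, rel in self.rules:
            # route rules apply in both directions; NAT only source -> destination
            if (rs, rd) == (s, d) or (rel == "route" and (rs, rd) == (d, s)):
                return rel
        return None

    def source_seen_by_dest(self, src, dst):
        """Source address the destination sees, or None if the flow cannot happen."""
        rel = self.relationship(src, dst)
        # with no default gateway there is no path to External, rule or not
        if self.network_of(dst) == "External" and self.default_gateway is None:
            return None
        if rel == "route":
            return str(ipaddress.ip_address(src))   # source IP preserved
        if rel == "nat":
            return str(self.firewall_addr)          # replaced by ISA's address
        return None


# Constructed config from the thread: two NICs, both defined as Networks, no gateway.
NETS = {"Internal": ["192.168.0.0/24"], "Perimeter": ["10.0.1.0/24"]}
RULES = [("Internal", "Perimeter", "route"), ("Internal", "External", "nat")]
two_nic = IsaNetworks(NETS, RULES, "10.0.1.1")
```

Passing a `default_gateway` to `IsaNetworks` reproduces the back-to-back case where Internal-to-Internet traffic is NATed to the firewall's address while Internal-to-Perimeter stays routed.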