RE: ISA & FW1

  • From: Holger Reichert <holger.reichert@xxxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 28 Nov 2001 08:17:49 +0100

Hello Ronny,

You may use ISA for this task, but I think it's better to place ISA
behind your FW-1.

Internet -> FW-1 -> ISA -> LAN


You are lowering the risk of your ISA getting compromised.
In this scenario you can also use the Authentication and personalized
logging feature of ISA.

More secure is this scenario with a DMZ

Internet -> FW-1 -> LAN
             |
            ISA

Well, you lose the authentication information based on NT or W2K if you
use these domains in your LAN, but if ISA gets compromised, it's not
standing in your LAN.

An even better scenario is this

Internet -> FW-1 -> ISA -> FW-1 -> ISA -> LAN
                    DMZ

Now you can benefit from the authentication mechanism of ISA and have a
real second layer of security.
As ever, it depends on the $ and the level of security your customer may
need.

Best wishes
Holger Reichert
Business Manager
Holysword gbr
www.holysword.de

Ronny wrote:

I have a weird scenario..

A Checkpoint FW1 is in place and runs fine. The client wants to add a
server that will do some antivirus scanning on HTTP. Checkpoint's CVP
protocol does this, but is single threaded and basically will kill
everything. We are looking into placing an ISA server, with the AntiVirus
stuff before the checkpoint FW. Since the users are already comfortable
with using the FW1, here's my question:

Can I configure ISA to just allow all traffic through? All the FW rules
will be handled by the Checkpoint FW. I also would like to have all the
clients be SNAT, because I don't want to set up any software on the users'
desktops.

Please let me know your thoughts.

Thanks
RS
