Hi Nigel,

Are you binding public and private addresses to the same NIC?? Hmmm. I think that defeats the purpose of creating a DMZ, even if such a thing were possible. For a trihomed ISA Server DMZ configuration, you have to have the TRI part configured :-)

HTH,
Tom
www.isaserver.org/shinder

-----Original Message-----
From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx]
Sent: Friday, January 25, 2002 2:55 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA does NOT limit access by DMZ 'perimeter pcs' as expected when internal NIC is multihomed

http://www.ISAserver.org

My testing (packet captures & vulnerability scans) suggests that ISA does NOT limit access of a perimeter PC if you have multihomed ISA's internal NIC with a private AND a public IP. In other words it appears that 'Perimeter PCs' (with public IPs) in a 'DMZ' behind ISA appear to be able to access the same SBS2K services that PCs in the private subnet can. For example I have a packet capture that shows a perimeter PC can read and write to the NNTP service, yet I haven't created ANY filters or rules allowing this!

This could be very dangerous for people who, under the mistaken belief (as I was), use this technique to set up a DMZ thinking ISA Server is protected from their DMZ subnet, when in fact all the services on it (available to your private LAN) are ALSO available to the perimeter network!

Perhaps this DMZ\perimeter network config only works when you have 2 physically separate internal NICs instead of multihoming 1 with a private and public subnet as I have done?

Does anyone else have any comments, experiences or seen this behaviour? I'd be interested in your comments.

Nigel
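As an added illustration, not part of the thread, here is a small configuration check for the layout Nigel describes: it flags any NIC that carries both an RFC 1918 subnet and a public subnet, and shows that a perimeter host and an internal host on such a NIC share one link, whereas the tri-homed layout Tom recommends keeps them apart. Interface names and addresses are constructed samples (the "public" ranges are documentation addresses), not a real configuration.

```python
"""Detect the multihomed-internal-NIC DMZ mistake: one interface
carrying both a private (RFC 1918) subnet and a public 'perimeter'
subnet, so perimeter hosts sit on the same link as the internal LAN."""
import ipaddress

# Constructed sample: internal NIC multihomed with private + public subnets.
MULTIHOMED = {
    "external": ["198.51.100.2/24"],
    "internal": ["192.168.1.1/24", "203.0.113.1/24"],
}

# Constructed sample of a tri-homed layout: each role on its own NIC.
TRIHOMED = {
    "external": ["198.51.100.2/24"],
    "internal": ["192.168.1.1/24"],
    "dmz": ["203.0.113.1/24"],
}

# RFC 1918 ranges checked explicitly; ipaddress.is_private would also
# count documentation ranges as private, which is not what we want here.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(cidr: str) -> bool:
    """True if the interface address lies in an RFC 1918 range."""
    ip = ipaddress.ip_interface(cidr).ip
    return any(ip in net for net in RFC1918)


def mixed_interfaces(ifaces: dict) -> list:
    """Names of NICs that carry both private and public addresses."""
    bad = []
    for name, addrs in ifaces.items():
        kinds = {is_rfc1918(a) for a in addrs}
        if kinds == {True, False}:
            bad.append(name)
    return sorted(bad)


def shares_link(ifaces: dict, host_a: str, host_b: str) -> bool:
    """True if both hosts fall in subnets bound to the same NIC, i.e. they
    share a link even though they are in different subnets."""
    a, b = ipaddress.ip_address(host_a), ipaddress.ip_address(host_b)
    for addrs in ifaces.values():
        nets = [ipaddress.ip_interface(x).network for x in addrs]
        if any(a in n for n in nets) and any(b in n for n in nets):
            return True
    return False
```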