First off I must agree with Ara that your contributions to the ISA community could never be overstated. I have learned much over the years lurking on this list and digesting the vast amount of information on isaserver.org. But I must disagree with the notion that having PIX'en as an edge firewall and an ISA server in outbound firewall client/cache-only mode relegates the admin to a "moron" and a "pirate". Consider this scenario.

2 PIX 515E's in a redundant configuration are set up a few years ago as a firewall solution to replace what was originally an early rev IOS ACL based Cisco 1605R router solution. Definite improvement in every sense, but logging is still IP based and is not able to track usernames. Add an ISA2000SE server to the mix as an outbound proxy solution behind the PIX'en and you gain an enormous amount of control over where specific users can go, and logging as to where they actually went. After spending $15K-$20K upfront plus SmartNET each year on the PIX config though, you can understand why we were unwilling to spend an additional $5K per processor to switch over to a redundant ISA EE configuration when a single SE server would suffice. ISA dies, internal users can't surf. PIX'en die, customers can't get in. I can count on 0 fingers how many times either of the PIX'en have died (let alone both), but I don't have enough fingers to count how many times over the past 4 years I've needed to reboot the ISA server during business hours (24x7 with a 4am - 6am downwindow) because something went belly up (ISA or Windows, doesn't matter, services are down).

On the other hand, I have had it up to here with trying to deal with RPC on the PIX. Seems to me that an ideal scenario for us would be to let the PIX'en continue to be a front-end firewall to take care of the majority of the scanning/etc type attacks (and not lose the value of the investment), and create an ISA2004EE pair as a back-end firewall.
We would then have a solution for DMZ->Inside traffic which understands RPC and eliminates the need for registry hacks and allowing large ranges of ports to be wide open just to get a COM+ component in the DMZ to be able to talk to the inside network (no, we're not using .NET Remoting or Web Services yet which would make this much easier - believe me I'm trying). Not to mention it would be the perfect way to publish an upcoming Exchange 2003 OWA site. But it would also require purchasing at least an additional $10K of licensing (depending on the # of procs), plus either additional hardware or a firm commitment to virtual machines.

I very much value your knowledge and opinions, Tom, but sometimes I think you get a bit too zealous about ISA only configurations. In any case I don't believe it is fair to dismiss other products outright (either as part of an ISA solution or independent) as being inferior without taking into account individual situations. A fully redundant ISA configuration as your sole means of protection is neither a cheap nor simple investment, especially when considering the infrastructure that may already be in place. Not to mention that you aren't doing anything to increase your "defense in depth" when you have a homogenous firewall solution...

Dave.

-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx]
Sent: Saturday, February 18, 2006 12:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

http://www.ISAserver.org

Hi Tom,

You have done a lot for people around here so no apology is required specially me :).

Peace :)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, February 17, 2006 9:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

http://www.ISAserver.org

Hi Ara,

You're right, and I was over the top there. I just hit my limit regarding the Web proxy only issue.
I hear so many morons consider a PIX or netscreen as a network security solution and relegate the ISA firewall to Web proxy. Please accept my sincere apology.

Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx]
Sent: Friday, February 17, 2006 6:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

http://www.ISAserver.org

Tom,

I think your statement is offensive about stealing. Not everyone who needs a cache only server is a pirate. It is what they have on hand so it's up to them if you use it or not.

Thanks

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, February 17, 2006 12:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

http://www.ISAserver.org

Please deploy the firewall correctly. Only those who steal the software do web proxy only.

Sent via ISA firewall protected Exchange 2003 Windows Mobile

-----Original Message-----
From: "MJ"<mjtech@xxxxxxxxx>
Sent: 2/17/06 2:17:56 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] Need help with a small problem

http://www.ISAserver.org

Hi all,

We are running ISA server 2004 Standard edition as a proxy. I understand that if you try to play a media online with Windows Media Player 9 you could get a prompt for a user and a password, but I thought that has nothing to do with version 10. I am working on it and googling it, but please if someone has had this issue before and got it fixed, let me know the fix.
Thanks a lot

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx