RE: Need help with a small problem

  • From: Dave May <dave.may@xxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Sat, 18 Feb 2006 02:11:14 -0500

First off I must agree with Ara that your contributions to the ISA community
could never be overstated.  I have learned much over the years lurking on
this list and digesting the vast amount of information on isaserver.org.
But I must disagree with the notion that having PIX'en as an edge firewall
and an ISA server in outbound firewall client/cache-only mode relegates the
admin to a "moron" and a "pirate".

Consider this scenario.

2 PIX 515E's in a redundant configuration were set up a few years ago as a
firewall solution to replace what was originally an early rev IOS ACL based
Cisco 1605R router solution.  Definite improvement in every sense, but
logging is still IP based and is not able to track usernames.

Add an ISA2000SE server to the mix as an outbound proxy solution behind the
PIX'en and you gain an enormous amount of control over where specific users
can go, and logging as to where they actually went.  After spending
$15K-$20K upfront plus SmartNET each year on the PIX config though, you can
understand why we were unwilling to spend an additional $5K per processor to
switch over to a redundant ISA EE configuration when a single SE server
would suffice.

ISA dies, internal users can't surf.  PIX'en die, customers can't get in.  I
can count on 0 fingers how many times either of the PIX'en have died (let
alone both), but I don't have enough fingers to count how many times over
the past 4 years I've needed to reboot the ISA server during business hours
(24x7 with a 4am - 6am downwindow) because something went belly up (ISA or
Windows, doesn't matter, services are down).

On the other hand, I have had it up to here with trying to deal with RPC on
the PIX.  Seems to me that an ideal scenario for us would be to let the
PIX'en continue to be a front-end firewall to take care of the majority of
the scanning/etc type attacks (and not lose the value of the investment),
and create an ISA2004EE pair as a back-end firewall.  We would then have a
solution for DMZ->Inside traffic which understands RPC and eliminates the
need for registry hacks and allowing large ranges of ports to be wide open
just to get a COM+ component in the DMZ to be able to talk to the inside
network (no, we're not using .NET Remoting or Web Services yet which would
make this much easier - believe me I'm trying).  Not to mention it would be
the perfect way to publish an upcoming Exchange 2003 OWA site.  But it would
also require purchasing at least an additional $10K of licensing (depending
on the # of procs), plus either additional hardware or a firm commitment to
virtual machines.

I very much value your knowledge and opinions, Tom, but sometimes I think
you get a bit too zealous about ISA-only configurations.  In any case I
don't believe it is fair to dismiss other products outright (either as part
of an ISA solution or independent) as being inferior without taking into
account individual situations.  A fully redundant ISA configuration as your
sole means of protection is neither a cheap nor simple investment,
especially when considering the infrastructure that may already be in place.
Not to mention that you aren't doing anything to increase your "defense in
depth" when you have a homogeneous firewall solution...

Dave.

-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx] 
Sent: Saturday, February 18, 2006 12:45 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem

http://www.ISAserver.org

Hi Tom,
You have done a lot for people around here, so no apology is required,
especially to me :). Peace :)

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, February 17, 2006 9:31 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem


Hi Ara,

You're right, and I was over the top there. I just hit my limit
regarding the Web proxy only issue. I hear so many morons consider a
PIX or NetScreen a network security solution and relegate the ISA
firewall to a Web proxy.

Please accept my sincere apology.

Tom 


Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


-----Original Message-----
From: Ara Avvali [mailto:ara.avvali@xxxxxxxxxxxxx] 
Sent: Friday, February 17, 2006 6:11 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem


Tom,
I think your statement about stealing is offensive. Not everyone who
needs a cache-only server is a pirate. It is what they have on hand, so
it's up to them whether they use it or not.
Thanks

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Friday, February 17, 2006 12:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with a small problem


Please deploy the firewall correctly.
Only those who steal the software do web proxy only.

Sent via ISA firewall protected Exchange 2003 Windows Mobile


-----Original Message-----
From: "MJ"<mjtech@xxxxxxxxx>
Sent: 2/17/06 2:17:56 PM
To: "[ISAserver.org Discussion List]"<isalist@xxxxxxxxxxxxx>
Subject: [isalist] Need help with a small problem


Hi all,

We are running ISA Server 2004 Standard Edition as a proxy. I understand
that if you try to play media online with Windows Media Player 9 you
could get a prompt for a user name and password, but I thought that had
nothing to do with version 10.

I am working on it and googling it, but if someone has had this
issue before and got it fixed, please let me know the fix.

Thanks a lot

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx
