[isalist] Re: OT: DNS and Forwarders

  • From: "Greg Mulholland" <gmulholland@xxxxxxxxxxxx>
  • To: <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 20 Oct 2006 14:25:55 +1000

http://www.ISAserver.org
-------------------------------------------------------
Agreed, I was more thinking of what else I need DNS for, other than FTP and HTTP; even those clients I can separate into another network (if needed).


I was never having a go at the non-workability of the setup, nor did I say I couldn't find a way around it for my environment. You initiated a thought process which led to more discussion; I merely tried to expand on it from my POV, not argue that it was not viable or that it would never work. You telling me that it still can be done doesn't bother me, because I know it can be, with careful planning and a bit of imagination. Don't get me wrong, I'm not arguing with you, I'm trying to stimulate you :)

Otherwise I would expect you to use one of your favourite sayings, something about urine and a rope! :)

Greg

----- Original Message ----- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: <isalist@xxxxxxxxxxxxx>
Sent: Friday, October 20, 2006 2:02 PM
Subject: [isalist] Re: OT: DNS and Forwarders




Dude, if you don't want to separate out your DNS, then don't... I'm not
saying any of this is how you HAVE to do it-- I've just found it a very
easy-to-implement security configuration with real benefits. I know you say
you agree with and like the setup, but these other arguments are really
"straw man" arguments as I see them- and all easily solvable.


If you require authentication to apps/OSes that don't support integrated
auth, then you're screwed with those configs anyway. Don't require auth for
those clients then.. Put in another card with a different web proxy listener
config... And I've got to say, if you have "big providers" there that have
all their DNS go out at the same time, then something is really wrong. Have
a secondary (which is really your primary) at your site and have them listed
as the 3rd or 4th DNS then- and enable a publishing rule when their DNS goes
down. Or just have those "special" clients configured to use direct DNS
somewhere-- whatever. But I disagree with throwing the baby out with the
bathwater because of examples of extreme challenges. Work around them. I
mean, dude, arguing for poor service or bad ISPs isn't the answer here...


Even if we take the "ISP sucks" attitude and require publishing of your own
DNS, then fine-- do that. You'll have to have 2 different servers anyway, so
put one internally (I mean, with all those heterogeneous clients, you're not
using integrated AD anyway, right? ;) and put the other in a perimeter DMZ
for outside access... Or even better, just host DNS with a professional
company, and not your ISP. DNS can be hosted by any company in the world,
not just your ISP or anywhere in AU for that matter..


Again, I understand that you are cool with the "idea" but when confronted
with challenges, it is our job to handle them in a secure manner, not just
give up and do things the regular old stupid way... If that's not good for
the gander, then it can go duck itself. :-p


t


On 10/19/06 8:15 PM, "Greg Mulholland" <gmulholland@xxxxxxxxxxxx> spoketh to
all:



Yeah, except when you are bound by requiring authentication on web proxy
clients on your internal network and you have machines that don't talk
integrated auth. Or in the example where the default gateway of the machines
is not the ISA Server itself.


I wish I could have that amount of faith in my ISP, but I can recall a number
of times in the last few years when even the biggest ISP here has had its
DNS server/servers go belly up for a period of time, regardless of the fact
that my connection is still stable and people can still get to me. Now maybe
that comes down to the price we pay or the level of service/quality, but you
live with what you can, and I dare say we are by far not the worst off in
that respect.


Anyhow, like I said, I agree with the concept fully and would always strive
to make it as secure and functional as possible, but I'm merely trying to
illustrate that every situation is different and what's good for the goose is
not always good for the gander.


Greg



------------------------------------------------------
List Archives: //www.freelists.org/archives/isalist/
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server Articles and Tutorials: http://www.isaserver.org/articles_tutorials/
ISA Server Blogs: http://blogs.isaserver.org/
------------------------------------------------------
Visit TechGenix.com for more information about our other sites:
http://www.techgenix.com
------------------------------------------------------
To unsubscribe visit http://www.isaserver.org/pages/isalist.asp
Report abuse to listadmin@xxxxxxxxxxxxx
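Both sides of the thread above turn on one operational question: when the ISP's resolvers "go belly up", how do you know which entry in the client's resolver list (the local secondary Thor suggests listing first, the ISP servers after it) is actually answering? The script below is an added example, not code from the thread or from ISAserver.org: it sends each configured forwarder one raw A-record query over UDP using only the Python standard library, parses the reply on the wire, and reports per-resolver health so an upstream outage is visible before clients start failing. The resolver addresses and the query name are constructed placeholders (documentation ranges), and the wire-format helpers are written so they can be exercised offline with a hand-built response.

```python
"""Probe an ordered list of DNS forwarders and report which ones answer.

Added example (not from the isalist thread). Resolver addresses below are
constructed placeholders from the RFC 5737 documentation ranges; replace
them with the site's local secondary and the ISP's resolvers, in the order
clients are configured to try them.
"""
import socket
import struct

RESOLVERS = ["192.0.2.53", "198.51.100.1", "198.51.100.2"]  # constructed
QNAME = "www.example.com"                                    # constructed
TXID = 0x1234


def build_query(qname, txid=TXID):
    """Standard DNS query: 12-byte header with RD set, one A/IN question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode("ascii") for p in qname.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)


def _skip_name(msg, off):
    """Advance past a (possibly compression-pointer) name starting at off."""
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln


def parse_response(msg, expected_txid=TXID):
    """Return (rcode, [A-record addresses]); raise ValueError if malformed."""
    if len(msg) < 12:
        raise ValueError("short header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    rcode = flags & 0x000F
    off = 12
    for _ in range(qd):                     # skip the echoed question(s)
        off = _skip_name(msg, off) + 4      # name + qtype + qclass
    addrs = []
    for _ in range(an):                     # walk the answer section
        off = _skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return rcode, addrs


def probe(server, qname=QNAME, timeout=2.0):
    """Query one resolver; returns 'ok', 'timeout', 'malformed', 'no-answer' or 'rcode=N'."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _peer = sock.recvfrom(512)
        except (socket.timeout, OSError):
            return "timeout"
    try:
        rcode, addrs = parse_response(data)
    except ValueError:
        return "malformed"
    if rcode != 0:
        return "rcode=%d" % rcode
    return "ok" if addrs else "no-answer"


def classify(results):
    """Summarise probe results in the order clients will try the resolvers."""
    healthy = [srv for srv, status in results if status == "ok"]
    failed = [srv for srv, status in results if status != "ok"]
    return {"healthy": healthy, "failed": failed,
            "first_working": healthy[0] if healthy else None}


if __name__ == "__main__":
    outcome = [(srv, probe(srv)) for srv in RESOLVERS]
    for srv, status in outcome:
        print("%-16s %s" % (srv, status))
    print(classify(outcome))
```

Run it from a machine inside the network with the real resolver list; a `timeout` or `malformed` result on the ISP entries while the local secondary is `ok` is exactly the condition Thor's "enable a publishing rule when their DNS goes down" is meant to cover, and `first_working` tells you which entry clients are currently falling through to.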





