RE: Packet filters ???

  • From: "Francois Malherbe" <Francois@xxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jun 2003 21:49:22 +0200

Thanks Thomas

Indirectly, yes, I have seen this newsletter - you probably could see
that some of the info I pasted into my email was directly from the
article: Howto use ISA server Packet Filters.

It still doesn't really answer my question of whether or not it is
possible. I agree that it is inadvisable.

My angle here is that my company recently moved a client from an old
Gauntlet NT Firewall to ISA.
Some problems immediately became apparent:
1) ISA cannot, according to MS, create a packet filter (to a proper DMZ)
for IP protocol 57 - an arbitrary protocol, but we use it for the group
VPN links.
2) ISA cannot, according to everything I have researched, create a
simple packet filter for inbound TCP connections from a DMZ to an
internal SQL server, for example, e.g. webmail. However, web publishing
and server publishing cover that angle even though there is a fairly
heavy overhead of rulesets.

Later, another problem reared its head - one of my client's suppliers
hosts a server they need to connect to, on a custom TCP port. When the
protocol rule is in place on ISA, speed is incredibly slow - perhaps 20
to 50 times slower than web access to a web server which is on their
same subnet, behind the same firewall.
As a test, we fired up the old Gauntlet, which used packet filters, not
proxy plug-ins, and the speed immediately came up to par with HTTP
access speeds ???


This is the reason for my queries regarding a packet filter.

Francois



-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: 19 June 2003 08:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Packet filters ???


http://www.ISAserver.org


Hi Francois,

Did you see this one at www.isaserver.org?

http://www.isaserver.org/pages/newsletters/July.asp

HTH,
Tom

Thomas W Shinder

