Hi Joseph,

So, if the Web server on the DMZ is compromised (it's supposed to be, it's a bastion host!), then they could access the staging server. If they compromise the staging server, then they have direct access to the internal network. Right?

Thanks!
Tom

-----Original Message-----
From: Joseph [mailto:cismic@xxxxxxx]
Sent: Monday, March 25, 2002 5:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Staging Web Server

http://www.ISAserver.org

Hi Tom,

EXTERNAL ISA 2 NIC cards
WEB Server 1 NIC card (would like 2)
INTERNAL ISA 2 NIC cards
STAGING Server will have 2 NIC cards with only one going to the Web Server located in the DMZ.

Does this extra info help?

Thank you,
Joseph

-----Original Message-----
From: Thomas W. Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Monday, March 25, 2002 3:03 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Staging Web Server

Hi Joseph,

I looked at the graphic you sent about your dual homed staging Web server. It looks like it's got an interface on the DMZ and another interface on the internal network. Is that right? Or, do you have two interfaces on the "internal" ISA Server, both of them on the DMZ network?

If it's the former, I think that's not a top security config, because even if IP routing isn't enabled on the staging server, someone with control of the staging server will still have direct access to your internal network.

HTH,
Tom
www.isaserver.org/shinder
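
The concern raised in this thread can be checked mechanically from a host inventory. The following is an added example, not part of the original messages: it flags non-firewall hosts with interfaces in more than one zone and reports whether a chain of such hosts links the DMZ Web server to the internal network. Host names, addresses and the assumption that the staging server has one NIC in the DMZ and one on the internal network are constructed for illustration.

```python
import ipaddress
from collections import deque

# Constructed sample data: zone subnets, host names and addresses are assumptions.
ZONES = {
    "internet": ipaddress.ip_network("203.0.113.0/24"),
    "dmz": ipaddress.ip_network("192.168.10.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/24"),
}
HOSTS = {
    "external-isa": ["203.0.113.2", "192.168.10.1"],
    "web": ["192.168.10.10"],
    "staging": ["192.168.10.20", "10.0.0.20"],  # dual homed: DMZ + internal
    "internal-isa": ["192.168.10.2", "10.0.0.1"],
}
FIREWALLS = {"external-isa", "internal-isa"}  # hosts intended to span zones

def zones_of(addresses, zones=ZONES):
    """Return the set of zone names the given interface addresses sit in."""
    found = set()
    for addr in addresses:
        ip = ipaddress.ip_address(addr)
        found.update(name for name, net in zones.items() if ip in net)
    return found

def bridging_hosts(hosts=HOSTS, firewalls=FIREWALLS):
    """Non-firewall hosts with interfaces in more than one zone."""
    return sorted(h for h, addrs in hosts.items()
                  if h not in firewalls and len(zones_of(addrs)) > 1)

def exposure_path(start, target_zone, hosts=HOSTS, firewalls=FIREWALLS):
    """Shortest chain of hosts sharing a segment that links `start` to
    `target_zone` without passing through a firewall, or None.
    IP routing is not modelled: control of a host gives use of all its NICs."""
    queue, seen = deque([[start]]), {start}
    while queue:
        path = queue.popleft()
        here = zones_of(hosts[path[-1]])
        if target_zone in here:
            return path
        for other, addrs in hosts.items():
            if other not in seen and other not in firewalls and here & zones_of(addrs):
                seen.add(other)
                queue.append(path + [other])
    return None
```

With the constructed inventory, `bridging_hosts()` reports the staging server and `exposure_path("web", "internal")` returns the Web server followed by the staging server; giving the staging server a single DMZ interface removes both findings.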