Bugger ! ...as they would say in England. This seriously degrades the intelligence of ISA compared to other solutions. Could we only do stateful on at NAT DMZ I believe this Would be a much more attractive firewall. I`m inclined to to take this as an authorative Statement, but will of course do futher reseach :-) David -----Original Message----- From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] Sent: 30. oktober 2002 22:56 To: [ISAserver.org Discussion List] Subject: [isalist] RE: Stateful inspection http://www.ISAserver.org Hi David, No. That's why packet filters and trihomed DMZ (including public address DMZs), suck. :-) HTH, Tom Thomas W Shinder www.isaserver.org/shinder <http://www.isaserver.org/shinder> http://tinyurl.com/1jq1 <http://tinyurl.com/1jq1> http://tinyurl.com/1llp <http://tinyurl.com/1llp> -----Original Message----- From: David Elmquist [mailto:david@xxxxxxxxxx] Sent: Wednesday, October 30, 2002 3:23 PM To: [ISAserver.org Discussion List] Subject: [isalist] Stateful inspection http://www.ISAserver.org Lately, I`ve been asked to make a comparison between ISA and other firewalls, such as PIX and FW1. One thing that`s been nagging me, is the ability to have a DMZ and do stateful inspection on Traffic there. I`m aware that ISA does in fact do stateful inspection on traffic outbound traffic and Traffic initiated by published server rules. My question is this: Does ISA perform stateful inspection on traffic to a DMZ zone via packet filters ? The reason this is not obvious is the 3 types of traffic configurable in a packet filter; Inbound, Outbound and both. I`ve noticed that for example a filter like TCP 3389 inbound would allow Terminal services to be used on the ISA machine - but a typical oldfashined filtering firewall Would require a filter allowing both Inbound AND outbound access. Stateful inspection would Account for this. I`ve found no literature to back this up though...any thoughts ? Regards, David Elmquist ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Exchange Server Resource Site: http://www.msexchange.org/ Windows Security Resource Site: http://www.windowsecurity.com/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: david@xxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub')