RE: Why Tom recommended NOT to use a gateway for FW Clients
- From: "Thomas W. Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
- To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
- Date: Thu, 29 Nov 2001 15:02:49 -0600
Hi Armando,
I don't see what the point is of doing it this way, even if it did work.
Just use private addresses and keep those public addresses for your
external interface and DMZ.
HTH,
Tom
www.isaserver.org/shinder
----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, November 29, 2001 11:36
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
http://www.ISAserver.org
Yeah, but for example I have two IPs in my internal interface:
200.36.X.X and 10.2.0.102.
The primary IP is 200.36.X.X and the secondary is 10.2.0.102.
Although only the primary IP is the one that registers in WINS, so all the
pings made to ISA are replied by that IP.
But I can configure a SNAT client with IP 200.36.154.2 to use as default
gateway the IP 200.36.X.X
and also a client with IP 10.2.0.101 to use as default gateway the IP
10.2.0.102.
In that way the two clients can find the ISA server, because it's part of the
same subnet in both cases.
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 10:22 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
Ahh, but there's a "gotcha" there, too. ISA only uses the primary
(first-bound) IP as the secureNAT interface.
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/authors/harrison/
----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 28, 2001 18:57
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
You also can configure multiple IPs in the internal interface of the ISA
server, so any of your internal networks can always have a default gateway
pointing to the ISA's internal interface, without the need of configuring
routers and all of that stuff.
:)
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 7:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
If you have a routed network, then you need to look at:
http://www.isaserver.org/pages/tutorials/isanetworks.htm
Jim Harrison
MCP(NT4, 2K), A+, Network+, PCG
----- Original Message -----
From: "Armando Treviño López" <armando.trevino@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, November 28, 2001 11:54
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
Another issue is that if you configure all computers as SNAT clients, all IP
traffic is routed by the ISA server (not only internet, but also intranet
traffic if you have different networks in your LAN or WAN).
So maybe this will use more server resources.
I haven't tried so I don't know how much it affects.
What we are doing is configure SNAT only in Mac clients (which use AppleTalk
for internal communication, and IP only for internet).
In PC clients I think it is better to use firewall client.
Armando Treviño
-----Original Message-----
From: Brian Tirch [mailto:btirch@xxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 9:36 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
Put it this way, the firewall client will handle all TCP/UDP transactions and
that's about it. If you wish to do other things like ping (ICMP) or VPN
(GRE) then you need to be a SNAT client. So think of it as know what it
needs to be when using certain actions.
Brian Tirch
Entre Information Services
Mct,mcse4.0/2000,ccna,cca,a+,n+
-----Original Message-----
From: Nigel Carroll [mailto:nigel@xxxxxxxxxxxxxxx]
Sent: Wednesday, November 28, 2001 7:16 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Why Tom recommended NOT to use a gateway for FW Clients
I hear what you're saying Jim but my reading strongly suggests that even
if you config a default GW the FW client s\ware will intercept all calls
(inc DNS) and redirect to ISA anyway.
Muqeem suggested that it's best to give clients only one way out - again
I understand the logic Muqeem but again the FW client will intercept
anyway and in fact configuring your clients with a default GW may be a
good idea since they could fall back to a secureNAT client if something
goes wrong with the FW s\ware.
Any other suggestions?
Nigel
-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, 27 November 2001 23:07
Subject: Re: Why Tom recommended NOT to use a gateway for FW Clients
A host with a default route to the ISA via its default gateway becomes a
secureNAT client. If you don't want them to become secureNAT, don't point
their default gateways to the ISA server.
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
btirch@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')