Just because there is no "just one right way" of doing something does not mean that you should compromise with the "greater of two evils". That would be like going to the doctor for a broken toe and leaving without both of your legs. Did it fix your problem? Yeah, not going to break your toe ever again. Is it worth it in the long run? No, I like to be able to walk once in a while.

As far as "self-serving, elitist rhetoric" goes, I'm lost as to what you make reference against. I have seen companies spend upwards of $800,000+ in labor going over records and audit trails with 3-letter government agencies. Were they smart about how they had their stuff set up? Maybe. Did it work correctly? No, apparently not. Was it a Cisco device? A few times. Was it an ISA box? Yeah, a couple. Was it the hardware/software that was breached? I can confidently say no to both. In each instance both of them did EXACTLY what they were asked to do. In fact, one of the times a service was used to breach into the network was located on the ISA box that had absolutely NO REASON to be there. Needless to say, the ISA box behind it without that service not only stopped them dead in their tracks, but weathered the veritable storm of hacks that were thrown at it with great ease.

Last time I looked, a $750k+ ROI from adding a dedicated server is a good thing..... And that is how most of the real world runs, on money.... Secure, yes, fast, yes, cheap, yes...... 3 for 3 isn't bad at all....

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Tuesday, July 27, 2004 1:44 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

Unscrew the top of your head and let some light in.
It's exactly this sort of self-serving, elitist rhetoric that causes folks to feel like they "just can't do it". There isn't and never will be "just one right way" to do something. There are external factors that are not always controllable. Security is and will always be a balancing act between requirements, money and hardware resources. "Fast, Secure or cheap; choose two" is one of my favorite quotes.

Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://www.microsoft.com/isaserver
http://isaserver.org/Jim_Harrison
http://isatools.org
Read the help, books and articles!

----- Original Message -----
From: "Troy Radtke" <TRadtke@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Tuesday, July 27, 2004 06:31
Subject: [isalist] RE: 838376 - Cannot connect to a published service from the external network when the published service is running directly on the ISA Server 2004 computer

http://www.ISAserver.org

Which is why you'll never see anyone in their right mind running SBS who expects the same level of protection from a dedicated system. I forwarded that e-mail from Tom to the guys at work, and the first thing they did is say: Look at ISA! It's a piece of junk since you've gotta do a workaround just to make stuff even work on the box! You never have that problem with a PIX!

If your boss won't look at the cost justification of buying a low-end desktop to run a service, all I have to say to any financial institution is how much is the cost of an FDIC audit in terms of your labor? Pulling 50% of the IT staff into meetings with the FBI/FDIC/Secret Service (yes, the Secret Service is involved in these types of audits) for 2 months along with hiring a small army of people to produce all your audit trails for the past 7 years is by FAR more expensive than any server that I can think of....

What I was getting at in my first e-mail is that since you can't even install services on a PIX, you'd need to purchase or use another server anyways, which is why you should leave things off of an ISA box and just not even open yourself up to a service exploit.....

Troy