Re: Dedicated Firewall Mode.

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 4 Oct 2001 07:32:43 -0700

Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Administrator" <Administrator@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 04, 2001 7:15 AM
Subject: [isalist] Re: Dedicated Firewall Mode.


http://www.ISAserver.org


Jim,

The only reason we are trying to go for ISA is that we want more
security than just IP filtering. We can actually do packet filtering
using access lists on the router. We have already configured RRAS in any
case to allow routing between the two NICs on the server.
Everything is being routed at present using this server; the only thing is,
I have not implemented ISA.

* First, RRAS NAT (if you're using it) has to go.  ISA and RRAS will fight
over NAT control, with you coming out the loser.

1. What would happen if I implement ISA in a dedicated firewall mode?
* That's not quite as simple as it may sound; ISA introduces NAT when you
have "firewall-separated" networks.  If you don't want to use NAT between
them (breaks IPSec, among other things), then you have to use the "fake LAT"
technique introduced in the early days of ISA by Tom Shinder.  The only
problem with this is that you're back to packet filters again (although more
powerful than W2K IP filters).
2. What do I have to do to allow certain ports to go through and block
all others?
* That depends on your deployment choices; LAT-"external" scenario allows
protocol rules, server and web publishing, etc.  The "fake LAT" technique
limits your options to packet filters.
3. Do we need an ISA client on all the workstations / servers trying to
go through this firewall in either direction?
* For basic (SMTP, HTTP, etc.) protocols, not normally.  Other more complex
protocols (MSNIM, MMS, RTSP, etc.) work best with the fw client installed.
Also, user auth for non-web protocols is impossible without the fw client.

I will appreciate any help in this regard.

Thanks
Rami

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, October 03, 2001 2:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Dedicated Firewall Mode.


You may be better off using RRAS and IP filtering.  ISA
makes that kind of scenario difficult and
maintenance-intensive.

Jim Harrison
MCP(2K), A+, Network+, PCG


On Wed, 3 Oct 2001 11:03:55 -0700
 "Chhatwal, Raminder S." <RChhatwal@xxxxxxxxxxxxxxxxx>
wrote:
Hi all,

Is it possible to use ISA as a dedicated firewall router without having
to use firewall client software on the internal user workstations?

Basically I want to replace a Cisco router with an ISA with 2 NICs. I
am routing between 2 VLANs but need added security.

Thanks
RSC


------------------------------------------------------
You are currently subscribed to this ISAserver.org
Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to
$subst('Email.Unsub')

