Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Administrator" <Administrator@xxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, October 04, 2001 7:15 AM
Subject: [isalist] Re: Dedicated Firewall Mode.

http://www.ISAserver.org

Jim,

The only reason we are trying to go for ISA is that we want more security than just IP filtering. We can actually do packet filtering using access lists on the router. We have already configured RRAS in any case to allow routing between the two NICs on the server. Everything is being routed at present using this server, the only thing, I have not implemented ISA.

* First, RRAS NAT (if you're using it) has to go. ISA and RRAS will fight over NAT control, with you coming out the loser.

1. What would happen if I implement ISA in a dedicated firewall mode?

* That's not quite as simple as it may sound; ISA introduces NAT when you have "firewall-separated" networks. If you don't want to use NAT between them (breaks IPSec, among other things), then you have to use the "fake LAT" technique introduced in the early days of ISA by Tom Shinder. The only problem with this is that you're back to packet filters again (although more powerful than W2K IP filters).

2. What do I have to do to allow certain ports to go through and block all others?

* That depends on your deployment choices; LAT-"external" scenario allows protocol rules, server and web publishing, etc. The "fake LAT" technique limits your options to packet filters.

3. Do we need an ISA client on all the workstations / servers trying to go through this firewall in either direction?

* For basic (SMTP, HTTP, etc.) protocols, not normally. Other, more complex protocols (MSNIM, MMS, RTSP, etc.) work best with the fw client installed. Also, user auth for non-web protocols is impossible without the fw client.

I will appreciate any help in this regard.
Thanks
Rami

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, October 03, 2001 2:38 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: Dedicated Firewall Mode.

You may be better off using RRAS and IP filtering. ISA makes that kind of scenario difficult and maintenance-intensive.

Jim Harrison
MCP(2K), A+, Network+, PCG

On Wed, 3 Oct 2001 11:03:55 -0700 "Chhatwal, Raminder S." <RChhatwal@xxxxxxxxxxxxxxxxx> wrote:

Hi all,

Is it possible to use ISA as a dedicated firewall router without having to use firewall client software on the internal user workstations? Basically I want to replace a Cisco router with an ISA with 2 NICs. I am routing between 2 VLANs but need added security.

Thanks
RSC

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')