Simplify your life: IP Routing enables the Kernel mode data pump, which allows data to be transfered in kernel mode code, rather than switching between user mode and back again. So long as you keep IP Filtering enabled, ISA will only pass that traffic for which you create rules. Jim Harrison MCP(NT4, W2K), A+, Network+, PCG http://isaserver.org/Jim_Harrison/ http://isatools.org Read the help / books / articles! On Thu, 20 Nov 2003 22:04:51 -0700 "Steve Gerzabek" <steve.gerzabek@xxxxxxxxxxxx> wrote: http://www.ISAserver.org G'day all, I have done a Google search, isaserver.org, and books24x7.com search (also around 1000 emails in this weblist) and cannot find a clear description of the option "Enable IP routing" on the General tab of IP Packet Filters Properties, and what the security implications are if this option is enabled. The best I could find is: IP routing is like a conduit that simply moves traffic from one area to another; in this case IP routing moves traffic from the Internet through the firewall to your internal network. Without packet filtering, IP routing provides no protection whatsoever, routing any and all requests. It does, however, help to improve ISA Server?s performance and functionality (see Microsoft Knowledge Base article 279347, ?Enable IP Routing on ISA Server to Increase Performance,? at http:// support.microsoft.com, for one example Obviously I would like to increase ISA performance by having this option turned on but am not sure what the security implications are. One description I found says only enable this option for tri-homed ISA servers. This has left me stunned and confused. Can anyone help? My configuration: - 2 ISA servers in an Array, both installed in Integrated mode and only used for Outgoing access. Server publishing will never be used on these servers. - 2 NICS per server - 1 connected to Internal network, 1 connected to External network - Site and Content Rule - Allow any request to all external destinations (Websense is used to filter sites) - Protocol Rules - HTTP/HTTPS allowed and applied to group X, FTP (Download only) allowed and applied to group Y. - Packet filtering is enabled, as is Intrusion detection Regards, Steve. ------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Other Internet Software Marketing Sites: Leading Network Software Directory: http://www.serverfiles.com No.1 Exchange Server Resource Site: http://www.msexchange.org Windows Security Resource Site: http://www.windowsecurity.com/ Network Security Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: jim@xxxxxxxxxxxx To unsubscribe send a blank email to $subst('Email.Unsub') ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^* All mail from this domain is virus-scanned with RAV. www.ravantivirus.com ^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*^*