Internal network PC's go out a different ISA server altogether for Internet
via a business class high speed cable circuit I have specifically for client
Internet access. It's a 6 meg circuit that supports around 80 of my people,
and is working well. I don't commingle my business services in the DMZ with
outbound net access. That would be silly ;) The "client-server" ISA will
not affect Internet access.
t
http://www.ISAserver.org
How many hops does that make to the Internet for the Internal network PC's?
Amy
Harbor Computer Services Small Business Computer Specialists
Client Blog: http://smalltechnotes.blogspot.com/ Tech Blog: http://isainsbs.blogspot.com/ Website: http://www.harborcomputerservices.net/
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Wednesday, December 07, 2005 8:06 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: External Network Logic
http://www.ISAserver.org
OK- just so we're on the same page-- I'm not talking about my back-to-back DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for my FE Exchange server. That's done.
I'm not talking about a NEW box going into my internal network to physically separate client systems from server systems. That's the one I was talking about having 2 nics with no "External" resources. t
thehttp://www.ISAserver.org
This isn't a back-to-back config. This is a single server going in between my clients and my servers... There won't be a way to "NAT to
but inInternet" in that config as the only defined rule will be a route relationship from the Perimeter to the Internal.
I understand the concept that "Internet" is is the default gateway,
onthis case, there can't be a "Nat" relationship anywhere. t
----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 4:25 PM
Subject: [isalist] RE: External Network Logic
http://www.ISAserver.org
No, the Internet is always there, unless you're talking about a caponized ISA firewall (single NIC).
The Internet is reached via the NIC with the default gateway defined
externalit, which in a back to back config would be the internal interface of the FE ISA firewall.
There is one point of confusion induced by the UI -- and that's the ability to create an "external Network". There is no difference from the firewall's point of view between a perimeter Network and an
multinetworkingNetwork. So, you can create another external Network if you like, but its *exactly the same* as a perimeter network from ISA's
point of view. The default External Network is always there (exceptfor
connectionsthe unihomed ISA firewall).
For example, if a client on the default Internal Network connects to a host on the perimeter network between the ISA firewalls, the
theare routed and the source IP address is not replaced. If a host on the default internal Network connects to an IP addresses that is part of
default External Network (which is the Internet) the connection willbe
aNATed.
The ISA firewall's ability to enable control over your route relationships really does give you a lot of flexibility.
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls
-----Original Message----- From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] Sent: Wednesday, December 07, 2005 5:39 PM To: [ISAserver.org Discussion List] Subject: [isalist] RE: External Network Logic
http://www.ISAserver.org
One thing though, just so I understand-- How would I NAT to the Internet? There *is no* "Internet" per se in a 2 NIC config with both defined as ISA Firewall Networks, right? There would be route relationship from the Internal to the DMZ Perimeter. The Internet would only exist if an Interface was added and not defined elsewhere, correct? t
----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, December 07, 2005 3:01 PM
Subject: [isalist] RE: External Network Logic
http://www.ISAserver.org
The default External Network is defined as all addresses that defined by any other ISA firewall Network. So, there is still an external network, you just don't have any access to it, since you've created ISA firewall Networks for both the NIC (one for the default Internal Network and one for the ISA firewall Network representing the perimeter network NIC).
You can use this in a number of scenarios, like turning the DMZ between the BE and FE ISA firewall into an ISA firewall Network and creating
http://www.isaserver.org/pages/newsletter.asproute Network Rule between that and the default Internal Network, but still NAT'ing to the Internet. Pretty slick, eh?
Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?**
> -----Original Message----- > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > Sent: Wednesday, December 07, 2005 4:57 PM > To: [ISAserver.org Discussion List] > Subject: [isalist] External Network Logic > > http://www.ISAserver.org > > So, you've got ISA with 2 NIC's. You define the Internal > range on one NIC, > leaving the other NIC as "External." You then add a > perimeter network, and > give it the IP range of what used to be the "External" NIC. > What happens to > the concept of the External network since you now have a > trusted Internal > network and a less trusted "Perimeter" network, but no real > "External" > network anymore. Will it just be an "empty" network set > sitting there all > alone in the cold, cold ground? > > t > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter:
http://www.isaserver.org/pages/larticle.asp?type=FAQ> ISA Server FAQ:
> ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > >
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as:
http://www.webelists.com/cgi/lyris.pl?enter=isalistthor@xxxxxxxxxxxxxxx To unsubscribe visit
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as:
http://www.webelists.com/cgi/lyris.pl?enter=isalistthor@xxxxxxxxxxxxxxx To unsubscribe visit
Report abuse to listadmin@xxxxxxxxxxxxx
------------------------------------------------------ List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ ------------------------------------------------------ Visit TechGenix.com for more information about our other sites: http://www.techgenix.com ------------------------------------------------------ You are currently subscribed to this ISAserver.org Discussion List as: amy@xxxxxxxxxxxxxxxxxxxxxxxxxx To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist Report abuse to listadmin@xxxxxxxxxxxxx