RE: External Network Logic

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 8 Dec 2005 09:10:17 -0600

Rank has nothing to do with you. Once you're elected, you're a ruler.
Try it, you'll see.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

 

> -----Original Message-----
> From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> Sent: Thursday, December 08, 2005 8:52 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> So IT staff are equal to higher ranking members of the civil service
> then?
> 
> Amy
>  
> Harbor Computer Services
> Small Business Computer Specialists
>  
> Client Blog: http://smalltechnotes.blogspot.com/
> Tech Blog: http://isainsbs.blogspot.com/
> Website: http://www.harborcomputerservices.net/
>  
> 
>  
> 
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
> Sent: Thursday, December 08, 2005 9:35 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> Hi Amy,
> 
> Yes, like our public servants. You know, the ones we pay confiscatory
> income taxes to based on their representative good judgement.
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
>  
> 
> > -----Original Message-----
> > From: Amy Babinchak [mailto:amy@xxxxxxxxxxxxxxxxxxxxxxxxxx] 
> > Sent: Thursday, December 08, 2005 8:17 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: External Network Logic
> > 
> > http://www.ISAserver.org
> > 
> > But servers have no purpose other than to serve clients. In servitude
> > they must remain regardless of how "clean" you think you've made them.
> > 
> > Amy
> >  
> > Harbor Computer Services
> > Small Business Computer Specialists
> >  
> > Client Blog: http://smalltechnotes.blogspot.com/
> > Tech Blog: http://isainsbs.blogspot.com/
> > Website: http://www.harborcomputerservices.net/
> >  
> > 
> >  
> > 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> > Sent: Wednesday, December 07, 2005 8:52 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: External Network Logic
> > 
> > http://www.ISAserver.org
> > 
> > Man- what one typo can mess up...
> > 
> > I meant:
> > I am NOT talking about the back-to-back DMZ with an Exchange FE
> > Perimeter.
> > 
> > I AM talking about a new machine that goes between the clients' machines
> > and the servers.  That's all it does-- separates the filthy, nasty,
> > cesspool of festering client scum from my beautiful, clean, and perfectly
> > configured servers.
> > 
> > t
> > 
> > ----- Original Message ----- 
> > From: "Amy Babinchak" <amy@xxxxxxxxxxxxxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, December 07, 2005 5:07 PM
> > Subject: [isalist] RE: External Network Logic
> > 
> > 
> > http://www.ISAserver.org
> > 
> > How many hops does that make to the Internet for the Internal network
> > PC's?
> > 
> > Amy
> > 
> > Harbor Computer Services
> > Small Business Computer Specialists
> > 
> > Client Blog: http://smalltechnotes.blogspot.com/
> > Tech Blog: http://isainsbs.blogspot.com/
> > Website: http://www.harborcomputerservices.net/
> > 
> > 
> > 
> > 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Wednesday, December 07, 2005 8:06 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: External Network Logic
> > 
> > http://www.ISAserver.org
> > 
> > OK- just so we're on the same page-- I'm not talking about my back-to-back
> > DMZ config that does indeed have a DMZ Perimeter network on the BE ISA for
> > my FE Exchange server.  That's done.
> > 
> > I'm not talking about a NEW box going into my internal network to
> > physically separate client systems from server systems.  That's the one I
> > was talking about having 2 nics with no "External" resources.
> > t
> > 
> > 
> > 
> > ----- Original Message ----- 
> > From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
> > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > Sent: Wednesday, December 07, 2005 4:41 PM
> > Subject: [isalist] RE: External Network Logic
> > 
> > 
> > > http://www.ISAserver.org
> > >
> > > This isn't a back-to-back config.  This is a single server going in
> > > between my clients and my servers... There won't be a way to "NAT to the
> > > Internet" in that config as the only defined rule will be a route
> > > relationship from the Perimeter to the Internal.
> > >
> > > I understand the concept that "Internet" is the default gateway, but in
> > > this case, there can't be a "NAT" relationship anywhere.
> > > t
> > >
> > >
> > > ----- Original Message ----- 
> > > From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > > To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > > Sent: Wednesday, December 07, 2005 4:25 PM
> > > Subject: [isalist] RE: External Network Logic
> > >
> > >
> > > http://www.ISAserver.org
> > >
> > > No, the Internet is always there, unless you're talking about a
> > > caponized ISA firewall (single NIC).
> > >
> > > The Internet is reached via the NIC with the default gateway defined on
> > > it, which in a back to back config would be the internal interface of
> > > the FE ISA firewall.
> > >
> > > There is one point of confusion induced by the UI -- and that's the
> > > ability to create an "external Network".  There is no difference from
> > > the firewall's point of view between a perimeter Network and an external
> > > Network. So, you can create another external Network if you like, but
> > > it's *exactly the same* as a perimeter network from ISA's multinetworking
> > > point of view. The default External Network is always there (except for
> > > the unihomed ISA firewall).
> > >
> > > For example, if a client on the default Internal Network connects to a
> > > host on the perimeter network between the ISA firewalls, the connections
> > > are routed and the source IP address is not replaced. If a host on the
> > > default Internal Network connects to an IP address that is part of the
> > > default External Network (which is the Internet) the connection will be
> > > NATed.
> > >
> > > The ISA firewall's ability to enable control over your route
> > > relationships really does give you a lot of flexibility.
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://spaces.msn.com/members/drisa/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > >
> > >> -----Original Message-----
> > >> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> Sent: Wednesday, December 07, 2005 5:39 PM
> > >> To: [ISAserver.org Discussion List]
> > >> Subject: [isalist] RE: External Network Logic
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> One thing though, just so I understand-- How would I NAT to the
> > >> Internet? There *is no* "Internet" per se in a 2 NIC config with both
> > >> defined as ISA Firewall Networks, right?  There would be a route
> > >> relationship from the Internal to the DMZ Perimeter.  The Internet would
> > >> only exist if an Interface was added and not defined elsewhere, correct?
> > >> t
> > >>
> > >> ----- Original Message ----- 
> > >> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> > >> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> > >> Sent: Wednesday, December 07, 2005 3:01 PM
> > >> Subject: [isalist] RE: External Network Logic
> > >>
> > >>
> > >> http://www.ISAserver.org
> > >>
> > >> The default External Network is defined as all addresses not defined by
> > >> any other ISA firewall Network. So, there is still an external network,
> > >> you just don't have any access to it, since you've created ISA firewall
> > >> Networks for both NICs (one for the default Internal Network and one
> > >> for the ISA firewall Network representing the perimeter network NIC).
> > >>
> > >> You can use this in a number of scenarios, like turning the DMZ between
> > >> the BE and FE ISA firewall into an ISA firewall Network and creating a
> > >> route Network Rule between that and the default Internal Network, but
> > >> still NAT'ing to the Internet. Pretty slick, eh?
> > >>
> > >> Thomas W Shinder, M.D.
> > >> Site: www.isaserver.org
> > >> Blog: http://spaces.msn.com/members/drisa/
> > >> Book: http://tinyurl.com/3xqb7
> > >> MVP -- ISA Firewalls
> > >> **Who is John Galt?**
> > >>
> > >>
> > >>
> > >> > -----Original Message-----
> > >> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > >> > Sent: Wednesday, December 07, 2005 4:57 PM
> > >> > To: [ISAserver.org Discussion List]
> > >> > Subject: [isalist] External Network Logic
> > >> >
> > >> > http://www.ISAserver.org
> > >> >
> > >> > So, you've got ISA with 2 NIC's.  You define the Internal range on
> > >> > one NIC, leaving the other NIC as "External."  You then add a
> > >> > perimeter network, and give it the IP range of what used to be the
> > >> > "External" NIC.  What happens to the concept of the External network
> > >> > since you now have a trusted Internal network and a less trusted
> > >> > "Perimeter" network, but no real "External" network anymore?  Will it
> > >> > just be an "empty" network set sitting there all alone in the cold,
> > >> > cold ground?
> > >> >
> > >> > t
> > >> >
> > >> >
> > >> > ------------------------------------------------------
> > >> > List Archives: 
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> > ISA Server Newsletter:
> > http://www.isaserver.org/pages/newsletter.asp
> > >> > ISA Server FAQ:
> > http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > >> > ------------------------------------------------------
> > >> > Visit TechGenix.com for more information about our other sites:
> > >> > http://www.techgenix.com
> > >> > ------------------------------------------------------
> > >> > You are currently subscribed to this ISAserver.org Discussion
> > >> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > >> > To unsubscribe visit
> > >> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > >> > Report abuse to listadmin@xxxxxxxxxxxxx
> > >> >
> > >> >
> > >>
> > >
> > 
> > 
> 

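The multinetworking logic Shinder lays out in the quoted replies (the default External Network is whatever no other ISA Firewall Network claims, a route Network Rule preserves the source address, a NAT rule hides it behind the egress NIC, and the Internet is reached via the NIC that carries the default gateway) written up as a small Python model. This is an added example for this thread, not ISA's own code and not code from any poster. The network names, address ranges (10.0.0.0/24, 10.0.1.0/24, 192.168.100.0/24, 203.0.113.10) and rules are constructed for illustration, and the model deliberately simplifies ISA: rules are evaluated in order with first match winning, route rules apply in both directions, NAT rules in one. It builds both configurations discussed in the thread: Thor's two-NIC box between clients and servers, and the back-end ISA of a back-to-back pair with the DMZ defined as a Network.

```python
# Added example: simplified model of ISA Server 2004 multinetworking.
# Not ISA code; addresses, names and rules are constructed for illustration.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Sequence

ROUTE = "route"
NAT = "NAT"
EXTERNAL = "External"   # the built-in default External Network, always present


@dataclass(frozen=True)
class FirewallNetwork:
    """An ISA Firewall Network: a name plus the address ranges assigned to it."""
    name: str
    ranges: tuple                 # e.g. ("10.0.0.0/24",)


@dataclass(frozen=True)
class NetworkRule:
    """An ordered Network Rule: which Networks talk to which, and how."""
    name: str
    sources: frozenset
    destinations: frozenset
    relationship: str             # ROUTE or NAT


@dataclass(frozen=True)
class Interface:
    address: str
    default_gateway: Optional[str] = None


class IsaFirewall:
    def __init__(self, networks: Sequence[FirewallNetwork],
                 rules: Sequence[NetworkRule], interfaces: Sequence[Interface]):
        self.networks = list(networks)
        self.rules = list(rules)            # evaluated in order; first match wins
        self.interfaces = list(interfaces)

    def network_of(self, ip: str) -> str:
        """Map an address to the Network that claims it; everything else is External."""
        addr = ip_address(ip)
        for net in self.networks:
            if any(addr in ip_network(r) for r in net.ranges):
                return net.name
        return EXTERNAL   # no defined Network claims it, so it is External by definition

    def relationship(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """ROUTE, NAT, or None when no Network Rule joins the two Networks."""
        src, dst = self.network_of(src_ip), self.network_of(dst_ip)
        for rule in self.rules:
            if src in rule.sources and dst in rule.destinations:
                return rule.relationship
            # A route rule also applies in the reverse direction; a NAT rule does not.
            if rule.relationship == ROUTE and src in rule.destinations and dst in rule.sources:
                return ROUTE
        return None

    def interface_toward(self, network: str) -> Optional[Interface]:
        """NIC used to reach a Network; for External, the one holding the default gateway."""
        if network == EXTERNAL:
            return next((i for i in self.interfaces if i.default_gateway), None)
        return next((i for i in self.interfaces if self.network_of(i.address) == network), None)

    def forward(self, src_ip: str, dst_ip: str) -> Optional[str]:
        """Source address the destination sees, or None if the firewall has no path."""
        rel = self.relationship(src_ip, dst_ip)
        if rel is None:
            return None
        egress = self.interface_toward(self.network_of(dst_ip))
        if egress is None:
            return None   # Network exists (External always does) but nothing reaches it
        return src_ip if rel == ROUTE else egress.address


def thor_two_nic_box() -> IsaFirewall:
    """Thor's box between clients and servers: both NICs in defined Networks, no gateway."""
    nets = [FirewallNetwork("Internal", ("10.0.0.0/24",)),
            FirewallNetwork("Perimeter", ("10.0.1.0/24",))]
    rules = [NetworkRule("Clients to servers", frozenset({"Internal"}),
                         frozenset({"Perimeter"}), ROUTE)]
    return IsaFirewall(nets, rules, [Interface("10.0.0.1"), Interface("10.0.1.1")])


def back_end_isa() -> IsaFirewall:
    """BE ISA of a back-to-back pair: DMZ as a Network, routed to Internal, NAT to Internet."""
    nets = [FirewallNetwork("Internal", ("10.0.0.0/24",)),
            FirewallNetwork("DMZ", ("192.168.100.0/24",))]
    rules = [NetworkRule("Internal to DMZ", frozenset({"Internal"}), frozenset({"DMZ"}), ROUTE),
             NetworkRule("Internet access", frozenset({"Internal"}), frozenset({EXTERNAL}), NAT)]
    # External NIC sits in the DMZ subnet; its default gateway is the FE ISA's internal NIC.
    nics = [Interface("10.0.0.1"), Interface("192.168.100.2", default_gateway="192.168.100.1")]
    return IsaFirewall(nets, rules, nics)


if __name__ == "__main__":
    for label, fw in (("two-NIC box", thor_two_nic_box()), ("back-end ISA", back_end_isa())):
        for dst in ("10.0.1.20", "192.168.100.10", "203.0.113.10"):
            print(label, "10.0.0.50 ->", dst, fw.network_of(dst), fw.forward("10.0.0.50", dst))
```

Running it shows the two points the thread circles around: on the two-NIC box an Internet address still classifies as External, but with no Network Rule to it and no default gateway there is simply no path, so the Network is there and unusable; on the back-end ISA the same Internal client reaches a DMZ host with its own source address and the Internet behind the external NIC's address.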
