Hey Tim,

That's such a compelling scenario I think I'll write a detailed article series on how I would do it. Oh wait, I did :)

http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

GMT.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> Sent: Wednesday, December 07, 2005 5:32 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
>
> http://www.ISAserver.org
>
> Good-- that's what I was thinking...
>
> Now that my new DMZ (Including a way cool FE Exchange Server DMZ Perimeter ;) is complete, I was contemplating using this type of config (2 NICS representing Internal and Perimeter networks with no "actual" External network) for my next project of deploying ISA between my clients and servers.
>
> In this way, I would treat all the users as the Perimeter, and my servers as Internal. I would only allow specific services from the Perimeter to the specific servers necessary. My only concern was that I really wanted to filter HTTP traffic to my internal web servers, so I was thinking of some sort of "external" implementation where I could publish using the filters. But as you so correctly pointed out last night, even the access rule will use the HTTP filter between the two networks. So doing it this way really makes it tight.
>
> I just wanted to make sure that doing this (no external network) wasn't going to cause a rift in the temporal vortex.
>
> Does anyone see anything wrong with doing it this way???
>
> t
>
> ----- Original Message -----
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 3:01 PM
> Subject: [isalist] RE: External Network Logic
>
> The default External Network is defined as all addresses that defined by any other ISA firewall Network. So, there is still an external network, you just don't have any access to it, since you've created ISA firewall Networks for both the NIC (one for the default Internal Network and one for the ISA firewall Network representing the perimeter network NIC).
>
> You can use this in a number of scenarios, like turning the DMZ between the BE and FE ISA firewall into an ISA firewall Network and creating a route Network Rule between that and the default Internal Network, but still NAT'ing to the Internet. Pretty slick, eh?
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Wednesday, December 07, 2005 4:57 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] External Network Logic
> >
> > So, you've got ISA with 2 NIC's. You define the Internal range on one NIC, leaving the other NIC as "External." You then add a perimeter network, and give it the IP range of what used to be the "External" NIC. What happens to the concept of the External network since you now have a trusted Internal network and a less trusted "Perimeter" network, but no real "External" network anymore. Will it just be an "empty" network set sitting there all alone in the cold, cold ground?
> >
> > t
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx