RE: External Network Logic

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 7 Dec 2005 18:18:28 -0600

Hey Tim,

That's such a compelling scenario I think I'll write a detailed article
series on how I would do it. Oh wait, I did :)

http://www.isaserver.org/tutorials/Configure-ISA-2004-Network-Services-Segment-Perimeter-Firewall-Part1.html

GMT.

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls


> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Wednesday, December 07, 2005 5:32 PM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: External Network Logic
> 
> http://www.ISAserver.org
> 
> Good-- that's what I was thinking...
> 
> Now that my new DMZ (including a way cool FE Exchange Server DMZ
> Perimeter ;) is complete, I was contemplating using this type of config
> (2 NICs representing Internal and Perimeter networks with no "actual"
> External network) for my next project of deploying ISA between my
> clients and servers. In this way, I would treat all the users as the
> Perimeter, and my servers as Internal. I would only allow specific
> services from the Perimeter to the specific servers necessary. My only
> concern was that I really wanted to filter HTTP traffic to my internal
> web servers, so I was thinking of some sort of "external"
> implementation where I could publish using the filters. But as you so
> correctly pointed out last night, even the access rule will use the
> HTTP filter between the two networks. So doing it this way really makes
> it tight.
> 
> I just wanted to make sure that doing this (no external network) wasn't
> going to cause a rift in the temporal vortex.
> 
> Does anyone see anything wrong with doing it this way???
> 
> t
> 
> 
> 
> ----- Original Message ----- 
> From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
> To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
> Sent: Wednesday, December 07, 2005 3:01 PM
> Subject: [isalist] RE: External Network Logic
> 
> 
> http://www.ISAserver.org
> 
> The default External Network is defined as all addresses not defined by
> any other ISA firewall Network. So, there is still an external network,
> you just don't have any access to it, since you've created ISA firewall
> Networks for both NICs (one for the default Internal Network and one for
> the ISA firewall Network representing the perimeter network NIC).
> 
> You can use this in a number of scenarios, like turning the DMZ between
> the BE and FE ISA firewall into an ISA firewall Network and creating a
> route Network Rule between that and the default Internal Network, but
> still NAT'ing to the Internet. Pretty slick, eh?
> 
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
> 
> 
> 
> > -----Original Message-----
> > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
> > Sent: Wednesday, December 07, 2005 4:57 PM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] External Network Logic
> >
> > http://www.ISAserver.org
> >
> > So, you've got ISA with 2 NICs.  You define the Internal range on one
> > NIC, leaving the other NIC as "External."  You then add a perimeter
> > network, and give it the IP range of what used to be the "External"
> > NIC.  What happens to the concept of the External network since you
> > now have a trusted Internal network and a less trusted "Perimeter"
> > network, but no real "External" network anymore.  Will it just be an
> > "empty" network set sitting there all alone in the cold, cold ground?
> >
> > t
> >
> >
> > ------------------------------------------------------
> > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > ------------------------------------------------------
> > Visit TechGenix.com for more information about our other sites:
> > http://www.techgenix.com
> > ------------------------------------------------------
> > You are currently subscribed to this ISAserver.org Discussion
> > List as: tshinder@xxxxxxxxxxxxxxxxxx
> > To unsubscribe visit
> > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > Report abuse to listadmin@xxxxxxxxxxxxx
> >
> >
> 
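The point Tom makes in the quoted reply (the default External Network is whatever address space no other ISA firewall Network claims, so it never disappears, it just ends up owning no NIC) is easy to check by computing it. The following is an added example, not code from the list, from ISA Server or from Microsoft: it models the ISA 2004 definition as the complement of the defined Network ranges within 0.0.0.0/0 and then asks which NICs land in External. The Network names, the 10.0.0.0/24 and 192.168.100.0/24 ranges, the NIC addresses and the function names are all assumptions made up for the example.

```python
"""Model ISA 2004's default External Network as the complement of all
other defined ISA firewall Networks, and check where each NIC lands.

Added example; the topology below is constructed for illustration and is
not taken from the mailing-list thread.
"""
import ipaddress
from typing import Dict, Iterable, List

IPv4Net = ipaddress.IPv4Network

# Constructed sample topology (assumption): a two-NIC ISA box where both
# NICs belong to explicitly defined ISA firewall Networks, i.e. Thor's
# "no actual External network" layout.
SAMPLE_NETWORKS: Dict[str, List[str]] = {
    "Internal": ["10.0.0.0/24"],         # default Internal Network
    "Perimeter": ["192.168.100.0/24"],   # range that used to be the External NIC
}
SAMPLE_NICS: Dict[str, str] = {
    "Internal NIC": "10.0.0.1",
    "Perimeter NIC": "192.168.100.1",
}


def external_network(networks: Dict[str, Iterable[str]]) -> List[IPv4Net]:
    """Return the default External Network the way ISA 2004 defines it:
    every IPv4 address that is not part of any other ISA firewall Network.
    Implemented as 0.0.0.0/0 with each defined range carved out."""
    remaining: List[IPv4Net] = [ipaddress.ip_network("0.0.0.0/0")]
    for cidrs in networks.values():
        for cidr in cidrs:
            claimed = ipaddress.ip_network(cidr, strict=True)
            carved: List[IPv4Net] = []
            for block in remaining:
                if claimed.subnet_of(block):
                    # Punch the claimed range out of this block; CIDR blocks
                    # nest, so the remainder is again a set of CIDR blocks.
                    carved.extend(block.address_exclude(claimed))
                elif block.subnet_of(claimed):
                    pass  # block lies entirely inside a defined Network: drop it
                else:
                    carved.append(block)  # disjoint: keep as is
            remaining = carved
    return sorted(ipaddress.collapse_addresses(remaining))


def network_for(ip: str, networks: Dict[str, Iterable[str]]) -> str:
    """Name of the ISA firewall Network an address belongs to.
    Anything no defined Network claims is, by definition, External."""
    addr = ipaddress.ip_address(ip)
    for name, cidrs in networks.items():
        if any(addr in ipaddress.ip_network(c) for c in cidrs):
            return name
    return "External"


def nics_in_external(nics: Dict[str, str],
                     networks: Dict[str, Iterable[str]]) -> List[str]:
    """NICs whose address falls into the External Network, i.e. the
    interfaces through which External is actually reachable."""
    return [name for name, ip in nics.items()
            if network_for(ip, networks) == "External"]


def external_size(networks: Dict[str, Iterable[str]]) -> int:
    """Number of addresses left in External after carving out the others."""
    return sum(n.num_addresses for n in external_network(networks))


if __name__ == "__main__":
    # Thor's layout: both NICs are in defined Networks. External still holds
    # almost the entire IPv4 space, but no interface sits in it.
    print("External blocks:", len(external_network(SAMPLE_NETWORKS)),
          "covering", external_size(SAMPLE_NETWORKS), "addresses")
    print("NICs in External:", nics_in_external(SAMPLE_NICS, SAMPLE_NETWORKS))

    # The classic layout: only Internal is defined, so the second NIC is
    # External and Internet traffic flows through it.
    classic = {"Internal": ["10.0.0.0/24"]}
    print("NICs in External (classic):", nics_in_external(SAMPLE_NICS, classic))
```

With both NICs assigned to explicit Networks the External Network is the whole IPv4 space minus 512 addresses, yet `nics_in_external` is empty, which is the "still exists, just unreachable" state Tom describes; define only Internal and the second NIC falls back into External. Because ISA also uses these Network definitions for spoof detection (a packet arriving on a NIC from a source address outside that NIC's Network is dropped as spoofed), the ranges you define must match the real topology on each side, or legitimate traffic on the Perimeter NIC will be discarded rather than filtered.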

