Thanks Jim,

I was so sure that making the web server a SNAT client instead of a winsock client would resolve my problem, and that is why I picked up ISA and started working on it. But as I said, using server publishing is not good, as it forwards the internet client IP address to the web server. Now that is what the problem is. Our internal firewall drops all those packets and I can't change that policy on that firewall (that is not possible at all). So I started looking at SSL bridging options, but overhead was my worry; or, secondly, have ISA configured the same way as Proxy 2.0 is configured.

If you have any questions do let me know. I want to be sure that what I wrote is understandable.

Thanks
Shobha

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, July 19, 2001 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FW: "ISA" Recommended practices

http://www.ISAserver.org

A bit impatient? ;-P
Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Sharma, Shobha" <c-ssharma@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 19, 2001 9:21 AM
Subject: [isalist] FW: "ISA" Recommended practices

Still waiting for some suggestions!!!!!!!!!!!!!

-----Original Message-----
From: Sharma, Shobha [mailto:c-ssharma@xxxxxxxxxxx]
Sent: Thursday, July 19, 2001 9:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] "ISA" Recommended practices

Hi All,

Currently we are working with multiple SSL-enabled applications which are published to the internet, and we are using Proxy 2.0. But as that needs to be updated, I am exploring all possible options with ISA server and trying to find the best solution for our environment.
As the recommended solution:

a) I am going to put all applications together and host them as links from the master web site (one certificate); each application is configured as a virtual directory and SSL is enabled on that directory. The master web site default page is non-SSL (currently each app. is an independent site and configured with Proxy 2.0 server publishing).

* Bear in mind that any denial of a site for any reason will block that whole site for HTTPS.

b) We are using the server publishing feature of Proxy 2.0, so our web server is a winsock client.

* You can (should) drop the winsock client on all back-end servers and make sure they're all secureNAT clients (http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm and http://www.isaserver.org/pages/tutorials/isanetworks.htm refer).

c) There is an internal firewall between the proxy and the web server which accepts all the connections from the Proxy server.

* ISA can replace this for you, unless you prefer to keep it separate.

I need to upgrade or replace the proxy with ISA (or maybe some other server if ISA doesn't meet the requirement). I worked with server publishing on ISA, but that is not good as it forwards the internet client IP address to the web server and our internal firewall drops it. I tried web publishing and used SSL bridging; ISA does decryption and re-encryption and the overhead involved will be high, approx. 3-5 secs per transaction.

* If you're seeing 3-5 secs per SSL transaction, you have other issues on that server. I've personally tested ISA (firewall mode) with SSL and am able to produce 150+ TPS without an accelerator card.

All the applications we are hosting are public applications and we foresee a lot of traffic in the next 6 months. So I am not sure whether SSL bridging is best for us or not. The third option is to use ISA the same way we are working with Proxy 2.0: install the firewall client (which is the winsock client) on the web server and go ahead with that.
* Don't use the winsock client with ISA; make the web / app servers secureNAT clients and enjoy the ride.

Please give me some suggestions on what solution I should adopt. Also, how to improve performance and fault tolerance? Should I use NLB for fault tolerance? How to enable reverse caching, or is it enabled by default?

* Reverse caching is enabled only for web publishing.
* You should do some reading in Tom's book, at the Learning Zone on http://isaserver.org, and check out the whitepapers at http://microsoft.com/isaserver/. There's a wealth of information to be had out there...

Thanks in advance.

Shobha Sharma
Office of Information Systems
Bureau of Technology Engineering
Room 13c Willow Oak Bldg, Box 2675
Harrisburg, PA 17105-2675
717-772-7204 Desk

------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: c-ssharma@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
To customise your settings for the list, kindly visit http://www.webelists.com/cgi/lyris.pl?enter=isalist