Re: FW: "ISA" Recommended practices

  • From: "Sharma, Shobha" <c-ssharma@xxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 20 Jul 2001 11:51:16 -0400

Thanks Jim,

I was so sure that making the web server a SNAT client instead of a winsock
client will resolve my problem, and that is why I picked up ISA and started
working on it. But as I said, using server publishing is not good as it
forwards the internet client IP address to the web server. Now that is what the
problem is. Our internal firewall drops all those packets and I can't change
that policy on that firewall (that is not possible at all). So I started
looking at SSL bridging options, but overhead was my worry, or secondly have
ISA the same way as Proxy 2.0 is configured.
If you have any questions do let me know.... I want to be sure that what I
wrote is understandable.....

Thanks

Shobha



-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Thursday, July 19, 2001 2:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: FW: "ISA" Recommended practices


http://www.ISAserver.org


A bit impatient?  ;-P

Inline...

Jim Harrison
MCP(2K), A+, Network+, PCG

----- Original Message -----
From: "Sharma, Shobha" <c-ssharma@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, July 19, 2001 9:21 AM
Subject: [isalist] FW: "ISA" Recommended practices




Still waiting for some suggestions!!!!!!!!!!!!!

-----Original Message-----
From: Sharma, Shobha [mailto:c-ssharma@xxxxxxxxxxx]
Sent: Thursday, July 19, 2001 9:49 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] "ISA" Recommended practices





Hi All,

Currently we are working with multiple SSL-enabled applications which are
published to the internet and we are using Proxy 2.0. But as that needs to
be updated, I am exploring all possible options with ISA Server and trying
to find the best solution for our environment.
As the recommended solution:

a) I am going to put all applications together and host them as links from
the master web site (one certificate), and each application is configured as
a virtual directory and SSL is enabled on that directory. The master web site
default page is non-SSL (currently each app is an independent site and
configured with Proxy 2.0 server publishing)

* Bear in mind that any denial of a site for any reason will block that
whole site for HTTPS.

b) We are using server publishing feature of Proxy 2.0 so our web server is
a winsock client

* you can (should) drop the winsock client on all back-end servers and make
sure they're all secureNAT clients
(http://www.isaserver.org/shinder/tutorials/designing_an_isa_server_solution_on_a%20_simple_network.htm
and http://www.isaserver.org/pages/tutorials/isanetworks.htm refer)

c) there is an internal firewall between proxy and web server which accepts
all the connections from Proxy server

* ISA can replace this for you, unless you prefer to keep it separate.

I need to upgrade or replace Proxy with ISA (or maybe some other server if
ISA doesn't meet the requirement).
I worked with server publishing on ISA but that is not good as it forwards
the internet client IP address to the web server and our internal firewall drops
it. I tried web publishing and used SSL bridging, and ISA does decryption
and re-encryption, and the overhead involved will be high, approx. 3-5 secs
per transaction.

* If you're seeing 3-5 secs per SSL transaction, you have other issues on
that server.  I've personally tested ISA (firewall mode) with SSL and am
able to produce 150+ TPS without an accelerator card.

All the applications we are hosting are public applications
and we foresee a lot of traffic in the next 6 months. So I am not sure whether SSL
bridging is best for us or not. The third option is to use ISA the same way we
are working with Proxy 2.0, so install the firewall client (which is the winsock
client) on the web server and go ahead with that.

* Don't use the winsock client with ISA; make the web / app servers
secureNAT clients and enjoy the ride.

Pls give me some suggestions what solution I should adopt. Also how to
improve performance and fault tolerance. Should I use NLB for fault
tolerance? How to enable reverse caching or is it enabled by default?

* reverse caching is enabled only for web publishing

* you should do some reading in Tom's book, at the Learning Zone on
http://isaserver.org and check out the whitepapers at
http://microsoft.com/isaserver/.  There's a wealth of information to be had
out there...

Thanks in advance.


Shobha Sharma
Office of Information Systems
Bureau of Technology Engineering
Room 13c Willow Oak Bldg, Box 2675
Harrisburg, PA 17105-2675
717-772-7204 Desk






------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
c-ssharma@xxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
To customise your settings for the list, kindly visit
http://www.webelists.com/cgi/lyris.pl?enter=isalist
