RE: FW1 between ISA and internal network

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 18 Dec 2002 15:07:54 -0600

Hi Howard,

There's no reason why you can't do it this way. You'll have two DMZ
segments, an "external" DMZ and an "internal" DMZ. If all three of these
machines were ISA Servers, it would be very easy to publish internal
network Exchange RPC, SMTP, NNTP, OWA, etc. But I don't believe
Checkpoint has the Application layer intelligence to handle the task
without making Swiss cheese out of the Checkpoint boxes.

Another reason to put the ISA Server on the LAN edge is that you can
leverage user/group based outbound and inbound access control. If you
open up the VPN ports and protocols on the two Checkpoint boxes in front
of the ISA Server on the LAN's edge, you can have an unlimited number of
inbound VPN connections to the ISA Server without paying a penny more.
Can you say the same with Checkpoint?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

 
 


-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 2:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW1 between ISA and internal network



Yes, you read the subject correctly. The project team I am on has a
person on it who thinks he is a firewall god. With my proposal to
implement ISA server to publish our internal Exchange servers to the
world came a backlash of defiance. This guy does not give ISA any
respect and doesn't even consider it to be a firewall that can stand on
its own. The guy wants me to put my ISA server between two Checkpoint
firewalls. Yes you read correctly, he wants to put a firewall between
two firewalls. Why, I don't know. Probably because he's defensive about
his Checkpoint and doesn't want to lose control of it or something.
Anyway, can someone give me a good solid reason that will be worth
putting in my gun and shooting as to why this should NOT be done.

Is there any reason at all, technically, that ISA has to be connected to
the same segment as the Exchange servers? Any reason at all? Say for the
secure connection to OWA, SMTP, POP3, IMAP, NNTP, anything at all??

TIA and HELP!!!!

Howard
