What was wrong with the reasons I provided? Do I need to draw packet diagrams to make them technical? :-)

HTH,
Tom

-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx]
Sent: Wednesday, December 18, 2002 4:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network

http://www.ISAserver.org

I guess I should clarify what I'm referring to.

What he wants:
INET---FW1---ISA---FW1---Internal network/Exchange

What I want:
INET---FW1---ISA---Internal network/Exchange

I need a good reason that will stand on its own as to why ISA should be connected to the internal network. He's saying it doesn't have to be and doesn't want it to be, but I'm saying it should be. IMO, there's no reason to duplicate layers when it won't do any good and all it will do is create redundancy. I know that and most others know that, but I need a good technical reason to stand on to defend ISA and have it connected to the inside without the other FW1 in its way.

Thanks!
Howard

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx]
Sent: Wednesday, December 18, 2002 4:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network

Hi Howard,

There's no reason why you can't do it this way. You'll have two DMZ segments, an "external" DMZ and an "internal" DMZ. If all three of these machines were ISA Servers, it would be very easy to publish internal network Exchange RPC, SMTP, NNTP, OWA, etc. But I don't believe Checkpoint has the Application layer intelligence to handle the task without making Swiss cheese out of the checkbox boxes.

Another reason to put the ISA Server on the LAN edge is that you can leverage user/group based outbound and inbound access control.

If you open up the VPN ports and protocols on the two Checkpoint boxes in front of the ISA Server on the LAN's edge, you can have an unlimited number of inbound VPN connections to the ISA Server without paying a penny more. Can you say the same with Checkpoint?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx]
Sent: Wednesday, December 18, 2002 2:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW1 between ISA and internal network

Yes, you read the subject correctly. The project team I am on has a person on it who thinks he is a firewall god. With my proposal to implement ISA server to publish our internal Exchange servers to the world came a backlash of defiance. This guy does not give ISA any respect and doesn't even consider it to be a firewall that can stand on its own. The guy wants me to put my ISA server between two Checkpoint firewalls. Yes, you read correctly, he wants to put a firewall between two firewalls. Why, I don't know. Probably because he's defensive about his Checkpoint and doesn't want to lose control of it or something.

Anyway, can someone give me a good solid reason that will be worth putting in my gun and shooting as to why this should NOT be done. Is there any reason at all, technically, that ISA has to be connected to the same segment as the Exchange servers? Any reason at all? Say for the secure connection to OWA, SMTP, POP3, IMAP, NNTP, anything at all??

TIA and HELP!!!!
Howard

List Sponsored by Aspelle
Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server and the Internet to quickly and cost-effectively manage and deliver secure, client-less access to all corporate applications (Web, Unix, Windows and legacy systems), for all users.
More info at http://www.aspelle.com/info
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')