RE: FW1 between ISA and internal network

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 18 Dec 2002 17:56:38 -0600

What was wrong with the reasons I provided? Do I need to draw packet
diagrams to make them technical? :-)

HTH,
Tom

-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 4:10 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network


http://www.ISAserver.org


I guess I should clarify what I'm referring to.


What he wants:
INET---FW1---ISA---FW1---Internal network/Exchange

What I want:
INET---FW1---ISA---Internal network/Exchange


I need a good reason that will stand on its own as to why ISA should be
connected to the internal network. He's saying it doesn't have to be and
doesn't want it to be but I'm saying it should be. IMO, there's no
reason to duplicate layers when it won't do any good and all it will do
is create redundancy. I know that and most others know that but I need a
good technical reason to stand on to defend ISA and have it connected to
the inside without the other FW1 in its way.

Thanks!
Howard


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 4:08 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: FW1 between ISA and internal network




Hi Howard,

There's no reason why you can't do it this way. You'll have two DMZ
segments, an "external" DMZ and an "internal" DMZ. If all three of these
machines were ISA Servers, it would be very easy to publish internal
network Exchange RPC, SMTP, NNTP, OWA, etc. But I don't believe
Checkpoint has the Application layer intelligence to handle the task
without making Swiss cheese out of the checkbox boxes.

Another reason to put the ISA Server on the LAN edge is that you can
leverage user/group based outbound and inbound access control. If you
open up the VPN ports and protocols on the two Checkpoint boxes in front
of the ISA Server on the LAN's edge, you can have an unlimited number of
inbound VPN connections to the ISA Server without paying a penny more.
Can you say the same with Checkpoint?

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
http://tinyurl.com/1jq1
http://tinyurl.com/1llp

 
 


-----Original Message-----
From: Howard Griffith [mailto:hgriffith@xxxxxxxxxx] 
Sent: Wednesday, December 18, 2002 2:34 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] FW1 between ISA and internal network




Yes, you read the subject correctly. The project team I am on has a
person on it who thinks he is a firewall god. With my proposal to
implement ISA server to publish our internal Exchange servers to the
world came a backlash of defiance. This guy does not give ISA any respect
and doesn't even consider it to be a firewall that can stand on its own.
The guy wants me to put my ISA server between two checkpoint firewalls.
Yes you read correctly, he wants to put a firewall between two firewalls.
Why, I don't know. Probably because he's defensive about his checkpoint
and doesn't want to lose control of it or something. Anyway, can someone
give me a good solid reason that will be worth putting in my gun and
shooting as to why this should NOT be done.

Is there any reason at all, technically, that ISA has to be connected to
the same segment as the Exchange servers? Any reason at all? Say for the
secure connection to OWA, SMTP, POP3, IMAP, NNTP, anything at all??

TIA and HELP!!!!

Howard

List Sponsored by Aspelle
Aspelle's Microsoft-centric, Aspelle Everywhere, leverages ISA server
and the Internet to quickly and cost-effectively manage and deliver
secure, client-less access to all corporate applications (Web, Unix,
Windows and legacy systems), for all users.
More info at http://www.aspelle.com/info

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Exchange Server Resource Site: http://www.msexchange.org/
Windows Security Resource Site: http://www.windowsecurity.com/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')
