Gee Tom, you broke the rule, no preaching.

John T

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Thomas W Shinder
Sent: Friday, October 12, 2007 1:17 PM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help with access rules (no preaching please)

I don't want to step into something that I have no knowledge whatsoever about, but shouldn't the add-on vendor have some very explicit instructions on how to configure this?

Tom

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Roy Tsao
Sent: Friday, October 12, 2007 11:01 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help with access rules (no preaching please)

ISA shall be placed as downstream if authentication is required but I am still wondering if such downstream scenario works because IWSS and ISA seem looped on same machine.

----- Original Message -----
From: Jim Harrison <mailto:Jim@xxxxxxxxxxxx>
To: isalist@xxxxxxxxxxxxx
Sent: Friday, October 12, 2007 9:56 PM
Subject: [isalist] Re: Help with access rules (no preaching please)

Amy,

Actually, that's not true. In the context of the traffic flow from the client to the endpoint server, ISA _is_ either "upstream" or "downstream" from IWSS, regardless of where IWSS is installed.

..lemme 'splain:

Traffic doth flow thusly: (ISA downstream)
Client --> ISA --> IWSS --> Web Server

..or thusly: (ISA upstream)
Client --> IWSS --> ISA --> Web Server

It doesn't matter that the two applications share the same processor space; the traffic still flows serially. In either case, ISA policies will determine whether or not IWSS gets the traffic, but the simpler scenario is defined when ISA is "upstream" from IWSS because you don't have to configure (and manage) ISA web chaining rules to accomplish the task.

Jim

_____

From: isalist-bounce@xxxxxxxxxxxxx [isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Amy Babinchak [amy@xxxxxxxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, October 12, 2007 6:03 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Re: Help with access rules (no preaching please)

Nathan,

Your ISA box is neither upstream nor downstream because you are installing on the same box. This means, using your example, that your rule would be localhost to external. You are going to have to interpret the instructions to your situation.

Amy

From: isalist-bounce@xxxxxxxxxxxxx [mailto:isalist-bounce@xxxxxxxxxxxxx] On Behalf Of Nathan
Sent: Friday, October 12, 2007 12:37 AM
To: isalist@xxxxxxxxxxxxx
Subject: [isalist] Help with access rules (no preaching please)

Hi,

I have a need to install ISA 2006 SE on the same box as Trend Micro's IWSS. We don't have enough hardware to install on 2 separate pieces of hardware. I am having trouble setting this up with either the ISA being an upstream or downstream server. I am not sure which way is best. There are 2 KB articles on the Trend site saying how to install in either situation.

ISA upstream
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-126115&id=EN-126115

ISA downstream
http://esupport.trendmicro.com/support/viewxml.do?ContentID=EN-124425&id=EN-124425

We want ISA to do the authenticating.

This is the screen that you edit the IWSS properties

I just can't seem to get this to work. Are there any special Access Rules that you need to set up to have IWSS pass traffic to ISA? To have ISA as upstream all the doc above says is to open Internal to External, but this doesn't seem to work. I have tried to find sites with other products that do the same kind of thing, but nothing seems to make this work. We had this working with ISA 2000 but 2006 this is way different.
This is a fresh ISA install. All help really appreciated.

Thanks
Nathan
Lara, Vic, Australia