Re: ISA Design Question: Best Practice

  • From: "Jim Harrison" <jim@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 28 May 2003 17:09:52 -0700

The question of good practice depends largely on how much responsibility for
the "safety" of your guests you're willing to assume.  Regardless of the
content of the "warning page", someone could successfully claim not to
understand it in a court of law.
Frankly, I'd create a sandbox-net for them behind ISA and create Client
address set rules for them.
They could be any kind of client they want, but user-auth is out (have to
manage local-ISA users).
You'd also have to configure your router/switches to support specific IP
configurations for those clients.

 Jim Harrison
 MCP(NT4, W2K), A+, Network+, PCG
 http://www.microsoft.com/isaserver
 http://isaserver.org/Jim_Harrison
 http://isatools.org

 Read the help, books and articles!
----- Original Message ----- 
From: "David V. Dellanno" <ddellanno@xxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Wednesday, May 28, 2003 06:33
Subject: [isalist] Re: ISA Design Question: Best Practice


http://www.ISAserver.org


Hi Jim,
I know it came out wrong in the explanation, and sorry for the
repeated statement. The reason why I ask this question was that I
visited this March at the Fairmont Royal York in Toronto, Ontario and
the Hilton in the suburbs (no, I don't have SARS).  They had their
internet serviced by Cisco, in each room a small Cisco router (this was
at the Fairmont, I forgot what model it was, but the Hilton just
provided cat5 cable) but once connected to it, you are automatically
connected to a webpage (this is the hotel's service agreement and
internet access choices).  You have a choice to either be behind a
firewall with a private IP or a public IP with no firewall protection.
I thought this was a good idea to provide such a service and delegate
the two types of configurations to the guest and contractors with no
administration needed but I don't quite understand how this can be done?
Is this a good practice or not?

-----Original Message-----
From: Jim Harrison [mailto:jim@xxxxxxxxxxxx]
Sent: Wednesday, May 28, 2003 9:17 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] Re: ISA Design Question: Best Practice




The required lack of tasking makes this impossible.
Are you sure you're not willing to do something besides wiggle your
nose?
;-)

Two relatively simple options:
1. give them a VLAN on your external switch and tell them that they're
   completely exposed.
2. hand each one of them their assigned IP settings via script and use
   Client Address Sets.  Also, make sure your routers know that these IPs
   can only see a path to ISA and DNS (so they can find ISA).


  Jim Harrison
  MCP(NT4, W2K), A+, Network+, PCG
  http://isaserver.org/Jim_Harrison/
  http://isatools.org
  Read the help / books / articles!



