RE: ISA Proxy only and DNS configuration; additional proxy services?

  • From: "Quillman Shawn (RBNA/CIT7)" <Shawn.Quillman@xxxxxxxxxxxx>
  • To: "'[ISAserver.org Discussion List]'" <isalist@xxxxxxxxxxxxx>
  • Date: Fri, 12 Jul 2002 15:41:48 -0500

See below

-Shawn

-----Original Message-----
From: Richardson, Stephan [mailto:steric@xxxxxxxxxx]
Sent: Friday, July 12, 2002 4:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA Proxy only and DNS configuration; additional
proxy services?


http://www.ISAserver.org


I want to install an ISA server in proxy mode only just for web caching,
content control, etc.   I also want to run my internal DNS zone on this
server as well.  Caveats to this configuration?  

-- Should be ok in cache only mode, no problems I can think of.

Can it be done (everything
I have browsed always discusses using a separate DNS server(s))?  Why or why
not?

-- Yes, it can

Is there any advantage to using an integrated mode with both NICs
internal for basically proxy only services?

-- Advantage: tighter security.  Disadvantage: more complex configuration

In proxy mode only, can I proxy other services besides http/ftp/gopher like
RealAudio, Quicktime, and other streaming media?  What if these media types
are tunneled through http?

-- Yes, but must be tunneled through http.  No support for other protocols
in cache only mode

  Can I permit/control them on a per-user basis
related to content type within the http stream if tunneled?  

-- Yes.  Create a content group then a site and content rule based on that
content group and the security groups / accounts for your users.  Keep in
mind: most players only support basic authentication.  RealOne claims to,
but there's a problem where if you have basic and another scheme enabled it
will fail.  They will apparently have a fix for this built into the next
release due out sometime this summer.  Quicktime stores proxy passwords in
its options menu in a regular text box (not *******, like a password
box)...  Good job Apple, nice and secure.  Maybe this has been fixed, I
haven't looked in a little while.  And if you have a virus scanning server
for web content (such as Trend Interscan WebProtect), Windows Media formats
come across as mime type application/octet-stream.  Most scanners that I've
seen you can set to not scan specific mime types.  But .exe's (and other
program files) come across as application/octet-stream as well which means
you wouldn't be scanning them (bad).  So what happens is the virus scanner
buffers the stream until it can scan it for viruses which means you'll just
be sitting there for a long time (until the entire stream is downloaded and
scanned) staring at your Media Player if you're trying to play a lengthier
clip.

If I have no
control over those other protocols except with integrated mode, can this be
done with just 2 internal NICs (none facing a DMZ or Internet)?  

-- Huh?

Already
have working firewalls, no need for more, but I want to use ISA for proxy
services and maintain control over those other protocols, like IM,
RealAudio, etc.

Stephan
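
Added example, not part of the original thread and not a configuration of ISA Server or any scanning product: the reply above notes that Windows Media streams and .exe downloads both arrive as application/octet-stream, so exempting that MIME type from scanning exempts both. The sketch below puts that weak policy beside one that decides from the first bytes of the body; the function names and the "stream" / "buffer-and-scan" labels are hypothetical, and the samples are constructed.

```python
# Added illustration; function names and policy labels are hypothetical,
# not settings of ISA Server or any scanning product.
ASF_HEADER_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # starts .asf/.wmv/.wma
PROGRAM_MAGIC = {b"MZ": "pe-executable", b"\x7fELF": "elf-executable",
                 b"PK\x03\x04": "zip-archive"}
MEDIA_TYPES = {"application/octet-stream", "video/x-ms-asf",
               "video/x-ms-wmv", "audio/x-ms-wma"}


def declared_type(content_type):
    """Strip parameters such as '; charset=...' and normalise case."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff(body_prefix):
    """Classify a response by its leading bytes, ignoring the declared type."""
    if body_prefix.startswith(ASF_HEADER_GUID):
        return "asf-media"
    for magic, kind in PROGRAM_MAGIC.items():
        if body_prefix.startswith(magic):
            return kind
    return "unknown"


def naive_decision(content_type):
    """Weak policy: exempt a MIME type from scanning. Executables ride along."""
    if declared_type(content_type) == "application/octet-stream":
        return "stream"
    return "buffer-and-scan"


def sniffing_decision(content_type, body_prefix):
    """Stream only when the bytes look like ASF; everything else is scanned."""
    if declared_type(content_type) in MEDIA_TYPES and sniff(body_prefix) == "asf-media":
        return "stream"
    return "buffer-and-scan"


# Constructed samples: (name, Content-Type header, first bytes of the body)
SAMPLES = [
    ("clip.wmv", "application/octet-stream", ASF_HEADER_GUID + b"\x00" * 8),
    ("setup.exe", "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("short.bin", "Application/Octet-Stream; x=1", b"\x30\x26"),  # too short to judge
]

if __name__ == "__main__":
    for name, ctype, prefix in SAMPLES:
        print(name, naive_decision(ctype), sniffing_decision(ctype, prefix))
```

A leading-bytes check is a heuristic: content exempted this way still reaches the player unscanned, so it narrows the bypass rather than replacing scanning.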
