See below

-Shawn

-----Original Message-----
From: Richardson, Stephan [mailto:steric@xxxxxxxxxx]
Sent: Friday, July 12, 2002 4:17 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] ISA Proxy only and DNS configuration; additional proxy services?

http://www.ISAserver.org

I want to install an ISA server in proxy mode only just for web caching, content control, etc. I also want to run my internal DNS zone on this server as well. Caveats to this configuration?

-- Should be ok in cache only mode, no problems I can think of.

Can it be done (everything I have browsed always discusses using a separate DNS server(s))? Why or why not?

-- Yes, it can

Is there any advantage to using an integrated mode with both NICs internal for basically proxy only services?

-- Advantage: tighter security. Disadvantage: more complex configuration

In proxy mode only, can I proxy other services besides http/ftp/gopher like RealAudio, Quicktime, and other streaming media? What if these media types are tunneled through http?

-- Yes, but must be tunneled through http. No support for other protocols in cache only mode

Can I permit/control them on a per-user basis related to content type within the http stream if tunneled?

-- Yes. Create a content group then a site and content rule based on that content group and the security groups / accounts for your users.

Keep in mind: most players only support basic authentication. RealOne claims to, but there's a problem where if you have basic and another scheme enabled it will fail. They will apparently have a fix for this built into the next release due out sometime this summer.

Quicktime stores proxy passwords in its options menu in a regular text box (not *******, like a password box)... Good job Apple, nice and secure. Maybe this has been fixed, I haven't looked in a little while.

And if you have a virus scanning server for web content (such as Trend Interscan WebProtect), Windows Media formats come across as mime type application/octet-stream. Most scanners that I've seen you can set to not scan specific mime types. But .exe's (and other program files) come across as application/octet-stream as well, which means you wouldn't be scanning them (bad). So what happens is the virus scanner buffers the stream until it can scan it for viruses, which means you'll just be sitting there for a long time (until the entire stream is downloaded and scanned) staring at your Media Player if you're trying to play a lengthier clip.

If I have no control over those other protocols except with integrated mode, can this be done with just 2 internal NICs (none facing a DMZ or Internet)?

-- Huh?

Already have working firewalls, no need for more, but I want to use ISA for proxy services and maintain control over those other protocols, like IM, RealAudio, etc.

Stephan
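
The application/octet-stream problem described in the reply above, as an added example that is not part of the original message or of any scanner product: it compares a scan exemption keyed on the declared MIME type with one keyed on the first bytes of the body. Checking leading bytes is a technique introduced here for illustration; the function names and sample responses are constructed.

```python
# Added illustration: why a MIME-type scan exemption is too coarse, and a
# content-sniffing alternative. All names and sample data are constructed.
ASF_GUID = bytes.fromhex("3026b2758e66cf11a6d900aa0062ce6c")  # ASF (WMV/WMA) header object
PE_MAGIC = b"MZ"                                              # DOS/PE executable header

def sniff(head: bytes) -> str:
    """Coarse container type from the first bytes of the response body."""
    if head.startswith(ASF_GUID):
        return "asf-media"
    if head.startswith(PE_MAGIC):
        return "executable"
    return "unknown"

def by_mime(content_type: str, exempt) -> str:
    """Weak policy: exempt anything whose declared MIME type is on the list."""
    declared = content_type.split(";")[0].strip().lower()
    return "pass-through" if declared in exempt else "buffer-and-scan"

def by_content(head: bytes) -> str:
    """Stricter policy: stream only bodies that start like ASF media;
    executables and anything unrecognised are still buffered and scanned."""
    return "pass-through" if sniff(head) == "asf-media" else "buffer-and-scan"

# Constructed samples: (name, declared Content-Type, first bytes of body).
SAMPLES = [
    ("clip.wmv", "application/octet-stream", ASF_GUID + b"\x00" * 8),
    ("setup.exe", "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("renamed.wmv", "application/octet-stream", b"MZ\x90\x00\x03\x00\x00\x00"),
    ("page.html", "text/html; charset=utf-8", b"<!DOCTYPE html>"),
]

def compare(samples, exempt=frozenset({"application/octet-stream"})):
    """Return (name, decision by MIME type, decision by content) per sample."""
    return [(n, by_mime(ct, exempt), by_content(h)) for n, ct, h in samples]

if __name__ == "__main__":
    for row in compare(SAMPLES):
        print("%-12s mime=%-16s content=%s" % row)
```

The leading bytes identify only the container format, so a stream passed through on this basis is still unscanned; the check narrows the exemption, it does not replace scanning.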