Thanks Jim. So, in other words packet filters are similar to non-application aware packet filtering firewalls? ISA treats the packet filters like a traditional firewall rather than an advanced firewall. Is that right?

HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 2:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

http://www.ISAserver.org

ISA packet filters are the "dumbest" form of protection. Since they literally know nothing more than IP protocol/Port, they have no way of validating the traffic.

Frankly, any application that sends "connect to me" invitations is not to be trusted - especially on the firewall itself.

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 11:26
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

I don't understand. The requests from the gotomypc will still pass through an ISA packet filter in "Outbound" direction, and is talking SSL to a secure server. All connections are initiated by the host running the gotomypc. How is this any different from a regular PC in the network sending out connections to any other Internet site? How is it a security hole? The client initiates a request through the ISA, and ISA opens the port for the client and serves the connection. Authentication is controlled at every level of Gotomypc.

Be more specific with your comments.....They are rather vague...

HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 2:07 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

Yep - this is what we need; a process running on the firewall that's asking a remote, unknown (to the firewall) service if there's anyone asking for a connection.

..that's my definition of secure; yup-yup...

-------------------------------------------------------
Jim Harrison
MCP(NT4, W2K), A+, Network+, PCG
http://isaserver.org/Jim_Harrison/
http://isatools.org
Read the help / books / articles!
-------------------------------------------------------

-----Original Message-----
From: Periyasamy, Raj [mailto:Raj.Periyasamy@xxxxxxxxxxxx]
Sent: Friday, April 08, 2005 10:59
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

Just been reading this thread, and the first impression I got is no one knows how exactly gotomypc client/server components integrate and work. Unlike a published service through ISA firewall, gotomypc does not wait to listen for incoming requests, rather gotomypc "pings" a pre-registered secure broker Server to check if any secure authenticated sessions are awaiting to be serviced. In my opinion, this is as secure or more secure than having RDP enabled in an Internet facing host. Read this article for detailed info. By the way Gotomypc is a company owned by Citrix, I don't think Citrix would market an insecure product, considering the reputation Citrix has earnt worldwide.

https://www.gotomypc.com/downloads/pdf/m/GoToMyPC_Personal_Overview.pdf

HTH.
Regards,
Raj Periyasamy
Systems Administrator
MCSE(Messaging), CCNA

-----Original Message-----
From: Greg Mulholland [mailto:greg@xxxxxxxxxxxxxx]
Sent: Friday, April 08, 2005 4:50 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

Ok then, mine too

-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Friday, April 08, 2005 11:40 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

mee2

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

-----Original Message-----
From: Jim Harrison [mailto:Jim@xxxxxxxxxxxx]
Sent: Thursday, April 07, 2005 8:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

..and me.

Bear in mind that every networking application you add to (and make available from) your firewall increases the attack surface. HTTP applications have proven (regardless of author) to be the best attractor of 'Net meanies.

Get rid of that applet-like toy...

-----Original Message-----
From: Steve Moffat [mailto:steve@xxxxxxxxxx]
Sent: Thursday, April 07, 2005 4:30 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: ISA newbie with remote administration questions

And me

S

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Thursday, April 07, 2005 7:50 PM
To: ISA Mailing List
Subject: [isalist] RE: ISA newbie with remote administration questions

While it may expand your knowledge, it will decrease your security... RDP is more secure, and easier to control as a separate protocol/port than bundling different services within a single protocol like HTTP.
You also won't have to screw around with combined filters/rules (you said Win2k, but did not specify ISA2k, but I'm assuming that is what you meant) or proxy settings. So while this does not specifically answer your question, it does give you a better, faster, more secure alternative. Personally, I would never even consider putting GMPC on my ISA server for remote admin when TS is a far better way to go - but that's me.

t

------
*Secure your infrastructure*
Microsoft Ninjitsu: Securely Deploying MS Technologies security training delivered by Timothy Mullen.
Registration now open for Blackhat Seattle 2005:
http://www.blackhat.com/html/training-seattle-05/train-bh-sea-05-tm.html

----- Original Message -----
From: "Jeffry Nimeroff" <jeffry.nimeroff@xxxxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Thursday, April 07, 2005 3:16 PM
Subject: [isalist] RE: ISA newbie with remote administration questions

> Personal choice. I am not a big fan of Remote Desktop.
>
> Also, I always like to participate in exercises that expand my knowledge,
> and figuring out why the ISA box itself doesn't have the same privileges
> (in terms of outbound connectivity) as the other boxes behind it is just
> such an exercise. I have already test installed GMPC on two other
> machines at my client.
>
> ------------------------------------------------------
> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> ------------------------------------------------------
> Other Internet Software Marketing Sites:
> World of Windows Networking: http://www.windowsnetworking.com
> Leading Network Software Directory: http://www.serverfiles.com
> No.1 Exchange Server Resource Site: http://www.msexchange.org
> Windows Security Resource Site: http://www.windowsecurity.com/
> Network Security Library: http://www.secinf.net/
> Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
> ------------------------------------------------------
> You are currently subscribed to this ISAserver.org Discussion List as: thor@xxxxxxxxxxxxxxx
> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> Report abuse to listadmin@xxxxxxxxxxxxx