RE: Need help with unusual configuration

  • From: "Dan Bartley" <bartleyd@xxxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 5 Nov 2003 22:04:47 -0500

I appreciate the time you are taking to help. I can wait :-)

Best Regards, 

Dan Bartley



  _____  

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, November 05, 2003 21:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

 

http://www.ISAserver.org

I have about 6 different things going right now.

 

Something does not sound quite right. 

 

I will get back to this later when I can think about it.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, November 05, 2003 6:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

 


Thank you John.

 

So, if I understand: no DMZ, 2 internal interfaces and one external
interface that talks to the PIX on a private subnet not in the LAT. It
will let me restrict communication between the internal interfaces, as
well as the external. Will this work if the server subnet does not use
ISA as its gateway? We don't want to restrict the servers from
communicating at will, they just need to be protected, and we prefer to
keep them gatewayed through the PIX for various reasons. 

 

One last question if you do not mind, I am considering replacing my
current win2k VPN server behind another PIX with ISA also acting as a
new VPN server. Will the above allow the VPN connections to talk to both
internal interfaces according to filters I set up?

 

Best Regards, 

Dan Bartley

  _____  

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, November 05, 2003 20:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

 


Use 2 internal NICs, one for each subnet. Then you can configure the
rules using ISA as the enforcer.

 

John Tolmachoff

Engineer/Consultant/Owner

eServices For You

 

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@xxxxxxxxxxxxxxxxxxx] 
Sent: Wednesday, November 05, 2003 4:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Need help with unusual configuration

 


Here is the scenario. I have 2 private networks, talking on basically
the same physical segment. The CTO wants to restrict access to certain
internal servers as well as certain external sites. Everything is
currently behind a PIX firewall. The domain controllers and all other
servers are on 1 private subnet and the workstations on another. In
order for the ISA server to authenticate access rules by users and
itself, it needs to talk to a domain controller. The only way I could
get this to work was to include the server subnet in the LAT. However
that seems to prevent me from making rules that restrict access to
servers on that subnet.

They also want to use the caching features.

Should I be using a DMZ? Will putting the server subnet on a DMZ still
allow the ISA to authenticate against the domain controllers? Is there a
way to make rules for something that is in the LAT but is on the external
interface?

We want to restrict the PIX to only allow the ISA to route through it,
preventing anyone from using anything but the ISA as their gateway.

Any thoughts or direction for resource material would be greatly
appreciated.

Best Regards, 

 

Dan Bartley

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')

