I appreciate the time you are taking to help. I can wait :-)

Best Regards,
Dan Bartley

_____

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 21:48
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

http://www.ISAserver.org

I have about 6 different things going right now. Something does not sound quite right. I will get back to this later when I can think about it.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 6:35 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

Thank you John.

So, if I understand: no DMZ, 2 internal interfaces and one external interface that talks to the PIX on a private subnet not in the LAT. It will let me restrict communication between the internal interfaces, as well as the external. Will this work if the server subnet does not use ISA as its gateway? We don't want to restrict the servers from communicating at will, they just need to be protected, and we prefer to keep them gatewayed through the PIX for various reasons.

One last question if you do not mind, I am considering replacing my current win2k VPN server behind another PIX with ISA also acting as a new VPN server. Will the above allow the VPN connections to talk to both internal interfaces according to filters I set up?

Best Regards,
Dan Bartley

_____

From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 20:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

Use 2 internal NICs, one for each subnet. Then you can configure the rules using ISA as the enforcer.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 4:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Need help with unusual configuration

Here is the scenario. I have 2 private networks, talking on basically the same physical segment. The CTO wants to restrict access to certain internal servers as well as certain external sites. Everything is currently behind a PIX firewall. The domain controllers and all other servers are on 1 private subnet and the workstations on another.

In order for the ISA server to authenticate access rules by users and itself, it needs to talk to a domain controller. The only way I could get this to work was to include the server subnet in the LAT. However that seems to prevent me from making rules that restrict access to servers on that subnet. They also want to use the caching features.

Should I be using a DMZ? Will putting the server subnet on a DMZ still allow the ISA to authenticate against the domain controllers? Is there a way to make rules for something in the LAT, but is on the external interface? We want to restrict the PIX to only allow the ISA to route through it, preventing anyone from using anything but the ISA as their gateway.

Any thoughts or direction for resource material would be greatly appreciated.

Best Regards,
Dan Bartley

------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to $subst('Email.Unsub')