RE: Need help with unusual configuration : Clarification

  • From: pip.bennington@xxxxxxxxxxxxx
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 6 Nov 2003 15:51:05 +1300

Small clarification for us beginners: you now have 3 NICs in your ISA
Server?

Call it left field, but wouldn't you be better off using a VLAN to protect
those internal servers instead of 2 subnets?
And by using the 2 NICs in ISA, is that like creating a DMZ?

Thanx

Pip Bennington
E-mail: pip.bennington@xxxxxxxxxxxxx

-----Original Message-----
From: "Dan Bartley" <bartleyd@xxxxxxxxxxrrier.com>
Sent: 06/11/03 15:35
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
cc:
Subject: [isalist] RE: Need help with unusual configuration
Please respond to "[ISAserver.org Discussion List]"

http://www.ISAserver.org
Thank you John.

So, if I understand. No DMZ, 2 internal interfaces and one external
interface that talks to the PIX on a private subnet not in the LAT. It will
let me restrict communication between the internal interfaces, as well as
the external. Will this work if the server subnet does not use ISA as its
gateway? We don't want to restrict the servers from communicating at will,
they just need to be protected, and we prefer to keep them gatewayed
through the PIX for various reasons.

One last question if you do not mind, I am considering replacing my current
win2k VPN server behind another PIX with ISA also acting as a new VPN
server. Will the above allow the VPN connections to talk to both internal
interfaces according to filters I set up?



Best Regards,

Dan Bartley


From: John Tolmachoff (Lists) [mailto:johnlist@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 20:12
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Need help with unusual configuration

Use 2 internal NICs, one for each subnet. Then you can configure the rules
using ISA as the enforcer.

John Tolmachoff
Engineer/Consultant/Owner
eServices For You

-----Original Message-----
From: Dan Bartley [mailto:bartleyd@xxxxxxxxxxxxxxxxxxx]
Sent: Wednesday, November 05, 2003 4:49 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Need help with unusual configuration



Here is the scenario. I have 2 private networks, talking on basically the
same physical segment. The CTO wants to restrict access to certain internal
servers as well as certain external sites. Everything is currently behind a
PIX firewall. The domain controllers and all other servers are on 1 private
subnet and the workstations on another. In order for the ISA server to
authenticate access rules by users and itself, it needs to talk to a domain
controller. The only way I could get this to work was to include the server
subnet in the LAT. However that seems to prevent me from making rules that
restrict access to servers on that subnet.


They also want to use the caching features.


Should I be using a DMZ? Will putting the server subnet on a DMZ still
allow the ISA to authenticate against the domain controllers? Is there a
way to make rules for something in the LAT, but is on the external
interface?


We want to restrict the PIX to only allow the ISA to route through it,
preventing anyone from using anything but the ISA as their gateway.


Any thoughts or direction for resource material would be greatly
appreciated.


Best Regards,



Dan Bartley
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
johnlist@xxxxxxxxxxxxxxxxxxx
To unsubscribe send a blank email to leave-isalist-1668503D@xxxxxxxxxxxxx
------------------------------------------------------