RE: PIX 515e and ISA 2000 (I know, I know)

  • From: "cdx47" <extra_net@xxxxxxxxxxx>
  • To: isalist@xxxxxxxxxxxxx
  • Date: Wed, 8 Mar 2006 08:07:07 -0700

That's the annoying thing. Neither of them says anything is wrong. The OS
logs including DNS have no errors. ISA logs have no errors. When things
like this happen my boss gets angry with me and says "but there must be a
reason" and all I can say to him is yes, but since I have nothing in the
logs and nothing has changed (as far as I know) what can I say.

Anyway to be honest, going back to my original question, I just wanted to
know people's experiences on the board. How do you combine the excellent
SMTP filtering, OWA publishing etc. features of ISA with PIX raw power and
stability? I would like to use the PIX as the Internet firewall. I will
turn off message guard and maybe a few others if necessary. I would like
to use the PIX VPN and still use WinXP clients to connect to it (I have
already tested this). I want for example to do exchange over HTTP but for
that I either need to upgrade to 2004 or remove ISA and just open the
relevant ports on PIX. Can I do this with ISA 2000 in place, for example?

I am no longer in troubleshooting mode. I just want a solution that is
"stable" even if it means a little more complication on the way. The
easiest solution would be to remove ISA completely and it is tempting but
I do know the advantages of ISA.

> What do the logs say?? Both ISA and event.
> 
> -----Original Message-----
> From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> Sent: Wednesday, March 08, 2006 10:44 AM
> To: ISA Mailing List
> Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> 
> http://www.ISAserver.org
> 
> Ok here goes
> Steve: in answer to your question. I have nothing else installed on my
> ISA box. I've been configuring ISA for 3 years now. I bought both of Tom's
> books so I have some idea of what I am doing.
> 
> Tom: You surprise me. I know you are busy so I will forgive you for
> completely missing the point. I don't have the PIX installed yet. Just
> ISA.
> 
> Alex: Me too. I think that maybe they are so used to being bashed over
> the head with the software firewall thing that it's just a conditioned
> reaction triggered by certain keywords e.g. PIX. I want to use ISA, I just
> realise it has its own limitations. I'm sure 2004 overcomes many of them
> but in the end it's still on a PC running on a general purpose OS. So I
> wanted to combine the best of both.
> 
> Ho hum
> 
> > ... uh.. .what?
> >
> > I fail to see how a PIX is easier to use than ISA... and I also fail
> > to understand the whole point, in general. I fail at a lot of things
> > today. May I ask for enlightenment?
> >
> > -----Original Message-----
> > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > Sent: March 8, 2006 08:18
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> >
> > http://www.ISAserver.org
> >
> > Here's a core fact you can take to the dopes who think a hardware
> > firewall is more secure:
> >
> > Security is inversely proportional to ease of use and accessibility
> >
> > Therefore, if you can understand the PIX and make it access the
> > content your users want, you've proven the PIX is nothing but a
> > security illusion and you're doing your company a disservice if you
> > can't prove that I'm incorrect.
> >
> > BTW -- you have done *nothing* to demonstrate that the ISA firewall is
> > the problem here.  At this point, I have as much positive proof that
> > the pix server is the problem.
> >
> > Thomas W Shinder, M.D.
> > Site: www.isaserver.org
> > Blog: http://blogs.isaserver.org/shinder/
> > Book: http://tinyurl.com/3xqb7
> > MVP -- ISA Firewalls
> >
> > -----Original Message-----
> > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > Sent: Wednesday, March 08, 2006 1:03 AM
> > To: [ISAserver.org Discussion List]
> > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> >
> > http://www.ISAserver.org
> >
> > Now I'm really tempted to just remove ISA completely (see below). I
> > currently have ISA running on win2k3 sp1. Should I downgrade to win2k?
> > It seemed to be a little more stable on that OS.
> >
> > Again this morning, for no reason DNS stopped responding. I restarted
> > the DNS service and nothing happened. I checked the ISP's DNS and
> > everything was fine. I rebooted ISA and everything came back. I'm quite
> > frankly fed up with this. I know 2004 is supposed to be more stable
> > but I can't justify the extra spend especially as most people still
> > think hardware firewall equals more secure and Microsoft Firewall
> > equals reboot (in the case of ISA 2000 I agree).
> >
> > > In that case, please proceed. :)
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > > -----Original Message-----
> > > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > > Sent: Tuesday, March 07, 2006 8:31 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > >
> > > http://www.ISAserver.org
> > >
> > > Well, unless I misread, he asked how to make ISA 2000 and PIX play
> > > nice, so it is not entirely irrelevant...
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: March 7, 2006 09:25
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > >
> > > http://www.ISAserver.org
> > >
> > > You're asking how to configure a dreaded PIX here?
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > > -----Original Message-----
> > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > Sent: Tuesday, March 07, 2006 8:11 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] PIX 515e and ISA 2000 (I know, I know)
> > >
> > > http://www.ISAserver.org
> > >
> > > Hi all
> > >
> > > I didn't really get any answers to my ISA VPN question so I just gave up
> > > and I will install a PIX. For some reason the ISA VPN connects but I
> > > can't see the internal lan. I'm not sure if I need a static route on
> > > the ISA box or not. But to be honest this is the last straw. I've
> > > been using ISA for 3 years. Feature wise very good. Configuration very easy.
> > > Stability.......
> > > Anyway I would like to combine the advantages of the PIX (we already
> > > have sitting here doing nothing) i.e. hardware VPN, stability, speed
> > > and ISA 2000 exchange publishing, SMTP protection etc. I want to configure
> > > in the simple back to back configuration. Besides turning off
> > > Message Guard on the PIX how do I get OWA/OMA through the PIX? Any other
> > > gotchas I should know about?
> > >
> > > ------------------------------------------------------
> > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > ------------------------------------------------------
> > > Visit TechGenix.com for more information about our other sites:
> > > http://www.techgenix.com
> > > ------------------------------------------------------
> > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > tshinder@xxxxxxxxxxxxxxxxxx
> > > To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > Report abuse to listadmin@xxxxxxxxxxxxx

