RE: PIX 515e and ISA 2000 (I know, I know)

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Wed, 8 Mar 2006 09:13:18 -0600

Hi CDX,

Check out:

http://spaces.msn.com/drisa/blog/cns!BC3213176E0489FD!392.entry

And
http://www.isaserver.org/tutorials/2004isapixdmz.html

And
http://www.isaserver.org/pages/search.asp?query=netscreen

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://blogs.isaserver.org/shinder/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 

> -----Original Message-----
> From: cdx47 [mailto:extra_net@xxxxxxxxxxx] 
> Sent: Wednesday, March 08, 2006 9:07 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> 
> http://www.ISAserver.org
> 
> That's the annoying thing. Neither of them says anything is wrong. The
> OS logs, including DNS, have no errors. ISA logs have no errors. When
> things like this happen my boss gets angry with me and says "but there
> must be a reason" and all I can say to him is yes, but since I have
> nothing in the logs and nothing has changed (as far as I know) what can
> I say.
>
> Anyway, to be honest, going back to my original question, I just wanted
> to know people's experiences on the board. How do you combine the
> excellent SMTP filtering, OWA publishing etc. features of ISA with PIX
> raw power and stability? I would like to use the PIX as the Internet
> firewall. I will turn off message guard and maybe a few others if
> necessary. I would like to use the PIX VPN and still use WinXP clients
> to connect to it (I have already tested this). I want, for example, to
> exchange over HTTP but for that I either need to upgrade to 2004 or
> remove ISA and just open the relevant ports on PIX. Can I do this with
> ISA 2000 in place, for example?
>
> I am no longer in troubleshooting mode. I just want a solution that is
> "stable" even if it means a little more complication on the way. The
> easiest solution would be to remove ISA completely and it is tempting
> but I do know the advantages of ISA.
>
> > What do the logs say??  Both ISA and event.
> >
> > -----Original Message-----
> > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > Sent: Wednesday, March 08, 2006 10:44 AM
> > To: ISA Mailing List
> > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > 
> > http://www.ISAserver.org
> > 
> > Ok here goes
> > Steve: in answer to your question. I have nothing else installed on my
> > ISA box. I've been configuring ISA for 3 years now. I bought both of
> > Tom's books so I have some idea of what I am doing.
> >
> > Tom: You surprise me. I know you are busy so I will forgive you for
> > completely missing the point. I don't have the PIX installed yet. Just
> > ISA.
> >
> > Alex: Me too. I think that maybe they are so used to being bashed over
> > the head with the software firewall thing that it's just a conditioned
> > reaction triggered by certain keywords, e.g. PIX. I want to use ISA, I
> > just realise it has its own limitations. I'm sure 2004 overcomes many
> > of them but in the end it's still on a PC running on a general purpose
> > OS. So I wanted to combine the best of both.
> >
> > Ho hum
> > 
> > > ... uh.. .what?
> > >
> > > I fail to see how a PIX is easier to use than ISA... and I also fail
> > > to understand the whole point, in general. I fail at a lot of things
> > > today. May I ask for enlightenment?
> > >
> > > -----Original Message-----
> > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > Sent: March 8, 2006 08:18
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > >
> > > http://www.ISAserver.org
> > >
> > > Here's a core fact you can take to the dopes who think a hardware
> > > firewall is more secure:
> > >
> > > Security is inversely proportional to ease of use and accessibility
> > >
> > > Therefore, if you can understand the PIX and make it access the
> > > content your users want, you've proven the PIX is nothing but a
> > > security illusion and you're doing your company a disservice if you
> > > can't prove that I'm incorrect.
> > >
> > > BTW -- you have done *nothing* to demonstrate that the ISA firewall is
> > > the problem here.  At this point, I have as much positive proof that
> > > the pix server is the problem.
> > >
> > >
> > > Thomas W Shinder, M.D.
> > > Site: www.isaserver.org
> > > Blog: http://blogs.isaserver.org/shinder/
> > > Book: http://tinyurl.com/3xqb7
> > > MVP -- ISA Firewalls
> > >
> > >
> > > -----Original Message-----
> > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > Sent: Wednesday, March 08, 2006 1:03 AM
> > > To: [ISAserver.org Discussion List]
> > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > >
> > > http://www.ISAserver.org
> > >
> > > Now I'm really tempted to just remove ISA completely (see below). I
> > > currently have ISA running on win2k3 sp1. Should I downgrade to
> > > win2k? It seemed to be a little more stable on that OS.
> > >
> > > Again this morning, for no reason DNS stopped responding. I restarted
> > > the DNS service and nothing happened. I checked the ISP's DNS and
> > > everything was fine. I rebooted ISA and everything came back. I'm
> > > quite frankly fed up with this. I know 2004 is supposed to be more
> > > stable but I can't justify the extra spend especially as most people
> > > still think hardware firewall equals more secure and Microsoft
> > > Firewall equals reboot (in the case of ISA 2000 I agree).
> > >
> > > > In that case, please proceed. :)
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: Alexandre Gauthier [mailto:gauthiera@xxxxxxxxxxxxxxxxx]
> > > > Sent: Tuesday, March 07, 2006 8:31 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Well, unless I misread, he asked how to make ISA 2000 and PIX play
> > > > nice, so it is not entirely irrelevant...
> > > >
> > > > -----Original Message-----
> > > > From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> > > > Sent: March 7, 2006 09:25
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] RE: PIX 515e and ISA 2000 (I know, I know)
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > You're asking how to configure a dreaded PIX here?
> > > >
> > > > Thomas W Shinder, M.D.
> > > > Site: www.isaserver.org
> > > > Blog: http://blogs.isaserver.org/shinder/
> > > > Book: http://tinyurl.com/3xqb7
> > > > MVP -- ISA Firewalls
> > > >
> > > >
> > > > -----Original Message-----
> > > > From: cdx47 [mailto:extra_net@xxxxxxxxxxx]
> > > > Sent: Tuesday, March 07, 2006 8:11 AM
> > > > To: [ISAserver.org Discussion List]
> > > > Subject: [isalist] PIX 515e and ISA 2000 (I know, I know)
> > > >
> > > > http://www.ISAserver.org
> > > >
> > > > Hi all
> > > >
> > > > I didn't really get any answers to my ISA VPN question so I just gave
> > > > up and I will install a PIX. For some reason the ISA VPN connects but
> > > > I can't see the internal lan. I'm not sure if I need a static route on
> > > > the ISA box or not. But to be honest this is the last straw. I've been
> > > > using ISA for 3 years. Feature wise very good. Configuration very
> > > > easy. Stability.......
> > > > Anyway I would like to combine the advantages of the PIX (we already
> > > > have sitting here doing nothing) i.e. hardware VPN, stability, speed
> > > > and ISA 2000 exchange publishing, SMTP protection etc. I want to
> > > > configure in the simple back to back configuration. Besides turning
> > > > off Message Guard on the PIX how do I get OWA/OMA through the PIX? Any
> > > > other gotchas I should know about?
> > > >
> > > > ------------------------------------------------------
> > > > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
> > > > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
> > > > ------------------------------------------------------
> > > > Visit TechGenix.com for more information about our other sites:
> > > > http://www.techgenix.com
> > > > ------------------------------------------------------
> > > > You are currently subscribed to this ISAserver.org Discussion List as:
> > > > tshinder@xxxxxxxxxxxxxxxxxx
> > > > To unsubscribe visit
> > > > http://www.webelists.com/cgi/lyris.pl?enter=isalist
> > > > Report abuse to listadmin@xxxxxxxxxxxxx