RE: Packet filters ???

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Thu, 19 Jun 2003 14:07:32 -0500

Hi David,

Yes, the search feature leaves a bit to be desired :( But then, it does
help generate traffic on the mailing list :)

Thanks!
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: David V. Dellanno [mailto:ddellanno@xxxxxxxxxx] 
Sent: Thursday, June 19, 2003 2:04 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Packet filters ???


http://www.ISAserver.org


Hi Tom, 
        Are you aware that the www.isaserver.org Site Search didn't pick up
your newsletter article as a result, using 'packet filters' as keywords?


-----Original Message-----
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxxxxxxxxx] 
Sent: Thursday, June 19, 2003 2:59 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: Packet filters ???




Hi Francois,

Did you see this one at www.isaserver.org?

http://www.isaserver.org/pages/newsletters/July.asp

HTH,
Tom

Thomas W Shinder
www.isaserver.org/shinder 
ISA Server and Beyond: http://tinyurl.com/1jq1
Configuring ISA Server: http://tinyurl.com/1llp

 


-----Original Message-----
From: Francois Malherbe [mailto:Francois@xxxxxxxxxxxxxx] 
Sent: Thursday, June 19, 2003 1:33 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] Packet filters ???




Hi anyone

Please bear with me on what is probably quite a common and maybe a
simple question.

I have spent quite a lot of time looking for what I think is a simple
answer and I still can't get a simple answer. I have gone through
Technet, ISA homepage and isaserver.org and so far I have either not
found the answer or I have found it, and I haven't understood.


Quite simply, ISA help says a packet filter can be created to allow
traffic flow between the internal network and the external network.

To me, an example of this would be to create a TCP filter to allow the
following:
outbound traffic from source_TCP:dynamic to destination_TCP:1100 and
from Internal IP 192.168.168.168 to External IP 196.44.44.44

My difficulty in answering this question is that I have not seen
anything on Microsoft Technet or ISA homepage or isaserver.org which
says that this is impossible. But, I have seen many references which say
it is not advisable. Also, in tests on my systems, I have not been able
to get even the simplest packet filter working from the external network
to the internal network or vice versa.


I know that it is recommended to use server publishing for external -
internal traffic, and I do use it in our environment, but I still would
like a definite answer - just for argument's sake, can I create such a
packet filter and if so, what addresses are applied for the local and
remote computers?



ISA Help says the following:

IP packet filters are defined by the following parameters:

Protocol, port, and direction.
The filter allows or blocks traffic at the specified port, using the
specified protocol. 

Local computer.
The IP address of the computer in the INTERNAL network for which
communication is open or blocked. You can specify a range or a single IP
address on the ISA Server computer. 

Remote computer.
The IP address of the computer on the Internet for which communication
is allowed or blocked. 




Practical experience and isaserver.org tutorials say the following:

ISA Server uses packet filtering to control inbound and outbound access
to and from the EXTERNAL interface of the ISA Server. Packet filtering
is the ISA Server's first line of defense against INBOUND attack.

You should always use Protocol Rules to allow outbound access to
external network resources for internal network clients. You should use Web
Publishing and Server Publishing Rules to allow inbound access from
external network clients to internal network servers.


Basically, to me, this means that packet filters apply to the EXTERNAL
NIC and the PERIMETER (DMZ) NIC ONLY, NOT the internal NIC. Looking at
the layout of the packet filter creation tool, it specifically mentions
external network and perimeter network, NOT internal network at all.


Please assist me with this, the answer may well be all too obvious to
others, but it's driving me nuts.


Thanks

Francois





------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
Leading Network Software Directory: http://www.serverfiles.com No.1
Exchange Server Resource Site: http://www.msexchange.org Windows
Security Resource Site: http://www.windowsecurity.com/ Network Security
Library: http://www.secinf.net/ Windows 2000/NT Fax Solutions:
http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as:
tshinder@xxxxxxxxxxxxxxxxxx To unsubscribe send a blank email to
$subst('Email.Unsub')



Confidentiality Notice:
This e-mail message, including any attachments, is for the sole use of
the intended recipient(s) and may contain confidential and privileged
information. Any unauthorized review, use, disclosure or distribution is
prohibited. If you are not the intended recipient, please contact the
sender by reply e-mail and destroy all copies of the original message.



