RE: To Chain, or Not To Chain?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 4 Dec 2005 10:54:57 -0600

If you chain, you can authenticate. Otherwise, you use only IP
address-based access control.

Configure only the back-end ISA firewall to perform name resolution.

Don't enable caching on the front-end ISA firewall.

Now you might say "hey Tom, why not just do Firewall chaining if all you
want is authenticated connections from the back-end" and that would be
an excellent question.

HTH,
Tom

Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**

> -----Original Message-----
> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] 
> Sent: Sunday, December 04, 2005 1:54 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] To Chain, or Not To Chain?
> 
> So, in a back-to-back ISA config, how do you guys configure web access
> from the internal network's border ISA server to the edge network's ISA
> server? Do you tell the internal ISA server to chain to the external ISA
> server and create an allow rule for 8080, or do you just tell the
> internal ISA that it's got a direct connection by pointing the external
> interface gateway to the internal interface of the edge ISA box (with
> corresponding rules to allow the traffic)??
> 
> I've done it both ways, and am just digging for more info as to which
> method is better than the other and why.
> 
> t
> 
> -----
> "And yet, even if one person finds his way... that means
> there is a Way.  Even if I personally fail to reach it."
> 
> Mr. Nobusuke Tagomi
> Top Place, Ranking Imperial Trade Mission
> Pacific States of America
> 
> 