If you chain, you can authenticate. Otherwise, you use only IP address based access control. Configure only the back-end ISA firewall to perform name resolution. Don't enable caching on the front-end ISA firewall. Now you might say "hey Tom, why not just do Firewall chaining if all you want is authenticated connections from the back-end" and that would be an excellent question. HTH, Tom Thomas W Shinder, M.D. Site: www.isaserver.org Blog: http://spaces.msn.com/members/drisa/ Book: http://tinyurl.com/3xqb7 MVP -- ISA Firewalls **Who is John Galt?** > -----Original Message----- > From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx] > Sent: Sunday, December 04, 2005 1:54 AM > To: [ISAserver.org Discussion List] > Subject: [isalist] To Chain, or Not To Chain? > > http://www.ISAserver.org > > So, in a back-to-back ISA config, how do you guys configure > web access from > the internal network's border ISA server to the edge > network's ISA server? > Do you tell the internal ISA server to chain to the external > ISA server and > create an allow rule for 8080, or do you just tell the > internal ISA that > it's got a direct connection by pointing the external > interface gateway to > the internal interface of the edge ISA box (with > corresponding rules to > allow the traffic)?? > > I've done it both ways, and am just digging for more info as > to which method > is better than the other and why. > > t > > ----- > "And yet, even if one person finds his way... that means > there is a Way. Even if I personally fail to reach it." > > Mr. Nobusuke Tagomi > Top Place, Ranking Imperial Trade Mission > Pacific States of America > > > ------------------------------------------------------ > List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist > ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp > ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ > ------------------------------------------------------ > Visit TechGenix.com for more information about our other sites: > http://www.techgenix.com > ------------------------------------------------------ > You are currently subscribed to this ISAserver.org Discussion > List as: tshinder@xxxxxxxxxxxxxxxxxx > To unsubscribe visit > http://www.webelists.com/cgi/lyris.pl?enter=isalist > Report abuse to listadmin@xxxxxxxxxxxxx > >