RE: To Chain, or Not To Chain?

  • From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Sun, 4 Dec 2005 14:55:33 -0800

Never mind.  I've got it all worked out.

Thanks.
t



----- Original Message ----- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 04, 2005 2:13 PM
Subject: [isalist] RE: To Chain, or Not To Chain?



http://www.ISAserver.org

Wait- I think I've got it backwards, or Microsoft does, anyway:

"A downstream ISA Server server is configured to chain Web proxy requests to the upstream server." They are calling the edge box "upstream" it looks like.

I don't think of it like that... Maybe it's my ego, but I always refer to things going away from me as "down." My self-perspective is "up." "I'll be down to see you." "Yes, I can do down there and get that." "Don't bring me down." "Hey baby, let's get down." "I'm down with that."

Can I get a witness?

t


----- Original Message ----- From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 04, 2005 1:33 PM
Subject: [isalist] RE: To Chain, or Not To Chain?



http://www.ISAserver.org

Yes, I agree about the terminology... So, just to be sure, both of these articles regard the "downstream" ISA box. That would be the "edge," "external," "front-end" ISA box that is Internet facing, right??

[Internal Net] -> [Back-End ISA] -> [DMZ] -> [Front-End ISA] -> [Internet]

These articles are for what is listed as [Front-End ISA] above, correct?

Which means, if I chain the [Back-End ISA] to the [Front-End ISA], and then use the script to disable name resolution as described in the 2nd link you provided, the hotfix referenced in the first link is not necessary, right???

t

----- Original Message ----- From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 04, 2005 12:17 PM
Subject: [isalist] RE: To Chain, or Not To Chain?



http://www.ISAserver.org

You use a local account on the front-end ISA firewall, and have the
back-end ISA firewall use the local account to authenticate.

So, no Active Directory access is required.

Actually, if your DNS is well-designed (i.e., your internal DNS server
can resolve Internet host names), you can allow the back-end to resolve
names and you won't have problems. Check out
http://support.microsoft.com/default.aspx?scid=kb;en-us;292018 for more
info.

I don't see any reason to have the front-end perform name resolution,
since the access controls are being done on the back-end. Check out
http://www.microsoft.com/technet/prodtechnol/isa/2004/plan/disablenameresolution.mspx

The problem I have is with the terminology. Downstream and upstream are
good when talking about rivers and streams, where the "flow" is
unidirectional. But it is a bit confusing with network connections, which
are bidirectional :)



Thomas W Shinder, M.D.
Site: www.isaserver.org
Blog: http://spaces.msn.com/members/drisa/
Book: http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
**Who is John Galt?**



-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
Sent: Sunday, December 04, 2005 1:47 PM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: To Chain, or Not To Chain?

http://www.ISAserver.org

OK- I'm a bit confused-- probably because I haven't had any Jaeger yet.

Regarding authentication, how can the front-end server authenticate?  The
front end would have to have access to AD, which you would never do through
the DMZ - that'd be nuts...  Or is that just an example of where chaining in
and of itself serves a purpose?  I'm thinking to just keep the internal
back-end guy thinking the DMZ is the internet as I did before.

Regarding the "config the back end not to perform name resolution," how do I
do that?  That's a new one on me.

t



----- Original Message ----- From: "Jim Harrison" <Jim@xxxxxxxxxxxx>
To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
Sent: Sunday, December 04, 2005 9:42 AM
Subject: [isalist] RE: To Chain, or Not To Chain?



> http://www.ISAserver.org
>
> Er - I think you mean "configure only the front-end firewall to perform
> name resolution"?
> If the back-end does name resolution, this will slow your ISA
> considerably.
>
> -----Original Message-----
> From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
> Sent: Sunday, December 04, 2005 8:55 AM
> To: [ISAserver.org Discussion List]
> Subject: [isalist] RE: To Chain, or Not To Chain?
>
> http://www.ISAserver.org
>
> If you chain, you can authenticate. Otherwise, you use only IP address
> based access control.
>
> Configure only the back-end ISA firewall to perform name resolution.
>
> Don't enable caching on the front-end ISA firewall.
>
> Now you might say "hey Tom, why not just do Firewall chaining if all you
> want is authenticated connections from the back-end" and that would be
> an excellent question.
>
> HTH,
> Tom
>
> Thomas W Shinder, M.D.
> Site: www.isaserver.org
> Blog: http://spaces.msn.com/members/drisa/
> Book: http://tinyurl.com/3xqb7
> MVP -- ISA Firewalls
> **Who is John Galt?**
>
>
>> -----Original Message-----
>> From: Thor (Hammer of God) [mailto:thor@xxxxxxxxxxxxxxx]
>> Sent: Sunday, December 04, 2005 1:54 AM
>> To: [ISAserver.org Discussion List]
>> Subject: [isalist] To Chain, or Not To Chain?
>>
>> http://www.ISAserver.org
>>
>> So, in a back-to-back ISA config, how do you guys configure web access from
>> the internal network's border ISA server to the edge network's ISA server?
>> Do you tell the internal ISA server to chain to the external ISA server and
>> create an allow rule for 8080, or do you just tell the internal ISA that
>> it's got a direct connection by pointing the external interface gateway to
>> the internal interface of the edge ISA box (with corresponding rules to
>> allow the traffic)??
>>
>> I've done it both ways, and am just digging for more info as to which method
>> is better than the other and why.
>>
>> t
>>
>> -----
>> "And yet, even if one person finds his way... that means there is a Way.
>> Even if I personally fail to reach it."
>>
>> Mr. Nobusuke Tagomi
>> Top Place, Ranking Imperial Trade Mission
>> Pacific States of America
>>
>>
>> ------------------------------------------------------
>> List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
>> ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
>> ------------------------------------------------------
>> Visit TechGenix.com for more information about our other sites:
>> http://www.techgenix.com
>> ------------------------------------------------------
>> You are currently subscribed to this ISAserver.org Discussion List as: tshinder@xxxxxxxxxxxxxxxxxx
>> To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
>> Report abuse to listadmin@xxxxxxxxxxxxx